Closed Bug 974359 Opened 10 years ago Closed 10 years ago

Crash [@ nextLazyInnerFunction] or Crash [@ numFreeVariables]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, sec-moderate, testcase)

Attachments

(1 file)

Attached file Testcase for shell
The attached testcase crashes on mozilla-central revision bf0e76f2a7d4 (threadsafe build, run with --fuzzing-safe --thread-count=2 --ion-eager).
Jason and I discussed this already yesterday, here's some more crash information:

1) It only reproduces in a threadsafe optimized 64 bit build for me (--disable-debug --enable-optimize --enable-valgrind --enable-gczeal --enable-threadsafe).

2) It takes a variable amount of time to crash (I assume there is some thread scheduling issue that introduces the non-determinism here).

3) Crash trace:
Program received signal SIGSEGV, Segmentation fault.
nextLazyInnerFunction (this=0x7fffffffb768) at js/src/frontend/FullParseHandler.h:583
583             return lazyOuterFunction()->innerFunctions()[lazyInnerFunctionIndex++];
(gdb) bt 
#0  nextLazyInnerFunction (this=0x7fffffffb768) at js/src/frontend/FullParseHandler.h:583
#1  js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition (this=0x7fffffffb110, funName=0x0, pn_=0x7fffffffa140, kind=<optimized out>, pbodyProcessed=0x7fffffffa15f)
    at js/src/frontend/Parser.cpp:1832
#2  0x0000000000430985 in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=0x7fffffffb110, funName=0x0, start=..., type=js::frontend::Normal, kind=js::frontend::Expression, generatorKind=
    js::NotGenerator) at js/src/frontend/Parser.cpp:1960
#3  0x0000000000430d66 in js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:2421
#4  0x0000000000432348 in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=0x7fffffffb110, tt=js::frontend::TOK_FUNCTION) at js/src/frontend/Parser.cpp:7001
#5  0x00000000004326fd in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=0x7fffffffb110, tt=<optimized out>, allowCallSyntax=true) at js/src/frontend/Parser.cpp:6497
#6  0x0000000000432d34 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:5749
#7  0x000000000043326a in js::frontend::Parser<js::frontend::FullParseHandler>::orExpr1 (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:5409
#8  0x0000000000433546 in condExpr1 (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:5461
#9  js::frontend::Parser<js::frontend::FullParseHandler>::assignExpr (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:5587
#10 0x00000000004360f2 in js::frontend::Parser<js::frontend::FullParseHandler>::variables (this=0x7fffffffb110, kind=js::frontend::PNK_VAR, psimple=0x0, blockObj=<optimized out>, varContext=js::frontend::HoistVars)
    at js/src/frontend/Parser.cpp:3516
#11 0x0000000000436bae in js::frontend::Parser<js::frontend::FullParseHandler>::statement (this=0x7fffffffb110, canHaveDirectives=true) at js/src/frontend/Parser.cpp:5192
#12 0x0000000000437356 in js::frontend::Parser<js::frontend::FullParseHandler>::statements (this=0x7fffffffb110) at js/src/frontend/Parser.cpp:2592
#13 0x0000000000438498 in js::frontend::Parser<js::frontend::FullParseHandler>::functionBody (this=0x7fffffffb110, kind=js::frontend::Statement, type=
    js::frontend::Parser<js::frontend::FullParseHandler>::StatementListBody) at js/src/frontend/Parser.cpp:1065
#14 0x000000000043873f in js::frontend::Parser<js::frontend::FullParseHandler>::functionArgsAndBodyGeneric (this=0x7fffffffb110, pn=0x15ee0a0, fun=(JSFunction * const) 0x7ffff5c61140 [object Function <unnamed>], 
    type=<optimized out>, kind=js::frontend::Statement, newDirectives=<optimized out>) at js/src/frontend/Parser.cpp:2312
#15 0x0000000000423caa in js::frontend::Parser<js::frontend::FullParseHandler>::standaloneLazyFunction (this=0x7fffffffb110, fun=(JSFunction * const) 0x7ffff5c61140 [object Function <unnamed>], 
    staticLevel=<optimized out>, strict=<optimized out>, generatorKind=<optimized out>) at js/src/frontend/Parser.cpp:2241
#16 0x000000000047b77f in js::frontend::CompileLazyFunction (cx=0x15c58f0, lazy=0x7ffff5c54080, chars=
    0x1606ef2 u"() { /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */\n/* This Source Code Form is subject to the terms of the Mozilla Public\n * file, You can obtain one at http://mozilla."..., length=<optimized out>) at js/src/frontend/BytecodeCompiler.cpp:457
#17 0x00000000006919c9 in JSFunction::createScriptForLazilyInterpretedFunction (cx=0x15c58f0, fun=(JSFunction * const) 0x7ffff5c61140 [object Function <unnamed>]) at js/src/jsfun.cpp:1217
#18 0x00000000007a4b20 in getOrCreateScript (cx=0x15c58f0, this=<optimized out>) at js/src/jsfun.h:302
#19 getOrCreateScript (cx=0x15c58f0, this=<optimized out>) at js/src/vm/Interpreter.cpp:440
#20 js::Invoke (cx=0x15c58f0, args=..., construct=<optimized out>) at js/src/vm/Interpreter.cpp:478
#21 0x00000000007a54eb in js::Invoke (cx=0x15c58f0, thisv=..., fval=..., argc=0, argv=<optimized out>, rval=...) at js/src/vm/Interpreter.cpp:532
#22 0x000000000054eb23 in js::jit::DoCallFallback (cx=0x15c58f0, frame=<optimized out>, stub=0x161d530, argc=0, vp=0x7fffffffc410, res=JSVAL_VOID) at js/src/jit/BaselineIC.cpp:8103
#23 0x00007ffff7e52f12 in ?? ()
warning: (Internal error: pc 0x0 in read in psymtab, but not in symtab.)

#24 0x0000000000000000 in ?? ()
(gdb) x /i $pc
=> 0x41f675 <js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition(JS::Handle<js::PropertyName*>, js::frontend::ParseNode**, js::frontend::FunctionSyntaxKind, bool*)+133>:
    mov    (%rax,%rdx,8),%r13
(gdb) info reg rax rdx r13
rax            0x0      0
rdx            0x0      0
r13            0x7fffffffa250   140737488331344

Marked this one s-s because the test involves GC and I'm not sure whether that might make it exploitable somehow.
Flags: needinfo?(jorendorff)
Before reduction, this also crashed [@ numFreeVariables]:
#0  numFreeVariables (this=<optimized out>) at js/src/jsscript.h:1730
#1  js::frontend::Parser<js::frontend::FullParseHandler>::addFreeVariablesFromLazyFunction (this=0x7fffcd675c20, fun=<optimized out>, pc=0x7fffcd6752e0) at js/src/frontend/Parser.cpp:1877
#2  0x000000000041f710 in js::frontend::Parser<js::frontend::FullParseHandler>::checkFunctionDefinition (this=0x7fffcd675c20, funName=..., pn_=0x7fffcd674c60, kind=<optimized out>, pbodyProcessed=0x7fffcd674c7f) at js/src/frontend/Parser.cpp:1839
#3  0x00000000004364e5 in js::frontend::Parser<js::frontend::FullParseHandler>::functionDef (this=<optimized out>, funName=0x0, start=..., type=js::frontend::Normal, kind=js::frontend::Expression, generatorKind=js::NotGenerator) at js/src/frontend/Parser.cpp:1960
#4  0x00000000004368c6 in js::frontend::Parser<js::frontend::FullParseHandler>::functionExpr (this=0x7fffcd675c20) at js/src/frontend/Parser.cpp:2421
#5  0x0000000000437ea8 in js::frontend::Parser<js::frontend::FullParseHandler>::primaryExpr (this=0x7fffcd675c20, tt=js::frontend::TOK_FUNCTION) at js/src/frontend/Parser.cpp:7001
#6  0x000000000043825d in js::frontend::Parser<js::frontend::FullParseHandler>::memberExpr (this=0x7fffcd675c20, tt=<optimized out>, allowCallSyntax=true) at js/src/frontend/Parser.cpp:6497
#7  0x0000000000438894 in js::frontend::Parser<js::frontend::FullParseHandler>::unaryExpr (this=0x7fffcd675c20) at js/src/frontend/Parser.cpp:5749
rsi	0xd71	3441
rip	0x42c8ed <js::frontend::Parser<js::frontend::FullParseHandler>::addFreeVariablesFromLazyFunction(JSFunction*, js::frontend::ParseContext<js::frontend::FullParseHandler>*)+29>
=> 0x42c8ed <js::frontend::Parser<js::frontend::FullParseHandler>::addFreeVariablesFromLazyFunction(JSFunction*, js::frontend::ParseContext<js::frontend::FullParseHandler>*)+29>:	mov    0x28(%rsi),%r9
Crash Signature: [@ nextLazyInnerFunction] → [@ nextLazyInnerFunction] [@ numFreeVariables]
Summary: Crash [@ nextLazyInnerFunction] → Crash [@ nextLazyInnerFunction] or Crash [@ numFreeVariables]
The first crash looks like null deref. Is there any evidence this might be worse?
I think I've seen this stack before in other hard-to-reproduce bugs:

Bug 953336 - Assertion failure: lazyInnerFunctionIndex < lazyOuterFunction()->numInnerFunctions(), at frontend/FullParseHandler.h

Bug 942496

Please fix this asap, I think this will help with other intermittent bugs too!
(In reply to Daniel Veditz [:dveditz] from comment #3)
> The first crash looks like null deref. Is there any evidence this might be
> worse?

Yes, the second one is not a null-deref and from the same test (just less reduced). Also it involves GC, so it's likely more than a simple null-deref.
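Added example (not from this bug or from SpiderMonkey) for the triage step argued in comment 3 and the reply above: decode the faulting instruction's AT&T memory operand against the register values quoted in the two gdb sessions, compute the effective address, and separate a null base pointer (the nextLazyInnerFunction crash) from a small non-null bogus pointer (the numFreeVariables crash). The first-page threshold and the verdict names are assumptions.

```python
import re

# Faulting instructions and register values copied from the two gdb sessions
# quoted in this bug (AT&T syntax, as gdb prints by default).
CRASHES = {
    "nextLazyInnerFunction": ("mov    (%rax,%rdx,8),%r13", {"rax": 0x0, "rdx": 0x0}),
    "numFreeVariables": ("mov    0x28(%rsi),%r9", {"rsi": 0xd71}),
}

# AT&T memory operand: disp(base,index,scale), every component optional.
MEM_RE = re.compile(
    r"(?P<disp>-?0x[0-9a-fA-F]+|-?\d+)?"
    r"\((?P<base>%\w+)?(?:,(?P<index>%\w+)(?:,(?P<scale>[1248]))?)?\)"
)

# Assumption: nothing is mapped in the first page of the address space.
PAGE = 0x1000


def parse_mem_operand(insn, regs):
    """Resolve the memory operand of `insn` against `regs`.

    Returns (base_value, index_value * scale, displacement, effective_address).
    """
    m = MEM_RE.search(insn)
    if not m:
        raise ValueError("no memory operand in %r" % insn)
    disp = int(m.group("disp"), 0) if m.group("disp") else 0
    base = regs[m.group("base")[1:]] if m.group("base") else 0
    index = regs[m.group("index")[1:]] if m.group("index") else 0
    scale = int(m.group("scale") or 1)
    addr = (base + index * scale + disp) & 0xFFFFFFFFFFFFFFFF
    return base, index * scale, disp, addr


def classify(insn, regs):
    """Label a faulting memory access for triage.

    null-base   : base register is 0, i.e. a missing null check; the access
                  stays near address 0 only while index and disp are small.
    bogus-small : base is non-null but below the first page, i.e. an integer
                  or corrupted field used as a pointer, not a plain null check.
    wild        : anything else; treat as potentially controlled.
    """
    base, _scaled_index, _disp, addr = parse_mem_operand(insn, regs)
    if base == 0:
        return "null-base" if addr < PAGE else "null-base-large-offset"
    return "bogus-small" if base < PAGE else "wild"


def triage_all():
    """Map each crash name to (effective address, verdict)."""
    return {n: (parse_mem_operand(i, r)[3], classify(i, r)) for n, (i, r) in CRASHES.items()}
```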
I don't seem to see this anymore, resolving WFM.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release