Closed
Bug 1437125
Opened 7 years ago
Closed 7 years ago
ASan heap-buffer-overflow within GET_UINT32_INDEX | js::jit::IonBuilder::inspectOpcode [JSOP_DEFFUN]
Categories: Core :: JavaScript Engine, defect, P3
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla60

Flag | Tracking | Status
---|---|---
firefox60 | --- | fixed
People
(Reporter: nbp, Assigned: nbp)
Attachments (1 file)
(deleted), patch | tcampbell: review+
I am able to reproduce this crash with an x64 _debug_ + asan build.

$ js --ion-eager --ion-offthread-compile=off -f ./jit-test/tests/basic/bug568276.js
=================================================================
==19818==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300001dc09 at pc 0x00000050ae75 bp 0x7ffcbd17d8b0 sp 0x7ffcbd17d058
READ of size 4 at 0x60300001dc09 thread T0
    #0 0x50ae74 in __asan_memcpy (/home/nicolas/mozilla/_build/js/bugzil.la/1436773/wip/x64/clang/dbg/js/src/shell/js+0x50ae74)
    #1 0x130b4f1 in GET_UINT32(unsigned char const*) /home/nicolas/mozilla/wksp-6/js/src/jsopcode.h:206:5
    #2 0x1301124 in GET_UINT32_INDEX(unsigned char const*) /home/nicolas/mozilla/wksp-6/js/src/jsopcode.h:258:12
    #3 0x12e8d40 in js::jit::IonBuilder::inspectOpcode(JSOp) /home/nicolas/mozilla/wksp-6/js/src/jit/IonBuilder.cpp:1858:28
    #4 0x12e59f9 in js::jit::IonBuilder::visitBlock(js::jit::CFGBlock const*, js::jit::MBasicBlock*) /home/nicolas/mozilla/wksp-6/js/src/jit/IonBuilder.cpp:1564:9
    #5 […]

0x60300001dc09 is located 0 bytes to the right of 25-byte region [0x60300001dbf0,0x60300001dc09)
allocated by thread T0 here:
    #0 0x5216f0 in __interceptor_malloc (/home/nicolas/mozilla/_build/js/bugzil.la/1436773/wip/x64/clang/dbg/js/src/shell/js+0x5216f0)
    #1 0x673a34 in SystemMalloc::malloc(unsigned long) /home/nicolas/mozilla/wksp-6/memory/build/malloc_decls.h:37:1
    #2 0x673968 in DummyArenaAllocator<SystemMalloc>::moz_arena_malloc(unsigned long, unsigned long) /home/nicolas/mozilla/wksp-6/memory/build/malloc_decls.h:37:1
    #3 0x67384c in moz_arena_malloc /home/nicolas/mozilla/wksp-6/memory/build/malloc_decls.h:115:1
    #4 0x7a69a6 in js_malloc(unsigned long) /home/nicolas/mozilla/_build/js/bugzil.la/1436773/wip/x64/clang/dbg/dist/include/js/Utility.h:387:12
    #5 0x807f44 in unsigned char* js_pod_malloc<unsigned char>(unsigned long) /home/nicolas/mozilla/_build/js/bugzil.la/1436773/wip/x64/clang/dbg/dist/include/js/Utility.h:577:28
    #6 0x847c53 in unsigned char* js::MallocProvider<JS::Zone>::maybe_pod_malloc<unsigned char>(unsigned long) /home/nicolas/mozilla/wksp-6/js/src/vm/MallocProvider.h:54:16
    #7 0x84795a in unsigned char* js::MallocProvider<JS::Zone>::pod_malloc<unsigned char>(unsigned long) /home/nicolas/mozilla/wksp-6/js/src/vm/MallocProvider.h:87:16
    #8 0x2068045 in js::SharedScriptData::new_(JSContext*, unsigned int, unsigned int, unsigned int) /home/nicolas/mozilla/wksp-6/js/src/jsscript.cpp:2441:66
    #9 0x2057959 in JSScript::createScriptData(JSContext*, unsigned int, unsigned int, unsigned int) /home/nicolas/mozilla/wksp-6/js/src/jsscript.cpp:2478:29
    #10 0x206beb4 in JSScript::fullyInitFromEmitter(JSContext*, JS::Handle<JSScript*>, js::frontend::BytecodeEmitter*) /home/nicolas/mozilla/wksp-6/js/src/jsscript.cpp:3028:18
    #11 0x2fb002d in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) /home/nicolas/mozilla/wksp-6/js/src/frontend/BytecodeEmitter.cpp:4904:10
    #12 0x2a4a5ca in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) /home/nicolas/mozilla/wksp-6/js/src/frontend/BytecodeCompiler.cpp:345:27
    #13 0x2a4ad08 in BytecodeCompiler::compileGlobalScript(js::ScopeKind) /home/nicolas/mozilla/wksp-6/js/src/frontend/BytecodeCompiler.cpp:379:12
    #14 […]

Note, this is not a security issue. The call to GET_UINT32 in the JSOP_DEFFUN case of inspectOpcode is used to read the argument of the IonBuilder::jsop_deffun function. This problem might not appear with optimized builds because the index of the IonBuilder::jsop_deffun function is not used and the function is probably inlined.
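As an added illustration, not code from this bug or from SpiderMonkey, the following constructed C model shows the shape of the read the trace describes: a 4-byte operand fetch issued at an opcode that is the last byte of a 25-byte bytecode allocation, so the copy starts exactly at the end of the region, which is what "0 bytes to the right of 25-byte region" with "READ of size 4" means. Next to the unchecked accessor sits a reader that consults the opcode's declared length and the buffer bound before copying, the check that makes such a mismatch fail cleanly instead of reading out of bounds. The opcode numbers, the length table and the script bytes are hypothetical and chosen only for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a bytecode stream: one opcode byte followed by the
 * operand bytes that opcode declares. The opcode numbers and lengths below
 * are hypothetical, not SpiderMonkey's JSOP_* table. */
enum { OP_NOP = 0, OP_DEFFUN = 1, OP_GETNAME = 2, OP_COUNT = 3 };

/* Length in bytes of each instruction, opcode byte included. */
static const size_t op_length[OP_COUNT] = {
    [OP_NOP]     = 1,      /* no operand */
    [OP_DEFFUN]  = 1,      /* no operand in this model */
    [OP_GETNAME] = 1 + 4,  /* one uint32 index operand */
};

/* Unchecked accessor, the shape the ASan frames show: copy 4 bytes after pc
 * regardless of which opcode pc points at or where the buffer ends. */
static uint32_t get_uint32_index_unchecked(const uint8_t *pc) {
    uint32_t v;
    memcpy(&v, pc + 1, sizeof v);   /* overruns when pc is the last byte */
    return v;
}

/* Checked accessor: reads the operand only if the opcode declares one and
 * all 4 bytes lie inside [code, code + len). */
static bool get_uint32_index_checked(const uint8_t *code, size_t len,
                                     size_t pc, uint32_t *out) {
    if (pc >= len)
        return false;
    uint8_t op = code[pc];
    if (op >= OP_COUNT)
        return false;
    if (op_length[op] < 1 + sizeof *out)
        return false;               /* opcode has no uint32 operand */
    if (len - pc < 1 + sizeof *out)
        return false;               /* operand would run past the buffer */
    memcpy(out, code + pc + 1, sizeof *out);
    return true;
}

/* Walks the stream by declared length; returns the instruction count, or
 * -1 if any instruction would extend past the end of the buffer. */
static int count_instructions(const uint8_t *code, size_t len) {
    int n = 0;
    size_t pc = 0;
    while (pc < len) {
        uint8_t op = code[pc];
        if (op >= OP_COUNT || op_length[op] > len - pc)
            return -1;
        pc += op_length[op];
        n++;
    }
    return n;
}

/* Constructed 25-byte script mirroring the report's "25-byte region":
 * GETNAME with operand bytes 07 00 00 00, then NOPs, and DEFFUN as the very
 * last byte at offset 24. */
#define SCRIPT_LEN 25
static const uint8_t script[SCRIPT_LEN] = {
    OP_GETNAME, 0x07, 0x00, 0x00, 0x00,
    [SCRIPT_LEN - 1] = OP_DEFFUN,   /* offsets 5..23 default to OP_NOP (0) */
};

int main(void) {
    uint32_t v = 0;
    printf("instructions: %d\n", count_instructions(script, SCRIPT_LEN));
    if (get_uint32_index_checked(script, SCRIPT_LEN, 0, &v))
        printf("GETNAME operand at pc=0: %u\n", v);
    /* At pc=24 the checked reader refuses; the unchecked one would copy
     * bytes 25..28, the 4-byte read past the region that ASan reported. */
    printf("DEFFUN operand read at pc=24 allowed: %s\n",
           get_uint32_index_checked(script, SCRIPT_LEN, SCRIPT_LEN - 1, &v)
               ? "yes" : "no");
    return 0;
}
```

The model deliberately never calls the unchecked accessor on the final opcode; under ASan that call is the reported crash. The point of the checked variant is that an operand read for an opcode whose declared length has no room for it is rejected before any memory is touched, which is the same invariant the fix restores by not reading an operand for JSOP_DEFFUN at all.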
Comment 1 • Assignee • 7 years ago
Attachment #8949818 - Flags: review?(tcampbell)
Comment 2 • 7 years ago
Comment on attachment 8949818: Remove operand read of JSOP_DEFFUN from inspectOpcode.
Review of attachment 8949818:
Ugh. Good find.
Attachment #8949818 - Flags: review?(tcampbell) → review+
Updated • Assignee • 7 years ago
Priority: -- → P3
Pushed by npierron@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/772a11f3103b Remove operand read of JSOP_DEFFUN from inspectOpcode. r=tcampbell
Comment 4 • bugherder • 7 years ago
https://hg.mozilla.org/mozilla-central/rev/772a11f3103b
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox60: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60