AddressSanitizer: heap-buffer-overflow [@ js::gc::MarkingValidator::validate] with READ of size 1 and gcslice
Categories: Core :: JavaScript: GC, defect
Tracking

Release | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox72 | --- | unaffected
firefox73 | --- | unaffected
firefox74 | --- | fixed
People: Reporter: gkw, Assigned: jonco
References: Blocks 1 open bug, Regression
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments (2 files, 1 obsolete file):
- (deleted), text/plain
- (deleted), patch
The following testcase crashes on mozilla-central revision d1406439c461 (build with --enable-address-sanitizer, run with --fuzzing-safe --no-threads --no-baseline --no-ion --gc-zeal=11):

```js
try {} catch (e) {}
try {
  x;
} catch (e) {}
gcslice(6326);
uneval(this);
```

Backtrace:

```
==7832==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000a13f at pc 0x55c6e5533f58 bp 0x7fffd6698720 sp 0x7fffd6698718
READ of size 1 at 0x60300000a13f thread T0
    #0 0x55c6e5533f57 in js::gc::MarkingValidator::validate() js/src/gc/Verifier.cpp:703:15
    #1 0x55c6e5431b88 in js::gc::GCRuntime::beginSweepingSweepGroup(JSFreeOp*, js::SliceBudget&) js/src/gc/GC.cpp:5150:3
    #2 0x55c6e549ec27 in sweepaction::SweepActionSequence::run(js::gc::SweepAction::Args&) js/src/gc/GC.cpp:5882:23
    #3 0x55c6e54904d6 in sweepaction::SweepActionForEach<js::gc::SweepGroupsIter, JSRuntime*>::run(js::gc::SweepAction::Args&) js/src/gc/GC.cpp:5917:19
    #4 0x55c6e543d4e7 in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) js/src/gc/GC.cpp:6050:48
    #5 0x55c6e5443b5a in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) js/src/gc/GC.cpp:6572:11
/snip
```

For detailed crash information, see attachment.

Setting s-s as a start as this ASan issue involves GC.
Comment 1 (Reporter) • 5 years ago

Comment 2 (Reporter) • 5 years ago
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/d389e3aa4522
user: Jon Coppeard
date: Thu Jan 09 10:35:24 2020 +0000
summary: Bug 1424934 - Replace the chunk's mark bitmap with one byte per cell in the arena r=sfink,jandem
Jon, is bug 1424934 a likely regressor?
Comment 3 (Reporter) • 5 years ago
Opening up, :decoder pointed out to me that uneval is shell-only.
Comment 4 (Assignee) • 5 years ago
Gary I can't reproduce this (tried the exact changeset / configure flags / options). Are you seeing any other cases with failures like this?
Comment 5 (Reporter) • 5 years ago

I can still reproduce on m-c rev e71639544560.
Jon, does this Pernosco link help? (Tested on Ubuntu 18.04.3 LTS, clang 8)
Comment 6 (Assignee) • 5 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
Thanks that helps a lot.
Comment 7 (Assignee) • 5 years ago
This is a problem with the incremental marking verifier. The problem is that an arena can be freed after having its mark bits checked and reallocated in a new zone before we check the mark bits for that zone.
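A toy model of the failure mode described in comment 7, added here as an illustration and not SpiderMonkey's code: a fixed pool of arenas stands in for the GC heap (zone 0 meaning free), pass 1 snapshots each arena's per-cell mark bytes, sweeping then frees an arena that a later allocation hands to another zone, and the unchecked pass 2 compares the reused arena against bytes recorded for its old owner, while the checked variant recognises the stale entry and skips it. The pool, the zone numbering and the staleness check are assumptions of this model, not the fix that landed.

```c
#include <stdbool.h>
#include <string.h>
#define CELLS 4      /* mark bytes per arena, one per cell */
#define NARENAS 4
#define FREE_ZONE 0  /* zone 0 means "not allocated" (model assumption) */

typedef struct { int zone; unsigned char marks[CELLS]; } Arena;
typedef struct { const Arena *arena; Arena seen; } Saved; /* snapshot entry */

static Arena pool[NARENAS];  /* stands in for the GC heap's arena pool */
static Saved saved[NARENAS]; /* the verifier's snapshot, one entry per arena */
static int nsaved;

static void reset_pool(void) { memset(pool, 0, sizeof pool); nsaved = 0; }

/* Allocate a free arena into `zone`; NULL when the pool is exhausted. */
static Arena *alloc_arena(int zone) {
  for (int i = 0; i < NARENAS; i++)
    if (pool[i].zone == FREE_ZONE) { pool[i].zone = zone; return &pool[i]; }
  return NULL;
}

/* Sweeping releases an arena; its mark bytes go with it. */
static void free_arena(Arena *a) { memset(a, 0, sizeof *a); }

/* Pass 1: record every live arena's owner zone and its mark bytes. */
static void snapshot_marks(void) {
  nsaved = 0;
  for (int i = 0; i < NARENAS; i++)
    if (pool[i].zone != FREE_ZONE) saved[nsaved++] = (Saved){ &pool[i], pool[i] };
}

static const Saved *lookup(const Arena *a) {
  for (int i = 0; i < nsaved; i++) if (saved[i].arena == a) return &saved[i];
  return NULL;
}

/* Pass 2: walk the arenas now in `zone` and compare against the snapshot.
 * checked=false trusts the saved entry blindly, so an arena freed and reused
 * by another zone is compared against bytes recorded for its old owner (the
 * stale read behind the ASan report). checked=true treats an entry whose zone
 * no longer matches as stale and skips it. Returns the mismatch count. */
static int validate_zone(int zone, bool checked, int *stale) {
  int bad = 0;
  *stale = 0;
  for (int i = 0; i < NARENAS; i++) {
    if (pool[i].zone != zone) continue;
    const Saved *s = lookup(&pool[i]);
    if (!s) continue; /* allocated after the snapshot: nothing to compare */
    if (checked && s->seen.zone != zone) { (*stale)++; continue; }
    if (memcmp(pool[i].marks, s->seen.marks, CELLS) != 0) bad++;
  }
  return bad;
}
```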
Comment 8 (Assignee) • 5 years ago

Comment 10 (bugherder) • 5 years ago

Comment 11 • 5 years ago
Should we land a test for this?
Comment 12 (Assignee) • 5 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #11)
I'd like to have a test for this, but I couldn't get the testcase to reproduce at all so it's unlikely it would do much good landing it.
Comment 13 (Assignee) • 5 years ago

Comment 14 • 5 years ago

Comment 15 • 5 years ago
Backout merged: https://hg.mozilla.org/mozilla-central/rev/33932b670a10
Comment 16 (Assignee) • 5 years ago
This was backed out because the change that caused it (bug 1424934) was also backed out.