Bug 164880 - ASan detects container-overflow in HeapUtil::findGCObjectPointersForMarking
Summary: ASan detects container-overflow in HeapUtil::findGCObjectPointersForMarking
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-11-17 11:34 PST by Alexey Proskuryakov
Modified: 2017-01-18 14:20 PST
CC List: 3 users

See Also:

Description Alexey Proskuryakov 2016-11-17 11:34:59 PST
Seen on bots. False positive?

Application Specific Information:
=================================================================
==41956==ERROR: AddressSanitizer: container-overflow on address 0x60c0003d0ad8 at pc 0x00011254bb2f bp 0x7000003a4930 sp 0x7000003a4928
READ of size 8 at 0x60c0003d0ad8 thread T1579
    #0 0x11254bb2e in void JSC::HeapUtil::findGCObjectPointersForMarking<void JSC::ConservativeRoots::genericAddPointer<JSC::CompositeMarkHook>(void*, unsigned int, JSC::TinyBloomFilter, JSC::CompositeMarkHook&)::'lambda'(void*)>(JSC::Heap&, unsigned int, JSC::TinyBloomFilter, void*, JSC::CompositeMarkHook const&) (JavaScriptCore+0x228b2e)
    #1 0x11254b3d8 in void JSC::ConservativeRoots::genericAddPointer<JSC::CompositeMarkHook>(void*, unsigned int, JSC::TinyBloomFilter, JSC::CompositeMarkHook&) (JavaScriptCore+0x2283d8)
    #2 0x112549b17 in void JSC::ConservativeRoots::genericAddSpan<JSC::CompositeMarkHook>(void*, void*, JSC::CompositeMarkHook&) (JavaScriptCore+0x226b17)
    #3 0x1125499bd in JSC::ConservativeRoots::add(void*, void*, JSC::JITStubRoutineSet&, JSC::CodeBlockSet&) (JavaScriptCore+0x2269bd)
    #4 0x112e72334 in JSC::MachineThreads::gatherConservativeRoots(JSC::ConservativeRoots&, JSC::JITStubRoutineSet&, JSC::CodeBlockSet&) (JavaScriptCore+0xb4f334)
    #5 0x11297da70 in JSC::Heap::markToFixpoint(double) (JavaScriptCore+0x65aa70)
    #6 0x1129836a2 in JSC::Heap::collectInThread() (JavaScriptCore+0x6606a2)
    #7 0x112989ce8 in JSC::Heap::Thread::work() (JavaScriptCore+0x666ce8)
    #8 0x113304785 in WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const (JavaScriptCore+0xfe1785)
    #9 0x113313b7d in WTF::threadEntryPoint(void*) (JavaScriptCore+0xff0b7d)
    #10 0x11331425d in WTF::wtfThreadEntryPoint(void*) (JavaScriptCore+0xff125d)
    #11 0x10eea799c in _pthread_body (libsystem_pthread.dylib+0x399c)
    #12 0x10eea7919 in _pthread_start (libsystem_pthread.dylib+0x3919)
    #13 0x10eea5350 in thread_start (libsystem_pthread.dylib+0x1350)
 
0x60c0003d0ad8 is located 88 bytes inside of 128-byte region [0x60c0003d0a80,0x60c0003d0b00)
allocated by thread T0 here:
    #0 0x10c8860b0 in wrap_malloc (libclang_rt.asan_iossim_dynamic.dylib+0x490b0)
    #1 0x11332ae1e in bmalloc::Allocator::allocateSlowCase(unsigned long) (JavaScriptCore+0x1007e1e)
    #2 0x1132c7875 in bmalloc::Allocator::allocate(unsigned long) (JavaScriptCore+0xfa4875)
    #3 0x112eab160 in WTF::VectorBufferBase<JSC::LargeAllocation*>::allocateBuffer(unsigned long) (JavaScriptCore+0xb88160)
    #4 0x112eab0d3 in WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (JavaScriptCore+0xb880d3)
    #5 0x112eab033 in WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, JSC::LargeAllocation**) (JavaScriptCore+0xb88033)
    #6 0x112eaaf21 in void WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::appendSlowCase<JSC::LargeAllocation*&>(JSC::LargeAllocation*&&&) (JavaScriptCore+0xb87f21)
    #7 0x112ea3a44 in JSC::MarkedSpace::tryAllocateLarge(JSC::MarkedSpace::Subspace&, JSC::GCDeferralContext*, unsigned long) (JavaScriptCore+0xb80a44)
    #8 0x112ea3598 in JSC::MarkedSpace::allocateLarge(JSC::MarkedSpace::Subspace&, JSC::GCDeferralContext*, unsigned long) (JavaScriptCore+0xb80598)
    #9 0x11234e42a in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSCell*, unsigned long, unsigned long, bool, unsigned long) (JavaScriptCore+0x2b42a)
    #10 0x112cb53ae in JSC::Butterfly::createOrGrowPropertyStorage(JSC::Butterfly*, JSC::VM&, JSC::JSCell*, JSC::Structure*, unsigned long, unsigned long) (JavaScriptCore+0x9923ae)
    #11 0x112379209 in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int)::operator()(JSC::GCSafeConcurrentJSLocker const&, int) const (JavaScriptCore+0x56209)
    #12 0x112379099 in int JSC::Structure::add<bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int)>(JSC::VM&, JSC::PropertyName, unsigned int, bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int) const&) (JavaScriptCore+0x56099)
    #13 0x112377ca3 in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (JavaScriptCore+0x54ca3)
    #14 0x112caa690 in JSC::JSObject::putDirectCustomAccessor(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) (JavaScriptCore+0x987690)
    #15 0x112cb0b9d in JSC::reifyStaticProperty(JSC::VM&, JSC::PropertyName const&, JSC::HashTableValue const&, JSC::JSObject&) (JavaScriptCore+0x98db9d)
    #16 0x112cac884 in JSC::JSObject::reifyAllStaticProperties(JSC::ExecState*) (JavaScriptCore+0x989884)
    #17 0x112c9d8cd in JSC::JSObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (JavaScriptCore+0x97a8cd)
    #18 0x112cf5bc3 in JSC::JSSymbolTableObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (JavaScriptCore+0x9d2bc3)
    #19 0x115f7f031 in WebCore::JSDOMWindow::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (WebCore+0x1313031)
    #20 0x112e5141f in llint_slow_path_del_by_id (JavaScriptCore+0xb2e41f)
    #21 0x112e6d03b in llint_entry (JavaScriptCore+0xb4a03b)
    #22 0x112e673ea in vmEntryToJavaScript (JavaScriptCore+0xb443ea)
    #23 0x112b26c6d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (JavaScriptCore+0x803c6d)
    #24 0x112a9dadc in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (JavaScriptCore+0x77aadc)
    #25 0x112546e46 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore+0x223e46)
    #26 0x11254704e in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore+0x22404e)
    #27 0x1170811b3 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (WebCore+0x24151b3)
    #28 0x117080e54 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (WebCore+0x2414e54)
    #29 0x117093d0d in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (WebCore+0x2427d0d)
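The report above is an ASan container-overflow: the faulting READ lands 88 bytes into a 128-byte buffer that the allocation stack shows belongs to a WTF::Vector<LargeAllocation*>. ASan only emits this error class for containers annotated with __sanitizer_annotate_contiguous_container (libc++'s std::vector is the common case), and it means the access hit a slot in [size, capacity): memory the container owns but does not currently consider live. Two things a practitioner should know when triaging one: such reports can be false positives when some code that touches the container was built without ASan (it moves size without updating the annotation), but when all code is instrumented they are real reads of stale or uninitialized slots. The block below is an added illustration, not WebKit code and not part of this bug report; it does not claim to be the cause of this bug. PtrVector, FakeLargeAllocation, probeBuggy, probeFixed and runScenario are invented names. It shows a minimal annotated pointer vector, a scan that walks the buffer to capacity instead of size (the shape of read ASan flags), and how such a scan can resurface a pointer that was already retired from the container.

```cpp
// Added illustration of the ASan "container-overflow" error class.
// Not WebKit code; names are hypothetical. Build normally to see the
// stale-slot behaviour; build with -fsanitize=address to see ASan abort in
// probeBuggy() with a container-overflow report.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__)
#include <sanitizer/common_interface_defs.h>
// Tell ASan which part of [beg, end) holds live elements: the old live
// prefix ended at oldMid, the new one ends at newMid.
#define ANNOTATE_TAIL(beg, end, oldMid, newMid) \
    __sanitizer_annotate_contiguous_container(beg, end, oldMid, newMid)
#else
#define ANNOTATE_TAIL(beg, end, oldMid, newMid) ((void)0)
#endif

struct FakeLargeAllocation { uintptr_t base; };  // stand-in for a GC large allocation record

// Fixed-capacity Vector<T*>-like container with ASan container annotations.
class PtrVector {
public:
    explicit PtrVector(size_t capacity)
        : m_buffer(static_cast<FakeLargeAllocation**>(
              std::calloc(capacity, sizeof(FakeLargeAllocation*))))
        , m_capacity(capacity), m_size(0)
    {
        // Nothing is live yet: poison the whole buffer.
        ANNOTATE_TAIL(m_buffer, m_buffer + m_capacity, m_buffer + m_capacity, m_buffer);
    }
    ~PtrVector() {
        ANNOTATE_TAIL(m_buffer, m_buffer + m_capacity, m_buffer + m_size, m_buffer + m_capacity);
        std::free(m_buffer);
    }
    void append(FakeLargeAllocation* p) {
        if (m_size == m_capacity) std::abort();   // behaves like CrashOnOverflow
        ANNOTATE_TAIL(m_buffer, m_buffer + m_capacity, m_buffer + m_size, m_buffer + m_size + 1);
        m_buffer[m_size++] = p;
    }
    void removeLast() {
        // The slot keeps its old pointer value; only the live/poisoned boundary moves.
        ANNOTATE_TAIL(m_buffer, m_buffer + m_capacity, m_buffer + m_size, m_buffer + m_size - 1);
        --m_size;
    }
    size_t size() const { return m_size; }
    size_t capacity() const { return m_capacity; }
    FakeLargeAllocation** data() { return m_buffer; }
private:
    FakeLargeAllocation** m_buffer;
    size_t m_capacity;
    size_t m_size;
};

// Conservative-root style probe: is `candidate` the base of a recorded allocation?
// BUG: iterates to capacity(), so it reads the poisoned tail. Under ASan this is
// exactly the read reported as container-overflow.
bool probeBuggy(PtrVector& v, uintptr_t candidate) {
    for (size_t i = 0; i < v.capacity(); ++i)
        if (v.data()[i] && v.data()[i]->base == candidate) return true;
    return false;
}

// Correct probe: only the live prefix [0, size()) is consulted.
bool probeFixed(PtrVector& v, uintptr_t candidate) {
    for (size_t i = 0; i < v.size(); ++i)
        if (v.data()[i]->base == candidate) return true;
    return false;
}

// Constructed scenario: record two allocations, retire the second, probe for both.
struct ProbeResult { bool fixedFindsLive; bool fixedFindsRetired; bool buggyFindsRetired; };
ProbeResult runScenario() {
    static FakeLargeAllocation live{0x1000}, retired{0x2000};
    PtrVector v(4);
    v.append(&live);
    v.append(&retired);
    v.removeLast();                       // `retired` leaves the container; its slot is now poisoned
    return { probeFixed(v, 0x1000), probeFixed(v, 0x2000), probeBuggy(v, 0x2000) };
}

int main() {
    ProbeResult r = runScenario();
    std::printf("fixed finds live: %d, fixed finds retired: %d, buggy finds retired: %d\n",
                r.fixedFindsLive, r.fixedFindsRetired, r.buggyFindsRetired);
    return 0;
}
```

Without ASan the buggy probe silently reports the retired pointer as still recorded, which is the worst outcome for a GC root scan: a stale slot is treated as a live allocation. With ASan and every piece of code that touches the container instrumented, the same read is reported immediately, which is why a container-overflow in fully instrumented code is usually worth treating as real rather than as sanitizer noise.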
Comment 1 Alexey Proskuryakov 2016-11-17 15:14:49 PST
Filip says that this is likely a real bug.
Comment 2 Radar WebKit Bug Importer 2016-11-17 15:15:30 PST
<rdar://problem/29321179>
Comment 3 Alexey Proskuryakov 2017-01-18 14:20:46 PST
Hasn't happened since 2016-12-09.