[Webkit-unassigned] [Bug 130122] W32: Use-after-free in WTF threading code

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu May 8 08:19:39 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=130122

--- Comment #6 from LRN <lrn1986 at gmail.com>  2014-05-08 08:20:00 PST ---
Here's what is happening with free_list_:

Hardware watchpoint 2: WTF::threadheap_allocator.free_list_

Old value = {m_value = 0x0}
New value = {m_value = 0x7ef306a0}
WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::Delete (this=0xcc7978 <WTF::threadheap_allocator>, p=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:1134
1134        inuse_--;
(gdb) l
1129
1130      void Delete(T* p) {
1131        HardenedSLL new_head = HardenedSLL::create(p);
1132        SLL_SetNext(new_head, free_list_, entropy_);
1133        free_list_ = new_head;
1134        inuse_--;
1135      }
1136
1137      int inuse() const { return inuse_; }
1138
(gdb) bt
#0  WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::Delete (this=0xcc7978 <WTF::threadheap_allocator>, p=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:1134
#1  0x00a41aaa in WTF::TCMalloc_ThreadCache::DeleteCache (heap=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3649
#2  0x00a41a01 in WTF::TCMalloc_ThreadCache::DestroyThreadCache (ptr=0x7ef306a0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3634
#3  0x00b8be39 in WTF::PlatformThreadSpecificKey::callDestructor (this=0x199df008) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadSpecificWin.cpp:70
#4  0x00a47d2c in WTF::ThreadSpecificThreadExit () at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadSpecificWin.cpp:133
#5  0x00a480d1 in WTF::wtfThreadEntryPoint (param=0x7ee3e0f0) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadingWin.cpp:222
#6  0x774e1287 in msvcrt!_itow_s () from C:\Windows\syswow64\msvcrt.dll
#7  0x774e1328 in msvcrt!_endthreadex () from C:\Windows\syswow64\msvcrt.dll
#8  0x7598338a in KERNEL32!BaseThreadInitThunk () from C:\Windows\syswow64\kernel32.dll
#9  0x77b89f72 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#10 0x77b89f45 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#11 0x00000000 in ?? ()

Then, at some later point, this happens:

(gdb) bt
#0  WTF::SLL_Next (t=..., entropy=2604373617) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:832
#1  0x00b7f7fc in WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::New (this=0xcc7978 <WTF::threadheap_allocator>) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:1108
#2  0x00b8451c in WTF::TCMalloc_ThreadCache::NewHeap (tid=8280, entropy=2604373617) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3476
#3  0x00a4193f in WTF::TCMalloc_ThreadCache::CreateCacheIfNecessary () at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3588
#4  0x00b84719 in WTF::TCMalloc_ThreadCache::GetCache () at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3506
#5  0x00a42180 in WTF::do_malloc<true> (size=55) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:4041
#6  0x00b5a0bd in WTF::fastMalloc<true> (size=55) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:4281
#7  0x00a41e66 in WTF::fastMalloc (size=55) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:4244
#8  0x00a52ea4 in WTF::CStringBuffer::createUninitialized (length=46) at ../webkitgtk-2.2.6/Source/WTF/wtf/text/CString.cpp:42
#9  0x00a52f83 in WTF::CString::init (this=0x1a4efe8c, str=0x1a4ef9f4 "C:\\Users\\LRN\\AppData\\Local\\webkit\\icondatabase?u", length=46) at ../webkitgtk-2.2.6/Source/WTF/wtf/text/CString.cpp:68
#10 0x00a52f60 in WTF::CString::CString (this=0x1a4efe8c, str=0x1a4ef9f4 "C:\\Users\\LRN\\AppData\\Local\\webkit\\icondatabase?u", length=46) at ../webkitgtk-2.2.6/Source/WTF/wtf/text/CString.cpp:61
#11 0x00a59397 in WTF::StringImpl::utf8ForRange (this=0x7ee3f2d0, offset=0, length=46, mode=WTF::LenientConversion) at ../webkitgtk-2.2.6/Source/WTF/wtf/text/StringImpl.cpp:2069
#12 0x00a593e8 in WTF::StringImpl::utf8 (this=0x7ee3f2d0, mode=WTF::LenientConversion) at ../webkitgtk-2.2.6/Source/WTF/wtf/text/StringImpl.cpp:2074
#13 0x00a5c3f3 in WTF::String::utf8 (this=0x7ee3dc18, mode=WTF::LenientConversion) at ../webkitgtk-2.2.6/Source/WTF/wtf/text/WTFString.cpp:800
#14 0x68cd3a0c in fileSystemRepresentation () at ../webkitgtk-2.2.6/Source/WebCore/platform/gtk/FileSystemGtk.cpp:59
#15 makeAllDirectories () at ../webkitgtk-2.2.6/Source/WebCore/platform/gtk/FileSystemGtk.cpp:173
#16 0x6913db9e in iconDatabaseSyncThread () at ../webkitgtk-2.2.6/Source/WebCore/loader/icon/IconDatabase.cpp:996
#17 0x00a47db1 in WTF::threadEntryPoint (contextData=0x7ee412a8) at ../webkitgtk-2.2.6/Source/WTF/wtf/Threading.cpp:69
#18 0x00a480cc in WTF::wtfThreadEntryPoint (param=0x7ee3e6c8) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadingWin.cpp:218
#19 0x774e1287 in msvcrt!_itow_s () from C:\Windows\syswow64\msvcrt.dll
#20 0x774e1328 in msvcrt!_endthreadex () from C:\Windows\syswow64\msvcrt.dll
#21 0x7598338a in KERNEL32!BaseThreadInitThunk () from C:\Windows\syswow64\kernel32.dll
#22 0x77b89f72 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#23 0x77b89f45 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#24 0x00000000 in ?? ()
(gdb) p t
$74 = {m_value = 0x7ef306a0}
(gdb) s
WTF::HardenedSLL::value (this=0x1a4ef7c0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:788
788         ALWAYS_INLINE void* value() const { return m_value; }
(gdb) s
WTF::SLL_Next (t=..., entropy=2604373617) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:833
833         return HardenedSLL::create(XOR_MASK_PTR_WITH_KEY(tValueNext, t.value(), entropy));
(gdb) s
WTF::HardenedSLL::value (this=0x1a4ef7c0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:788
788         ALWAYS_INLINE void* value() const { return m_value; }
(gdb) s
WTF::HardenedSLL::value (this=0x1a4ef7c0) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:788
788         ALWAYS_INLINE void* value() const { return m_value; }
(gdb) s
WTF::HardenedSLL::create (value=0x18) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:776
776             result.m_value = value;
(gdb) p result
$75 = {m_value = 0x1a4ef7c0}
(gdb) n
777             return result;
(gdb) p result
$76 = {m_value = 0x18}

which leads to

Hardware watchpoint 2: WTF::threadheap_allocator.free_list_

Old value = {m_value = 0x7ef306a0}
New value = {m_value = 0x18}
0x00b7f7ff in WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::New (this=0xcc7978 <WTF::threadheap_allocator>) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:1108
1108          free_list_ = SLL_Next(free_list_, entropy_);


And then this

(gdb) bt
#0  WTF::SLL_Next (t=..., entropy=2604373617) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:832
#1  0x00b7f7fc in WTF::PageHeapAllocator<WTF::TCMalloc_ThreadCache>::New (this=0xcc7978 <WTF::threadheap_allocator>) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:1108
#2  0x00b8451c in WTF::TCMalloc_ThreadCache::NewHeap (tid=5288, entropy=2604373617) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3476
#3  0x00a4193f in WTF::TCMalloc_ThreadCache::CreateCacheIfNecessary () at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3588
#4  0x00b84719 in WTF::TCMalloc_ThreadCache::GetCache () at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:3506
#5  0x00a42180 in WTF::do_malloc<true> (size=1) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:4041
#6  0x00b5a0bd in WTF::fastMalloc<true> (size=1) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:4281
#7  0x00a41e66 in WTF::fastMalloc (size=1) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:4244
#8  0x00a3f7d6 in WTF::fastZeroedMalloc (n=1) at ../webkitgtk-2.2.6/Source/WTF/wtf/FastMalloc.cpp:212
#9  0x00b6e1ec in WTF::ThreadSpecific<bool>::operator bool* (this=0x199df260) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadSpecific.h:261
#10 0x00b6e237 in WTF::ThreadSpecific<bool>::operator* (this=0x199df260) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadSpecific.h:277
#11 0x00a43afa in WTF::registerGCThread () at ../webkitgtk-2.2.6/Source/WTF/wtf/MainThread.cpp:273
#12 0x0099eff4 in JSC::GCThread::gcThreadMain (this=0x1ac30168) at ../webkitgtk-2.2.6/Source/JavaScriptCore/heap/GCThread.cpp:90
#13 0x0099f0ee in JSC::GCThread::gcThreadStartFunc (data=0x1ac30168) at ../webkitgtk-2.2.6/Source/JavaScriptCore/heap/GCThread.cpp:135
#14 0x00a47db1 in WTF::threadEntryPoint (contextData=0x7ee41e10) at ../webkitgtk-2.2.6/Source/WTF/wtf/Threading.cpp:69
#15 0x00a480cc in WTF::wtfThreadEntryPoint (param=0x7ee3e6b8) at ../webkitgtk-2.2.6/Source/WTF/wtf/ThreadingWin.cpp:218
#16 0x774e1287 in msvcrt!_itow_s () from C:\Windows\syswow64\msvcrt.dll
#17 0x774e1328 in msvcrt!_endthreadex () from C:\Windows\syswow64\msvcrt.dll
#18 0x7598338a in KERNEL32!BaseThreadInitThunk () from C:\Windows\syswow64\kernel32.dll
#19 0x77b89f72 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#20 0x77b89f45 in ntdll!RtlInitializeExceptionChain () from C:\Windows\system32\ntdll.dll
#21 0x00000000 in ?? ()

crashes when it tries to dereference 0x18
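To make the mechanism in the traces above concrete, here is an added C model (not WebKit's code) of the XOR-masked free list behind PageHeapAllocator: Delete() pushes a node and hides the old head in its first word, New() pops it and decodes that word with SLL_Next, so any write into a node that is still on the free list is decoded as the next head and dereferenced on the following allocation. The slot arena, the entropy value and the plausible_node check are assumptions of the example, not part of the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model of WTF's hardened free list: next pointer in the node's first word,
 * XORed with the node's own address and a per-allocator entropy key. */
typedef struct { void *m_value; } HardenedSLL;
#define XOR_MASK_PTR_WITH_KEY(p, k1, k2) \
    ((void *)((uintptr_t)(p) ^ (uintptr_t)(k1) ^ (uintptr_t)(k2)))
static HardenedSLL sll_next(HardenedSLL t, uintptr_t entropy) {
    void *stored = *(void **)t.m_value;
    HardenedSLL r = { XOR_MASK_PTR_WITH_KEY(stored, t.m_value, entropy) };
    return r;
}
static void sll_set_next(HardenedSLL t, HardenedSLL n, uintptr_t entropy) {
    *(void **)t.m_value = XOR_MASK_PTR_WITH_KEY(n.m_value, t.m_value, entropy);
}
typedef struct { HardenedSLL free_list_; uintptr_t entropy_; int corrupted; } Allocator;
#define SLOT 64   /* fixed-size slots stand in for the allocator's pages */
static void *slots[4 * SLOT / sizeof(void *)];
static unsigned char *const arena = (unsigned char *)slots;
/* Assumed check (not from the page): a decoded next must be NULL or a
 * slot-aligned address inside our own backing store. */
static int plausible_node(const void *p) {
    uintptr_t lo = (uintptr_t)arena, q = (uintptr_t)p;
    return p == NULL || (q >= lo && q < lo + sizeof slots && (q - lo) % SLOT == 0);
}
static void pha_delete(Allocator *a, void *p) {        /* mirrors Delete() */
    HardenedSLL new_head = { p };
    sll_set_next(new_head, a->free_list_, a->entropy_);
    a->free_list_ = new_head;
}
/* Mirrors New(); hardened != 0 validates the decoded next before it replaces free_list_. */
static void *pha_new(Allocator *a, int hardened) {
    void *result = a->free_list_.m_value;
    if (!result) return NULL;
    HardenedSLL next = sll_next(a->free_list_, a->entropy_);
    if (hardened && !plausible_node(next.m_value)) { a->corrupted = 1; return NULL; }
    a->free_list_ = next;
    return result;
}
/* Shape of the report: DeleteCache() pushes a cache onto the free list, a stale
 * write hits it, then NewHeap() pops it and installs the decoded garbage as head. */
static uintptr_t stale_write_then_pop(Allocator *a, int hardened) {
    memset(a, 0, sizeof *a); a->entropy_ = 0x9b3c5d71u;   /* constructed key */
    pha_delete(a, arena);
    pha_delete(a, arena + SLOT);
    *(void **)(arena + SLOT) = (void *)0x18;    /* the use-after-free write */
    pha_new(a, hardened);
    return (uintptr_t)a->free_list_.m_value;
}
```

Without the check the allocator's head becomes an address that lies nowhere in its backing store, exactly the state the watchpoint shows before the crash; with it the pop fails loudly and free_list_ is left intact.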
