Closed Bug 634629 Opened 13 years ago Closed 13 years ago

Crash [@ js::Value::setInt32(int)]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+

People

(Reporter: bc, Assigned: dvander)

References

(
URL
)

Details

(Keywords: crash, reproducible, testcase, Whiteboard: [sg:dos][fixed-in-tracemonkey])

Crash Data

Attachments

(2 files)

testcase
48.29 KB, text/html
Details
fix
721 bytes, patch
luke
: review+
sayrer
: approval2.0+
Details | Diff | Splinter Review 
1. http://baixarodownload.com/category/acaoaventura/page/7
2. Crash Windows

ss since I don't like the write crash.

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_WRITE
Crash address: 0x2870000

Thread 0 (crashed)
 0  mozjs.dll!js::Value::setInt32(int) [jsvalue.h : 353 + 0x18]
    eip = 0x006a5f61   esp = 0x0012b71c   ebp = 0x0012b728   ebx = 0x00000001
    esi = 0x00000069   edi = 0x00000000   eax = 0x00000031   ecx = 0x02870000
    edx = 0x00000031   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::Interpret(JSContext *,JSStackFrame *,unsigned int,JSInterpMode) [jsinterp.cpp : 4909 + 0x24]
    eip = 0x00772e48   esp = 0x0012b730   ebp = 0x0012c9dc
    Found by: call frame info
 2  mozjs.dll!js::RunScript(JSContext *,JSScript *,JSStackFrame *) [jsinterp.cpp : 650 + 0x10]
    eip = 0x0075d13e   esp = 0x0012c9e4   ebp = 0x0012ca10
    Found by: call frame info
 3  mozjs.dll!js::Execute(JSContext *,JSObject *,JSScript *,JSStackFrame *,unsigned int,js::Value *) [jsinterp.cpp : 1011 + 0x15]
    eip = 0x0075edd0   esp = 0x0012ca18   ebp = 0x0012ca90
    Found by: call frame info
 4  mozjs.dll!EvaluateUCScriptForPrincipalsCommon(JSContext *,JSObject *,JSPrincipals *,unsigned short const *,unsigned int,char const *,unsigned int,jsval_layout *,JSVersion) [jsapi.cpp : 5055 + 0x21]
    eip = 0x006b3945   esp = 0x0012ca98   ebp = 0x0012cac0
    Found by: call frame info
 5  mozjs.dll!JS_EvaluateUCScriptForPrincipalsVersion [jsapi.cpp : 5071 + 0x2d]
    eip = 0x006b3a34   esp = 0x0012cac8   ebp = 0x0012cb08
    Found by: call frame info
We have a test case. Lets jump on this quickly before the page changes.
blocking2.0: --- → ?
Bob: can you get a minidump, since it's on Windows?

https://developer.mozilla.org/Capturing_a_minidump
blocking2.0: ? → ---
restoring gal's blocking-?, even though no rationale was given!
blocking2.0: --- → ?
(In reply to comment #3)
> Bob: can you get a minidump, since it's on Windows?
> 
> https://developer.mozilla.org/Capturing_a_minidump

yeah, but its a 130M.
Ok. I have a locally saved version that crashes at the same place. I'll start reducing it. Do we still need the dump?
Note also bug 606960
Attached file testcase 

    
  
Keywords: testcase-wantedtestcase

    
    

    
  
The ? is for investigation. Looking now.

    
    

    
  
I am not crashing with TM tip, 64-bit linux.

    
    

    
  
As far as I can tell this is an invalid pc, reading past the script code, so probably exploitable. I still can't reproduce. I vote blocking and put a JS guy on it to figure out whats up.

    
  
blocking2.0: ? → final+
Whiteboard: [hardblocker]

    
  
Assignee: general → dvander

    
  
Whiteboard: [hardblocker] → [sg:critical][hardblocker]

    
    

    
  
STR don't work for me on Linux x64, or Windows 7, both using m-c on the cset in the given crash link. Also doesn't crash on the latest tm nightly. I'll look into this ASAP if I can get a crash dump.

I'm unblocking this because:
 (1) I can't reproduce it.
 (2) comment #14 isn't the cause. It's an invalid read at a page boundary.
     This is almost definitely a case of not committing enough of the
     thread-local contiguous stack. We have lots of random JIT crashes on this
     already, we have no test cases for those, and we're not blocking on them.
 (3) Writes/reads beyond the committed pages, but within the reserved stack,
     will safely segfault. It's not clear whether the commit bounds check is
     wrong, or the actual stack limit bounds check is wrong. The latter would
     be sg:something, but getting this sort of thing to crash reliably is 
     difficult.
Whiteboard: [sg:critical][hardblocker] → [softblocker]

    
    

    
  
http://dl.dropbox.com/u/21344102/firefoxcrash.dmp

I can also get it in the debugger and answer any questions you may have.

    
    

    
  
There are no softblockers any more. If you are sure this is not a problem, lets unblock, otherwise its a hardblocker.

    
    

    
  
bc, can we meet you on irc and buddy debugging this?

    
    

    
  
(Why do we have "hardblocker" then?)

Thanks for the dump, bc, I'll take a look at this now.
blocking2.0: final+ → -
Whiteboard: [softblocker]

    
  
OS: Windows XP → All
Whiteboard: [sg:critical? see comment 15]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fixSplinter Review
      

    


  
Wow - awesome bug. I ended up being able to reproduce this in the shell thanks to bc's test case - it's indeed a safe crash, writing beyond the commit depth.

What makes this awesome is that it's a trivial typo to fix and will probably reduce our EnterMethodJIT crashes by 5-10%, since a large portion of those are crashes writing beyond the commit end.

        Attachment #512968 -
        Flags: review?(lw)

    
    

    
  
We don't really have to block on this, but the risk is so low and the benefit so high, we should just get it in.
blocking2.0: - → final+
OS: All → Windows 7
Hardware: x86 → All
Whiteboard: [sg:critical? see comment 15] → [sg:dos]

    
  

        Attachment #512968 -
        Flags: review?(lw) → review+

    
  

        Attachment #512968 -
        Flags: approval2.0+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/d0c8f25fe4f5
Whiteboard: [sg:dos] → [sg:dos][fixed-in-tracemonkey]
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::Value::setInt32(int)]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: