Closed
Bug 634629
Opened 13 years ago
Closed 13 years ago
Crash [@ js::Value::setInt32(int)]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | final+ |
People
(Reporter: bc, Assigned: dvander)
References
()
Details
(Keywords: crash, reproducible, testcase, Whiteboard: [sg:dos][fixed-in-tracemonkey])
Crash Data
Attachments
(2 files)
48.29 KB,
text/html
|
Details | |
721 bytes,
patch
|
luke
:
review+
sayrer
:
approval2.0+
|
Details | Diff | Splinter Review |
1. http://baixarodownload.com/category/acaoaventura/page/7 2. Crash Windows ss since I don't like the write crash. Operating system: Windows NT 5.1.2600 Service Pack 3 CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU Crash reason: EXCEPTION_ACCESS_VIOLATION_WRITE Crash address: 0x2870000 Thread 0 (crashed) 0 mozjs.dll!js::Value::setInt32(int) [jsvalue.h : 353 + 0x18] eip = 0x006a5f61 esp = 0x0012b71c ebp = 0x0012b728 ebx = 0x00000001 esi = 0x00000069 edi = 0x00000000 eax = 0x00000031 ecx = 0x02870000 edx = 0x00000031 efl = 0x00010202 Found by: given as instruction pointer in context 1 mozjs.dll!js::Interpret(JSContext *,JSStackFrame *,unsigned int,JSInterpMode) [jsinterp.cpp : 4909 + 0x24] eip = 0x00772e48 esp = 0x0012b730 ebp = 0x0012c9dc Found by: call frame info 2 mozjs.dll!js::RunScript(JSContext *,JSScript *,JSStackFrame *) [jsinterp.cpp : 650 + 0x10] eip = 0x0075d13e esp = 0x0012c9e4 ebp = 0x0012ca10 Found by: call frame info 3 mozjs.dll!js::Execute(JSContext *,JSObject *,JSScript *,JSStackFrame *,unsigned int,js::Value *) [jsinterp.cpp : 1011 + 0x15] eip = 0x0075edd0 esp = 0x0012ca18 ebp = 0x0012ca90 Found by: call frame info 4 mozjs.dll!EvaluateUCScriptForPrincipalsCommon(JSContext *,JSObject *,JSPrincipals *,unsigned short const *,unsigned int,char const *,unsigned int,jsval_layout *,JSVersion) [jsapi.cpp : 5055 + 0x21] eip = 0x006b3945 esp = 0x0012ca98 ebp = 0x0012cac0 Found by: call frame info 5 mozjs.dll!JS_EvaluateUCScriptForPrincipalsVersion [jsapi.cpp : 5071 + 0x2d] eip = 0x006b3a34 esp = 0x0012cac8 ebp = 0x0012cb08 Found by: call frame info
Reporter | ||
Comment 1•13 years ago
|
||
bp-1cc062fe-7f78-4456-be37-8ecfa2110216
Comment 2•13 years ago
|
||
We have a test case. Lets jump on this quickly before the page changes.
blocking2.0: --- → ?
Bob: can you get a minidump, since it's on Windows? https://developer.mozilla.org/Capturing_a_minidump
blocking2.0: ? → ---
restoring gal's blocking-?, even though no rationale was given!
blocking2.0: --- → ?
Reporter | ||
Comment 5•13 years ago
|
||
(In reply to comment #3) > Bob: can you get a minidump, since it's on Windows? > > https://developer.mozilla.org/Capturing_a_minidump yeah, but its a 130M.
zip and put it on dropbox?
Reporter | ||
Comment 7•13 years ago
|
||
Ok. I have a locally saved version that crashes at the same place. I'll start reducing it. Do we still need the dump?
Up to Andreas.
Reporter | ||
Comment 9•13 years ago
|
||
Note also bug 606960
Reporter | ||
Comment 10•13 years ago
|
||
Reporter | ||
Updated•13 years ago
|
Keywords: testcase-wanted → testcase
Comment 11•13 years ago
|
||
Exploitable?
Comment 12•13 years ago
|
||
The ? is for investigation. Looking now.
Comment 13•13 years ago
|
||
I am not crashing with TM tip, 64-bit linux.
Comment 14•13 years ago
|
||
As far as I can tell this is an invalid pc, reading past the script code, so probably exploitable. I still can't reproduce. I vote blocking and put a JS guy on it to figure out whats up.
Updated•13 years ago
|
blocking2.0: ? → final+
Whiteboard: [hardblocker]
Updated•13 years ago
|
Assignee: general → dvander
Updated•13 years ago
|
Whiteboard: [hardblocker] → [sg:critical][hardblocker]
Assignee | ||
Comment 15•13 years ago
|
||
STR don't work for me on Linux x64, or Windows 7, both using m-c on the cset in the given crash link. Also doesn't crash on the latest tm nightly. I'll look into this ASAP if I can get a crash dump. I'm unblocking this because: (1) I can't reproduce it. (2) comment #14 isn't the cause. It's an invalid read at a page boundary. This is almost definitely a case of not committing enough of the thread-local contiguous stack. We have lots of random JIT crashes on this already, we have no test cases for those, and we're not blocking on them. (3) Writes/reads beyond the committed pages, but within the reserved stack, will safely segfault. It's not clear whether the commit bounds check is wrong, or the actual stack limit bounds check is wrong. The latter would be sg:something, but getting this sort of thing to crash reliably is difficult.
Whiteboard: [sg:critical][hardblocker] → [softblocker]
Reporter | ||
Comment 16•13 years ago
|
||
http://dl.dropbox.com/u/21344102/firefoxcrash.dmp I can also get it in the debugger and answer any questions you may have.
Comment 17•13 years ago
|
||
There are no softblockers any more. If you are sure this is not a problem, lets unblock, otherwise its a hardblocker.
Comment 18•13 years ago
|
||
bc, can we meet you on irc and buddy debugging this?
Assignee | ||
Comment 19•13 years ago
|
||
(Why do we have "hardblocker" then?) Thanks for the dump, bc, I'll take a look at this now.
blocking2.0: final+ → -
Whiteboard: [softblocker]
Updated•13 years ago
|
OS: Windows XP → All
Whiteboard: [sg:critical? see comment 15]
Assignee | ||
Comment 20•13 years ago
|
||
Wow - awesome bug. I ended up being able to reproduce this in the shell thanks to bc's test case - it's indeed a safe crash, writing beyond the commit depth. What makes this awesome is that it's a trivial typo to fix and will probably reduce our EnterMethodJIT crashes by 5-10%, since a large portion of those are crashes writing beyond the commit end.
Attachment #512968 -
Flags: review?(lw)
Assignee | ||
Comment 21•13 years ago
|
||
We don't really have to block on this, but the risk is so low and the benefit so high, we should just get it in.
blocking2.0: - → final+
OS: All → Windows 7
Hardware: x86 → All
Whiteboard: [sg:critical? see comment 15] → [sg:dos]
Updated•13 years ago
|
Attachment #512968 -
Flags: review?(lw) → review+
Updated•13 years ago
|
Attachment #512968 -
Flags: approval2.0+
Assignee | ||
Comment 22•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/d0c8f25fe4f5
Whiteboard: [sg:dos] → [sg:dos][fixed-in-tracemonkey]
Assignee | ||
Updated•13 years ago
|
Status: NEW → ASSIGNED
Comment 23•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/d0c8f25fe4f5
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ js::Value::setInt32(int)]
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•