Closed
Bug 762197
Opened 12 years ago
Closed 12 years ago
crash in JSObject::getGeneric
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla16
Branch | Tracking | Status
---|---|---
firefox14 | --- | unaffected
firefox15 | --- | unaffected
firefox16 | + | fixed
firefox-esr10 | --- | unaffected
People
(Reporter: scoobidiver, Unassigned)
References
Details
(Keywords: crash, regression, sec-critical, Whiteboard: [js:inv:p1])
Crash Data
With combined signatures, it's #5 top crasher in today's build. It first appeared in 16.0a1/20120606. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a7a905fd70d5&tochange=6338a8988917

Signature: JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)
UUID: 6f6984e3-1ca2-4dec-9a85-c48932120606
Date Processed: 2012-06-06 18:45:30
Uptime: 156
Last Crash: more than 3 months before submission
Install Age: 19.1 minutes since version was first installed.
Install Time: 2012-06-06 18:25:56
Product: Firefox
Version: 16.0a1
Build ID: 20120606030528
Release Channel: nightly
OS: Windows NT
OS Version: 6.1.7601 Service Pack 1
Build Architecture: x86
Build Architecture Info: GenuineIntel family 6 model 37 stepping 5
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x69727453
App Notes: AdapterVendorID: 0x8086, AdapterDeviceID: 0x0046, AdapterSubsysID: 043f1028, AdapterDriverVersion: 8.15.10.2622 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+
EMCheckCompatibility: True
Total Virtual Memory: 2147352576
Available Virtual Memory: 1530040320
System Memory Use Percentage: 40
Available Page File: 4256292864
Available Physical Memory: 1836113920

Frame | Module | Signature | Source
---|---|---|---
0 | | @0x69727453 |
1 | mozjs.dll | JSObject::getGeneric | js/src/jsobjinlines.h:177
2 | mozjs.dll | JSObject::getProperty | js/src/jsobjinlines.h:183
3 | mozjs.dll | js::Interpret | js/src/jsinterp.cpp:1489
4 | mozjs.dll | js::types::TypeSet::addType | js/src/jsinferinlines.h:1116
5 | mozjs.dll | js::types::TypeScript::SetThis | js/src/jsinferinlines.h:690
6 | mozjs.dll | js::Execute | js/src/jsinterp.cpp:493

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetGeneric%28JSContext*%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AValue*%29
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetGeneric%28JSContext*%2C+JS%3A%3AHandle%3CJSObject*%3E%2C+JS%3A%3AHandle%3Cint%3E%2C+JS%3A%3AValue*%29
https://crash-stats.mozilla.com/report/list?signature=JSObject%3A%3AgetProperty%28JSContext*%2C+js%3A%3APropertyName*%2C+JS%3A%3AValue*%29
Comment 1•12 years ago
This shows as highly exploitable on Windows in crash automation. I'll see about reproducing.

Debug pseudo-stack:
JSObject::getGeneric(JSContext*, JS::Handle<jsid>, JS::Value*)
JSObject::getProperty(JSContext*, js::PropertyName*, JS::Value*)
js::GetObjectElementOperation
js::GetElementOperation
js::Interpret(JSContext*, js::StackFrame*, js::InterpMode)
Group: core-security
Keywords: sec-critical
Comment 2•12 years ago
The URL is: http://www.google.com.vn/imgres?q=TravelMate%2B4750&hl=vi&biw=1366&bih=567&tbm=isch&tbnid=crk98WCtEsQ8IM:&imgrefurl=http://www.dienmay.com/laptop/acer-travelmate-4750-2332g50-%28039%29&docid=RyoM3kcMDg0D9M&imgurl=http://cdn.thegioididong.com/Products/Images/44/
I haven't been able to reproduce locally however.

Note that Mac has a different stack/assertion:
Assertion failure: (ptrBits & 0x7) == 0
JSVAL_TO_OBJECT_IMPL
JS::Value::toObject
js::CompartmentChecker::check
js::assertSameCompartment<JS::Value>
js::Interpret

Windows XP once gave the following stack:
js::EncapsulatedPtr<js::types::TypeObject, unsigned int>::operator->()
js::ObjectImpl::hasSingletonType()
js::types::Type::ObjectType(JSObject*)
js::types::GetValueType(JSContext*, JS::Value const&)
js::types::TypeMonitorResult(JSContext*, JSScript*, unsigned char*, JS::Value const&)

Note the crash reason for the exploitable Windows crashes was EXCEPTION_ACCESS_VIOLATION_EXEC.
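Comment 1 rates this crash as highly exploitable in crash automation, and comment 2 adds the EXEC crash reason and the Mac assertion that an object pointer must be 8-byte aligned. The script below is an added example written for this page, not Mozilla's crash automation, showing the kind of heuristics such triage applies to the crash-stats fields quoted in the description. The sample records are constructed: the first uses the crash address and bare top frame from the description, the second reuses that signature with the EXEC reason from comment 2 and an assumed address (0x0c0c0c0c is not from the bug), and the third is a made-up near-null read for contrast. The score thresholds are assumptions. One fact worth noticing, which the bug itself does not point out, is that 0x69727453 read little-endian is the bytes 'Stri', the sort of signal that argues for content-controlled data being used as a pointer.

```python
"""Exploitability triage heuristics for crash-stats style reports (added example)."""
import re
from typing import List, Tuple

# Constructed sample records (not taken from crash-stats directly).
SAMPLE_REPORTS = [
    {"signature": "JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)",
     "reason": "EXCEPTION_ACCESS_VIOLATION_READ",
     "address": "0x69727453",                        # from the bug description
     "frames": ["@0x69727453", "mozjs.dll JSObject::getGeneric"]},
    {"signature": "JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)",
     "reason": "EXCEPTION_ACCESS_VIOLATION_EXEC",    # reason from comment 2
     "address": "0x0c0c0c0c",                        # assumed address, not from the bug
     "frames": ["@0x0c0c0c0c", "mozjs.dll js::Interpret"]},
    {"signature": "nsFoo::Bar",                      # made-up null-dereference control case
     "reason": "EXCEPTION_ACCESS_VIOLATION_READ",
     "address": "0x00000010",
     "frames": ["xul.dll nsFoo::Bar", "xul.dll nsFoo::Baz"]},
]

NULL_PAGE_LIMIT = 0x10000  # Windows reserves the first 64 KiB of user space; faults there are null derefs
POINTER_ALIGN = 8          # the alignment JSVAL_TO_OBJECT_IMPL asserts via (ptrBits & 0x7) == 0


def frame_has_no_module(frame: str) -> bool:
    """A top frame printed as a bare '@0x...' means the PC was outside every loaded module."""
    return re.fullmatch(r"@0x[0-9a-fA-F]+", frame.strip()) is not None


def looks_like_ascii(addr: int, width: int = 4) -> bool:
    """True when every byte of the address is printable ASCII: text (for example a
    string from web content) was interpreted as a pointer."""
    return all(0x20 <= b < 0x7f for b in addr.to_bytes(width, "little"))


def triage(report: dict) -> Tuple[str, List[str]]:
    """Return (rating, reasons). Ratings: 'null-deref', 'medium', 'high', 'critical'.
    Scores and thresholds are assumptions chosen for this example."""
    addr = int(report["address"], 16)
    reasons: List[str] = []
    score = 0
    if report["reason"].endswith("_EXEC"):
        reasons.append("instruction fetch faulted: control flow reached a non-executable address")
        score += 3
    if addr < NULL_PAGE_LIMIT:
        reasons.append("fault address in the null page")
        return "null-deref", reasons
    if report["frames"] and frame_has_no_module(report["frames"][0]):
        reasons.append("PC not inside any loaded module")
        score += 2
    if addr % POINTER_ALIGN:
        reasons.append("fault address is not 8-byte aligned, so it cannot be a valid GC object pointer")
        score += 1
    if looks_like_ascii(addr):
        reasons.append("address bytes are all printable ASCII (%r)" % addr.to_bytes(4, "little"))
        score += 1
    rating = "critical" if score >= 3 else "high" if score >= 2 else "medium"
    return rating, reasons


def triage_all(reports=SAMPLE_REPORTS) -> List[Tuple[str, List[str]]]:
    return [triage(r) for r in reports]


if __name__ == "__main__":
    for report, (rating, why) in zip(SAMPLE_REPORTS, triage_all()):
        print(report["signature"], report["address"], "->", rating)
        for line in why:
            print("   -", line)
```

The null-page check comes first so that a plain null dereference is never promoted by the alignment or ASCII heuristics; every other signal only adds to the score, which is the usual shape of these classifiers: they over-approximate, and a human still has to confirm the rating, as comment 1 does here.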
Updated•12 years ago
status-firefox-esr10:
--- → unaffected
status-firefox15:
--- → unaffected
status-firefox16:
--- → affected
Keywords: testcase-wanted
Whiteboard: js-triage-needed
Comment 3•12 years ago
I was able to repro the crash with one of the URLs (http://www.factorydirect.ca/), but I get a slightly different stack: https://crash-stats.mozilla.com/report/index/bp-8ca67003-fb21-4766-914e-b6ca12120607

I wasn't able to reproduce this crash, it is too random; I've tried to keep my attention on the Error Console without luck. Anyway, this crash happens for me on one very popular Polish IT forum, only during navigation between sub forums and Forum -> Portal page, never on Portal. The forum is based on phpBB with their own mods. Since I'm completely new to Bugzilla I will not post the link now; if someone needs it, please let me know in a comment.
Reporter
Updated•12 years ago
Crash Signature:
[@ JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)]
[@ JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, JS::Value*)]
[@ JSObject::getProperty(JSContext*, js::PropertyName*, JS::Value*)]
→
[@ JSObject::getGeneric(JSContext*, JS::Handle<int>, JS::Value*)]
[@ JSObject::getGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, JS::Value*)]
[@ JSObject::getProperty(JSContext*, js::PropertyName*, JS::Value*)]
[@ JSObject::getGeneric]
Reporter
Updated•12 years ago
OS: Windows 7 → All
This is odd, almost a whole day without a single crash, now I got 3 in 15 minutes, the last two at almost the same time:
https://crash-stats.mozilla.com/report/index/bp-4381c12e-b49a-4948-b881-f9d662120609
https://crash-stats.mozilla.com/report/index/bp-c0375f18-0388-49da-ba55-d42d32120609

Some steps to reproduce:
1. Go to this forum: http://forum.dobreprogramy.pl/
2. Navigate a bit on the site, sub forums etc.
3. At the top of the page you can find a header with "Forum Dobreprogramy".
4. "Dobreprogramy" leads to the Portal page; use it, 99% of the time the crash happens for me on this link.

This is very irregular: you can browse there for a few hours without a single crash and suddenly when you use this link the browser crashes. Hope this can help a bit.
Updated•12 years ago
Whiteboard: js-triage-needed → [js:inv:p1]
Updated•12 years ago
status-firefox14:
--- → unaffected
Comment 7•12 years ago
Given the regression range, could this be bug 659577?
Comment 8•12 years ago
Yes, there was definitely a big spike in this crash caused by bug 659577. However, the fix landed a few days later and the crashes practically all went away. If I look at crash-stats now, this is #42 and dropping; there is only one crash after 20120608, so I think we can resolve fixed here?
Reporter
Comment 9•12 years ago
(In reply to Luke Wagner [:luke] from comment #8)
> If I look at crash-stats now, this is #42 and dropping; there is
> only one crash after 20120608, so I think we can resolve fixed here?

There are still crashes in 15.0a2 and 16.0a1 at a very low volume.
Keywords: topcrash
Comment 10•12 years ago
Can we make the bug public?
Updated•12 years ago
status-firefox17:
--- → affected
tracking-firefox17:
--- → +
Comment 11•12 years ago
OK news is this appears fixed on 16 via bug 659577! Thanks Naveed, Luke, and Brian for checking :)
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox17:
affected → ---
tracking-firefox17:
+ → ---
Resolution: --- → FIXED
Reporter
Updated•12 years ago
Target Milestone: --- → mozilla16
Updated•12 years ago
Group: core-security
Updated•11 years ago
Flags: in-testsuite-
Updated•9 years ago
Keywords: testcase-wanted