
Start-up crash in mozilla::detail::HashUntilZero<char>(char const*)

RESOLVED FIXED in mozilla33

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 3 years ago

People

(Reporter: cosmin, Unassigned)

Tracking

Keywords: crash, regression, sec-moderate
Version: 29 Branch
Target Milestone: mozilla33
Platform: x86
OS: Windows NT
Points: ---

Firefox Tracking Flags

(firefox30 unaffected, firefox31 unaffected, firefox32 unaffected, firefox33 unaffected, firefox-esr31 unaffected)

Details

(Whiteboard: [mozmill], crash signature, URL)

Description (Reporter, 3 years ago)

This bug was filed from the Socorro interface and is report bp-2ad1374d-11f5-41cb-a171-dc6b62140613.
=============================================================
Failed in mozmill testrun:
https://hg.mozilla.org/qa/mozmill-tests/file/a5bf6e119076/firefox/tests/endurance/testBookmarks_AddAndRemoveBookmarkViaAwesomeBar/test1.js

Host: mm-win-8-32-1
Branch: Nightly en-US
Comment 1 (Reporter, 3 years ago)

I ran the testrun with 250 iterations on host mm-win-8-32-1.scl3.qa.mozilla.com.
First only with the test it crashed in, then with all the tests prior to the crash, but I couldn't reproduce it.
Low volume crash on x86 systems:

OS          Share     Count
Windows XP  50.00 %   11
Windows 7   40.91 %   9
Windows 8   9.09 %    2

Crash Reason 	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 	0x5a5a5a5a

First 10 stack frames:

0 	mozjs.dll 	mozilla::detail::HashUntilZero<char>(char const *) 	obj-firefox/dist/include/mozilla/HashFunctions.h
1 	mozjs.dll 	js::detail::HashTable<js::HashMapEntry<char const *,JS::ScriptSourceInfo>,js::HashMap<char const *,JS::ScriptSourceInfo,js::CStringHashPolicy,js::SystemAllocPolicy>::MapHashPolicy,js::SystemAllocPolicy>::prepareHash(char const * const &) 	obj-firefox/dist/include/js/HashTable.h
2 	mozjs.dll 	js::detail::HashTable<js::HashMapEntry<char const *,JS::ClassInfo>,js::HashMap<char const *,JS::ClassInfo,js::CStringHashPolicy,js::SystemAllocPolicy>::MapHashPolicy,js::SystemAllocPolicy>::lookupForAdd(char const * const &) 	obj-firefox/dist/include/js/HashTable.h
3 	mozjs.dll 	js::HashMap<char const *,JS::ClassInfo,js::CStringHashPolicy,js::SystemAllocPolicy>::lookupForAdd(char const * const &) 	obj-firefox/dist/include/js/HashTable.h
4 	mozjs.dll 	AddClassInfo 	js/src/vm/MemoryMetrics.cpp
5 	mozjs.dll 	StatsCellCallback<0> 	js/src/vm/MemoryMetrics.cpp
6 	mozjs.dll 	IterateCompartmentsArenasCells 	js/src/gc/Iteration.cpp
7 	mozjs.dll 	js::IterateZonesCompartmentsArenasCells(JSRuntime *,void *,void (*)(JSRuntime *,void *,JS::Zone *),void (*)(JSRuntime *,void *,JSCompartment *),void (*)(JSRuntime *,void *,js::gc::Arena *,JSGCTraceKind,unsigned int),void (*)(JSRuntime *,void *,void *,JSGCTraceKind,unsigned int)) 	js/src/gc/Iteration.cpp
8 	mozjs.dll 	JS::CollectRuntimeStats(JSRuntime *,JS::RuntimeStats *,JS::ObjectPrivateVisitor *) 	js/src/vm/MemoryMetrics.cpp
9 	xul.dll 	xpc::JSReporter::CollectReports(nsDataHashtable<nsUint64HashKey,nsCString> *,nsDataHashtable<nsUint64HashKey,nsCString> *,nsIMemoryReporterCallback *,nsISupports *) 	js/xpconnect/src/XPCJSRuntime.cpp
10 	xul.dll 	nsWindowMemoryReporter::CollectReports(nsIMemoryReporterCallback *,nsISupports *) 	dom/base/nsWindowMemoryReporter.cpp

Looks like we access bad memory here. So smells like a security bug.
Group: core-security
status-firefox30: --- → affected
status-firefox31: --- → affected
status-firefox32: --- → affected
status-firefox33: --- → affected
Component: Bookmarks & History → JavaScript Engine
Product: Firefox → Core
Version: 33 Branch → 29 Branch
Whiteboard: [mozmill]
All crash reports show an uptime of 0s or at most 37s, so it looks like a start-up crash.
Summary: crash in mozilla::detail::HashUntilZero<char>(char const*) → Start-up crash in mozilla::detail::HashUntilZero<char>(char const*)
Looks like a use-after-free in memory reporter code.
Keywords: sec-moderate
This was caused by the patch from bug 1023719 which has subsequently been backed out. The s-s flag can be removed.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
Duplicate of this bug: 1024996
Blocks: 1023719
Group: core-security
Keywords: regression
Resolution: WORKSFORME → FIXED
Target Milestone: --- → mozilla33
status-firefox30: affected → unaffected
status-firefox31: affected → unaffected
status-firefox32: affected → unaffected
status-firefox33: affected → unaffected
status-firefox-esr31: --- → unaffected
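The triage reasoning in this bug (an access-violation read at 0x5a5a5a5a inside a C-string hashing routine, read as "bad memory, probably a use-after-free") rests on recognising an allocator fill pattern. The helper below is an added example, not code from the bug page or from Mozilla: it parses the crash reason, address and frames in the Socorro layout quoted above (the sample text is constructed from this report) and classifies the fault address. The assumed fact it encodes is jemalloc's documented junk filling, 0x5a for freed memory and 0xa5 for fresh allocations; the near-null threshold and the function names are choices made here, not anything from the page.

```python
"""Crash-address triage helper (added example; not from the bug page or Mozilla's code).

Assumed allocator facts: with junk filling enabled, jemalloc (Firefox's allocator)
fills freed memory with 0x5a bytes and uninitialized allocations with 0xa5 bytes.
A fault address made of repeated 0x5a bytes therefore usually means a pointer was
loaded out of an already-freed block, i.e. a lifetime bug (use-after-free), which
is a different class from a plain null-pointer dereference.
"""

# Documented jemalloc junk-fill bytes and what a fault address built from them suggests.
FILL_PATTERNS = {
    0x5A: "jemalloc junk fill for freed memory: pointer read from a freed block",
    0xA5: "jemalloc junk fill for fresh allocation: uninitialized pointer",
}

# Heuristic (an assumption of this example): faults this close to 0 are null derefs.
NEAR_NULL_LIMIT = 0x10000

# Constructed sample in Socorro's tab-separated layout, copied from the report above.
SAMPLE_REPORT_TEXT = """\
Crash Reason \tEXCEPTION_ACCESS_VIOLATION_READ
Crash Address \t0x5a5a5a5a
0 \tmozjs.dll \tmozilla::detail::HashUntilZero<char>(char const *) \tobj-firefox/dist/include/mozilla/HashFunctions.h
4 \tmozjs.dll \tAddClassInfo \tjs/src/vm/MemoryMetrics.cpp
5 \tmozjs.dll \tStatsCellCallback<0> \tjs/src/vm/MemoryMetrics.cpp
"""


def parse_report(text, pointer_width=4):
    """Pull reason, address and stack frames out of a Socorro-style text block."""
    report = {"reason": "", "address": None, "frames": [], "pointer_width": pointer_width}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if fields[0] == "Crash Reason" and len(fields) > 1:
            report["reason"] = fields[1]
        elif fields[0] == "Crash Address" and len(fields) > 1:
            report["address"] = int(fields[1], 16)
        elif fields[0].isdigit() and len(fields) >= 4:
            report["frames"].append({"module": fields[1], "function": fields[2], "file": fields[3]})
    return report


def repeated_byte(address, width=4):
    """Return the byte value if `address` is one byte repeated `width` times, else None."""
    parts = [(address >> (8 * i)) & 0xFF for i in range(width)]
    return parts[0] if all(p == parts[0] for p in parts) else None


def classify_address(address, width=4):
    """Map a fault address to a (category, explanation) pair."""
    if address < NEAR_NULL_LIMIT:
        return ("near-null", "small offset from NULL; likely a null-pointer dereference")
    fill = repeated_byte(address, width)
    if fill in FILL_PATTERNS:
        return ("poison", FILL_PATTERNS[fill])
    if fill is not None:
        return ("repeated-byte", "address is byte 0x%02x repeated; check other fill patterns" % fill)
    return ("other", "no known pattern; needs a debugger session to interpret")


def triage(report):
    """Combine reason, address and the top frame into a triage verdict."""
    category, why = classify_address(report["address"], report["pointer_width"])
    top = report["frames"][0]["function"] if report["frames"] else ""
    access_violation = report["reason"].startswith("EXCEPTION_ACCESS_VIOLATION")
    return {
        "category": category,
        "reason": why,
        "top_frame": top,
        # A read through a pointer recovered from freed memory is a lifetime bug and
        # is handled as security-sensitive until the owner of the freed object is known.
        "security_sensitive": access_violation and category == "poison",
    }


# Verdict for the constructed sample; x86 builds use 4-byte pointers.
SAMPLE_VERDICT = triage(parse_report(SAMPLE_REPORT_TEXT, pointer_width=4))

if __name__ == "__main__":
    for key, value in SAMPLE_VERDICT.items():
        print("%-20s %s" % (key, value))
```

On a 64-bit build pass `pointer_width=8`; a 32-bit pattern such as 0x5a5a5a5a then no longer matches, because a 64-bit pointer loaded from junk-filled memory would carry eight 0x5a bytes, so the width argument keeps the check honest across architectures.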