Closed Bug 1029299 Opened 10 years ago Closed 10 years ago

Stale pointer in JSObject::TradeGuts()

Categories

(Core :: JavaScript Engine, defect)

32 Branch
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla34
Tracking Status
firefox31 --- unaffected
firefox32 + fixed
firefox33 + fixed
firefox34 --- fixed
firefox-esr24 --- unaffected
firefox-esr31 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.3T --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.1 --- unaffected

People

(Reporter: loobenyang, Assigned: terrence)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [reporter-external])

Crash Data

Attachments

(12 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.84 Safari/537.36

Steps to reproduce:

Run the reproduction test case StalePointer_TradeGuts_Repro.html in the Firefox browser.

Firefox Version: 32.0a1 (2014-05-20)
Operating System: Windows 8, 64 bit


Actual results:

Firefox crashes in about 15 minutes by accessing an invalid pointer:

(3a5c.35ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for D:\OpenSrcCode\firefox-central\obj-i686-pc-mingw32\dist\bin\mozjs.dll
eax=20200000 ebx=1df28a80 ecx=1df28418 edx=1df28a98 esi=1df28400 edi=00000001
eip=6d1a74b5 esp=0022dc60 ebp=fe76bc2c iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210282
mozjs!JSObject::TradeGuts+0x165:
6d1a74b5 807d5500        cmp     byte ptr [ebp+55h],0       ss:002b:fe76bc81=??
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for D:\OpenSrcCode\firefox-central\obj-i686-pc-mingw32\dist\bin\xul.dll
*** WARNING: Unable to verify checksum for firefox.exe
*** WARNING: Unable to verify checksum for D:\OpenSrcCode\firefox-central\obj-i686-pc-mingw32\dist\bin\nss3.dll

FAULTING_IP: 
mozjs!JSObject::TradeGuts+165 [d:\opensrccode\firefox-central\js\src\jsobj.cpp @ 2296]
6d1a74b5 807d5500        cmp     byte ptr [ebp+55h],0

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 6d1a74b5 (mozjs!JSObject::TradeGuts+0x00000165)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: fe76bc81
Attempt to read from address fe76bc81

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=20200000 ebx=1df28a80 ecx=1df28418 edx=1df28a98 esi=1df28400 edi=00000001
eip=6d1a74b5 esp=0022dc60 ebp=fe76bc2c iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210282
mozjs!JSObject::TradeGuts+0x165:
6d1a74b5 807d5500        cmp     byte ptr [ebp+55h],0       ss:002b:fe76bc81=??

FAULTING_THREAD:  000035ac

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  fe76bc81

READ_ADDRESS:  fe76bc81 

FOLLOWUP_IP: 
mozjs!JSObject::TradeGuts+165 [d:\opensrccode\firefox-central\js\src\jsobj.cpp @ 2296]
6d1a74b5 807d5500        cmp     byte ptr [ebp+55h],0

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 6d1c97f4 to 6d1a74b5

STACK_TEXT:  
0022dd30 6d1c97f4 0c687698 1df28400 1df28a80 mozjs!JSObject::TradeGuts+0x165
0022ddbc 6d15ee2d 0c687698 0022ddf8 0022deac mozjs!JSObject::swap+0x144
0022de2c 1045ceb8 192bcb90 0022de90 0022deac mozjs!JS_TransplantObject+0xfd
0022de64 103822f7 0c687698 0022de90 0022deac xul!xpc::TransplantObject+0x33
0022df40 10648e63 0c687698 0022df90 0022e0c0 xul!mozilla::dom::ReparentWrapper+0x469
0022dfd4 105de272 14721bb8 00000000 00000001 xul!nsNodeUtils::CloneAndAdopt+0x394
0022e004 105de64c 14721bb8 20264148 0022e058 xul!nsNodeUtils::Adopt+0x23
0022e0a8 105de2e1 14721bb8 0022e0c0 1e49d2d0 xul!nsIDocument::AdoptNode+0x336
0022e0d0 1063197d 1ffb3b80 14721c00 14721bb8 xul!nsDocument::AdoptNode+0x47
0022e0fc 1063eb40 00000000 14721bb8 0022e360 xul!AdoptNodeIntoOwnerDoc+0x7c
0022e2e4 1064e6fd 00000000 14721bb8 00000000 xul!nsINode::ReplaceOrInsertBefore+0x632
0022e320 10652f6c 1ee3d598 00000000 0022e3a4 xul!nsRange::InsertNode+0x1be
0022e344 102d4f82 00000000 1c4d6840 00000000 xul!nsRange::SurroundContents+0x15f
0022e378 10380655 0c687698 0022e3bc 1e575a10 xul!mozilla::dom::RangeBinding::surroundContents+0xcd
0022e3bc 6d22cd10 0c687698 00000001 1e575a10 xul!mozilla::dom::GenericBindingMethod+0x124
0022e5cc 6d22a02c 0c687698 07018180 00000001 mozjs!js::Invoke+0xf0
0022eca4 6d2305fe 0c687698 0022ecec 0c687698 mozjs!Interpret+0x508c
0022ecc8 6d22cdec 0c687698 0022ecec 0022f028 mozjs!js::RunScript+0x15e
0022eed4 6d22cbce 0c687698 0022ef40 00000000 mozjs!js::Invoke+0x1cc
0022ef70 6d155131 0c687698 0022f0ac 0022efe4 mozjs!js::Invoke+0x1de
0022ef94 1020b164 0c687698 0022f0ac 0022efe4 mozjs!JS::Call+0x21
0022f068 1049aedd 0022f1bc 0c687698 0022f0ac xul!mozilla::dom::Function::Call+0x19f
0022f178 104acdee 0022f1bc 0022f1a8 1e336814 xul!mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >+0xea
0022f2a4 104acc0f 191ff538 0c628c88 0022f34c xul!nsGlobalWindow::RunTimeoutHandler+0xf4
0022f30c 104b50b5 191ff538 104b509d 0fcf83fb xul!nsGlobalWindow::RunTimeout+0x233
0022f318 0fcf83fb 18c73b80 191ff538 08965328 xul!nsGlobalWindow::TimerCallback+0x18
0022f358 0fcfa9d7 0fcf99e3 08965328 006aa410 xul!nsTimerImpl::Fire+0xd2
0022f35c 0fcf99e3 08965328 006aa410 006aa400 xul!nsTimerEvent::Run+0x14
0022f398 0fcc31e6 08965328 00000000 0022f3b7 xul!nsThread::ProcessNextEvent+0x1dd
0022f3ac 0fe696f8 012bcc10 00000000 002d9050 xul!NS_ProcessNextEvent+0x26
0022f3d8 0fe5cbda 002d9050 826539df 05b81ef8 xul!mozilla::ipc::MessagePump::Run+0x48
0022f410 0fe5c9d3 002bcc10 00000001 10e9ce00 xul!MessageLoop::RunHandler+0x54
0022f430 1040593c 05af5170 00000000 103e06c6 xul!MessageLoop::Run+0x19
0022f43c 103e06c6 05b81ef8 05af5170 6d3f4fa0 xul!nsBaseAppShell::Run+0x2a
0022f454 10b54a89 05b81ef8 0022f661 11027450 xul!nsAppShell::Run+0x75
0022f464 10b2d913 05af5170 71cf1408 0022f558 xul!nsAppStartup::Run+0x20
0022f53c 10b2c559 006a2b08 0022f6bc 00000001 xul!XREMain::XRE_mainRun+0x7fd
0022f558 10b2e0db 00000001 0068bae0 0022f6bc xul!XREMain::XRE_main+0x101
0022f668 01381854 00000001 0068bae0 0022f6bc xul!XRE_main+0x34
0022f7fc 01381494 00000001 0068bae0 006a29e8 firefox!do_main+0x272
0022f888 01381ae8 00000001 0068bae0 00000001 firefox!NS_internal_main+0x133
0022f8b8 0138245a 00000001 fffffe08 0068c0b8 firefox!wmain+0x10b
0022f8f8 7784338a fffde000 0022f944 77dc9f72 firefox!__tmainCRTStartup+0xfd
0022f904 77dc9f72 fffde000 6daecdb8 00000000 kernel32!BaseThreadInitThunk+0xe
0022f944 77dc9f45 013824c2 fffde000 00000000 ntdll!__RtlUserThreadStart+0x70
0022f95c 00000000 013824c2 fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  d:\opensrccode\firefox-central\js\src\jsobj.cpp

FAULTING_SOURCE_FILE:  d:\opensrccode\firefox-central\js\src\jsobj.cpp

FAULTING_SOURCE_LINE_NUMBER:  2296

FAULTING_SOURCE_CODE:  
  2292:          * Trigger post barriers for fixed slots. JSObject bits are barriered
  2293:          * below, in common with the other case.
  2294:          */
  2295:         for (size_t i = 0; i < a->numFixedSlots(); ++i) {
> 2296:             HeapSlot::writeBarrierPost(a, HeapSlot::Slot, i, a->getSlot(i));
  2297:             HeapSlot::writeBarrierPost(b, HeapSlot::Slot, i, b->getSlot(i));
  2298:         }
  2299: #endif
  2300:     } else {
  2301:         /*


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mozjs!JSObject::TradeGuts+165

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mozjs

IMAGE_NAME:  mozjs.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  537a967e

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_mozjs.dll!JSObject::TradeGuts

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_mozjs!JSObject::TradeGuts+165

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_mozjs.dll!jsobject::tradeguts

FAILURE_ID_HASH:  {f16df772-a140-e997-f5fb-70a6fa587c4c}

Followup: MachineOwner
---------


Expected results:

Pointer should not be stale and of course Firefox should not crash.
Added the WinDbg crash report, full stack and registers in text files for easy reading. Also attached a minidump for easy assessment.
I also observed an invalid pointer access in js::jit::Assembler::TraceJumpRelocations(), though I'm not sure how to trigger it. (What I can remember is: restart the browser, the browser resumes with the last test cases running, I close the tab shortly after and check the version, and later I saw this access violation.)


(26b8.3528): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for D:\OpenSrcCode\firefox-central\obj-i686-pc-mingw32\dist\bin\mozjs.dll
eax=150cf6a0 ebx=04bf07e8 ecx=00000000 edx=00000001 esi=04bf07c4 edi=00000000
eip=6cdf0060 esp=150cf67c ebp=1d23e538 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
mozjs!js::jit::Assembler::TraceJumpRelocations+0x20:
6cdf0060 8a16            mov     dl,byte ptr [esi]          ds:002b:04bf07c4=??
0:052> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for D:\OpenSrcCode\firefox-central\obj-i686-pc-mingw32\dist\bin\xul.dll
*** WARNING: Unable to verify checksum for D:\OpenSrcCode\firefox-central\obj-i686-pc-mingw32\dist\bin\nss3.dll
*** WARNING: Unable to verify checksum for firefox.exe

FAULTING_IP: 
mozjs!js::jit::Assembler::TraceJumpRelocations+20 [d:\opensrccode\firefox-central\js\src\jit\x86\assembler-x86.cpp @ 86]
6cdf0060 8a16            mov     dl,byte ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 6cdf0060 (mozjs!js::jit::Assembler::TraceJumpRelocations+0x00000020)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 04bf07c4
Attempt to read from address 04bf07c4

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=150cf6a0 ebx=04bf07e8 ecx=00000000 edx=00000001 esi=04bf07c4 edi=00000000
eip=6cdf0060 esp=150cf67c ebp=1d23e538 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
mozjs!js::jit::Assembler::TraceJumpRelocations+0x20:
6cdf0060 8a16            mov     dl,byte ptr [esi]          ds:002b:04bf07c4=??

FAULTING_THREAD:  00003528

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  04bf07c4

READ_ADDRESS:  04bf07c4 

FOLLOWUP_IP: 
mozjs!js::jit::Assembler::TraceJumpRelocations+20 [d:\opensrccode\firefox-central\js\src\jit\x86\assembler-x86.cpp @ 86]
6cdf0060 8a16            mov     dl,byte ptr [esi]

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 6cd83c44 to 6cdf0060

STACK_TEXT:  
150cf688 6cd83c44 1d714ca0 1d23e538 150cf6a0 mozjs!js::jit::Assembler::TraceJumpRelocations+0x20
150cf6a4 6ccd88ae 1d714ca0 1d714ca0 1d714ca0 mozjs!js::jit::JitCode::trace+0x34
150cf6b4 6ccd8b6d 00000005 1d23e538 150cf71c mozjs!js::GCMarker::processMarkStackOther+0x6e
150cf6e8 6ccd00c0 150cf71c 1d714c20 00000000 mozjs!js::GCMarker::processMarkStackTop+0x2ad
150cf6f8 6ce4a2e7 150cf71c 1d714c20 1d714c20 mozjs!js::GCMarker::drainMarkStack+0x30
150cf728 6ce475cc 00000000 00000000 00000000 mozjs!js::gc::GCRuntime::incrementalCollectSlice+0x107
150cf75c 6ce3e2d2 00000000 00000000 00000000 mozjs!js::gc::GCRuntime::gcCycle+0xdc
150cf798 6ce35d2b 00000000 00000000 00000000 mozjs!js::gc::GCRuntime::collect+0x202
150cf7b0 0f9d00f0 1d714a78 0000002e 196da0a8 mozjs!JS::ShrinkingGC+0x1b
150cf7c8 0f9d444e 1b001960 00000001 00000000 xul!mozilla::dom::workers::WorkerPrivate::GarbageCollectInternal+0x59
150cf7d8 0f9d504a 1b001960 1b9c57d8 1b9e2358 xul!`anonymous namespace'::GarbageCollectRunnable::WorkerRun+0x17
150cf84c 0f9d1ab6 196da0a8 1b9c57d8 1b9e2358 xul!mozilla::dom::workers::WorkerRunnable::Run+0x11a
150cf86c 0f9cfd54 1d6ec0b0 1b001960 1d6e3230 xul!mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked+0x6d
150cf89c 0f9c8373 1b001960 1d6ec0b0 00000000 xul!mozilla::dom::workers::WorkerPrivate::DoRunLoop+0xc0
150cf97c 0f1499e3 1d6ec0b0 0cc42948 0cc42938 xul!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x156
150cf9b8 0f1131e6 1d6ec0b0 00000000 150cf9d7 xul!nsThread::ProcessNextEvent+0x1dd
150cf9cc 0f2b983a 01adffb0 00000000 1ba645c8 xul!NS_ProcessNextEvent+0x26
150cf9f8 0f2acbda 1ba645c8 c55998be 1badffb0 xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0x78
150cfa30 0f2ac9d3 1b72f430 00000001 1badff00 xul!MessageLoop::RunHandler+0x54
150cfa50 0f14ba42 1b72f4e0 1b72f430 150cfac0 xul!MessageLoop::Run+0x19
150cfa68 6d737338 1badffb0 001d8218 001d8218 xul!nsThread::ThreadFunc+0x83
150cfa80 6d73b0dd 1bb84888 6ef0f2e9 1b72f430 nss3!_PR_NativeRunThread+0xc8
150cfa88 6ef0f2e9 1b72f430 c566724d 00000000 nss3!pr_root+0xd
150cfac0 6ef0f2cd 00000000 150cfad8 7784338a MSVCR110!_beginthreadex+0xb4
150cfacc 7784338a 172dc7e8 150cfb18 77dc9f72 MSVCR110!_endthreadex+0x102
150cfad8 77dc9f72 172dc7e8 7875889a 00000000 kernel32!BaseThreadInitThunk+0xe
150cfb18 77dc9f45 6ef0f28e 172dc7e8 00000000 ntdll!__RtlUserThreadStart+0x70
150cfb30 00000000 6ef0f28e 172dc7e8 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  d:\opensrccode\firefox-central\js\src\jit\x86\assembler-x86.cpp

FAULTING_SOURCE_FILE:  d:\opensrccode\firefox-central\js\src\jit\x86\assembler-x86.cpp

FAULTING_SOURCE_LINE_NUMBER:  86

FAULTING_SOURCE_CODE:  
    82: void
    83: Assembler::TraceJumpRelocations(JSTracer *trc, JitCode *code, CompactBufferReader &reader)
    84: {
    85:     RelocationIterator iter(reader);
>   86:     while (iter.read()) {
    87:         JitCode *child = CodeFromJump(code->raw() + iter.offset());
    88:         MarkJitCodeUnbarriered(trc, &child, "rel32");
    89:         JS_ASSERT(child == CodeFromJump(code->raw() + iter.offset()));
    90:     }
    91: }


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mozjs!js::jit::Assembler::TraceJumpRelocations+20

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mozjs

IMAGE_NAME:  mozjs.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  537a967e

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_mozjs.dll!js::jit::Assembler::TraceJumpRelocations

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_mozjs!js::jit::Assembler::TraceJumpRelocations+20

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_mozjs.dll!js::jit::assembler::tracejumprelocations

FAILURE_ID_HASH:  {ed71f23d-c1fc-0f1a-3b82-248c709b38a7}

Followup: MachineOwner
---------
Attachment #8444896 - Attachment is obsolete: true
I can reproduce this access violation in js::jit::Assembler::TraceJumpRelocations() as well.

Run the test case, but close the tab in a few seconds instead of running it for 15 min, check the version, and then a few minutes later this access violation happens during GC.
Sorry the OS info I typed in comment 0 was wrong. It's actually:

Operating System: Windows 7 Professional 64bit Service Pack 1

(In reply to Looben Yang from comment #0)
> Created attachment 8444880 [details]
> StalePointer_TradeGuts_Repro.html
> 
> User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
> like Gecko) Chrome/36.0.1985.84 Safari/537.36
> 
> Steps to reproduce:
> 
> Run the reproduction test case  StalePointer_TradeGuts_Repro.html in Firefox
> browser.
> 
> Firefox Version: 32.0a1 (2014-05-20)
> Operating System: Windows 8, 64 bit
>
Component: Untriaged → JavaScript Engine
Flags: sec-bounty?
Product: Firefox → Core
Whiteboard: [reporter-external]
Looben, if you have submitted the crash to our crash servers, a link to the crash report would also be helpful. You can get this by going to about:crashes in the awesomebar.
Flags: needinfo?(loobenyang)
Christian, Gary, Jesse: can we play with variants on this testcase in our own fuzzers and maybe catch a reproducible case? Our GC debugging tools and/or ASAN might help narrow it down, too.
Flags: needinfo?(choller)
(In reply to Curtis Koenig [:curtisk] from comment #13)
> Looben, if you have submitted the crash to our crash servers a link to the
> crash report would also be helpful. You can get this by going to
> about:crashes in the awesomebar.

Just submitted a crash report: https://crash-stats.mozilla.com/report/index/65c0e4fc-e1bd-4d6a-82bd-b70dc2140624
Flags: needinfo?(loobenyang)
I also got different call stacks with different test cases; the crash position is the same, though:

1) NodeBinding::appendChild


STACK_TEXT:  
0044ded0 6d1c97f4 18097688 1bac6e00 1ba3e260 mozjs!JSObject::TradeGuts+0x165
0044df5c 6d15ee2d 18097688 0044df98 0044e04c mozjs!JSObject::swap+0x144
0044dfcc 0fbcceb8 178acfc0 0044e030 0044e04c mozjs!JS_TransplantObject+0xfd
0044e004 0faf22f7 18097688 0044e030 0044e04c xul!xpc::TransplantObject+0x33
0044e0e0 0fdb8e63 18097688 0044e130 1dc53148 xul!mozilla::dom::ReparentWrapper+0x469
0044e174 0fdb8f22 1a67f388 00000000 00000001 xul!nsNodeUtils::CloneAndAdopt+0x394
0044e220 0fd4e272 1f0f3ee8 00000000 00000001 xul!nsNodeUtils::CloneAndAdopt+0x453
0044e250 0fd4e64c 1f0f3ee8 1dc53148 0044e2a4 xul!nsNodeUtils::Adopt+0x23
0044e2f4 0fd4e2e1 1f0f3ee8 0044e30c 1a697098 xul!nsIDocument::AdoptNode+0x336
0044e31c 0fda197d 1ae5e780 1f0f3f30 1f0f3ee8 xul!nsDocument::AdoptNode+0x47
0044e348 0fdaeb40 00000000 1f0f3ee8 0044e598 xul!AdoptNodeIntoOwnerDoc+0x7c
0044e530 0fa0ec7b 00000000 1f0f3ee8 00000000 xul!nsINode::ReplaceOrInsertBefore+0x632
0044e56c 0faf0655 18097688 0044e5b0 1a6965b8 xul!mozilla::dom::NodeBinding::appendChild+0xcf
0044e5b0 6d22cd10 18097688 00000001 1a6965b8 xul!mozilla::dom::GenericBindingMethod+0x124
0044e7c0 6d22a02c 18097688 070181a0 00000001 mozjs!js::Invoke+0xf0
0044ee98 6d2305fe 18097688 0044eed0 18097688 mozjs!Interpret+0x508c
0044eebc 6d222725 18097688 0044eed0 00000000 mozjs!js::RunScript+0x15e
0044ef0c 6d222678 18097688 0044ef6c 11b55d30 mozjs!js::ExecuteKernel+0x85
0044ef44 6d156482 18097688 0044ef6c 11b55d30 mozjs!js::Execute+0xa8
0044eff0 6d156767 18097688 0044f03c 0044f104 mozjs!Evaluate+0xf2
0044f008 0fc3e47c 18097688 0044f03c 0044f104 mozjs!JS::Evaluate+0x17
0044f078 0fc3e6b3 18097688 0044f214 0044f0f0 xul!nsJSUtils::EvaluateString+0x238
0044f0b0 0fdbca38 18097688 0044f214 0044f0f0 xul!nsJSUtils::EvaluateString+0x4c
0044f1cc 0fdc034e 185d0c10 0044f214 00000000 xul!nsScriptLoader::EvaluateScript+0x185
0044f2b4 0fdc08c4 185d0c10 00000000 178438d0 xul!nsScriptLoader::ProcessRequest+0x1ac
0044f424 0fdbf38e 1a4c40b4 1a4c40b4 1ae825c8 xul!nsScriptLoader::ProcessScriptElement+0x4a4
0044f44c 0fbf49e2 1e1774e0 1e1774e0 0fbf76e1 xul!nsScriptElement::MaybeProcessScript+0x100
0044f458 0fbf76e1 1e1ea278 1a4c40b4 1e177588 xul!nsIScriptElement::AttemptToExecute+0xd
0044f468 0fbf75ca 1a4c4060 1e0e5aa0 00000000 xul!nsHtml5TreeOpExecutor::RunScript+0x4d
0044f498 0fbf725a 0f4699e3 1e0e5aa0 0025a410 xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x212
0044f49c 0f4699e3 1e0e5aa0 0025a410 0025a400 xul!nsHtml5ExecutorFlusher::Run+0x16
0044f4d8 0f4331e6 1e0e5aa0 00000000 0044f4f7 xul!nsThread::ProcessNextEvent+0x1dd
0044f4ec 0f5d96f8 0148e018 00000000 004b6588 xul!NS_ProcessNextEvent+0x26
0044f518 0f5ccbda 004b6588 72cf3617 053ea0b8 xul!mozilla::ipc::MessagePump::Run+0x48
0044f550 0f5cc9d3 0048e018 00000001 1060ce00 xul!MessageLoop::RunHandler+0x54
0044f570 0fb7593c 05358c40 00000000 0fb506c6 xul!MessageLoop::Run+0x19
0044f57c 0fb506c6 053ea0b8 05358c40 6d3f4fa0 xul!nsBaseAppShell::Run+0x2a
0044f594 102c4a89 053ea0b8 0044f7a1 10797450 xul!nsAppShell::Run+0x75
0044f5a4 1029d913 05358c40 71cf1408 0044f698 xul!nsAppStartup::Run+0x20
0044f67c 1029c559 00252b08 0044f7fc 00000001 xul!XREMain::XRE_mainRun+0x7fd
0044f698 1029e0db 00000001 0023bae0 0044f7fc xul!XREMain::XRE_main+0x101
0044f7a8 00191854 00000001 0023bae0 0044f7fc xul!XRE_main+0x34
0044f93c 00191494 00000001 0023bae0 002529e8 firefox!do_main+0x272
0044f9c8 00191ae8 00000001 0023bae0 00000001 firefox!NS_internal_main+0x133
0044f9f8 0019245a 00000001 fffffe08 0023c0b8 firefox!wmain+0x10b
0044fa38 7784338a fffde000 0044fa84 77dc9f72 firefox!__tmainCRTStartup+0xfd
0044fa44 77dc9f72 fffde000 694f661c 00000000 kernel32!BaseThreadInitThunk+0xe
0044fa84 77dc9f45 001924c2 fffde000 00000000 ntdll!__RtlUserThreadStart+0x70
0044fa9c 00000000 001924c2 fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b




2) RangeBinding::insertNode

STACK_TEXT:  
001fe1a4 6ce597f4 0bdeb950 1b2f7b40 153c72e0 mozjs!JSObject::TradeGuts+0x15b
001fe230 6cdeee2d 0bdeb950 001fe26c 001fe320 mozjs!JSObject::swap+0x144
001fe2a0 0ff1ceb8 1c17c900 001fe304 001fe320 mozjs!JS_TransplantObject+0xfd
001fe2d8 0fe422f7 0bdeb950 001fe304 001fe320 xul!xpc::TransplantObject+0x33
001fe3b4 10108e63 0bdeb950 001fe404 001fe534 xul!mozilla::dom::ReparentWrapper+0x469
001fe448 1009e272 1d4f3618 00000000 00000001 xul!nsNodeUtils::CloneAndAdopt+0x394
001fe478 1009e64c 1d4f3618 1fd36730 001fe4cc xul!nsNodeUtils::Adopt+0x23
001fe51c 1009e2e1 1d4f3618 001fe534 21ceb730 xul!nsIDocument::AdoptNode+0x336
001fe544 100f197d 1c8e1180 1d4f3660 1d4f3618 xul!nsDocument::AdoptNode+0x47
001fe570 100feb40 00000000 1d4f3618 001fe7b0 xul!AdoptNodeIntoOwnerDoc+0x7c
001fe758 1010e6fd 00000000 1d4f3618 00000000 xul!nsINode::ReplaceOrInsertBefore+0x632
001fe794 0fd94be6 1d26e860 00000000 00000000 xul!nsRange::InsertNode+0x1be
001fe7c8 0fe40655 0bdeb950 001fe80c 1f9ca108 xul!mozilla::dom::RangeBinding::insertNode+0xcd
001fe80c 6cebcd10 0bdeb950 00000001 1f9ca108 xul!mozilla::dom::GenericBindingMethod+0x124
001fea1c 6ceba02c 0bdeb950 070181a0 00000001 mozjs!js::Invoke+0xf0
001ff0f4 6cec05fe 0bdeb950 001ff12c 0bdeb950 mozjs!Interpret+0x508c
001ff118 6ceb2725 0bdeb950 001ff12c 00000000 mozjs!js::RunScript+0x15e
001ff168 6ceb2678 0bdeb950 001ff1c8 15a3a040 mozjs!js::ExecuteKernel+0x85
001ff1a0 6cde6482 0bdeb950 001ff1c8 15a3a040 mozjs!js::Execute+0xa8
001ff24c 6cde6767 0bdeb950 001ff298 001ff360 mozjs!Evaluate+0xf2
001ff264 0ff8e47c 0bdeb950 001ff298 001ff360 mozjs!JS::Evaluate+0x17
001ff2d4 0ff8e6b3 0bdeb950 001ff470 001ff34c xul!nsJSUtils::EvaluateString+0x238
001ff30c 1010ca38 0bdeb950 001ff470 001ff34c xul!nsJSUtils::EvaluateString+0x4c
001ff428 1011034e 0c7c5be0 001ff470 00000000 xul!nsScriptLoader::EvaluateScript+0x185
001ff510 101108c4 0c7c5be0 00000000 1d13b6d8 xul!nsScriptLoader::ProcessRequest+0x1ac
001ff680 1010f38e 1d419d74 1d419d74 08ba40e8 xul!nsScriptLoader::ProcessScriptElement+0x4a4
001ff6a8 0ff449e2 171fa7c8 171fa7c8 0ff476e1 xul!nsScriptElement::MaybeProcessScript+0x100
001ff6b4 0ff476e1 1c58a408 1d419d74 171fa870 xul!nsIScriptElement::AttemptToExecute+0xd
001ff6c4 0ff475ca 1d419d20 1c7e2ec0 00000000 xul!nsHtml5TreeOpExecutor::RunScript+0x4d
001ff6f4 0ff4725a 0f7b99e3 1c7e2ec0 006fa410 xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x212
001ff6f8 0f7b99e3 1c7e2ec0 006fa410 006fa400 xul!nsHtml5ExecutorFlusher::Run+0x16
001ff734 0f7831e6 1c7e2ec0 00000000 001ff753 xul!nsThread::ProcessNextEvent+0x1dd
001ff748 0f9296f8 01290950 00000000 002b5fc8 xul!NS_ProcessNextEvent+0x26
001ff774 0f91cbda 002b5fc8 c2ede5a8 0552e0a0 xul!mozilla::ipc::MessagePump::Run+0x48
001ff7ac 0f91c9d3 00290950 00000001 1095ce00 xul!MessageLoop::RunHandler+0x54
001ff7cc 0fec593c 054b0a30 00000000 0fea06c6 xul!MessageLoop::Run+0x19
001ff7d8 0fea06c6 0552e0a0 054b0a30 6d724fa0 xul!nsBaseAppShell::Run+0x2a
001ff7f0 10614a89 0552e0a0 001ff9fd 10ae7450 xul!nsAppShell::Run+0x75
001ff800 105ed913 054b0a30 71cf1408 001ff8f4 xul!nsAppStartup::Run+0x20
001ff8d8 105ec559 006f2b08 001ffa58 00000001 xul!XREMain::XRE_mainRun+0x7fd
001ff8f4 105ee0db 00000001 006dbae0 001ffa58 xul!XREMain::XRE_main+0x101
001ffa04 00361854 00000001 006dbae0 001ffa58 xul!XRE_main+0x34
001ffb98 00361494 00000001 006dbae0 006f29e8 firefox!do_main+0x272
001ffc24 00361ae8 00000001 006dbae0 00000001 firefox!NS_internal_main+0x133
001ffc54 0036245a 00000001 fffffe08 006dc0b8 firefox!wmain+0x10b
001ffc94 7784338a fffde000 001ffce0 77dc9f72 firefox!__tmainCRTStartup+0xfd
001ffca0 77dc9f72 fffde000 687a1e32 00000000 kernel32!BaseThreadInitThunk+0xe
001ffce0 77dc9f45 003624c2 fffde000 00000000 ntdll!__RtlUserThreadStart+0x70
001ffcf8 00000000 003624c2 fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
(In reply to Looben Yang from comment #5)
> I also observed an invalid pointer access in
> js::jit::Assembler::TraceJumpRelocations(), though I'm not sure how to
> trigger it. (what I can remember is, restart the browser, the browser resume
> with last test cases running, I close the tab shortly, and check version, 
> later I saw this access violation)

This is most likely the interrupt mechanism we use for JIT code. We protect the JIT code memory pages to trigger a segfault, then our installed signal handler catches it, patches some code and makes the memory accessible again.

These "segfaults" often happen in TraceJumpRelocations, because that's where we touch JIT code (or in this case a relocation table stored in the same protected memory region).

You can disable this interrupt mechanism by setting the following environment variable: JS_DISABLE_SLOW_SCRIPT_SIGNALS=1
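The interrupt mechanism Jan describes above, as an added illustration that is not SpiderMonkey's code and not part of this bug: a page holding "JIT code" is made inaccessible, the next read of it faults, a SIGSEGV handler checks that the faulting address lies in that page, does its patch work, restores access and returns, and the faulting read re-executes successfully. Under a debugger that first fault shows up as a first-chance access violation before the handler ever runs, which is the benign TraceJumpRelocations report in this thread. The example assumes Linux/POSIX (mmap, mprotect, sigaction); the names install_interrupt_trap, request_interrupt and touch_code_page are made up for the example, and the NOP-filled page stands in for real JIT code.

```c
/* Added illustration (not SpiderMonkey code): a guard-page interrupt.
 * A protected page faults on first touch; the handler resolves the fault
 * and the faulting instruction is re-executed transparently. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static unsigned char *guarded_page;        /* stands in for a JIT code page (constructed) */
static size_t page_size;
static volatile sig_atomic_t handler_hits; /* faults resolved by our handler */
static volatile sig_atomic_t patched;      /* the "patch" applied on interrupt */

/* Only faults inside our own region are ours to resolve; anything else is
 * a genuine crash and is re-raised with the default action. */
static void on_segv(int sig, siginfo_t *info, void *ctx)
{
    (void)ctx;
    unsigned char *addr = (unsigned char *)info->si_addr;
    if (addr < guarded_page || addr >= guarded_page + page_size ||
        mprotect(guarded_page, page_size, PROT_READ | PROT_WRITE) != 0) {
        signal(sig, SIG_DFL);
        raise(sig);
        return;
    }
    handler_hits++;
    patched = 1; /* real engines patch the code here before resuming */
}

/* Map the page, fill it with NOPs as pretend code, install the handler. */
int install_interrupt_trap(void)
{
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    guarded_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (guarded_page == MAP_FAILED)
        return -1;
    memset(guarded_page, 0x90, page_size);

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Revoke access so the next touch of the page traps into the handler. */
int request_interrupt(void)
{
    return mprotect(guarded_page, page_size, PROT_NONE);
}

/* Models the GC tracer reading the code page; any fault is resolved
 * by the handler and the read then completes normally. */
int touch_code_page(void)
{
    return guarded_page[0];
}

int interrupt_hits(void) { return (int)handler_hits; }
int interrupt_patched(void) { return (int)patched; }

int main(void)
{
    if (install_interrupt_trap() != 0)
        return 1;
    request_interrupt();
    int b = touch_code_page();
    printf("read 0x%02x, handler resolved %d fault(s), patched=%d\n",
           b, interrupt_hits(), interrupt_patched());
    return 0;
}
```

Run it under gdb or WinDbg-style "stop on first chance" settings and the debugger halts on the read in touch_code_page before on_segv runs; continuing lets the handler restore the page and the program finishes normally, which is exactly why the TraceJumpRelocations report in this bug is a first-chance exception and not a crash.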
(In reply to Jan de Mooij [:jandem] from comment #17)
> (In reply to Looben Yang from comment #5)
> > I also observed an invalid pointer access in
> > js::jit::Assembler::TraceJumpRelocations(), though I'm not sure how to
> > trigger it. (what I can remember is, restart the browser, the browser resume
> > with last test cases running, I close the tab shortly, and check version, 
> > later I saw this access violation)
> 
> This is most likely the interrupt mechanism we use for JIT code. We protect
> the JIT code memory pages to trigger a segfault, then our installed signal
> handler catches it, patches some code and makes the memory accessible again.
> 
> These "segfaults" often happen in TraceJumpRelocations, because that's where
> we touch JIT code (or in this case a relocation table stored in the same
> protected memory region).
> 
> You can disable this interrupt mechanism by setting the following
> environment variable: JS_DISABLE_SLOW_SCRIPT_SIGNALS=1

Thanks Jan. No wonder I didn't see the access violation in TraceJumpRelocations() crashing the browser. It just happens as a first-chance exception and the browser resumes running after it.

So we can ignore it and just focus on the crash in JSObject::TradeGuts() when doing the DOM operations appendChild/insertNode/surroundContents.
Crash Signature: mozjs.dll@0x29d12a
Right, those are about the only ways you can end up inside TradeGuts (plus explicit adoptNode).

We just did memcpys to/from a and b, so I wouldn't think those are stale... Is it possible something in the slots is?
Flags: needinfo?(terrence)
I also got a crash triggered by document.adoptNode(). I haven't had time to minimize the test case. If you think the test cases for the different call stacks would be useful for debugging, let me know.



(2450.45e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0cc00000 ebx=1b7820a0 ecx=1b509458 edx=1b7820b8 esi=1b509440 edi=00000001
eip=577a74b5 esp=0040dabc ebp=335b3165 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
mozjs!JSObject::TradeGuts+0x165:
577a74b5 807d5500        cmp     byte ptr [ebp+55h],0       ss:002b:335b31ba=??
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for D:\OpenSrcCode\firefox-central\obj-i686-pc-mingw32\dist\bin\xul.dll
*** WARNING: Unable to verify checksum for firefox.exe
*** WARNING: Unable to verify checksum for D:\OpenSrcCode\firefox-central\obj-i686-pc-mingw32\dist\bin\nss3.dll

FAULTING_IP: 
mozjs!JSObject::TradeGuts+165 [d:\opensrccode\firefox-central\js\src\jsobj.cpp @ 2296]
577a74b5 807d5500        cmp     byte ptr [ebp+55h],0

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 577a74b5 (mozjs!JSObject::TradeGuts+0x00000165)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 335b31ba
Attempt to read from address 335b31ba

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=0cc00000 ebx=1b7820a0 ecx=1b509458 edx=1b7820b8 esi=1b509440 edi=00000001
eip=577a74b5 esp=0040dabc ebp=335b3165 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
mozjs!JSObject::TradeGuts+0x165:
577a74b5 807d5500        cmp     byte ptr [ebp+55h],0       ss:002b:335b31ba=??

FAULTING_THREAD:  000045e4

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  335b31ba

READ_ADDRESS:  335b31ba 

FOLLOWUP_IP: 
mozjs!JSObject::TradeGuts+165 [d:\opensrccode\firefox-central\js\src\jsobj.cpp @ 2296]
577a74b5 807d5500        cmp     byte ptr [ebp+55h],0

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) x86fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 577c97f4 to 577a74b5

STACK_TEXT:  
0040db8c 577c97f4 17e6f800 1b509440 1b7820a0 mozjs!JSObject::TradeGuts+0x165
0040dc18 5775ee2d 17e6f800 0040dc54 0040dd08 mozjs!JSObject::swap+0x144
0040dc88 100eceb8 1980d038 0040dcec 0040dd08 mozjs!JS_TransplantObject+0xfd
0040dcc0 100122f7 17e6f800 0040dcec 0040dd08 xul!xpc::TransplantObject+0x33
0040dd9c 102d8e63 17e6f800 0040ddec 0cb6de80 xul!mozilla::dom::ReparentWrapper+0x469
0040de30 102d8f22 19884770 00000000 00000001 xul!nsNodeUtils::CloneAndAdopt+0x394
0040dedc 1026e272 19889ff0 00000000 00000001 xul!nsNodeUtils::CloneAndAdopt+0x453
0040df0c 1026e64c 19889ff0 0cb6de80 0040df60 xul!nsNodeUtils::Adopt+0x23
0040dfb0 0fe83e4e 19889ff0 0040dfcc 00000000 xul!nsIDocument::AdoptNode+0x336
0040dfe4 10010655 17e6f800 0040e028 17b13708 xul!mozilla::dom::DocumentBinding::adoptNode+0xcd
0040e028 5782cd10 17e6f800 00000001 17b13708 xul!mozilla::dom::GenericBindingMethod+0x124
0040e238 5782a02c 17e6f800 071181a0 00000001 mozjs!js::Invoke+0xf0
0040e910 578305fe 17e6f800 0040e958 17e6f800 mozjs!Interpret+0x508c
0040e934 5782cdec 17e6f800 0040e958 0040ecac mozjs!js::RunScript+0x15e
0040eb40 5782cbce 17e6f800 0040ebac 00000002 mozjs!js::Invoke+0x1cc
0040ebdc 57755131 17e6f800 0040ed20 0040ec60 mozjs!js::Invoke+0x1de
0040ec00 0ff211b7 17e6f800 0040ed20 0040ec60 mozjs!JS::Call+0x21
0040ecdc 102ac46f 17e6f800 0040ed20 0040ee18 xul!mozilla::dom::MutationCallback::Call+0x1e6
0040edec 102b55bc 0040ee1c 0040ee18 1cfa1448 xul!mozilla::dom::MutationCallback::Call<nsDOMMutationObserver *>+0xd8
0040ee2c 102b56af 17e6f800 00000000 00000000 xul!nsDOMMutationObserver::HandleMutation+0xfe
0040ee48 1028876e 1015e644 00000000 17f60ee0 xul!nsDOMMutationObserver::HandleMutationsInternal+0xca
0040ee4c 1015e644 00000000 17f60ee0 0040eee4 xul!nsContentUtils::LeaveMicroTask+0x16
0040eeac 1015e6b3 17e6f800 0040f048 0040ef24 xul!nsJSUtils::EvaluateString+0x400
0040eee4 102dca38 17e6f800 0040f048 0040ef24 xul!nsJSUtils::EvaluateString+0x4c
0040f000 102e034e 196fa590 0040f048 00000000 xul!nsScriptLoader::EvaluateScript+0x185
0040f0e8 102e08c4 196fa590 00000000 1c13dd18 xul!nsScriptLoader::ProcessRequest+0x1ac
0040f258 102df38e 1cfa1b1c 1cfa1b1c 19407da8 xul!nsScriptLoader::ProcessScriptElement+0x4a4
0040f280 101149e2 17f8e6b8 17f8e6b8 101176e1 xul!nsScriptElement::MaybeProcessScript+0x100
0040f28c 101176e1 1bb7c508 1cfa1b1c 17f8e760 xul!nsIScriptElement::AttemptToExecute+0xd
0040f29c 101175ca 1cfa1ac8 1c805c10 0040f318 xul!nsHtml5TreeOpExecutor::RunScript+0x4d
0040f2cc 101157b3 0040f30c 10115791 0f9883fb xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x212
0040f2d8 0f9883fb 1cf7efa0 00000000 074ca380 xul!FlushTimerCallback+0x22
0040f318 0f98a9d7 0f9899e3 074ca380 001aa410 xul!nsTimerImpl::Fire+0xd2
0040f31c 0f9899e3 074ca380 001aa410 001aa400 xul!nsTimerEvent::Run+0x14
0040f358 0f9531e6 074ca380 00000001 0040f377 xul!nsThread::ProcessNextEvent+0x1dd
0040f36c 0faf974c 014580f0 00000001 0045ddb8 xul!NS_ProcessNextEvent+0x26
0040f398 0faecbda 0045ddb8 2153a7cc 05b200c8 xul!mozilla::ipc::MessagePump::Run+0x9c
0040f3d0 0faec9d3 004580f0 00000001 10b2ce00 xul!MessageLoop::RunHandler+0x54
0040f3f0 1009593c 05b78a30 00000000 100706c6 xul!MessageLoop::Run+0x19
0040f3fc 100706c6 05b200c8 05b78a30 6d3f4fa0 xul!nsBaseAppShell::Run+0x2a
0040f414 107e4a89 05b200c8 0040f621 10cb7450 xul!nsAppShell::Run+0x75
0040f424 107bd913 05b78a30 71cf1408 0040f518 xul!nsAppStartup::Run+0x20
0040f4fc 107bc559 001a2b08 0040f67c 00000001 xul!XREMain::XRE_mainRun+0x7fd
0040f518 107be0db 00000001 0018bae0 0040f67c xul!XREMain::XRE_main+0x101
0040f628 008e1854 00000001 0018bae0 0040f67c xul!XRE_main+0x34
0040f7bc 008e1494 00000001 0018bae0 001a29e8 firefox!do_main+0x272
0040f848 008e1ae8 00000001 0018bae0 00000001 firefox!NS_internal_main+0x133
0040f878 008e245a 00000001 fffffe08 0018c0b8 firefox!wmain+0x10b
0040f8b8 7784338a fffde000 0040f904 77dc9f72 firefox!__tmainCRTStartup+0xfd
0040f8c4 77dc9f72 fffde000 526aad15 00000000 kernel32!BaseThreadInitThunk+0xe
0040f904 77dc9f45 008e24c2 fffde000 00000000 ntdll!__RtlUserThreadStart+0x70
0040f91c 00000000 008e24c2 fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  d:\opensrccode\firefox-central\js\src\jsobj.cpp

FAULTING_SOURCE_FILE:  d:\opensrccode\firefox-central\js\src\jsobj.cpp

FAULTING_SOURCE_LINE_NUMBER:  2296

FAULTING_SOURCE_CODE:  
  2292:          * Trigger post barriers for fixed slots. JSObject bits are barriered
  2293:          * below, in common with the other case.
  2294:          */
  2295:         for (size_t i = 0; i < a->numFixedSlots(); ++i) {
> 2296:             HeapSlot::writeBarrierPost(a, HeapSlot::Slot, i, a->getSlot(i));
  2297:             HeapSlot::writeBarrierPost(b, HeapSlot::Slot, i, b->getSlot(i));
  2298:         }
  2299: #endif
  2300:     } else {
  2301:         /*


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mozjs!JSObject::TradeGuts+165

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mozjs

IMAGE_NAME:  mozjs.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  537a967e

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_mozjs.dll!JSObject::TradeGuts

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_mozjs!JSObject::TradeGuts+165

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_mozjs.dll!jsobject::tradeguts

FAILURE_ID_HASH:  {f16df772-a140-e997-f5fb-70a6fa587c4c}

Followup: MachineOwner
---------
I was not able to reproduce with my usual tricks:

* Debug build
* ASan build
* Randomize the timers
* Replace the "gc()" function in the testcase with a function that calls a random GC-testing function

Looben, I applaud your patience. I'm curious if any of these tricks work better for you than they do for me, or if you can still reproduce with the setTimeouts chained instead of sort-of-racing.
To use that you'll need a debug build,
https://www.squarefree.com/extensions/domFuzzLite3.xpi, and
function R(n) { return Math.floor(Math.random() * n); }
(In reply to Boris Zbarsky [:bz] from comment #19)
> Right, those are about the only ways you can end up inside TradeGuts (plus
> explicit adoptNode).
> 
> We just did memcpys to/from a and b, so I wouldn't think those are stale... 
> Is it possible something in the slots is?

That seems most likely. The crashing line is:
  HeapSlot::writeBarrierPost(a, HeapSlot::Slot, i, a->getSlot(i));

The getSlot is not likely to be the culprit, given that we just copied a and b. The post barrier itself effectively is doing:

a->getSlot(i)->runtime()->info.trailer.storeBufferPtr.put(a, i)

There's lots in that chain that could be going wrong, but the actual crashing instruction is:

577a74b5 807d5500        cmp     byte ptr [ebp+55h],0       ss:002b:335b31ba=??
With: ebp=335b3165

And that's quite odd, specifically the offset of 55h: I've no idea what that could correspond to. Also, |ebp| does not appear to be a runtime address (0x...00000) or the trailer address (0x...fffxx). The sum is at least even, but there's really nothing obvious here.
Flags: needinfo?(terrence)
(In reply to Jesse Ruderman from comment #21)
> I was not able to reproduce with my usual tricks:
> 
> * Debug build
> * ASan build
> * Randomize the timers
> * Replace the "gc()" function in the testcase with a function that calls a
> random GC-testing function
> 
> Looben, I applaud your patience. I'm curious if any of these tricks work
> better for you than they do for me, or if you can still reproduce with the
> setTimeouts chained instead of sort-of-racing.

Thanks Jesse. I will probably try some of your tricks later if I have time.

I can reproduce it reliably on Windows 7 by running it for 15-20 minutes. But for Windows 8, I haven't gotten a reliable test case.

However, I did observe it on my Windows 8 laptop (32.0a1 (2014-06-01), Windows 8, 64 bit), and the crash address (ebp=5a5a5a5a) looks interesting, totally ASCII:

FAULTING_IP: 
mozjs!JSObject::TradeGuts+165 [f:\opensrccode\firefox\js\src\jsobj.cpp @ 2421]
50fec825 807d5500        cmp     byte ptr [ebp+55h],0

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 50fec825 (mozjs!JSObject::TradeGuts+0x00000165)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 5a5a5aaf
Attempt to read from address 5a5a5aaf

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=0b300000 ebx=1694a940 ecx=1694a2d8 edx=1694a958 esi=1694a2c0 edi=00000001
eip=50fec825 esp=0115dc78 ebp=5a5a5a5a iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
mozjs!JSObject::TradeGuts+0x165:
50fec825 807d5500        cmp     byte ptr [ebp+55h],0       ss:002b:5a5a5aaf=??

FAULTING_THREAD:  00002efc

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  5a5a5aaf

READ_ADDRESS:  5a5a5aaf 

FOLLOWUP_IP: 
mozjs!JSObject::TradeGuts+165 [f:\opensrccode\firefox\js\src\jsobj.cpp @ 2421]
50fec825 807d5500        cmp     byte ptr [ebp+55h],0

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 5100e224 to 50fec825

STACK_TEXT:  
0115dd48 5100e224 0a5159e0 1694a2c0 1694a940 mozjs!JSObject::TradeGuts+0x165
0115ddd4 50fa43dd 0a5159e0 0115de10 0115dec4 mozjs!JSObject::swap+0x144
0115de44 0f961a76 09034900 0115dea8 0115dec4 mozjs!JS_TransplantObject+0xfd
0115de7c 0f8763e5 0a5159e0 0115dea8 0115dec4 xul!xpc::TransplantObject+0x33
0115df58 0fb56ca3 0a5159e0 0115dfa8 0115e0d8 xul!mozilla::dom::ReparentWrapper+0x466
0115dfec 0faecabf 0a509d80 00000000 00000001 xul!nsNodeUtils::CloneAndAdopt+0x394
0115e01c 0faece88 0a509d80 066ee490 0115e070 xul!nsNodeUtils::Adopt+0x23
0115e0c0 0faecb30 0a509d80 0115e0d8 08747e80 xul!nsIDocument::AdoptNode+0x321
0115e0e8 0fb54a1d 02e529d0 0a509dc8 0a509d80 xul!nsDocument::AdoptNode+0x47
0115e114 0fb61e1a 00000000 0a509d80 0115e364 xul!AdoptNodeIntoOwnerDoc+0x7c
0115e2fc 0f78208e 00000000 0a509d80 00000000 xul!nsINode::ReplaceOrInsertBefore+0x632
0115e338 0f8746fc 0a5159e0 0115e37c 0a4bce80 xul!mozilla::dom::NodeBinding::appendChild+0xcf
0115e37c 5107005f 0a5159e0 00000001 0a4bce80 xul!mozilla::dom::GenericBindingMethod+0x124
0115e58c 5106d368 0a5159e0 07d1e080 00000001 mozjs!js::Invoke+0xef
0115ec80 5107358e 0a5159e0 0115ecb8 0a5159e0 mozjs!Interpret+0x5178
0115eca4 510658b5 0a5159e0 0115ecb8 0a5159e0 mozjs!js::RunScript+0x15e
0115ecf4 510657fe 0a5159e0 0115ed5c 1d372040 mozjs!js::ExecuteKernel+0x85
0115ed34 50f9bce2 0a5159e0 0115ed5c 1d372040 mozjs!js::Execute+0xbe
0115ede0 50f9bfb7 0a5159e0 0115ee2c 0115ef00 mozjs!Evaluate+0xf2
0115edf8 0f9d2fb7 0a5159e0 0115ee2c 0115ef00 mozjs!JS::Evaluate+0x17
0115ee68 0f9d31ee 0a5159e0 0115f020 0115eee0 xul!nsJSUtils::EvaluateString+0x24f
0115eea0 0fb5b155 0a5159e0 0115f020 0115eee0 xul!nsJSUtils::EvaluateString+0x4c
0115efd8 0fb604d9 08c51980 0115f020 00000000 xul!nsScriptLoader::EvaluateScript+0x1ba
0115f0c4 0fb60a58 08c51980 00000000 066d4a80 xul!nsScriptLoader::ProcessRequest+0x1bf
0115f234 0fb5f13f 08749054 08749054 07db24f8 xul!nsScriptLoader::ProcessScriptElement+0x4a4
0115f25c 0f989288 06636120 06636120 0f98bf97 xul!nsScriptElement::MaybeProcessScript+0x100
0115f268 0f98bf97 08b14a50 08749054 066361c8 xul!nsIScriptElement::AttemptToExecute+0xd
0115f278 0f98be80 08749000 066753f0 00000000 xul!nsHtml5TreeOpExecutor::RunScript+0x4d
0115f2a8 0f98bb10 0f1cd5a8 066753f0 02e0eaa0 xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x212
0115f2ac 0f1cd5a8 066753f0 02e0eaa0 02e0ea90 xul!nsHtml5ExecutorFlusher::Run+0x16
0115f2e8 0f195e93 066753f0 00000001 0115f307 xul!nsThread::ProcessNextEvent+0x1dd
0115f2fc 0f33c2f1 01e1e1d0 00000001 02e720c0 xul!NS_ProcessNextEvent+0x26
0115f328 0f3302ca 02e720c0 795b3dfc 06148cc0 xul!mozilla::ipc::MessagePump::Run+0x9c
0115f360 0f3300bd 02e1e1d0 00000001 10368500 xul!MessageLoop::RunHandler+0x54
0115f380 0f8fee88 06679840 00000000 0f8d9f6a xul!MessageLoop::Run+0x19
0115f38c 0f8d9f6a 06148cc0 06679840 5121eb40 xul!nsBaseAppShell::Run+0x2a
0115f3a4 1006813d 06148cc0 0115f5b1 104f3220 xul!nsAppShell::Run+0x75
0115f3b4 10040a74 06679840 6168140d 0115f4a8 xul!nsAppStartup::Run+0x20
0115f48c 1003f68f 02e211c0 0115f60c 00000001 xul!XREMain::XRE_mainRun+0x7fa
0115f4a8 10041244 00000001 0147b1f8 0015f60c xul!XREMain::XRE_main+0x103
0115f5b8 0021185c 00000001 0147b1f8 0115f60c xul!XRE_main+0x34
0115f74c 0021149a 00000001 0147b1f8 02e210a0 firefox!do_main+0x272
0115f7d8 00211b07 00000001 0147b1f8 00000001 firefox!NS_internal_main+0x133
0115f808 0021248e 00000001 ffffcd90 0147bd60 firefox!wmain+0x122
0115f848 75e186e3 ff38f000 0115f898 77b9bf39 firefox!__tmainCRTStartup+0xfd
0115f854 77b9bf39 ff38f000 5efe91f8 00000000 KERNEL32!BaseThreadInitThunk+0xe
0115f898 77b9bf0c 002124f6 ff38f000 ffffffff ntdll!__RtlUserThreadStart+0x72
0115f8b0 00000000 002124f6 ff38f000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  f:\opensrccode\firefox\js\src\jsobj.cpp

FAULTING_SOURCE_FILE:  f:\opensrccode\firefox\js\src\jsobj.cpp

FAULTING_SOURCE_LINE_NUMBER:  2421

FAULTING_SOURCE_CODE:  
  2417:          * Trigger post barriers for fixed slots. JSObject bits are barriered
  2418:          * below, in common with the other case.
  2419:          */
  2420:         for (size_t i = 0; i < a->numFixedSlots(); ++i) {
> 2421:             HeapSlot::writeBarrierPost(a, HeapSlot::Slot, i, a->getSlot(i));
  2422:             HeapSlot::writeBarrierPost(b, HeapSlot::Slot, i, b->getSlot(i));
  2423:         }
  2424: #endif
  2425:     } else {
  2426:         /*


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mozjs!JSObject::TradeGuts+165

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mozjs

IMAGE_NAME:  mozjs.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  538b0c7d

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_mozjs.dll!JSObject::TradeGuts

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_mozjs!JSObject::TradeGuts+165

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_mozjs.dll!jsobject::tradeguts

FAILURE_ID_HASH:  {f16df772-a140-e997-f5fb-70a6fa587c4c}

Followup: MachineOwner
---------
(In reply to Looben Yang from comment #25)
> (In reply to Jesse Ruderman from comment #21)
> 
> However, I did observe it in my Windows 8 laptop ( 32.0a1 (2014-06-01),
> Windows 8, 64 bit ). And the crash address (ebp=5a5a5a5a) looks interesting,
> totally ASCII:

0x5a is jemalloc's free'd memory pattern, so this is definitely a UAF.
Added a reproduction case (UAF_replaceChild_TradeGuts_Repro.html) that reproduces reliably on both Windows 7 and Windows 8. Please let me know whether you can reproduce it with this test case in Firefox 32 on Windows.

On Windows 7 the crash address looks kind of random, but on Windows 8 (with Firefox 32.0a1 (2014-06-01)) the crash address indicates a use-after-free, as pointed out by Terrence:

(4240.3194): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for F:\OpenSrcCode\firefox\obj-i686-pc-mingw32\dist\bin\mozjs.dll
eax=1f200000 ebx=1acca160 ecx=20fa0918 edx=1acca178 esi=20fa0900 edi=00000001
eip=0220c825 esp=003cdd08 ebp=5a5a5a5a iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
mozjs!JSObject::TradeGuts+0x165:
0220c825 807d5500        cmp     byte ptr [ebp+55h],0       ss:002b:5a5a5aaf=??
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for F:\OpenSrcCode\firefox\obj-i686-pc-mingw32\dist\bin\xul.dll
*** WARNING: Unable to verify checksum for firefox.exe
*** WARNING: Unable to verify checksum for F:\OpenSrcCode\firefox\obj-i686-pc-mingw32\dist\bin\nss3.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SysWOW64\atidxx32.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\360\360Safe\safemon\urlproc.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\360\360Safe\360NetBase.dll - 

FAULTING_IP: 
mozjs!JSObject::TradeGuts+165 [f:\opensrccode\firefox\js\src\jsobj.cpp @ 2421]
0220c825 807d5500        cmp     byte ptr [ebp+55h],0

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0220c825 (mozjs!JSObject::TradeGuts+0x00000165)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 5a5a5aaf
Attempt to read from address 5a5a5aaf

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=1f200000 ebx=1acca160 ecx=20fa0918 edx=1acca178 esi=20fa0900 edi=00000001
eip=0220c825 esp=003cdd08 ebp=5a5a5a5a iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
mozjs!JSObject::TradeGuts+0x165:
0220c825 807d5500        cmp     byte ptr [ebp+55h],0       ss:002b:5a5a5aaf=??

FAULTING_THREAD:  00003194

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  5a5a5aaf

READ_ADDRESS:  5a5a5aaf 

FOLLOWUP_IP: 
mozjs!JSObject::TradeGuts+165 [f:\opensrccode\firefox\js\src\jsobj.cpp @ 2421]
0220c825 807d5500        cmp     byte ptr [ebp+55h],0

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 0222e224 to 0220c825

STACK_TEXT:  
003cddd8 0222e224 0faf8400 20fa0900 1acca160 mozjs!JSObject::TradeGuts+0x165
003cde64 021c43dd 0faf8400 003cdea0 003cdf54 mozjs!JSObject::swap+0x144
003cded4 03521a76 13ea7760 003cdf38 003cdf54 mozjs!JS_TransplantObject+0xfd
003cdf0c 034363e5 0faf8400 003cdf38 003cdf54 xul!xpc::TransplantObject+0x33
003cdfe8 03716ca3 0faf8400 003ce038 003ce168 xul!mozilla::dom::ReparentWrapper+0x466
003ce07c 036acabf 13bd0920 00000000 00000001 xul!nsNodeUtils::CloneAndAdopt+0x394
003ce0ac 036ace88 13bd0920 1de55610 003ce100 xul!nsNodeUtils::Adopt+0x23
003ce150 036acb30 13bd0920 003ce168 0a1de940 xul!nsIDocument::AdoptNode+0x321
003ce178 03714a1d 1c5ef1d0 13bd0968 13bd0920 xul!nsDocument::AdoptNode+0x47
003ce1a4 03721e1a 00000000 13bd0920 003ce3fc xul!AdoptNodeIntoOwnerDoc+0x7c
003ce38c 0334224c 00000001 13bd0920 1c2b50b0 xul!nsINode::ReplaceOrInsertBefore+0x632
003ce3d0 034346fc 0faf8400 003ce414 078f39a0 xul!mozilla::dom::NodeBinding::replaceChild+0x15b
003ce414 0229005f 0faf8400 00000002 078f39a0 xul!mozilla::dom::GenericBindingMethod+0x124
003ce624 0228d368 0faf8400 08f1e080 00000002 mozjs!js::Invoke+0xef
003ced18 0229358e 0faf8400 003ced60 0faf8400 mozjs!Interpret+0x5178
003ced3c 0229013b 0faf8400 003ced60 003cf0b4 mozjs!js::RunScript+0x15e
003cef48 0228ff1f 0faf8400 003cefb4 00000002 mozjs!js::Invoke+0x1cb
003cefe4 021ba9b1 0faf8400 003cf128 003cf068 mozjs!js::Invoke+0x1df
003cf008 0333576c 0faf8400 003cf128 003cf068 mozjs!JS::Call+0x21
003cf0e4 036ff9a3 0faf8400 003cf128 003cf220 xul!mozilla::dom::MutationCallback::Call+0x1ea
003cf1f4 03708352 003cf224 003cf220 14efda80 xul!mozilla::dom::MutationCallback::Call<nsDOMMutationObserver *>+0xd8
003cf234 03708445 0faf8400 00000000 00000000 xul!nsDOMMutationObserver::HandleMutation+0xfe
003cf250 036c7352 0359317f 1dbda3c0 120de1f0 xul!nsDOMMutationObserver::HandleMutationsInternal+0xca
003cf254 0359317f 1dbda3c0 120de1f0 003cf2ec xul!nsContentUtils::LeaveMicroTask+0x16
003cf2b4 035931ee 0faf8400 003cf46c 003cf32c xul!nsJSUtils::EvaluateString+0x417
003cf2ec 0371b155 0faf8400 003cf46c 003cf32c xul!nsJSUtils::EvaluateString+0x4c
003cf424 037204d9 0f841820 003cf46c 00000000 xul!nsScriptLoader::EvaluateScript+0x1ba
003cf510 03720a58 0f841820 00000000 1dbda3c0 xul!nsScriptLoader::ProcessRequest+0x1bf
003cf680 0371f13f 147984d4 147984d4 1637d8f8 xul!nsScriptLoader::ProcessScriptElement+0x4a4
003cf6a8 03549288 15d76110 15d76110 0354bf97 xul!nsScriptElement::MaybeProcessScript+0x100
003cf6b4 0354bf97 1631f780 147984d4 15d761b8 xul!nsIScriptElement::AttemptToExecute+0xd
003cf6c4 0354be80 14798480 0ff25b60 00000000 xul!nsHtml5TreeOpExecutor::RunScript+0x4d
003cf6f4 0354bb10 02d8d5a8 0ff25b60 0240eaa0 xul!nsHtml5TreeOpExecutor::RunFlushLoop+0x212
003cf6f8 02d8d5a8 0ff25b60 0240eaa0 0240ea90 xul!nsHtml5ExecutorFlusher::Run+0x16
003cf734 02d55e93 0ff25b60 00000000 003cf753 xul!nsThread::ProcessNextEvent+0x1dd
003cf748 02efc29d 0141e1d0 00000000 024720c0 xul!NS_ProcessNextEvent+0x26
003cf774 02ef02ca 024720c0 22c7f924 07448cc0 xul!mozilla::ipc::MessagePump::Run+0x48
003cf7ac 02ef00bd 0241e1d0 00000001 03f28500 xul!MessageLoop::RunHandler+0x54
003cf7cc 034bee88 07879840 00000000 03499f6a xul!MessageLoop::Run+0x19
003cf7d8 03499f6a 07448cc0 07879840 0f4aeb40 xul!nsBaseAppShell::Run+0x2a
003cf7f0 03c2813d 07448cc0 003cf9fd 040b3220 xul!nsAppShell::Run+0x75
003cf800 03c00a74 07879840 65cb140d 003cf8f4 xul!nsAppStartup::Run+0x20
003cf8d8 03bff68f 024211c0 003cfa58 00000001 xul!XREMain::XRE_mainRun+0x7fa
003cf8f4 03c01244 00000001 0074b248 003cfa58 xul!XREMain::XRE_main+0x103
003cfa04 001a185c 00000001 0074b248 003cfa58 xul!XRE_main+0x34
003cfb98 001a149a 00000001 0074b248 024210a0 firefox!do_main+0x272
003cfc24 001a1b07 00000001 0074b248 00000001 firefox!NS_internal_main+0x133
003cfc54 001a248e 00000001 ffffcd40 0074bd60 firefox!wmain+0x122
003cfc94 76fa86e3 fefb8000 003cfce4 771cbf39 firefox!__tmainCRTStartup+0xfd
003cfca0 771cbf39 fefb8000 5241179d 00000000 KERNEL32!BaseThreadInitThunk+0xe
003cfce4 771cbf0c 001a24f6 fefb8000 ffffffff ntdll!__RtlUserThreadStart+0x72
003cfcfc 00000000 001a24f6 fefb8000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  f:\opensrccode\firefox\js\src\jsobj.cpp

FAULTING_SOURCE_FILE:  f:\opensrccode\firefox\js\src\jsobj.cpp

FAULTING_SOURCE_LINE_NUMBER:  2421

FAULTING_SOURCE_CODE:  
  2417:          * Trigger post barriers for fixed slots. JSObject bits are barriered
  2418:          * below, in common with the other case.
  2419:          */
  2420:         for (size_t i = 0; i < a->numFixedSlots(); ++i) {
> 2421:             HeapSlot::writeBarrierPost(a, HeapSlot::Slot, i, a->getSlot(i));
  2422:             HeapSlot::writeBarrierPost(b, HeapSlot::Slot, i, b->getSlot(i));
  2423:         }
  2424: #endif
  2425:     } else {
  2426:         /*


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  mozjs!JSObject::TradeGuts+165

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mozjs

IMAGE_NAME:  mozjs.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  538b0c7d

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_mozjs.dll!JSObject::TradeGuts

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_READ_mozjs!JSObject::TradeGuts+165

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_read_c0000005_mozjs.dll!jsobject::tradeguts

FAILURE_ID_HASH:  {f16df772-a140-e997-f5fb-70a6fa587c4c}

Followup: MachineOwner
---------
Can you try this in a debug build?  That may give a useful assertion that will indicate what is going wrong.  You can find them on ftp://ftp.mozilla.org/pub/firefox/
Clearing needinfo, probably nothing that I can do here to contribute.
Flags: needinfo?(choller)
(In reply to Andrew McCreight [:mccr8] from comment #28)
> Can you try this in a debug build?  That may give a useful assertion that
> will indicate what is going wrong.  You can find them on
> ftp://ftp.mozilla.org/pub/firefox/

Good idea.
I tried a few times but had no luck reproducing it with an unmodified debug build.

Can someone try the reproduction case UAF_replaceChild_TradeGuts_Repro.html in a Firefox 32 Windows release build to confirm the bug first?

I'll try playing with the assertions in the meantime.
I replaced JS_ASSERT() with MOZ_RELEASE_ASSERT() in jsobj.cpp and Barrier.h. The UAF can be reproduced, but no assert is hit. The StoreBuffer object's this pointer is 0x5a5a5a5a:

    void putSlotFromAnyThread(JSObject *obj, int kind, int32_t start, int32_t count) {
        putFromAnyThread(bufferSlot, SlotsEdge(obj, kind, start, count));
    }

Locals:

    this   0x5a5a5a5a {bufferVal={storage_=??? usedAtLastCompact_=??? } bufferCell={storage_=??? usedAtLastCompact_=...} ...}   js::gc::StoreBuffer *
    obj    0x1ac5d8c0 {...}   JSObject *
    kind   0   int
    start  1   int
    count  1   int


Stack Trace:

>	mozjs.dll!js::gc::StoreBuffer::putSlotFromAnyThread(JSObject * obj, int kind, int start, int count) Line 449	C++
 	mozjs.dll!JSObject::TradeGuts(JSContext * cx, JSObject * a, JSObject * b, JSObject::TradeGutsReserved & reserved) Line 2422	C++
 	mozjs.dll!JSObject::swap(JSContext * cx, JS::Handle<JSObject *> a, JS::Handle<JSObject *> b) Line 2532	C++
 	mozjs.dll!JS_TransplantObject(JSContext * cx, JS::Handle<JSObject *> origobj, JS::Handle<JSObject *> target) Line 1119	C++
 	xul.dll!xpc::TransplantObject(JSContext * cx, JS::Handle<JSObject *> origobj, JS::Handle<JSObject *> target) Line 585	C++
 	xul.dll!mozilla::dom::ReparentWrapper(JSContext * aCx, JS::Handle<JSObject *> aObjArg) Line 1785	C++
 	xul.dll!nsNodeUtils::CloneAndAdopt(nsINode * aNode, bool aClone, bool aDeep, nsNodeInfoManager * aNewNodeInfoManager, JS::Handle<JSObject *> aReparentScope, nsCOMArray<nsINode> & aNodesWithProperties, nsINode * aParent, nsINode * * aResult) Line 537	C++
 	xul.dll!nsNodeUtils::Adopt(nsINode * aNode, nsNodeInfoManager * aNewNodeInfoManager, JS::Handle<JSObject *> aReparentScope, nsCOMArray<nsINode> & aNodesWithProperties) Line 195	C++
 	xul.dll!nsIDocument::AdoptNode(nsINode & aAdoptedNode, mozilla::ErrorResult & rv) Line 7430	C++
 	xul.dll!nsDocument::AdoptNode(nsIDOMNode * aAdoptedNode, nsIDOMNode * * aResult) Line 7295	C++
 	xul.dll!AdoptNodeIntoOwnerDoc(nsINode * aParent, nsINode * aNode) Line 1418	C++
 	xul.dll!nsINode::ReplaceOrInsertBefore(bool aReplace, nsINode * aNewChild, nsINode * aRefChild, mozilla::ErrorResult & aError) Line 2087	C++
 	xul.dll!mozilla::dom::NodeBinding::replaceChild(JSContext * cx, JS::Handle<JSObject *> obj, nsINode * self, const JSJitMethodCallArgs & args) Line 654	C++
 	xul.dll!mozilla::dom::GenericBindingMethod(JSContext * cx, unsigned int argc, JS::Value * vp) Line 2356	C++
 	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 448	C++
 	mozjs.dll!Interpret(JSContext * cx, js::RunState & state) Line 2561	C++
 	mozjs.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 402	C++
 	mozjs.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 477	C++
 	mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval) Line 511	C++
 	mozjs.dll!JS::Call(JSContext * cx, JS::Handle<JS::Value> thisv, JS::Handle<JS::Value> fval, const JS::HandleValueArray & args, JS::MutableHandle<JS::Value> rval) Line 5214	C++
 	xul.dll!mozilla::dom::MutationCallback::Call(JSContext * cx, JS::Handle<JS::Value> aThisVal, const mozilla::dom::Sequence<mozilla::dom::OwningNonNull<nsDOMMutationRecord> > & mutations, nsDOMMutationObserver & observer, mozilla::ErrorResult & aRv) Line 543	C++
 	xul.dll!mozilla::dom::MutationCallback::Call<nsDOMMutationObserver *>(nsDOMMutationObserver * const & thisObjPtr, const mozilla::dom::Sequence<mozilla::dom::OwningNonNull<nsDOMMutationRecord> > & mutations, nsDOMMutationObserver & observer, mozilla::ErrorResult & aRv, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling) Line 172	C++
 	xul.dll!nsDOMMutationObserver::HandleMutation() Line 618	C++
 	xul.dll!nsDOMMutationObserver::HandleMutationsInternal() Line 658	C++
 	xul.dll!nsContentUtils::LeaveMicroTask() Line 4774	C++
 	xul.dll!nsJSUtils::EvaluateString(JSContext * aCx, JS::SourceBufferHolder & aSrcBuf, JS::Handle<JSObject *> aScopeObject, JS::CompileOptions & aCompileOptions, const nsJSUtils::EvaluateOptions & aEvaluateOptions, JS::MutableHandle<JS::Value> aRetValue, void * * aOffThreadToken) Line 295	C++
 	xul.dll!nsJSUtils::EvaluateString(JSContext * aCx, JS::SourceBufferHolder & aSrcBuf, JS::Handle<JSObject *> aScopeObject, JS::CompileOptions & aCompileOptions, void * * aOffThreadToken) Line 323	C++
 	xul.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest, JS::SourceBufferHolder & aSrcBuf, void * * aOffThreadToken) Line 1173	C++
 	xul.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest, void * * aOffThreadToken) Line 1003	C++
 	xul.dll!nsScriptLoader::ProcessScriptElement(nsIScriptElement * aElement) Line 812	C++
 	xul.dll!nsScriptElement::MaybeProcessScript() Line 140	C++
 	xul.dll!nsIScriptElement::AttemptToExecute() Line 221	C++
 	xul.dll!nsHtml5TreeOpExecutor::RunScript(nsIContent * aScriptElement) Line 661	C++
 	xul.dll!nsHtml5TreeOpExecutor::RunFlushLoop() Line 487	C++
 	xul.dll!nsHtml5ExecutorFlusher::Run() Line 128	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 766	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * thread, bool mayWait) Line 263	C++
 	xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate) Line 95	C++
 	xul.dll!MessageLoop::RunHandler() Line 223	C++
 	xul.dll!MessageLoop::Run() Line 197	C++
 	xul.dll!nsBaseAppShell::Run() Line 166	C++
 	xul.dll!nsAppShell::Run() Line 191	C++
 	xul.dll!nsAppStartup::Run() Line 279	C++
 	xul.dll!XREMain::XRE_mainRun() Line 4012	C++
 	xul.dll!NS_TableDrivenQI(void * aThis, const nsID & aIID, void * * aInstancePtr, const QITableEntry * entries) Line 17	C++
 	xul.dll!nsComponentManagerImpl::QueryInterface(const nsID & aIID, void * * aInstancePtr) Line 823	C++
 	xul.dll!nsQueryInterface::operator()(const nsID & aIID, void * * answer) Line 19	C++
 	xul.dll!nsCOMPtr_base::assign_from_qi(const nsQueryInterface qi, const nsID & iid) Line 56	C++
Group: javascript-core-security
Blocks: GC.stability
(In reply to Looben Yang from comment #30)
> (In reply to Andrew McCreight [:mccr8] from comment #28)
> > Can you try this in a debug build?  That may give a useful assertion that
> > will indicate what is going wrong.  You can find them on
> > ftp://ftp.mozilla.org/pub/firefox/
> 
> Good idea.
> I tried a few times but I have no luck to reproduce it with unmodified debug
> build.
> 
> Can someone have a try with reproduction case 
> UAF_replaceChild_TradeGuts_Repro.html in Firefox 32 Windows release build to
> confirm the bug first? 
> 
> I'll try playing with the assertions in the mean time.

I've tried replacing JS_ASSERT() with MOZ_RELEASE_ASSERT() in dozens of JS-related source files and files on the crash stack; the crash can be reproduced but no assertion is hit. So probably no assert can be hit, and I'll stop playing with assertions.

BTW, I can reproduce it with UAF_replaceChild_TradeGuts_Repro.html on a locally built latest firefox-central (34 branch) today:

First-chance exception at 0x565DA526 (mozjs.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x5A5A5AAF.
Unhandled exception at 0x565DA526 (mozjs.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x5A5A5AAF.


Firefox Version: 34.0a1 (2014-07-30)
Operating System: Windows 7 Professional 64bit Service Pack 1
Jesse, have you tried to reproduce this in an opt build? I'm trying to figure out if anyone has yet. We really need more people to try to repro this bug. It's a major topcrasher.
Flags: needinfo?(jruderman)
Terrence, can you please look at this or find somebody else to work on it?  Thanks.
Assignee: nobody → terrence
Flags: needinfo?(terrence)
Yeah, I'm elbows deep -- currently trying to find a crash-report and an official ff build with the same buildid.
Flags: needinfo?(terrence)
Looben, thank you for the great test case! I managed to catch the crash in VS on my second try and from there it was just a matter of laboriously working out what had happened through all the inlining and store elision.

The root cause is in the memcpy optimization path in TradeGuts. In that path we use tenuredSizeOfThis instead of slotSpan. This means we end up firing barriers on uninitialized slots. The correct fix happens to be the same as the prospective fix I posted to bug 1046015. Since the WholeObject buffer obeys slotSpan via MarkChildren, it will not overrun the initialized slots, and should be faster as well.
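A constructed C model of the root cause described in the comment above, added here as an illustration and not SpiderMonkey's code or the patch: the "by capacity" walk mirrors firing barriers over tenuredSizeOfThis and touches a stale slot beyond slotSpan, while the "by slotSpan" walk mirrors the fix. The Obj/Value/StoreBuffer structs, the freed flag, and the function names are hypothetical simplifications.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the TradeGuts hazard; not SpiderMonkey's real layout. */
enum { TAG_UNDEFINED = 0, TAG_OBJECT = 1 };

typedef struct Obj Obj;
typedef struct { uint32_t tag; Obj *obj; } Value;   /* a boxed slot value */

struct Obj {
    int    isNursery;     /* lives in the nursery: an edge to it must be recorded */
    int    freed;         /* model flag: cell was released, touching it is a UAF */
    size_t slotSpan;      /* slots that are actually initialized */
    size_t slotCapacity;  /* slots the tenured allocation has room for */
    Value  slots[8];
};

typedef struct { size_t edges; size_t staleReads; } StoreBuffer;

/* Post-barrier for one slot: record a tenured->nursery edge. Reading a
   freed cell is counted instead of crashing, as the real code did. */
static void post_barrier(StoreBuffer *sb, const Value *v) {
    if (v->tag != TAG_OBJECT)
        return;
    if (v->obj->freed) { sb->staleReads++; return; }
    if (v->obj->isNursery) sb->edges++;
}

/* Buggy: walk every slot the allocation could hold (tenured size). */
static void barrier_by_capacity(StoreBuffer *sb, const Obj *o) {
    for (size_t i = 0; i < o->slotCapacity; i++) post_barrier(sb, &o->slots[i]);
}

/* Fixed: walk only the initialized slots (slotSpan), as MarkChildren does. */
static void barrier_by_slotspan(StoreBuffer *sb, const Obj *o) {
    for (size_t i = 0; i < o->slotSpan; i++) post_barrier(sb, &o->slots[i]);
}

/* Trade guts of an object whose slack slot (past slotSpan) still holds a
   pointer to a cell that was since freed (constructed stale data), then run
   either the buggy or the fixed barrier walk and report what it recorded. */
StoreBuffer barriers_after_trade(int byCapacity) {
    static Obj nursery = { 1, 0, 0, 0, {{0}} };
    static Obj dead    = { 0, 1, 0, 0, {{0}} };
    Obj src = { 0, 0, 1, 4, {{0}} };                  /* slotSpan 1, capacity 4 */
    src.slots[0] = (Value){ TAG_OBJECT, &nursery };   /* live, initialized slot */
    src.slots[3] = (Value){ TAG_OBJECT, &dead };      /* stale slack past slotSpan */
    Obj dst;
    memcpy(&dst, &src, sizeof src);                   /* memcpy path copies slack too */
    StoreBuffer sb = { 0, 0 };
    if (byCapacity) barrier_by_capacity(&sb, &dst);
    else            barrier_by_slotspan(&sb, &dst);
    return sb;
}
```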
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Flags: needinfo?(jruderman)
Blocks: 1046015
Landing here so that the testcase and the fix are in the same bug.
https://hg.mozilla.org/mozilla-central/rev/1a67ee710c0d
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
(In reply to Andrew McCreight [:mccr8] from comment #38)
> So this is GGC-only?
I'm just trying to make sure the affected flags are set correctly, so we know where to backport it.
Flags: needinfo?(terrence)
[Tracking Requested - why for this release]:
(In reply to Andrew McCreight [:mccr8] from comment #43)
> [Tracking Requested - why for this release]:
Fix for top crash, critical security bug.
Yes, this is GGC only. The tracking flags appear correct.
Flags: needinfo?(terrence)
OS: Windows 7 → All
Hardware: x86_64 → All
This landed without sec-approval?
Flags: needinfo?(terrence)
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #46)
> This landed without sec-approval?

Yes, sorry. I was not aware that we needed to coordinate for m-i landings for sec-high as well as sec-crit.
Flags: needinfo?(terrence)
Please fill out the security approval form retroactively and nominate this for aurora/beta approval. I've already confirmed locally that it uplifts cleanly.
Comment on attachment 8465082 [details] [diff] [review]
refactor_tradegut_barriers-v0.diff

Approval Request Comment
[Feature/regressing bug #]: GGC.
[User impact if declined]: Intermittent random crashes.
[Describe test coverage new/current, TBPL]: 1-day on TBPL, fixes testcase in this bug.
[Risks and why]: Low. This patch is trivial.
[String/UUID change made/needed]: None.
Attachment #8465082 - Flags: approval-mozilla-release?
Attachment #8465082 - Flags: approval-mozilla-beta?
Attachment #8465082 - Flags: approval-mozilla-aurora?
Comment on attachment 8465082 [details] [diff] [review]
refactor_tradegut_barriers-v0.diff

GGC isn't enabled on 31.
Attachment #8465082 - Flags: approval-mozilla-release?
> [User impact if declined]: Intermittent random crashes.
Furthermore, the crash is probably the #3 crash on beta right now. (see bug 1046015)
Keywords: topcrash
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #46)
> This landed without sec-approval?

Luckily, even with this patch and assuming the attacker has full access to the testcase here, it would still be extremely hard to exploit. The code still (1) does an isObject() check on the "uninitialized" pointer, (2) requires 3 very specific values at large offsets around and behind the uninitialized read before we make a write and (3) even then the write is the address of the valid source object, so hard to control for. Not necessarily more difficult than other exploits we've seen in the wild, but at least here the details depend heavily on changes we've made to the GC heap in the last few months, so are less likely to be widely known.
sec-high + top crash, tracking.
Comment on attachment 8465082 [details] [diff] [review]
refactor_tradegut_barriers-v0.diff

Approving because it is now in m-c but it would be nice to have the sec-approval information.
Attachment #8465082 - Flags: approval-mozilla-beta?
Attachment #8465082 - Flags: approval-mozilla-beta+
Attachment #8465082 - Flags: approval-mozilla-aurora?
Attachment #8465082 - Flags: approval-mozilla-aurora+
Yes, please fill out the sec-approval? template as we need the information in it for other purposes as well.
Flags: needinfo?(terrence)
Comment on attachment 8465082 [details] [diff] [review]
refactor_tradegut_barriers-v0.diff

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
  As per comment 53, quite difficult but not impossible.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
  No.

Which older supported branches are affected by this flaw?
  32 and 33.

If not all supported branches, which bug introduced the flaw?
  GGC.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
  It is trivial to backport and low risk.

How likely is this patch to cause regressions; how much testing does it need?
  Very unlikely. We should run the backports against the test-case here to verify, however.
Attachment #8465082 - Flags: sec-approval?
Flags: needinfo?(terrence)
Comment on attachment 8465082 [details] [diff] [review]
refactor_tradegut_barriers-v0.diff

Thanks.
Attachment #8465082 - Flags: sec-approval? → sec-approval+
Crash Signature: mozjs.dll@0x29d12a → [@ js::HeapSlot::post(JSObject*, js::HeapSlot::Kind, unsigned int, JS::Value const&) ] [@ js::gc::StoreBuffer::putFromAnyThread<js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::SlotsEdge>, js::gc::StoreBuffer::SlotsEdge>(js::gc::StoreBuffer::Mono…
Flags: sec-bounty? → sec-bounty+
I've run this test for several 15+ minute periods - up to an hour plus - with no crash. As I'm not able to repro the original issue, I can't really guarantee a verification, so I am marking qe-verify- for now. If you feel that verification is important, let me know and we can work together to find other ways to reproduce. Thank you.
QA Whiteboard: qe-verify-
Flags: qe-verify-
Group: javascript-core-security
Group: core-security