Closed Bug 1126405 Opened 5 years ago Closed 5 years ago

crash in js::jit::RegisterAllocator::init()

Categories

(Core :: JavaScript Engine: JIT, defect, critical)

Version: 34 Branch
Hardware: All
OS: Windows NT
Type: defect
Priority: Not set
Severity: critical

Tracking


RESOLVED DUPLICATE of bug 1125734
Tracking Status
firefox38 - affected

People

(Reporter: lizzard, Unassigned)

Details

(Keywords: crash, sec-high)

Crash Data

[Tracking Requested - why for this release]:

This bug was filed from the Socorro interface and is report bp-3f848ae1-71f1-4106-a510-46dea2150126.
=============================================================
This is the #6 topcrasher for Firefox 38 with 523/19222 crashes in the last week. 
It may be exploitable. 

More reports: https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2015-01-27&signature=js%3A%3Ajit%3A%3ARegisterAllocator%3A%3Ainit%28%29&version=Firefox%3A38.0a1#tab-sigsummary


Crashing thread:
0 	xul.dll 	js::jit::RegisterAllocator::init() 	js/src/jit/RegisterAllocator.cpp
1 	xul.dll 	js::jit::LiveRangeAllocator<js::jit::LinearScanVirtualRegister, 1>::init() 	js/src/jit/LiveRangeAllocator.cpp
2 	xul.dll 	js::jit::LiveRangeAllocator<js::jit::LinearScanVirtualRegister, 1>::buildLivenessInfo() 	js/src/jit/LiveRangeAllocator.cpp
3 	xul.dll 	js::jit::LinearScanAllocator::go() 	js/src/jit/LinearScan.cpp
4 	xul.dll 	js::jit::GenerateLIR(js::jit::MIRGenerator*) 	js/src/jit/Ion.cpp
5 	xul.dll 	js::jit::CompileBackEnd(js::jit::MIRGenerator*) 	js/src/jit/Ion.cpp
6 	xul.dll 	js::HelperThread::handleIonWorkload() 	js/src/vm/HelperThreads.cpp
7 	xul.dll 	js::HelperThread::threadLoop() 	js/src/vm/HelperThreads.cpp
8 	nss3.dll 	PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c
9 	nss3.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c
10 	msvcr120.dll 	_callthreadstartex 	f:\dd\vctools\crt\crtw32\startup\threadex.c:376
11 	msvcr120.dll 	_threadstartex 	f:\dd\vctools\crt\crtw32\startup\threadex.c:354
12 	kernel32.dll 	BaseThreadInitThunk 	
13 	ntdll.dll 	RtlUserThreadStart 	
14 	kernel32.dll 	BasepReportFault 	
15 	kernel32.dll 	BasepReportFault
Flags: sec-review?
This is now the #3 topcrash for Firefox 38, at 6.8% of crashes in the last week.
Flags: needinfo?(jdemooij)
The linked crash is a null deref, but many crash at 0x5a5a5a4e which hints at freed memory
Flags: sec-review?
Keywords: sec-high
Group: javascript-core-security
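The comment above separates the linked null dereference from the many reports crashing near 0x5a5a5a4e. The following added triage helper (not part of this bug or of Firefox) automates that split over Socorro-style address lists; it assumes Firefox's jemalloc poisons freed memory with 0x5a bytes, so an address close to 0x5a5a5a5a (or 0x5a5a5a5a5a5a5a5a on 64-bit) is a pointer read out of freed memory, and that an address in the first page is null plus a field offset.

```python
"""Classify crash addresses the way a sec-triage pass would.

Added helper, not part of the bug or of Firefox. Assumptions: mozjemalloc
poisons freed memory with 0x5a bytes; an address below one page is a
null dereference plus a field offset.
"""

POISON_BYTE = 0x5A   # assumed jemalloc free-poison byte
PAGE_SIZE = 0x1000   # addresses below this count as null + offset
NEAR = 0x1000        # max distance from the poison word to still count


def poison_words():
    """Poison pattern widened to a 32- and a 64-bit pointer (0x5a5a5a5a, ...)."""
    return {bits: int.from_bytes(bytes([POISON_BYTE]) * (bits // 8), "little")
            for bits in (32, 64)}


def classify(addr):
    """Return (kind, offset) for one crash address."""
    if addr < PAGE_SIZE:
        return ("null-deref", addr)
    for bits, word in poison_words().items():
        if abs(addr - word) <= NEAR:
            # Offset from the poison word = field offset used on the stale pointer
            return ("freed-memory-%d" % bits, addr - word)
    return ("other", None)


def triage(report_lines):
    """Tally kinds over lines of the form 'crash_id<TAB>hex_address'."""
    counts = {}
    for line in report_lines:
        _crash_id, addr = line.split("\t")
        kind, _offset = classify(int(addr, 16))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample (not real crash ids): the null deref from the report,
# two hits on the poisoned address from the comment, and one unrelated address.
SAMPLE = [
    "bp-sample-1\t0x0",
    "bp-sample-2\t0x5a5a5a4e",
    "bp-sample-3\t0x5a5a5a4e",
    "bp-sample-4\t0x7ffe1234",
]

if __name__ == "__main__":
    print(triage(SAMPLE))  # {'null-deref': 1, 'freed-memory-32': 2, 'other': 1}
```

A crash address that is a small negative offset from the poison word (here -12) is what a use-after-free through a stale pointer field typically produces, which is why such a cluster outweighs the single null deref when rating the bug.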
This seems to have gone away; based on the range it was probably a duplicate of bug 1125734...
Flags: needinfo?(jdemooij)
Keywords: topcrash
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1125734
Group: core-security → core-security-release
Group: javascript-core-security, core-security-release