Closed Bug 1129767 Opened 11 years ago Closed 10 years ago

Intermittent test_WaitingOnMissingData.html | application crashed [@ 0x5a5a5a5a][@ JSScript::maybeSweepTypes(js::types::AutoClearTypeInferenceStateOnOOM *)]

Categories

(Core :: JavaScript: GC, defect)

x86
Windows 7
defect
Not set
critical

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox38 --- affected
firefox39 --- affected

People

(Reporter: RyanVM, Unassigned)

References

Details


Looks like this can crash in scarier ways too...

17:47:12 WARNING - PROCESS-CRASH | dom/media/mediasource/test/test_WaitingOnMissingData.html | application crashed [@ 0x5a5a5a5a]
17:47:12 INFO - Crash dump filename: c:\users\cltbld\appdata\local\temp\tmpqluldh.mozrunner\minidumps\1ae3a723-498b-4ba7-befa-237017df77fa.dmp
17:47:12 INFO - Operating system: Windows NT
17:47:12 INFO - 6.1.7601 Service Pack 1
17:47:12 INFO - CPU: x86
17:47:12 INFO - GenuineIntel family 6 model 30 stepping 5
17:47:12 INFO - 8 CPUs
17:47:12 INFO - Crash reason: EXCEPTION_ACCESS_VIOLATION_EXEC
17:47:12 INFO - Crash address: 0x5a5a5a5a
17:47:12 INFO - Thread 0 (crashed)
17:47:12 INFO - 0 0x5a5a5a5a
17:47:12 INFO - eip = 0x5a5a5a5a esp = 0x0029f384 ebp = 0x0029f3b4 ebx = 0x0a4046c8
17:47:12 INFO - esi = 0x0f72fdb0 edi = 0x1084b4a8 eax = 0x5a5a5a5a ecx = 0x0f72fdb0
17:47:12 INFO - edx = 0x00000000 efl = 0x00210202
17:47:12 INFO - Found by: given as instruction pointer in context
17:47:12 INFO - 1 xul.dll!JSScript::maybeSweepTypes(js::types::AutoClearTypeInferenceStateOnOOM *) [jsinfer.cpp:a7e0245cec88 : 5199 + 0x11]
17:47:12 INFO - eip = 0x6655dff2 esp = 0x0029f3bc ebp = 0x0029f3ec
17:47:12 INFO - Found by: previous frame's frame pointer
17:47:12 INFO - 2 xul.dll!SweepArenaList<JSScript,js::types::AutoClearTypeInferenceStateOnOOM *> [jsgc.cpp:a7e0245cec88 : 5211 + 0xd]
17:47:12 INFO - eip = 0x6649d696 esp = 0x0029f3f4 ebp = 0x0029f420
17:47:12 INFO - Found by: call frame info
17:47:12 INFO - 3 xul.dll!js::gc::GCRuntime::sweepPhase(js::SliceBudget &) [jsgc.cpp:a7e0245cec88 : 5250 + 0x10]
17:47:12 INFO - eip = 0x665854f1 esp = 0x0029f428 ebp = 0x0029f518
17:47:12 INFO - Found by: call frame info
17:47:12 INFO - 4 xul.dll!js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget &,JS::gcreason::Reason) [jsgc.cpp:a7e0245cec88 : 5873 + 0x7]
17:47:12 INFO - eip = 0x66543896 esp = 0x0029f520 ebp = 0x0029f540
17:47:12 INFO - Found by: call frame info
17:47:12 INFO - 5 xul.dll!js::gc::GCRuntime::gcCycle(bool,js::SliceBudget &,JS::gcreason::Reason) [jsgc.cpp:a7e0245cec88 : 6046 + 0xa]
17:47:12 INFO - eip = 0x66533ef0 esp = 0x0029f548 ebp = 0x0029f5a4
17:47:12 INFO - Found by: call frame info
17:47:12 INFO - 6 xul.dll!js::gc::GCRuntime::collect(bool,js::SliceBudget,JS::gcreason::Reason) [jsgc.cpp:a7e0245cec88 : 6171 + 0x15]
17:47:12 INFO - eip = 0x665160ea esp = 0x0029f5ac ebp = 0x0029f63c
17:47:12 INFO - Found by: call frame info
17:47:12 INFO - 7 xul.dll!JS::GCForReason(JSRuntime *,JSGCInvocationKind,JS::gcreason::Reason) [jsgc.cpp:a7e0245cec88 : 7026 + 0x37]
17:47:12 INFO - eip = 0x664e718b esp = 0x0029f644 ebp = 0x0029f66c
17:47:12 INFO - Found by: call frame info
17:47:12 INFO - 8 xul.dll!mozilla::CycleCollectedJSRuntime::GarbageCollect(unsigned int) [CycleCollectedJSRuntime.cpp:a7e0245cec88 : 1024 + 0xc]
17:47:12 INFO - eip = 0x643045e0 esp = 0x0029f674 ebp = 0x0029f688
17:47:12 INFO - Found by: call frame info
17:47:12 INFO - 9 xul.dll!nsCycleCollector::FixGrayBits(bool) [nsCycleCollector.cpp:a7e0245cec88 : 3492 + 0x16]
17:47:12 INFO - eip = 0x64303f7f esp = 0x0029f690 ebp = 0x0029f69c
17:47:12 INFO - Found by: call frame info
17:47:12 INFO - 10 xul.dll!nsCycleCollector::BeginCollection(ccType,nsICycleCollectorListener *) [nsCycleCollector.cpp:a7e0245cec88 : 3754 + 0x9]
17:47:12 INFO - eip = 0x642ff88c esp = 0x0029f6a4 ebp = 0x0029f6e4
17:47:12 INFO - Found by: call frame info
> 17:47:12 INFO - Crash reason: EXCEPTION_ACCESS_VIOLATION_EXEC
> 17:47:12 INFO - Crash address: 0x5a5a5a5a

This means it's very likely exploitable. Please file bugs like this as security-sensitive in the future.
Group: core-security
Severity: normal → critical
There are some other similar bugs: bug 1114850, bug 1115755, bug 1125142, bug 1129098. None of them have happened that frequently, but more than once. It is maybe interesting that the two crashes here are both on the poison address.
I'm setting this to sec-high because it is intermittent and GC-related, so it may be harder to exploit.
Keywords: sec-critical → sec-high
Group: javascript-core-security
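The two comments above rate the crash on three observations from the minidump_stackwalk text: the exception is an execute fault, the faulting address is the instruction pointer itself, and that address is a repeated-byte poison pattern rather than a real code address. The following Python helper is an added example that mechanises exactly that triage; it is not part of this bug, of mozrunner, or of any Mozilla tooling. The first sample is a trimmed copy of the trace pasted above; the second sample, including its module and function names, is constructed purely to show the contrasting case of a null-page read.

```python
"""Rough exploitability triage of minidump_stackwalk output as pasted in test logs.

Added example, not Mozilla tooling. Heuristics only: an execute fault at a
poison address means the instruction pointer was loaded from stale/freed data,
which is why such crashes get filed as security-sensitive rather than as
ordinary intermittents.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trimmed from the trace quoted in this bug (constructed sample input).
SAMPLE_LOG = """\
17:47:12 INFO - Crash reason: EXCEPTION_ACCESS_VIOLATION_EXEC
17:47:12 INFO - Crash address: 0x5a5a5a5a
17:47:12 INFO - Thread 0 (crashed)
17:47:12 INFO - 0 0x5a5a5a5a
17:47:12 INFO - eip = 0x5a5a5a5a esp = 0x0029f384 ebp = 0x0029f3b4 ebx = 0x0a4046c8
17:47:12 INFO - esi = 0x0f72fdb0 edi = 0x1084b4a8 eax = 0x5a5a5a5a ecx = 0x0f72fdb0
17:47:12 INFO - edx = 0x00000000 efl = 0x00210202
17:47:12 INFO - Found by: given as instruction pointer in context
17:47:12 INFO - 1 xul.dll!JSScript::maybeSweepTypes(js::types::AutoClearTypeInferenceStateOnOOM *) [jsinfer.cpp:a7e0245cec88 : 5199 + 0x11]
17:47:12 INFO - eip = 0x6655dff2 esp = 0x0029f3bc ebp = 0x0029f3ec
17:47:12 INFO - Found by: previous frame's frame pointer
"""

# Hypothetical contrasting sample: a plain null-page read (module/function names are made up).
NULL_DEREF_LOG = """\
12:00:00 INFO - Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
12:00:00 INFO - Crash address: 0x8
12:00:00 INFO - Thread 0 (crashed)
12:00:00 INFO - 0 example.dll!hypothetical_function() [example.cpp : 1 + 0x0]
12:00:00 INFO - eip = 0x6a001000 esp = 0x0029f384 ebp = 0x0029f3b4 ebx = 0x00000000
12:00:00 INFO - Found by: given as instruction pointer in context
"""

_LOG_PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}\s+\w+\s+-\s+")          # "17:47:12 INFO - "
_REGISTER = re.compile(r"\b([a-z][a-z0-9]{1,3})\s*=\s*(0x[0-9a-fA-F]+)")  # "eip = 0x..."
_FRAME = re.compile(r"^(\d+)\s+(\S.*)$")                             # "1 xul.dll!..."
_BARE_ADDRESS = re.compile(r"^0x[0-9a-fA-F]+$")


@dataclass
class Triage:
    reason: str = ""
    crash_address: Optional[int] = None
    registers: Dict[str, int] = field(default_factory=dict)  # frame 0 context only
    frames: List[str] = field(default_factory=list)          # crashed thread, top first
    signals: List[str] = field(default_factory=list)
    rating: str = "needs-review"


def is_fill_pattern(value: int) -> bool:
    """True when every byte of a non-zero value is the same byte, e.g. 0x5a5a5a5a.

    Such values are almost never real code or heap addresses; they are what
    memory poisoning / fill patterns look like when read back as a pointer.
    """
    if value <= 0:
        return False
    width = max(4, (value.bit_length() + 7) // 8)
    return len(set(value.to_bytes(width, "little"))) == 1


def parse_stackwalk(text: str) -> Triage:
    """Pull crash reason, address, frame-0 registers and frames of the crashed thread."""
    t = Triage()
    in_crashed_thread = False
    for raw in text.splitlines():
        line = _LOG_PREFIX.sub("", raw.rstrip())
        if line.startswith("Crash reason:"):
            t.reason = line.split(":", 1)[1].strip()
        elif line.startswith("Crash address:"):
            t.crash_address = int(line.split(":", 1)[1].strip(), 16)
        elif line.startswith("Thread "):
            in_crashed_thread = "(crashed)" in line
        elif in_crashed_thread:
            m = _FRAME.match(line)
            if m:
                t.frames.append(m.group(2))
                continue
            for reg, val in _REGISTER.findall(line):
                t.registers.setdefault(reg, int(val, 16))  # keep frame 0's values only
    return t


def classify(t: Triage) -> Triage:
    """Attach human-readable signals and a coarse rating to a parsed crash."""
    ip = t.registers.get("eip", t.registers.get("rip"))
    exec_fault = t.reason.endswith("_EXEC")
    write_fault = t.reason.endswith("_WRITE")
    poisoned = t.crash_address is not None and is_fill_pattern(t.crash_address)

    if exec_fault:
        t.signals.append("execute fault: instruction pointer came from data, not code")
    if ip is not None and t.crash_address == ip:
        t.signals.append("crash address equals the instruction pointer")
    if poisoned:
        t.signals.append("crash address is a repeated-byte fill/poison pattern (stale memory read)")
        others = [r for r, v in t.registers.items() if v == t.crash_address and r not in ("eip", "rip")]
        if others:
            t.signals.append("same pattern also in " + ", ".join(sorted(others)))
    if t.frames and _BARE_ADDRESS.match(t.frames[0]):
        t.signals.append("frame 0 is outside every loaded module")

    if exec_fault or write_fault:
        t.rating = "likely-exploitable"
    elif t.crash_address is not None and t.crash_address < 0x1000:
        t.rating = "low"  # null-page dereference: usually a plain bug, not a security one
    elif poisoned:
        t.rating = "needs-review"  # read through a freed object; other paths may write or call
    return t


def triage(text: str) -> Triage:
    return classify(parse_stackwalk(text))


if __name__ == "__main__":
    for name, log in (("bug trace", SAMPLE_LOG), ("null deref", NULL_DEREF_LOG)):
        result = triage(log)
        print(f"{name}: {result.reason} @ {result.crash_address:#x} -> {result.rating}")
        for s in result.signals:
            print("  -", s)
```

Run on the trace from this bug the helper reports an execute fault at an address equal to eip that is also sitting in eax and is a fill pattern, and rates it likely-exploitable; the constructed null-page read is rated low. The rating is a first-pass filter for deciding whether an intermittent should be filed security-sensitive, not a substitute for looking at the sweep code the stack points to.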
This hasn't happened in 5 months so I'm going to close it.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: javascript-core-security, core-security-release