Closed Bug 1192988 Opened 10 years ago Closed 6 years ago

Crash in js::jit::ICStub::traceCode

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

41 Branch
Unspecified
Windows 7
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox45 --- wontfix
firefox46 --- wontfix
firefox47 --- wontfix
firefox48 --- wontfix
firefox49 --- wontfix
firefox-esr45 --- wontfix
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix

People

(Reporter: jimm, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sec-triage-backlog][#jsapi:crashes-retriage])

Crash Data

Depends on: 1192532
Crash Signature: [@ js::jit::ICStub::trace(JSTracer*)] → [@ js::jit::ICStub::trace(JSTracer*)] [@ js::jit::ICStub::trace]
I'm able to crash Nightly in an easy way with this crash sig:
https://crash-stats.mozilla.com/report/index/bp-bf822daf-3b44-4bee-a2c7-f5ef82160322
https://crash-stats.mozilla.com/report/index/65c74020-0a8b-48b6-9b05-785432160322
https://crash-stats.mozilla.com/report/index/bp-bbe582ca-1c04-476b-acb3-59b362160322

Nightly and OS info in crash sig.

To reproduce you need an IPB forum 4.0 version:
1. Open an existing topic
2. Use the editor, choose the [code] tag
3. In the Code popup click with the right mouse button
4. Nightly will crash with the crash sig from above.

Since I'm an admin on an IPB 4.0 forum I can create a test account for tests, but the login and password need to be used by one person working on this bug. I will not post this on an open channel.
Flags: needinfo?(jdemooij)
Hi Semtex, your crashes are probably a duplicate of bug 1258301. I just landed a fix for that. Once that hits the Nightly channel, it'd be great if you could confirm it no longer crashes.
(In reply to Jan de Mooij [:jandem] from comment #3)
> Hi Semtex, your crashes are probably a duplicate of bug 1258301. I just
> landed a fix for that.
>
> Once that hits the Nightly channel, it'd be great if you could confirm it no
> longer crashes.

Feedback: I'm not able to crash anymore with the crash sig from my first post, so your fix seems to be working. Now I'm able to crash with the same STR with this crash sig: https://crash-stats.mozilla.com/report/index/a3d93ec1-2958-4232-8d44-1b8fd2160325 lol
(In reply to Semtex from comment #4)
> now I'm able to crash with same STR to this crash SIG:
> https://crash-stats.mozilla.com/report/index/a3d93ec1-2958-4232-8d44-1b8fd2160325
> lol

Thanks for your feedback. Actually that build does not include my fix yet, so this crash is likely very similar to your other signature :)
Maybe your fix, when landed, will fix both crashes, hope so... ;)
Semtex, does the latest Nightly still crash? :)
Flags: needinfo?(semtex2)
(In reply to Jan de Mooij [:jandem] from comment #7)
> Semtex, does the latest Nightly still crash? :)

Hi, I'm not able to crash Nightly, so it looks like it's fixed. Thanks. If I see some new crash I will inform you about that ASAP.
Flags: needinfo?(semtex2)
(In reply to Semtex from comment #8)
> Hi, I'm not able to crash Nightly, so looks like fixed. Thanks.
> If I will see some new crash i will inform about that ASAP.

Great, thank you. Let's keep this bug open for comment 0.
Flags: needinfo?(jdemooij)
Crash volume for signature 'js::jit::ICStub::trace':
- nightly (50): 5
- aurora (49): 10
- esr (45): 107

Affected platforms: Windows, Mac OS X, Linux
Crash volume for signature 'js::jit::ICStub::trace':
- nightly (version 51): 2 crashes from 2016-08-01.
- aurora (version 50): 2 crashes from 2016-08-01.
- beta (version 49): 33 crashes from 2016-08-02.
- release (version 48): 84 crashes from 2016-07-25.
- esr (version 45): 181 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
- nightly        1       0       1
- aurora         2       0       0
- beta          11      12       5
- release       38      14      11
- esr           18      11      21

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days (Browser / Content / Plugin):
- nightly: -
- aurora: #599
- beta: #2012 #801
- release: #549
- esr: #354
Crash volume for signature 'js::jit::ICStub::trace':
- nightly (version 52): 4 crashes from 2016-09-19.
- aurora (version 51): 2 crashes from 2016-09-19.
- beta (version 50): 8 crashes from 2016-09-20.
- release (version 49): 1362 crashes from 2016-09-05.
- esr (version 45): 273 crashes from 2016-06-01.

Crash volume on the last weeks (Week N is from 10-03 to 10-09):
            W. N-1  W. N-2
- nightly        2       2
- aurora         2       0
- beta           6       2
- release     1065     297
- esr           12      26

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days (Browser / Content / Plugin):
- nightly: #445
- aurora: #654
- beta: #5063 #522
- release: #69 #22
- esr: #592
Priority: -- → P3
Crash volume for signature 'js::jit::ICStub::trace':
- nightly (version 53): 41 crashes from 2016-11-14.
- aurora (version 52): 45 crashes from 2016-11-14.
- beta (version 51): 913 crashes from 2016-11-14.
- release (version 50): 3998 crashes from 2016-11-01.
- esr (version 45): 593 crashes from 2016-07-06.

Crash volume on the last weeks (Week N is from 01-02 to 01-08):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
- nightly        8       8       8       9       7       0       0
- aurora        13      11       8       5       1       1       0
- beta         303     291     194      13      10       7       7
- release     1323    1338     673      76      81      70      16
- esr           21      35      32      37      29      39      22

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days (Browser / Content / Plugin):
- nightly: #643 #104
- aurora: #630 #133
- beta: #159 #60
- release: #161 #68
- esr: #408
Crash volume for signature 'js::jit::ICStub::trace':
- nightly (version 54): 13 crashes from 2017-01-23.
- aurora (version 53): 5 crashes from 2017-01-23.
- beta (version 52): 204 crashes from 2017-01-23.
- release (version 51): 728 crashes from 2017-01-16.
- esr (version 45): 681 crashes from 2016-08-03.

Crash volume on the last weeks (Week N is from 01-30 to 02-05; columns W. N-1 .. W. N-7):
- nightly: 6
- aurora: 2
- beta: 105
- release: 345 0
- esr: 49 45 41 32 21 35 32

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days (Browser / Content / Plugin):
- nightly: #40
- aurora: #221 #76
- beta: #70 #29
- release: #63 #21
- esr: #372
Mass wontfix for bugs affecting firefox 52.
Wild pointers, some of them clear UAFs, in GC.
Group: core-security
Flags: needinfo?(nihsanullah)
Jon is this still s-s after Jan's patches?
Assignee: nobody → jcoppeard
Flags: needinfo?(nihsanullah) → needinfo?(jcoppeard)
It looks like this crash is still happening so probably safest to leave this s-s.
Flags: needinfo?(jcoppeard)
Group: core-security → javascript-core-security
Unassigning myself as I'm not actively working on this.
Assignee: jcoppeard → nobody
Whiteboard: [sec-triage-backlog]
Steve: please find an appropriate assignee for this bug (or keep it for yourself if you don't have anyone at the moment). We need an assigned responsible person for severe security bugs.
Assignee: nobody → sdetar
Andrew, could you please help with this bug? This is happening for a while and the volume isn't negligible. Thanks
Flags: needinfo?(overholt)
Steve and I will try to get some fresh eyes on this to make progress.
Flags: needinfo?(overholt)
sstangl: Would you be willing to look at this bug?
Flags: needinfo?(sstangl)
Skimming stacks, I'm seeing:

JSScript::traceChildren -> BaselineScript::trace -> ICStub::trace (or through BaselineICEntry::trace)
JSScript::markChildren -> TraceIonScripts -> BaselineScript::Trace -> ... -> ICStub::trace

and then crashing on a wide variety of different addresses. Which makes me wonder -- are we tracing dead scripts, jitscripts, or stubs? I wonder if a JIT person could look at the minidumps and tell where we're dealing with real objects and when we start dealing with garbage memory. (I haven't decompiled to see what instructions are crashing.)
(Initial instinct is corruption, but whodunit?)
Flags: needinfo?(sstangl)
Whiteboard: [sec-triage-backlog] → [sec-triage-backlog][#jsapi:crashes-retriage]
Absorb Bug 1260721 since that seems to be an inlining-dependent version of this. It is probably worth noting the proportion of these trace crashes that are in traceCode vs the aggregate.
Crash Signature: [@ js::jit::ICStub::trace(JSTracer*)] [@ js::jit::ICStub::trace] → [@ js::jit::ICStub::trace(JSTracer*)] [@ js::jit::ICStub::trace] [@ js::jit::ICStub::markCode ] [@ js::jit::ICStub::traceCode ]
Almost all the ICStub::trace crash volume is absorbed from ICStub::traceCode depending on inlining. The traceCode is the first line of trace anyways. This signature is a mess similar to Bug 858032 and at least a fraction of it is hardware failure or single-bit errors. The 70% Windows 7 bias is certainly curious. I'll look at minidumps.
Assignee: sdetar → nobody
Summary: crash in js::jit::ICStub::trace(JSTracer*) → Crash in js::jit::ICStub::traceCode
Depends on: 1462104
This is still affecting 62/63 on release at a fairly high rate.

I'll ask iain to look into mitigation described in Bug 1462104.

Hello!

Updated the flags per the "Crash Data".

Thanks!
Alex

We've collected about a month of data from the work in bug 1462104. Of the 34 crashes in ICEntry::trace, 27 either triggered the new assertion, or crashed while trying to evaluate the new assertion. This implies that ICEntry::trace was called with a bad |this| pointer.

Most of the remaining crashes occur when we try to dereference the jitcode_ pointer. Not all of the crash dumps contain useful data, but both cases that tcampbell and I managed to investigate were clear bitflips: the faulting pointer differed in only one bit from a valid pointer to executable memory.

There doesn't appear to be any signal in this noise. This signature is just what happens when you have a bunch of pointers that all get dereferenced by the same few lines of code.

Closing as WORKSFORME.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Group: javascript-core-security
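The bitflip test described in the closing comment (a faulting pointer that differs in exactly one bit from a valid pointer into executable memory), as an added illustration in C that is not code from this bug or from Mozilla's crash tooling. The executable ranges and the faulting addresses are constructed sample values, not addresses from the reports above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One executable region as read from a crash dump's module/region list.
 * The values below are constructed samples, not addresses from the bug. */
typedef struct {
    uint64_t start;
    uint64_t end;        /* exclusive */
    const char *name;
} ExecRange;

static const ExecRange kSampleRanges[] = {
    { 0x7f3a1c000000ULL, 0x7f3a1c400000ULL, "jit-code (constructed)" },
    { 0x7f3a20a00000ULL, 0x7f3a21f00000ULL, "libxul .text (constructed)" },
};
#define kSampleRangeCount (sizeof kSampleRanges / sizeof kSampleRanges[0])

static bool in_exec_range(uint64_t p, const ExecRange *ranges, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p >= ranges[i].start && p < ranges[i].end)
            return true;
    return false;
}

/* Returns the index of the single bit whose flip moves `faulting` into an
 * executable region, or -1 if no one-bit correction does. An address that is
 * already valid also returns -1: that crash is not explained by a bitflip. */
int single_bitflip_candidate(uint64_t faulting, const ExecRange *ranges, size_t n) {
    if (in_exec_range(faulting, ranges, n))
        return -1;
    for (int bit = 0; bit < 64; bit++) {
        uint64_t corrected = faulting ^ ((uint64_t)1 << bit);
        if (in_exec_range(corrected, ranges, n))
            return bit;
    }
    return -1;
}

int main(void) {
    /* Constructed faulting address: a bit-22 flip of a pointer into the JIT region. */
    int bit = single_bitflip_candidate(0x7f3a1c4123a0ULL, kSampleRanges, kSampleRangeCount);
    printf("bit %d\n", bit);   /* prints "bit 22" */
    return 0;
}
```

A wild pointer such as 0x8 yields -1 from the same check, which is the "no signal" case the comment distinguishes from hardware bit errors.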