Open Bug 1275495 Opened 5 years ago Updated 5 days ago
Crash in js::fun
This bug was filed from the Socorro interface and is report bp-eb39db5e-7227-4dba-a605-03be22160525.
=============================================================
https://crash-stats.mozilla.com/signature/?product=Firefox&signature=js%3A%3Afun_apply&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1#summary

This is the #8 crash on Nightly 20160523030225, 7 crashes which are likely from a single installation. We have had this crash signature for a long time, averaging 3~4 crashes per day. Exploitability: medium.

Looks like we are calling into some invalid address. Probably related to the JIT. Jeff, you touched this code recently; do you have any idea?
My changes here (I assume you're referring to bug 1178653 and bug 1259877, right?) were generally cosmetic, not consequential -- just streamlining the internal APIs to do things more readably/simply. Calling into a random address seems dubious as a failure mode of those patches. (I think you weren't implying my changes had anything to do with this, just noting in case.)

As to what to do, or how to debug this: without any real information as to what triggered this, we're fairly in the dark as far as how this super-generic code path goes awry. The only real ideas I have, right off the bat, are to use MSDN's "This function is obsolete and should not be used" functions, IsBadReadPtr (https://msdn.microsoft.com/en-us/library/windows/desktop/aa366713(v=vs.85).aspx) or the similar functions IsBadCodePtr, IsBadStringPtr, or IsBadWritePtr, to test the address being used here before actually using it -- and intentionally crashing if the claim is that it's bad, in a way such that we can telemetrize whatever breadcrumbs we can find at that late date. Beyond this use of obsolete functions of high dubiety, it's not necessarily clear those breadcrumbs would be enough to figure out what went wrong. But maybe if we grabbed the script URL or page URL or something, we could figure something out. Maybe?
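The idea in the comment above (validate the call target before jumping through it, and if it looks wrong, crash deliberately with breadcrumbs attached rather than jumping into the void) can be shown without the IsBad*Ptr family, which MSDN marks obsolete because the probe races with other threads and can swallow guard-page faults. The added example below is not from the bug or from SpiderMonkey; it swaps in a different technique, an allowlist of known-good native entry points checked before every indirect call, and records the script and page URL (hypothetical breadcrumb fields) before aborting. The `call_guard`, `guarded_call`, `record_only` and `twice` names, and the example URLs, are all constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Added example (not SpiderMonkey code): a CFI-style guard for an indirect
 * call. Rather than probing the target with IsBadCodePtr and friends, the
 * caller checks the target against an allowlist of known-good entry points.
 * On a miss, the breadcrumbs a crash report would want are written BEFORE
 * the deliberate abort, so they survive into the report. */

typedef int (*native_fn)(int);

#define MAX_TARGETS 16
#define MAX_REPORT  256

struct call_guard {
    native_fn   allowed[MAX_TARGETS];   /* known-good native entry points */
    size_t      n_allowed;
    const char *script_url;             /* hypothetical breadcrumb fields */
    const char *page_url;
    char        last_report[MAX_REPORT];/* text to attach to the crash */
    void      (*on_bad_target)(struct call_guard *g); /* default: abort */
};

/* Default handler: emit the breadcrumbs, then crash on purpose. */
static void crash_with_breadcrumbs(struct call_guard *g) {
    fputs(g->last_report, stderr);
    abort();
}

/* Non-crashing handler for telemetry-only mode or unit tests: the report
 * is already stored in last_report, so nothing more is needed here. */
void record_only(struct call_guard *g) { (void)g; }

void guard_init(struct call_guard *g, const char *script_url, const char *page_url) {
    memset(g, 0, sizeof *g);
    g->script_url    = script_url;
    g->page_url      = page_url;
    g->on_bad_target = crash_with_breadcrumbs;
}

/* Register a known-good target; returns -1 when the table is full. */
int guard_register(struct call_guard *g, native_fn fn) {
    if (g->n_allowed >= MAX_TARGETS) return -1;
    g->allowed[g->n_allowed++] = fn;
    return 0;
}

int guard_is_known(const struct call_guard *g, native_fn fn) {
    for (size_t i = 0; i < g->n_allowed; i++)
        if (g->allowed[i] == fn) return 1;
    return 0;
}

/* Returns 0 and stores the callee's result in *out on success. On a
 * rejected target it records breadcrumbs, invokes on_bad_target, and
 * returns -1 if that handler returns (the default one does not). */
int guarded_call(struct call_guard *g, native_fn fn, int arg, int *out) {
    if (!guard_is_known(g, fn)) {
        snprintf(g->last_report, sizeof g->last_report,
                 "bad native target %p (script=%s page=%s)\n",
                 (void *)(uintptr_t)fn,   /* function pointer via integer for %p */
                 g->script_url ? g->script_url : "?",
                 g->page_url   ? g->page_url   : "?");
        g->on_bad_target(g);
        return -1;
    }
    *out = fn(arg);
    return 0;
}

/* Constructed callee standing in for a real native function. */
int twice(int x) { return 2 * x; }

int main(void) {
    struct call_guard g;
    guard_init(&g, "https://example.invalid/app.js", "https://example.invalid/");
    guard_register(&g, twice);

    int r = 0;
    if (guarded_call(&g, twice, 21, &r) == 0)
        printf("twice(21) = %d\n", r);

    /* A forged target (constructed for the example) trips the guard and,
     * with the default handler, aborts after printing the breadcrumbs. */
    g.on_bad_target = record_only;
    native_fn forged = (native_fn)(uintptr_t)0x1234;
    if (guarded_call(&g, forged, 1, &r) != 0)
        fputs(g.last_report, stdout);
    return 0;
}
```

The allowlist is the part that makes this sound where an IsBad*Ptr probe is not: a wild pointer that happens to land in mapped, readable memory passes the probe but still fails the membership check, and the check never dereferences the suspect address. In a real engine the table would be the set of JIT-known native callees and the breadcrumbs would be written to the crash annotation store rather than stderr.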
Of some interest may be bug 1231024 comment 29 et seq: There was an error in the static register assignment for a fun_apply optimization on x86 (only) that was found and corrected. However, one unresolved aspect of that finding was that the code did not fail all the time, only when there was a certain amount of polymorphism in the test code, despite the register assignment being static.
Crash volume for signature 'js::fun_apply':
 - nightly (version 50): 0 crashes from 2016-06-06.
 - aurora (version 49): 0 crashes from 2016-06-07.
 - beta (version 48): 76 crashes from 2016-06-06.
 - release (version 47): 142 crashes from 2016-05-31.
 - esr (version 45): 2 crashes from 2016-04-07.

Crash volume on the last weeks:
             W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly        0       0       0       0       0       0       0
 - aurora         0       0       0       0       0       0       0
 - beta           9       2       5       6      11      18      21
 - release       22      19      10      17      22      19      20
 - esr            0       0       0       1       0       1       0

Affected platforms: Windows, Mac OS X
Bumping -- 153 crashes on Fennec in the past week. Comments saying this occurs a lot on Facebook.
This doesn't seem any worse or more actionable than it was in the past?