Closed Bug 1319466 Opened 8 years ago Closed 3 years ago

Crash in js::GetPropertyNoGC

Categories

(Core :: JavaScript Engine, defect, P3)

51 Branch
x86
Windows 7
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox-esr45 --- wontfix
firefox50 --- wontfix
firefox51 + wontfix
firefox52 --- wontfix
firefox53 --- wontfix

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-low)

Crash Data

[Tracking Requested - why for this release]: Volume increased from releases - we should try to figure out why.

This bug was filed from the Socorro interface and is report bp-7c8fb291-22d2-4d11-9f08-9d4232161122.
=============================================================

Seen while looking at Firefox B1 crash stats: http://bit.ly/2gyuslu. Volume seems to have increased from 49.0.2 and 50.
Let's track this for 51. Jason can you help find someone to investigate this? Thanks!
Flags: needinfo?(jorendorff)
The 51 jump in crashes (with null-derefs almost always) seems to have gone away around the 23rd or so, and we're back to the base crash level.  However, the base crashes are actually worse, and include UAFs and EXEC crashes, and appear like they're in JIT code.

Crash appears to go back to Firefox 3X or earlier, but that might be deceptive as it appears it can jump from the signature point into JIT code, so there may well be multiple bugs here.

Jason - who else should be cc'd?
Group: core-security
Group: core-security → javascript-core-security
Critsmash triage: is there anything that can be done to try to investigate and resolve this issue in time for 51? We're still seeing regular crashes with this that look bad.
Flags: needinfo?(rjesup)
Flags: needinfo?(rjesup) → needinfo?(jdemooij)
Most URLs are for the Facebook photo viewer, very similar to the crashes in bug 1308800 - see bug 1308800 comment 6. Probably the same bug, an invalid object pointer. Unfortunately it's impossible to say what's causing this without being able to reproduce it. I've spent a few hours on that and I can do some more testing, but no luck so far.
Flags: needinfo?(jdemooij)
Most crashes on bug 1308800 are nullptrs, but not all - overall less frightening, but maybe that's luck.

That one is fairly bad and spiked hard in 51, with no ideas on how to fix it yet.  :-(

This one spiked on uplift, dropped back again for no obvious reason, then had another spike and is back to 'base' level.
I don't see any of these crashes after 51, and not many happening at all, so I'm going to close this.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → WORKSFORME
It looks like this transmuted into a low-frequency nullptr crash on 52 - so still a bug, but much less severe there.  Maybe a crash or two a week.  Moving to fix-optional.
https://crash-stats.mozilla.com/report/index/500c0e3b-ec29-4bdb-9226-2e9682170114 is an example.

Note it still applies to 45esr: https://crash-stats.mozilla.com/report/index/38aed2de-e4f2-47dd-a7fd-63e622170125 and is still a sec issue there!  If we had a patch, *or* knew what made it a nullptr crash, we could take that there.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Priority: -- → P3

Crashes are down to basically zero in recent versions. I'm not sure there is anything left here to do.

Status: REOPENED → RESOLVED
Closed: 7 years ago → 3 years ago
Resolution: --- → WORKSFORME
Group: javascript-core-security