Closed Bug 1353621 Opened 7 years ago Closed 4 months ago

Crash in js::GCMarker::eagerlyMarkChildren

Categories

(Core :: JavaScript: GC, defect, P5)

49 Branch
x86
Windows 7
defect

Tracking

RESOLVED INCOMPLETE

People

(Reporter: jesup, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [sec-triage-backlog][#jsapi:crashes-retriage])

Crash Data

This bug was filed from the Socorro interface and is report bp-2b585805-ea05-42b2-a990-86a892170403.
=============================================================

A small number of clear UAF crashes here. 15000 crashes in the last week with this signature, most with random addresses. Appears to go back to FF40 or earlier, but didn't check the call-stacks.

Sec-high, but given risk of UAFs in GC perhaps critical is worth considering.

See also a fairly hot intermittent, bug 1337578 (with about a dozen others duped to it), which from a short look at a few logs appears to be all 0x0 or 0xfffffff8 or so.

Andrew or Steve, can you look into this or revector to the right person?  thanks
Group: core-security → javascript-core-security
Forgot to actually NI....
Andrew or Steve, can you look into this or revector to the right person?  thanks
Flags: needinfo?(sphink)
Flags: needinfo?(continuation)
sfink and jonco work on the GC.
Flags: needinfo?(continuation)
Flags: needinfo?(jcoppeard)
Jon has a patch for a 54 regression in this signature in bug 1337578.
Depends on: 1337578
Seems this was killed with bug 1337578, no?
(In reply to Frederik Braun [:freddyb] from comment #4)
That fix only affected 54 onwards so the intermittent test failures should be gone but I expect these crashes are still happening.
Flags: needinfo?(jcoppeard)
Jon, what's the next step to get this bug fixed? Can you look into it?
Flags: needinfo?(jcoppeard)
This is a pretty wide signature that will catch any marking crashes due to heap corruption or bad RAM.  Without STR it's hard to make any improvement here.
Flags: needinfo?(jcoppeard)
Whiteboard: [sec-triage-backlog]
Hi Jon:

I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them.

Thanks!

Wennie
Assignee: nobody → jcoppeard
Blocks: GCCrashes
Stalled. This is a broad GC signature that could be caused by a variety of bad hardware or real bugs and has not been actionable.
Assignee: jcoppeard → nobody
Flags: needinfo?(sphink)
Keywords: stalled
Whiteboard: [sec-triage-backlog] → [sec-triage-backlog][#jsapi:crashes-retriage]
Priority: -- → P5
Severity: critical → S2

We are reviewing and closing unactionable stalled bugs.

Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled
Group: javascript-core-security