Closed Bug 1412876 Opened 7 years ago Closed 4 years ago

Intermittent PROCESS-CRASH | autophone-s1s2 | application crashed [@ js::CompartmentChecker::fail]

Categories

(Core :: JavaScript Engine, defect, P3)

58 Branch
ARM
Android
defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox58 --- affected

People

(Reporter: bc, Unassigned)

References

Details

(4 keywords, Whiteboard: [#jsapi:crashes-retriage])

Crash Data

Attachments

(1 file)

Attached file Crash report
https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=d7f7d7cb6a4bd1cd76ce6929944e4eb952de0bbb&filter-searchStr=autophone PROCESS-CRASH | autophone-s1s2 | application crashed [@ js::CompartmentChecker::fail] This test basically loads a blank page <https://github.com/mozilla/autophone/blob/master/files/s1s2/blank.html> then shuts down. This occurred on a Pixel running Android 7.1.
Compartment mismatch in InterpreterFrame::epilogue() calling EnvironmentIter::EnvironmentIter().
Group: core-security → javascript-core-security
Jeff, could you take a look? Apparently assertSameCompartment(cx, frame); is failing, which means the dynamic Environment objects aren't in the same compartment as cx. Super odd; I wonder what JS code is running here (and what craziness we could possibly be doing to cause this).
Flags: needinfo?(jwalden+bmo)
Priority: -- → P1
Assignee: nobody → jwalden+bmo
Setting up a build environment/etc. sufficient to start debugging this at all is a chunk of work, that quite frankly it's been hard to justify compared to other work with more immediate wins. Particularly for a once-a-day thing, as that graph goes. Hoping to get to this soon, once UTF-8 script parsing is completed in the JS shell -- but compared to that clear value, I can't see how this can take precedence.
Priority: P1 → P3
Flags: needinfo?(jwalden+bmo)
Adding to crash triage queue since this seems stalled. We should determine if this still occurs.
Assignee: jwalden+bmo → nobody
Whiteboard: [#jsapi:crashes-retriage]
This doesn't need to be rated sec-high: it's a now-rare crash (8 in the last 90 days, most recent version is 62.0 and 60.3esr) and it's failing on a breakpoint. Yes, it's a worrying component mismatch, but it's one we're catching.
Keywords: sec-highsec-moderate
(In reply to Daniel Veditz [:dveditz] from comment #5) > Yes, it's a worrying component mismatch, but it's one we're catching. Compartment checking isn't enabled in release builds, only Nightly, if that matters...
Flags: needinfo?(dveditz)
The one I'm seeing in crash-stats appears to be a release assert: https://hg.mozilla.org/releases/mozilla-release/annotate/d2e449c73dac/js/src/jsscript.cpp#l1455 The above is 57.0.1, and I've seen 60esr crashes, too. It's spelled differently on trunk but is still a release assert: https://searchfox.org/mozilla-central/rev/8f0db72fb6e35414fb9a6fc88af19c69f332425f/js/src/vm/JSScript.cpp#1435 Yeah, I still worry, but not quite a sec-high worth of worry. "sec-moderate" is still an UNSAFE and potentially exploitable bug.
Flags: needinfo?(dveditz)
Ah, interesting. It looks like that was done as part of the compartment to realm changes.
Crash Signature: [@ js::CompartmentChecker::fail] → [@ js::CompartmentChecker::fail] [@ js::ContextChecks::check]

I only see a single crash for a supported version that isn't a nullptr issue (and those are also extremely rare). I think we can close this bug.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: