Closed Bug 1421786 Opened 7 years ago Closed 7 years ago

Crash in JSFunction::needsFunctionEnvironmentObjects

Categories

(Core :: JavaScript Engine, defect, P1)

57 Branch
All
Windows
defect

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr52 --- wontfix
firefox57 --- wontfix
firefox58 --- fixed
firefox59 --- fixed

People

(Reporter: philipp, Assigned: tcampbell)

References

Details

(Keywords: crash, regression, sec-moderate, Whiteboard: [adv-main58+][post-critsmash-triage])

Crash Data

This bug was filed from the Socorro interface and is
report bp-9319d3d2-2d1e-436f-84b3-66fbf0171127.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll JSFunction::needsFunctionEnvironmentObjects js/src/jsfun.h:163
1 xul.dll js::InterpreterFrame::prologue js/src/vm/Stack.cpp:244
2 xul.dll Interpret js/src/vm/Interpreter.cpp:1918
3 xul.dll js::RunScript js/src/vm/Interpreter.cpp:423
4 xul.dll js::ExecuteKernel js/src/vm/Interpreter.cpp:706
5 xul.dll ExecuteInExtensibleLexicalEnvironment js/src/builtin/Eval.cpp:465
6 xul.dll js::ExecuteInJSMEnvironment js/src/builtin/Eval.cpp:551
7 xul.dll js::ExecuteInJSMEnvironment js/src/builtin/Eval.cpp:509
8 xul.dll mozJSComponentLoader::ObjectForLocation js/xpconnect/loader/mozJSComponentLoader.cpp:879
9 xul.dll mozJSComponentLoader::ImportInto js/xpconnect/loader/mozJSComponentLoader.cpp:1163

=============================================================

Crashes with this signature have been around for a while at a very low volume, but on 57 they are spiking in frequency. The reports are all coming from Windows builds, and the uptime range is <60s in 99% of the cases.

Some crash addresses indicate it's a UAF situation, so I'm marking the bug as security sensitive.
Group: core-security → javascript-core-security
That's a very odd crashing address. It does have a bunch of e5e5 in the middle, but it doesn't start with e5 (or padded with fffff). There is a cluster of crashes with addresses in that range (from different people), but most crashes are near-null crashes. There's also a cluster of 0xa0000000xx.

This appears to be crashing in chrome code, so hopefully it is not as accessible to an attacker.
Keywords: sec-moderate
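The comment above sorts crash addresses by eye into near-null dereferences, freed-memory poison (the e5 byte) and a third cluster. The script below is an added example of doing that classification mechanically over a list of addresses; it is not part of the bug report or of the Firefox tooling. It assumes mozjemalloc's free poison byte is 0xe5 (a real pattern), treats a 64-bit address whose high half is all ff as a sign-extended 32-bit poison value (the "padded with fffff" case), and flags a run of e5 bytes in the middle of an otherwise normal pointer as partial poison. The address list is constructed for illustration and is not taken from the Socorro reports.

```python
#!/usr/bin/env python3
"""Classify crash addresses the way a crash triager reads them.

Added example, not code from the bug or from Firefox. Heuristics assume the
mozjemalloc free-poison byte 0xe5; everything else is a plain pointer test.
"""
from collections import Counter

POISON_BYTE = 0xE5          # mozjemalloc fills freed allocations with 0xe5
NEAR_NULL_LIMIT = 0x10000   # first 64 KiB: typical null + field-offset faults


def parse_address(text: str) -> int:
    """Accept '0x7ff8...' or bare hex as printed in crash reports."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    return int(text, 16)


def classify_crash_address(addr: int, bits: int = 64) -> str:
    """Return one of: near-null, poison, poison-sign-extended, partial-poison, other."""
    if addr < NEAR_NULL_LIMIT:
        return "near-null"
    width = bits // 8
    b = addr.to_bytes(width, "little")  # b[0] is the least significant byte
    # Whole pointer is poison: the crash read a pointer straight out of freed memory.
    if all(x == POISON_BYTE for x in b):
        return "poison"
    # 32-bit poison value sign-extended to 64 bits (prints as 0xffffffffe5e5e5e5).
    if bits == 64 and all(x == POISON_BYTE for x in b[:4]) and all(x == 0xFF for x in b[4:]):
        return "poison-sign-extended"
    # Two or more adjacent poison bytes inside an otherwise plausible pointer:
    # an index or offset was loaded from freed memory and added to a live base.
    if any(b[i] == POISON_BYTE and b[i + 1] == POISON_BYTE for i in range(width - 1)):
        return "partial-poison"
    return "other"


def summarize(addresses) -> dict:
    """Count each category so a spike can be attributed to one failure mode."""
    return dict(Counter(classify_crash_address(a) for a in addresses))


# Constructed sample, chosen to exercise every branch; not real Socorro data.
SAMPLE_ADDRESSES = [
    "0x0", "0x18", "0x40",          # null dereferences at small field offsets
    "0xe5e5e5e5e5e5e5e5",           # pointer read directly from freed memory
    "0xffffffffe5e5e5e5",           # sign-extended 32-bit poison
    "0x7ff8e5e5e5e50010",           # live base plus a poisoned offset
    "0xa000000012", "0xa000000034", # a cluster that matches no poison pattern
]


def sample_summary() -> dict:
    return summarize(parse_address(a) for a in SAMPLE_ADDRESSES)


if __name__ == "__main__":
    for text in SAMPLE_ADDRESSES:
        print(f"{text:>20}  {classify_crash_address(parse_address(text))}")
    print(sample_summary())
```

Fed the per-crash address column from a Socorro export instead of the constructed list, `summarize` separates the null-deref population (assertable and easy to narrow down) from the freed-memory population, which is the split the comments in this bug argue over.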
Ted might be interested in this.
Flags: needinfo?(tcampbell)
Most of these look like null derefs, but a few look like UAFs.

We can probably add some assertions to narrow down the null deref case. Not sure about the UAF case.
This looks roughly similar to Bug 1415546 which I can hopefully look into this week or early next.
Flags: needinfo?(tcampbell)
See Also: → 1415546
Priority: -- → P1
Assignee: nobody → tcampbell
There are zero crashes in 58.0b9 after Bug 1418894 landed.
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 1418894
Resolution: --- → FIXED
Calling ESR52 wontfix since the crash is low-volume there and this is only sec-moderate.
Group: javascript-core-security → core-security-release
Whiteboard: [adv-main58+]
Flags: qe-verify-
Whiteboard: [adv-main58+] → [adv-main58+][post-critsmash-triage]
Group: core-security-release