Closed
Bug 1459932
Opened 6 years ago
Closed 5 years ago
Crash in NameResolver::resolve
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
People
(Reporter: marcia, Assigned: jorendorff)
References
Details
(4 keywords, Whiteboard: [#jsapi:crashes-retriage][adv-main67+])
Crash Data
Attachments
(1 file, 3 obsolete files)
9.08 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-3d6d00d9-8526-4d8c-86e5-c97e70180505. ============================================================= Seen while looking at Android crash stats - this crash appears in the Fennec 60 rc: https://bit.ly/2HWL8Bb. This crash is also present in 59. 67 crashes/31 installs so far on RC - on 59.0.2 we have 241 crashes/112 installs in a 7 day period. Correlation shows (90.05% in signature vs 01.16% overall) Module "linker64" = true, although not sure if that means anything. APIs from 23-27 are affected. Top 1 frames of crashing thread: 0 libxul.so NameResolver::resolve js/public/RootingAPI.h:942 =============================================================
Comment 1•6 years ago
|
||
2 website in the comments. Steve, can you take a look?
Flags: needinfo?(sdetar)
Updated•6 years ago
|
Group: core-security → javascript-core-security
Comment 3•6 years ago
|
||
Putting this in our crash triage queue.
Whiteboard: [#jsapi:crashes-retriage]
Comment 4•6 years ago
|
||
Removing my needinfo since Jan put this bug in our crash triage queue where it will be looked into in more detail soon.
Flags: needinfo?(sdetar)
Updated•6 years ago
|
Updated•6 years ago
|
Priority: -- → P1
Comment 5•6 years ago
|
||
When looking at other variations of the same signature, I see other platforms crashing too.
Crash Signature: [@ NameResolver::resolve] → [@ NameResolver::resolve]
[@ 0x0 | NameResolver::resolve]
[@ (anonymous namespace)::NameResolver::resolve]
[@ `anonymous namespace'::NameResolver::resolve]
[@ static bool `anonymous namespace'::NameResolver::resolve]
OS: Android → Unspecified
Updated•6 years ago
|
Crash Signature: [@ NameResolver::resolve]
[@ 0x0 | NameResolver::resolve]
[@ (anonymous namespace)::NameResolver::resolve]
[@ `anonymous namespace'::NameResolver::resolve]
[@ static bool `anonymous namespace'::NameResolver::resolve] → [@ NameResolver::resolve]
[@ @0x0 | NameResolver::resolve]
[@ (anonymous namespace)::NameResolver::resolve]
[@ `anonymous namespace'::NameResolver::resolve]
[@ static bool `anonymous namespace'::NameResolver::resolve]
Comment 6•6 years ago
|
||
These crashes seem to have a number of resolve calls on the stack (expected) before either |cur| is garbage or the RootedAtom::stack pointer gets stomped. The actual crash location varies, but the second last crash is typically [1] and this is the last time |cur| is current so I'd paint the bullseye here. It isn't clear from the crashes which of these cases is failing here. [1] https://hg.mozilla.org/releases/mozilla-beta/annotate/106b1066bb3fb6a4821a8da52cc913846149928a/js/src/frontend/NameFunctions.cpp#l444
Comment 7•6 years ago
|
||
Jason, these crashes seem to stem from [1]. Can you add a release assert or otherwise track down what's going off the rails? [1] https://hg.mozilla.org/releases/mozilla-beta/annotate/106b1066bb3fb6a4821a8da52cc913846149928a/js/src/frontend/NameFunctions.cpp#l444
Flags: needinfo?(jorendorff)
Updated•6 years ago
|
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → affected
tracking-firefox-esr60:
--- → ?
Updated•6 years ago
|
status-firefox63:
--- → ?
Comment 8•6 years ago
|
||
3 months with a NI for a release assert to be added... bumping
Flags: needinfo?(sdetar)
Comment 9•6 years ago
|
||
Jason, any updates on adding the release assert Ted suggested?
Flags: needinfo?(sdetar)
Assignee | ||
Comment 10•6 years ago
|
||
Attachment #9005507 -
Flags: review?(tcampbell)
Comment 11•6 years ago
|
||
Comment on attachment 9005507 [details] [diff] [review] Add assertions that all parse nodes visited in NameFunctions are in the parser's allocator Review of attachment 9005507 [details] [diff] [review]: ----------------------------------------------------------------- Fuzzy logic here, but I like it.
Attachment #9005507 -
Flags: review?(tcampbell) → review+
Assignee | ||
Comment 12•6 years ago
|
||
Assignee | ||
Updated•6 years ago
|
Attachment #9005507 -
Attachment is obsolete: true
Assignee | ||
Comment 13•6 years ago
|
||
This adds one release-mode assertion in NameResolver::resolve(), but most of the work is plumbing for a new debug-only assertion (for the fuzzers).
Assignee | ||
Updated•6 years ago
|
Attachment #9005626 -
Attachment is obsolete: true
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Assignee | ||
Comment 14•6 years ago
|
||
This adds one release-mode assertion in NameResolver::resolve(), but most of the work is plumbing for a new debug-only assertion (for the fuzzers).
Assignee | ||
Updated•6 years ago
|
Attachment #9005628 -
Attachment is obsolete: true
Assignee | ||
Comment 15•6 years ago
|
||
Comment on attachment 9005629 [details] [diff] [review] Add assertions that all parse nodes visited in NameFunctions are in the parser's allocator Carrying Jeff's review forward. [Security approval request comment] How easily could an exploit be constructed based on the patch? The patch does not fix a bug, it just adds assertions. It is unlikely an exploit could be constructed based on this. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? They point out a place in the code where we do have crashes. But it isn't clear (even to us) what the bug is or how to trigger it. Which older supported branches are affected by this flaw? All. How likely is this patch to cause regressions; how much testing does it need? Normal testing will suffice. Most likely regression: the new MOZ_RELEASE_ASSERT in this patch is not sound, hits way more than expected in practice, and has to be backed out. This is not likely.
Flags: needinfo?(jorendorff)
Attachment #9005629 -
Flags: sec-approval?
Attachment #9005629 -
Flags: review+
Assignee | ||
Comment 16•6 years ago
|
||
Comment on attachment 9005629 [details] [diff] [review] Add assertions that all parse nodes visited in NameFunctions are in the parser's allocator Clearing sec-approval. The DEBUG-only assertion calling alloc.contains() is too slow. I need to fix that and get review again.
Attachment #9005629 -
Flags: sec-approval?
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Flags: needinfo?(jorendorff)
Assignee | ||
Comment 17•6 years ago
|
||
Bug 1489572 might make LifoAlloc::contains fast enough that this assertion can land. If that's not enough, or if the patches there can't land, I can add DEBUG-only bookkeeping to LifoAlloc. nbp suggested a SplayTree. But post-1489572, if there are at most ~50 regions per LifoAlloc, a SplayTree would be overkill; we'd want a vector of pointers, for simplicity and locality. Anyway -- I'm going to give this a week and see if bug 1489572 magically makes this fast enough. Again, the assertion doesn't fix this bug; it just gives us a chance of getting lucky and finding it.
Assignee | ||
Updated•6 years ago
|
Assignee | ||
Updated•6 years ago
|
Comment 19•6 years ago
|
||
Seems unlikely to make it to 64. Jason, what do you think?
Updated•5 years ago
|
status-firefox65:
--- → fix-optional
status-firefox66:
--- → affected
Comment 20•5 years ago
|
||
Anything further to do here or should we call this stalled? (I'll follow up in email.)
Updated•5 years ago
|
Assignee | ||
Comment 21•5 years ago
|
||
Bug 1529607 partly rewrote this code.
If crashes still happen in NameFunction.cpp, it's the same bug, but the signature will change since that resolve()
method is gone.
Updated•5 years ago
|
Updated•5 years ago
|
Updated•5 years ago
|
status-firefox68:
--- → affected
Assignee | ||
Comment 22•5 years ago
|
||
This seems to be fixed in Firefox 67 by the rewrite in bug 1529607.
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → FIXED
Updated•5 years ago
|
Updated•5 years ago
|
Whiteboard: [#jsapi:crashes-retriage] → [#jsapi:crashes-retriage][adv-main67+]
Updated•5 years ago
|
Group: javascript-core-security → core-security-release
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•