Closed Bug 1459932 Opened 6 years ago Closed 5 years ago

Crash in NameResolver::resolve

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Version:
60 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed
firefox68 --- fixed

People

(Reporter: marcia, Assigned: jorendorff)

References

Details

(4 keywords, Whiteboard: [#jsapi:crashes-retriage][adv-main67+])

Crash Data

Attachments

(1 file, 3 obsolete files)

Add assertions that all parse nodes visited in NameFunctions are in the parser's allocator
9.08 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review 
This bug was filed from the Socorro interface and is
report bp-3d6d00d9-8526-4d8c-86e5-c97e70180505.
=============================================================

Seen while looking at Android crash stats - this crash appears in the Fennec 60 rc: https://bit.ly/2HWL8Bb. This crash is also present in 59. 67 crashes/31 installs so far on RC - on 59.0.2 we have 241 crashes/112 installs in a 7 day period.

Correlation shows (90.05% in signature vs 01.16% overall) Module "linker64" = true, although not sure if that means anything.

APIs from 23-27 are affected. 

Top 1 frames of crashing thread:

0 libxul.so NameResolver::resolve js/public/RootingAPI.h:942

=============================================================
2 website in the comments. Steve, can you take a look?
Flags: needinfo?(sdetar)
all wildptr crashes
Group: core-security
Keywords: csectype-wildptr, sec-high
Group: core-security → javascript-core-security
Putting this in our crash triage queue.
Whiteboard: [#jsapi:crashes-retriage]
Removing my needinfo since Jan put this bug in our crash triage queue where it will be looked into in more detail soon.
Flags: needinfo?(sdetar)
Priority: -- → P1
When looking at other variations of the same signature, I see other platforms crashing too.
Crash Signature: [@ NameResolver::resolve] → [@ NameResolver::resolve] [@ 0x0 | NameResolver::resolve] [@ (anonymous namespace)::NameResolver::resolve] [@ `anonymous namespace'::NameResolver::resolve] [@ static bool `anonymous namespace'::NameResolver::resolve]
OS: Android → Unspecified
Crash Signature: [@ NameResolver::resolve] [@ 0x0 | NameResolver::resolve] [@ (anonymous namespace)::NameResolver::resolve] [@ `anonymous namespace'::NameResolver::resolve] [@ static bool `anonymous namespace'::NameResolver::resolve] → [@ NameResolver::resolve] [@ @0x0 | NameResolver::resolve] [@ (anonymous namespace)::NameResolver::resolve] [@ `anonymous namespace'::NameResolver::resolve] [@ static bool `anonymous namespace'::NameResolver::resolve]
These crashes seem to have a number of resolve calls on the stack (expected) before either |cur| is garbage or the RootedAtom::stack pointer gets stomped.

The actual crash location varies, but the second last crash is typically [1] and this is the last time |cur| is current so I'd paint the bullseye here. It isn't clear from the crashes which of these cases is failing here.

[1] https://hg.mozilla.org/releases/mozilla-beta/annotate/106b1066bb3fb6a4821a8da52cc913846149928a/js/src/frontend/NameFunctions.cpp#l444
Jason, these crashes seem to stem from [1]. Can you add a release assert or otherwise track down what's going off the rails?

[1] https://hg.mozilla.org/releases/mozilla-beta/annotate/106b1066bb3fb6a4821a8da52cc913846149928a/js/src/frontend/NameFunctions.cpp#l444
Flags: needinfo?(jorendorff)
3 months with a NI for a release assert to be added...  bumping
Flags: needinfo?(sdetar)
Jason, any updates on adding the release assert Ted suggested?
Flags: needinfo?(sdetar)
Comment on attachment 9005507 [details] [diff] [review]
Add assertions that all parse nodes visited in NameFunctions are in the parser's allocator

Review of attachment 9005507 [details] [diff] [review]:
-----------------------------------------------------------------

Fuzzy logic here, but I like it.
Attachment #9005507 - Flags: review?(tcampbell) → review+
Attachment #9005507 - Attachment is obsolete: true
This adds one release-mode assertion in NameResolver::resolve(), but most of
the work is plumbing for a new debug-only assertion (for the fuzzers).
Attachment #9005626 - Attachment is obsolete: true
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
This adds one release-mode assertion in NameResolver::resolve(), but most of
the work is plumbing for a new debug-only assertion (for the fuzzers).
Attachment #9005628 - Attachment is obsolete: true
Comment on attachment 9005629 [details] [diff] [review]
Add assertions that all parse nodes visited in NameFunctions are in the parser's allocator

Carrying Jeff's review forward.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

    The patch does not fix a bug, it just adds assertions. It is unlikely
    an exploit could be constructed based on this.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

    They point out a place in the code where we do have crashes.
    But it isn't clear (even to us) what the bug is or how to trigger it.

Which older supported branches are affected by this flaw?

    All.

How likely is this patch to cause regressions; how much testing does it need?

    Normal testing will suffice.

    Most likely regression: the new MOZ_RELEASE_ASSERT in this patch is
    not sound, hits way more than expected in practice, and has to be backed
    out. This is not likely.
Flags: needinfo?(jorendorff)
Attachment #9005629 - Flags: sec-approval?
Attachment #9005629 - Flags: review+
Comment on attachment 9005629 [details] [diff] [review]
Add assertions that all parse nodes visited in NameFunctions are in the parser's allocator

Clearing sec-approval. The DEBUG-only assertion calling alloc.contains() is too slow. I need to fix that and get review again.
Attachment #9005629 - Flags: sec-approval?
Flags: needinfo?(jorendorff)
Bug 1489572 might make LifoAlloc::contains fast enough that this assertion can land. If that's not enough, or if the patches there can't land, I can add DEBUG-only bookkeeping to LifoAlloc. nbp suggested a SplayTree. But post-1489572, if there are at most ~50 regions per LifoAlloc, a SplayTree would be overkill; we'd want a vector of pointers, for simplicity and locality.

Anyway -- I'm going to give this a week and see if bug 1489572 magically makes this fast enough.

Again, the assertion doesn't fix this bug; it just gives us a chance of getting lucky and finding it.
Seems unlikely to make it to 64. Jason, what do you think?

Anything further to do here or should we call this stalled? (I'll follow up in email.)

Bug 1529607 partly rewrote this code.

If crashes still happen in NameFunction.cpp, it's the same bug, but the signature will change since that resolve() method is gone.

This seems to be fixed in Firefox 67 by the rewrite in bug 1529607.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → FIXED
Whiteboard: [#jsapi:crashes-retriage] → [#jsapi:crashes-retriage][adv-main67+]
Group: javascript-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: