Closed Bug 1470949 Opened 6 years ago Closed 6 years ago

Crash in static class js::NativeObject* CallTraceHook<T>

Categories

(Core :: JavaScript: GC, defect)

x86
Windows 7
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 719114
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- wontfix
firefox62 --- fix-optional
firefox63 --- fix-optional

People

(Reporter: marcia, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is
report bp-68ebbc7e-3473-4556-8e68-98e9a0180625.
=============================================================

Seen while looking at 61 RC crash stats - it appears as if the crash is growing in the RC: https://bit.ly/2tqiyzc. Most of the crashes are EXCEPTION_ACCESS_VIOLATION_READ or EXCEPTION_ILLEGAL_INSTRUCTION.

Top 10 frames of crashing thread:

0 xul.dll static class js::NativeObject* CallTraceHook<TraverseObjectFunctor, js::GCMarker*, JSObject*&> js/src/gc/Marking.cpp:1572
1 xul.dll js::GCMarker::processMarkStackTop js/src/gc/Marking.cpp:1833
2 xul.dll js::GCMarker::drainMarkStack js/src/gc/Marking.cpp:1651
3 xul.dll js::gc::GCRuntime::drainMarkStack js/src/gc/GC.cpp:5903
4 xul.dll js::gc::GCRuntime::incrementalCollectSlice js/src/gc/GC.cpp:7116
5 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7478
6 xul.dll js::gc::GCRuntime::collect js/src/gc/GC.cpp:7621
7 xul.dll js::gc::GCRuntime::gcSlice js/src/gc/GC.cpp:7710
8 xul.dll nsJSContext::GarbageCollectNow dom/base/nsJSEnvironment.cpp:1208
9 xul.dll InterSliceGCRunnerFired dom/base/nsJSEnvironment.cpp:1817

=============================================================
Hey Jon, does this stack tell you anything interesting?
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(jcoppeard)
This looks like heap corruption.  We're crashing when we access either the group of a JSObject or the class pointer stored in the group (I can't tell because of inlining).  We're getting invalid pointers that are zero or close to zero.  May be UAF although seeing the poison value is rare.  No smoking gun.
Blocks: GCCrashes
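The triage reasoning in the comment above (a near-zero crash address from reading the group pointer or the class pointer it holds, and why a use-after-free only shows a poison value in the rare case where the freed cell has not yet been reused) can be made concrete with a small model. The following is an added example written for this page; it is not code from the bug, from Socorro or from SpiderMonkey. The `Object`/`Group`/`Class` structs, the `POISON_BYTE` fill value, the `NULLISH_LIMIT` cut-off and the mock allocator are all constructed assumptions for the example and are not the engine's real layouts or poison patterns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two-level layout the comment refers to: an
 * object holds a pointer to its group, and the group holds the class pointer.
 * These are mock structs for this example, not SpiderMonkey's real layouts. */
typedef struct Class  { const char *name; } Class;
typedef struct Group  { uintptr_t flags; const Class *clasp; } Group;
typedef struct Object { uintptr_t shape; uintptr_t slots; Group *group; } Object;

/* Assumed fill byte written over freed cells by the mock allocator below.
 * Not a claim about the poison values SpiderMonkey actually uses. */
#define POISON_BYTE 0xDA
/* Assumed cut-off for "zero or close to zero": a null base pointer plus a
 * field offset lands below this, which is what dereferencing a null object
 * or group pointer produces. */
#define NULLISH_LIMIT ((uintptr_t)4096)

enum PtrKind { PTR_PLAUSIBLE, PTR_NULLISH, PTR_POISONED };

/* The poison pattern as a whole pointer-sized word (portable to 32/64-bit). */
static uintptr_t poison_word(void) {
    uintptr_t w;
    memset(&w, POISON_BYTE, sizeof w);
    return w;
}

/* Classify a raw pointer value the way a triager reads a crash address. */
enum PtrKind classify_pointer(uintptr_t p) {
    if (p < NULLISH_LIMIT) return PTR_NULLISH;
    if (p == poison_word()) return PTR_POISONED;
    return PTR_PLAUSIBLE;
}

/* Map a near-zero faulting address back to the load that produced it: a null
 * object pointer faults at offsetof(Object, group), a null group pointer
 * faults at offsetof(Group, clasp). Inlining hides which load it was in the
 * stack, but the fault address still tells them apart when the offsets differ. */
const char *which_load(uintptr_t fault_addr) {
    if (fault_addr == offsetof(Object, group)) return "obj->group";
    if (fault_addr == offsetof(Group, clasp))  return "group->clasp";
    return "unknown";
}

/* Read the clasp word out of whatever obj->group points at, as raw bytes,
 * so a poisoned cell can be inspected without dereferencing a bad pointer. */
static uintptr_t raw_clasp_word(const Object *obj) {
    uintptr_t raw;
    memcpy(&raw, &obj->group->clasp, sizeof raw);
    return raw;
}

/* Mock allocator: one static Group cell. Freeing poisons it; "recycling"
 * models a later allocation zeroing the cell before a stale user reads it. */
static Group cell;
static Group *mock_alloc_group(const Class *c) { memset(&cell, 0, sizeof cell); cell.clasp = c; return &cell; }
static void   mock_free_group(Group *g)        { memset(g, POISON_BYTE, sizeof *g); }
static void   mock_recycle_group(Group *g)     { memset(g, 0, sizeof *g); }

static const Class kPlainClass = { "Object" };

/* Scenario 1: the object's group pointer is null. The clasp load would touch
 * address offsetof(Group, clasp): a tiny, non-zero crash address. */
uintptr_t scenario_null_group_fault_addr(void) {
    Object obj = { 0, 0, NULL };
    return (uintptr_t)obj.group + offsetof(Group, clasp);
}

/* Scenario 2: use-after-free with poisoning. The group is freed while the
 * object still references it, so obj->group reads fine but the clasp word is
 * the poison pattern. This is the rare case where the poison value is seen. */
enum PtrKind scenario_uaf_poisoned(void) {
    Object obj = { 0, 0, mock_alloc_group(&kPlainClass) };
    mock_free_group(obj.group);
    return classify_pointer(raw_clasp_word(&obj));
}

/* Scenario 3: the same use-after-free, but the freed cell was reused and
 * zeroed before the stale object was traced. The clasp word is now 0, which a
 * crash report cannot distinguish from a plain null pointer: no smoking gun. */
enum PtrKind scenario_uaf_recycled(void) {
    Object obj = { 0, 0, mock_alloc_group(&kPlainClass) };
    mock_free_group(obj.group);
    mock_recycle_group(obj.group);
    return classify_pointer(raw_clasp_word(&obj));
}

int main(void) {
    uintptr_t fa = scenario_null_group_fault_addr();
    printf("null group   -> fault at %#lx (%s)\n", (unsigned long)fa, which_load(fa));
    printf("UAF poisoned -> kind %d\n", (int)scenario_uaf_poisoned());
    printf("UAF recycled -> kind %d\n", (int)scenario_uaf_recycled());
    return 0;
}
```

The point of scenarios 2 and 3 is the one the comment makes: a poisoned freed cell yields a recognisable pattern in the crash address, but once the cell has been handed out again the same use-after-free reads as zero or near zero, so a cluster of near-zero EXCEPTION_ACCESS_VIOLATION_READ addresses is consistent with either a plain null pointer or a UAF whose cell was recycled.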
May be security sensitive, hiding the bug. 
We'd like to keep an eye on the crashes as 61 rolls out.
Group: javascript-core-security
This could just be a variant of bug 719114 (processMarkStackTop) where CallTraceHook didn't get inlined for whatever reason.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(jcoppeard)