Closed Bug 1509986 Opened 6 years ago Closed 5 years ago

[meta] Write barrier crash in ~XPCWrappedJS

Categories

(Core :: XPConnect, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking


RESOLVED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- wontfix
firefox65 --- fixed
firefox66 --- fixed

People

(Reporter: mccr8, Assigned: jandem)

References

Details

(Keywords: meta, sec-other, Whiteboard: [post-critsmash-triage][adv-main65-])

No description provided.
Oops, I clicked submit too soon. jonco has a possible patch for this in bug 1508102, but I think it makes sense to have a central bug to track these, as they are showing up all over the place on TreeHerder.
Depends on: 1508102
Keywords: meta
Summary: write barrier crash in ~XPCWrappedJS → Write barrier crash in ~XPCWrappedJS
Depends on: 1501413, 1503226
sfink posted this in bug 1503226:

(In reply to Steve Fink [:sfink] [:s:] from comment #10)
> I looked at this a little. The likely field involved would be mJSObjGlobal,
> a Heap<JSObject*> in nsXPCWrappedJS:
> https://searchfox.org/mozilla-central/source/js/xpconnect/src/xpcprivate.h#1939
> 
> The JSObject* in question would appear to be 0xcf600000 (the crash is when
> we do some masking to access its chunk's trailer). That seems like an
> unlikely address. Duplicate bugs' crash addresses are
> 
>   0x7fb363fffff0
>   0x7f2b311ffff0
>   0x0
>   0xd0cffff8
> 
> The first two seem plausible, the nullptr made it through to accessing a
> StoreBuffer perhaps because we happened to hit readable memory that
> contained 0x0, and the last one is similar to this one.
> 
> So sticking to the 0xcf600000 one, it seems like the field was corrupt by
> the time it was destroyed.
> 
> I don't know enough about the lifecycle of nsXPCWrappedJS, I guess. needinfo
> mccr8.
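Added illustration (editor's note; this is not one of the bug's comments, and it is not code from mozilla-central): a small C++ model of the pointer arithmetic sfink is describing, i.e. a barrier on a Heap<JSObject*> field masking the stored value down to its chunk base and then reading the trailer kept at the end of that chunk. The 1 MiB chunk size, the trailer layout, the `model::Heap` class and every function name below are assumptions of the model chosen to show the shape of the computation, not SpiderMonkey's real definitions. The field values fed to it (0xcf600000 and 0x0) are copied from the comment above and are treated as constructed inputs, not live pointers.

```cpp
// Added example, not code from bug 1509986 or from mozilla-central. It models
// how a GC write barrier on a Heap<JSObject*> field locates the chunk trailer:
// mask the pointer to its chunk base, then read the trailer at the chunk's end.
// Chunk size, alignment and trailer layout are assumptions of this model.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <set>
#include <vector>

namespace model {

constexpr uint64_t ChunkShift = 20;                          // assumed 1 MiB chunks
constexpr uint64_t ChunkSize  = uint64_t(1) << ChunkShift;
constexpr uint64_t ChunkMask  = ChunkSize - 1;

// Assumed trailer: the last bytes of each chunk record who owns it.
struct ChunkTrailer {
  uint64_t storeBuffer;   // model: non-zero only for nursery chunks
  uint64_t runtime;       // model: owning runtime id
};
constexpr uint64_t TrailerOffset = ChunkSize - sizeof(ChunkTrailer);

// Pure address arithmetic; usable on values copied out of a crash report.
constexpr uint64_t chunkBase(uint64_t cell)      { return cell & ~ChunkMask; }
constexpr uint64_t trailerAddress(uint64_t cell) { return chunkBase(cell) + TrailerOffset; }

// A tiny heap that hands out real, size-aligned chunks so the masking works.
class Heap {
 public:
  enum class Verdict { Tenured, Nursery, NotAChunk };

  ~Heap() { for (void* raw : raws_) std::free(raw); }

  // Allocate one chunk (over-allocate, align by hand), stamp its trailer,
  // and return its base, or nullptr on allocation failure.
  uint8_t* allocChunk(bool nursery) {
    void* raw = std::malloc(2 * ChunkSize);
    if (!raw) return nullptr;
    uint64_t base = (reinterpret_cast<uint64_t>(raw) + ChunkMask) & ~ChunkMask;
    auto* t = reinterpret_cast<ChunkTrailer*>(base + TrailerOffset);
    t->storeBuffer = nursery ? 0x1 : 0;
    t->runtime = 0xABCD;
    raws_.push_back(raw);
    chunks_.insert(base);
    return reinterpret_cast<uint8_t*>(base);
  }

  // What the barrier does on the hot path: mask and dereference, no validation.
  // Given a corrupted field value, this is the access that faults.
  static bool uncheckedIsNursery(const void* cell) {
    uint64_t addr = trailerAddress(reinterpret_cast<uint64_t>(cell));
    return reinterpret_cast<const ChunkTrailer*>(addr)->storeBuffer != 0;
  }

  // Diagnostic variant: only dereference trailers of chunks this heap owns.
  Verdict checkedLookup(uint64_t cell) const {
    uint64_t base = chunkBase(cell);
    if (!chunks_.count(base)) return Verdict::NotAChunk;
    auto* t = reinterpret_cast<const ChunkTrailer*>(base + TrailerOffset);
    return t->storeBuffer ? Verdict::Nursery : Verdict::Tenured;
  }

 private:
  std::vector<void*> raws_;
  std::set<uint64_t> chunks_;
};

}  // namespace model

int main() {
  model::Heap heap;
  uint8_t* nursery = heap.allocChunk(true);
  uint8_t* tenured = heap.allocChunk(false);
  if (!nursery || !tenured) return 1;

  // Live cells resolve through both paths.
  uint64_t live = reinterpret_cast<uint64_t>(nursery) + 0x1234;
  std::printf("live nursery cell: unchecked=%d checked=%d\n",
              model::Heap::uncheckedIsNursery(reinterpret_cast<const void*>(live)),
              static_cast<int>(heap.checkedLookup(live)));
  std::printf("live tenured cell: checked=%d\n",
              static_cast<int>(heap.checkedLookup(reinterpret_cast<uint64_t>(tenured) + 64)));

  // Field values quoted in the bug (constructed inputs here, not live pointers):
  // the trailer address is what the unchecked path would touch.
  const uint64_t suspects[] = {0xcf600000ULL, 0x0ULL};
  for (uint64_t s : suspects) {
    std::printf("field=0x%llx -> chunk=0x%llx trailer=0x%llx %s\n",
                (unsigned long long)s, (unsigned long long)model::chunkBase(s),
                (unsigned long long)model::trailerAddress(s),
                heap.checkedLookup(s) == model::Heap::Verdict::NotAChunk ? "(no such chunk)" : "");
  }
  return 0;
}
```

The checked lookup is a triage aid (the same arithmetic can be run by hand against a minidump's chunk list), not something a production barrier could afford on every store. The point of the model is that the unchecked path trusts the field value completely, so a field that was already corrupt when ~nsXPCWrappedJS ran is only noticed when the computed trailer address turns out to be unmapped.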
bug 1508102 has a patch and a security rating, so I guess this can be sec-other for now until we see if that fixes it.
Keywords: sec-other
Depends on: 1506749
Depends on: 1511580
Depends on: 1509502
Depends on: 1508618
Fixed by bug 1480121.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Assignee: nobody → jdemooij
Target Milestone: --- → mozilla66
Group: dom-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65-]
Group: core-security-release
Summary: Write barrier crash in ~XPCWrappedJS → [meta] Write barrier crash in ~XPCWrappedJS