Closed Bug 1530672 Opened 7 years ago Closed 7 years ago

Crash in [@ js::UncheckedUnwrapWithoutExpose]

Categories

(Core :: JavaScript Engine, defect)

Unspecified
Windows 10
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1530364
Tracking Status
firefox-esr60 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed

People

(Reporter: marcia, Unassigned)

Details

(5 keywords, Whiteboard: [adv-main67-])

Crash Data

This bug is for crash report bp-b8fdb95d-61e4-412a-8511-b82aa0190226.

Seen while looking at nightly crash stats: https://bit.ly/2GMNphD, and picked up in the crash spike report. Crashes started spiking slightly on 67 nightly using Build 20190223041557. There are crashes on 65.0.1, but the nightly volume is the same as release volume.

Windows and Android are affected, and the crash reason for the Windows crashes is all the same: EXCEPTION_ACCESS_VIOLATION_READ.

Top 10 frames of crashing thread:

0 xul.dll js::UncheckedUnwrapWithoutExpose js/src/proxy/Wrapper.cpp:323
1 xul.dll bool js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JSObject*> >::keyNeedsMark js/src/gc/WeakMap-inl.h:184
2 xul.dll bool js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JSObject*> >::markIteratively js/src/gc/WeakMap-inl.h:153
3 xul.dll xpc::TraceXPCGlobal js/xpconnect/src/nsXPConnect.cpp:421
4 xul.dll js::GCMarker::processMarkStackTop js/src/gc/Marking.cpp:1796
5 xul.dll js::GCMarker::markUntilBudgetExhausted js/src/gc/Marking.cpp:1598
6 xul.dll js::gc::GCRuntime::incrementalSlice js/src/gc/GC.cpp:6977
7 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7373
8 xul.dll js::gc::GCRuntime::collect js/src/gc/GC.cpp:7543
9 xul.dll JS::IncrementalGCSlice js/src/gc/GC.cpp:8491

Looks like a null pointer deref while trying to get the delegate. Do we allow weakmap keys to be null? It seems we assume they are not but I can't see anything stopping you from adding one. Filed bug 1531035 to address this.

Lots of these crashes are wild pointers, and at least one is a clear UAF in 65: https://crash-stats.mozilla.com/report/index/fffc06b4-11dc-4f26-b837-5a16b0190210
Low volume overall; small bump in 67.

Group: core-security
Group: core-security → javascript-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE

Looks like this was fixed in 67 beta.

Whiteboard: [adv-main67-]

This crash signature reappeared recently in nightly 69, and it could be related to the bug 1167452 fix.
:sfink, could you have a look please?

Flags: needinfo?(sphink)

My bad, I missed that the bug is closed.

Flags: needinfo?(sphink)
Group: javascript-core-security