Closed Bug 1689500 Opened 2 years ago Closed 2 years ago

Crash in [@ JSRuntime::cloneSelfHostedFunctionScript] called from EvaluateAdminConfigScript()


(Core :: JavaScript Engine, defect, P3)

Windows 10





(Reporter: mccr8, Unassigned)


(Keywords: crash)

Crash Data

Crash report:


Top 10 frames of crashing thread:

0 xul.dll JSRuntime::cloneSelfHostedFunctionScript js/src/vm/SelfHosting.cpp:3269
1 xul.dll static JSFunction::delazifySelfHostedLazyFunction js/src/vm/JSFunction.cpp:1657
2 xul.dll Interpret js/src/vm/Interpreter.cpp:3321
3 xul.dll js::ExecuteKernel js/src/vm/Interpreter.cpp:839
4 xul.dll js::Execute js/src/vm/Interpreter.cpp:871
5 xul.dll JS::Evaluate js/src/vm/CompilationAndEvaluation.cpp:541
6 xul.dll xpc::EvalInSandbox js/xpconnect/src/Sandbox.cpp:2026
7 xul.dll nsXPConnect::EvalInSandboxObject js/xpconnect/src/nsXPConnect.cpp:762
8 xul.dll EvaluateAdminConfigScript extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp:158
9 xul.dll nsReadConfig::openAndEvaluateJSFile extensions/pref/autoconfig/src/nsReadConfig.cpp:291

There are only 9 crashes from a single installation with this signature, but this seems like something that might not be tested very well so it might be worth looking at. We're hitting a null deref. Maybe we're trying to run JS too early? Though if that was the case you'd think that would show up here more often.

Mike, you might be interested in this crash. I'm not sure if anything has changed recently in how these admin scripts are executed.

Flags: needinfo?(mozilla)

Looks like JS is supposed to be initialized at that point, based on a comment near FinishInitializingUserPrefs().

Definitely nothing has changed with this on the Autoconfig side. Could something have changed in JS?

And we do have tests.

I'll run some autoconfig tests next week on nightly to see if anything is broke.

Flags: needinfo?(mozilla)

It has only happened once on Nightly in the last week, from a single installation, so maybe somebody just had something weird going on with how they were running Firefox.

Yeah, I'm wondering if something in their Autoconfig is causing it?

I don't even know where we'd begin to look at it.

I ran some quick tests and Autoconfig is working on nightly, both sandboxed and unsandboxed.

I sure wish we could get in contact with the person seeing the crash...

Ted, sounds like this might be related to an area you investigated recently.

Severity: -- → S3
Flags: needinfo?(tcampbell)
Priority: -- → P3

Code from crash report:

00007ffd`5f8896e0 4157                   push    r15
00007ffd`5f8896e2 4156                   push    r14
00007ffd`5f8896e4 56                     push    rsi
00007ffd`5f8896e5 57                     push    rdi
00007ffd`5f8896e6 53                     push    rbx
00007ffd`5f8896e7 4881ecb0000000         sub     rsp, 0B0h
00007ffd`5f8896ee 4d89ce                 mov     r14, r9
00007ffd`5f8896f1 4889d7                 mov     rdi, rdx
00007ffd`5f8896f4 488b053d79d005         mov     rax, qword ptr [xul!__security_cookie (00007ffd`65591038)]
00007ffd`5f8896fb 4931e0                 xor     r8, rsp   // << Wut?
00007ffd`5f8896fe 48898424a8000000       mov     qword ptr [rsp+0A8h], rax
00007ffd`5f889706 498b10                 mov     rdx, qword ptr [r8]

Actual code from that version:

00000001`801996e0 4157                   push    r15
00000001`801996e2 4156                   push    r14
00000001`801996e4 56                     push    rsi
00000001`801996e5 57                     push    rdi
00000001`801996e6 53                     push    rbx
00000001`801996e7 4881ecb0000000         sub     rsp, 0B0h
00000001`801996ee 4d89ce                 mov     r14, r9
00000001`801996f1 4889d7                 mov     rdi, rdx
00000001`801996f4 488b053d79d005         mov     rax, qword ptr [xul!__security_cookie (00000001`85ea1038)]
00000001`801996fb 4831e0                 xor     rax, rsp   // << normal stack cookie
00000001`801996fe 48898424a8000000       mov     qword ptr [rsp+0A8h], rax
00000001`80199706 498b10                 mov     rdx, qword ptr [r8]

There is a single bit flip in the instruction stream. Either bad memory or bad disk.

Closed: 2 years ago
Flags: needinfo?(tcampbell)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.