Crash in [@ JSRuntime::cloneSelfHostedFunctionScript] called from EvaluateAdminConfigScript()
(Core :: JavaScript Engine, defect, P3)
(Reporter: mccr8, Unassigned)
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/824f9d89-a9a9-4fc7-87ce-aa7380210127
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll JSRuntime::cloneSelfHostedFunctionScript js/src/vm/SelfHosting.cpp:3269
1 xul.dll static JSFunction::delazifySelfHostedLazyFunction js/src/vm/JSFunction.cpp:1657
2 xul.dll Interpret js/src/vm/Interpreter.cpp:3321
3 xul.dll js::ExecuteKernel js/src/vm/Interpreter.cpp:839
4 xul.dll js::Execute js/src/vm/Interpreter.cpp:871
5 xul.dll JS::Evaluate js/src/vm/CompilationAndEvaluation.cpp:541
6 xul.dll xpc::EvalInSandbox js/xpconnect/src/Sandbox.cpp:2026
7 xul.dll nsXPConnect::EvalInSandboxObject js/xpconnect/src/nsXPConnect.cpp:762
8 xul.dll EvaluateAdminConfigScript extensions/pref/autoconfig/src/nsJSConfigTriggers.cpp:158
9 xul.dll nsReadConfig::openAndEvaluateJSFile extensions/pref/autoconfig/src/nsReadConfig.cpp:291
There are only 9 crashes from a single installation with this signature, but this seems like something that might not be tested very well so it might be worth looking at. We're hitting a null deref. Maybe we're trying to run JS too early? Though if that was the case you'd think that would show up here more often.
Comment 1•3 years ago (Reporter)
Mike, you might be interested in this crash. I'm not sure if anything has changed recently in how these admin scripts are executed.
Comment 2•3 years ago (Reporter)
Looks like JS is supposed to be initialized at that point, based on a comment near FinishInitializingUserPrefs().
Comment 3•3 years ago
Definitely nothing has changed with this on the Autoconfig side. Could something have changed in JS?
And we do have tests.
I'll run some autoconfig tests next week on nightly to see if anything is broken.
Comment 4•3 years ago (Reporter)
It has only happened once on Nightly in the last week, from a single installation, so maybe somebody just had something weird going on with how they were running Firefox.
Comment 5•3 years ago
Yeah, I'm wondering if something in their Autoconfig is causing it?
I don't even know where we'd begin to look at it.
I ran some quick tests and Autoconfig is working on nightly, both sandboxed and unsandboxed.
I sure wish we could get in contact with the person seeing the crash...
Comment 6•3 years ago
Ted, sounds like this might be related to an area you investigated recently.
Comment 7•3 years ago
Code from crash report:
xul!JSRuntime::cloneSelfHostedFunctionScript:
00007ffd`5f8896e0 4157 push r15
00007ffd`5f8896e2 4156 push r14
00007ffd`5f8896e4 56 push rsi
00007ffd`5f8896e5 57 push rdi
00007ffd`5f8896e6 53 push rbx
00007ffd`5f8896e7 4881ecb0000000 sub rsp, 0B0h
00007ffd`5f8896ee 4d89ce mov r14, r9
00007ffd`5f8896f1 4889d7 mov rdi, rdx
00007ffd`5f8896f4 488b053d79d005 mov rax, qword ptr [xul!__security_cookie (00007ffd`65591038)]
00007ffd`5f8896fb 4931e0 xor r8, rsp // << Wut?
00007ffd`5f8896fe 48898424a8000000 mov qword ptr [rsp+0A8h], rax
00007ffd`5f889706 498b10 mov rdx, qword ptr [r8]
Actual code from that version:
xul!JSRuntime::cloneSelfHostedFunctionScript:
00000001`801996e0 4157 push r15
00000001`801996e2 4156 push r14
00000001`801996e4 56 push rsi
00000001`801996e5 57 push rdi
00000001`801996e6 53 push rbx
00000001`801996e7 4881ecb0000000 sub rsp, 0B0h
00000001`801996ee 4d89ce mov r14, r9
00000001`801996f1 4889d7 mov rdi, rdx
00000001`801996f4 488b053d79d005 mov rax, qword ptr [xul!__security_cookie (00000001`85ea1038)]
00000001`801996fb 4831e0 xor rax, rsp // << normal stack cookie
00000001`801996fe 48898424a8000000 mov qword ptr [rsp+0A8h], rax
00000001`80199706 498b10 mov rdx, qword ptr [r8]
There is a single bit flip in the instruction stream. Either bad memory or bad disk.
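The diagnosis in comment 7 can be checked mechanically. The script below is an added example, not part of the bug report or of any Mozilla tooling: it takes the two listings quoted above (copied here as constructed input in WinDbg's `address bytes mnemonic operands` layout, which the parser regex assumes), extracts the instruction bytes, XORs the crash-report bytes against the bytes of the shipped build, and decodes the differing byte as an x86-64 REX prefix. The result is one flipped bit, REX.B, which is what turns `xor rax, rsp` (the stack-cookie setup) into `xor r8, rsp`; the next load in the listing is `mov rdx, qword ptr [r8]`, so a clobbered r8 is a plausible source of the access violation. In a real investigation the two byte streams would come from the minidump's memory region and the matching xul.dll on disk rather than from pasted text.

```python
"""Diff two disassembly listings and pinpoint a single-bit code corruption.
Added example (not the page's or Mozilla's code); listings are constructed
from comment 7 of the bug.
"""
import re

# Crash-report disassembly (constructed from comment 7).
CRASH_LISTING = """
xul!JSRuntime::cloneSelfHostedFunctionScript:
00007ffd`5f8896e0 4157 push r15
00007ffd`5f8896e2 4156 push r14
00007ffd`5f8896e4 56 push rsi
00007ffd`5f8896e5 57 push rdi
00007ffd`5f8896e6 53 push rbx
00007ffd`5f8896e7 4881ecb0000000 sub rsp, 0B0h
00007ffd`5f8896ee 4d89ce mov r14, r9
00007ffd`5f8896f1 4889d7 mov rdi, rdx
00007ffd`5f8896f4 488b053d79d005 mov rax, qword ptr [xul!__security_cookie (00007ffd`65591038)]
00007ffd`5f8896fb 4931e0 xor r8, rsp // << Wut?
00007ffd`5f8896fe 48898424a8000000 mov qword ptr [rsp+0A8h], rax
00007ffd`5f889706 498b10 mov rdx, qword ptr [r8]
"""

# Same function in the shipped xul.dll build (constructed from comment 7).
ACTUAL_LISTING = """
xul!JSRuntime::cloneSelfHostedFunctionScript:
00000001`801996e0 4157 push r15
00000001`801996e2 4156 push r14
00000001`801996e4 56 push rsi
00000001`801996e5 57 push rdi
00000001`801996e6 53 push rbx
00000001`801996e7 4881ecb0000000 sub rsp, 0B0h
00000001`801996ee 4d89ce mov r14, r9
00000001`801996f1 4889d7 mov rdi, rdx
00000001`801996f4 488b053d79d005 mov rax, qword ptr [xul!__security_cookie (00000001`85ea1038)]
00000001`801996fb 4831e0 xor rax, rsp // << normal stack cookie
00000001`801996fe 48898424a8000000 mov qword ptr [rsp+0A8h], rax
00000001`80199706 498b10 mov rdx, qword ptr [r8]
"""

# WinDbg-style line: <hi>`<lo> <hex bytes> <mnemonic> <operands...>
LINE_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s+([0-9a-f]+)\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Return [(bytes, mnemonic, operands)] for each instruction line; headers are skipped."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hexbytes, mnem, ops = m.groups()
        ops = ops.split("//")[0].strip()  # drop trailing annotations
        insns.append((bytes.fromhex(hexbytes), mnem, ops))
    return insns

def code_bytes(insns):
    return b"".join(b for b, _, _ in insns)

def bit_flips(a, b):
    """All (byte_index, bit_number) positions where a and b differ; lengths must match."""
    if len(a) != len(b):
        raise ValueError("listings cover different byte counts")
    return [(i, bit) for i, (x, y) in enumerate(zip(a, b))
            for bit in range(8) if (x ^ y) & (1 << bit)]

def locate(insns, byte_index):
    """Map a flat byte offset back to (instruction index, offset within that instruction)."""
    base = 0
    for idx, (b, _, _) in enumerate(insns):
        if byte_index < base + len(b):
            return idx, byte_index - base
        base += len(b)
    raise IndexError(byte_index)

REX_FLAGS = {3: "W", 2: "R", 1: "X", 0: "B"}  # bit position -> REX flag name

def decode_rex(byte):
    """Flag names set in an x86-64 REX prefix (0x40..0x4F), or None if not a REX byte."""
    if byte & 0xF0 != 0x40:
        return None
    return frozenset(name for bit, name in REX_FLAGS.items() if byte & (1 << bit))

def analyse(crash_text, actual_text):
    """Report every differing bit, annotated with the instruction it lives in."""
    crash, actual = parse_listing(crash_text), parse_listing(actual_text)
    flips = bit_flips(code_bytes(crash), code_bytes(actual))
    report = {"flip_count": len(flips), "flips": []}
    for byte_index, bit in flips:
        idx, off = locate(actual, byte_index)
        c_bytes, c_mnem, c_ops = crash[idx]
        a_bytes, a_mnem, a_ops = actual[idx]
        entry = {"insn": idx, "offset_in_insn": off, "bit": bit,
                 "actual": f"{a_bytes.hex()} {a_mnem} {a_ops}",
                 "crash": f"{c_bytes.hex()} {c_mnem} {c_ops}",
                 "rex_flag_changed": None}
        a_rex, c_rex = decode_rex(a_bytes[off]), decode_rex(c_bytes[off])
        if off == 0 and a_rex is not None and c_rex is not None:
            entry["rex_flag_changed"] = "".join(sorted(a_rex ^ c_rex))
        report["flips"].append(entry)
    return report

if __name__ == "__main__":
    r = analyse(CRASH_LISTING, ACTUAL_LISTING)
    print(f"{r['flip_count']} differing bit(s)")
    for f in r["flips"]:
        print(f"  insn {f['insn']} byte {f['offset_in_insn']} bit {f['bit']}: "
              f"{f['actual']!r} -> {f['crash']!r} (REX.{f['rex_flag_changed']})")
```

REX.B extends the ModRM r/m field, so with the same ModRM byte (0xE0) the destination changes from rax to r8 while the rest of the instruction is untouched, which is why the disassembler shows an otherwise sensible instruction rather than junk. A flip count of exactly one, landing in a prefix byte, is the pattern to expect from a hardware or storage fault rather than from a tampered binary, where you would normally see multi-byte changes.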