Closed Bug 1736171 Opened 3 years ago Closed 3 years ago

Crash in [@ abort | abort_noreturn | w2c_FileMgr__getline_std____2__basic_string_char__std____2__char_traits_char___std____2__allocator_char_____]

Categories: Core :: Spelling checker, defect
Platform: x86, Windows
Tracking: RESOLVED FIXED, 95 Branch
Tracking Status:
firefox-esr78 --- unaffected
firefox-esr91 --- unaffected
firefox93 --- unaffected
firefox94 --- unaffected
firefox95 --- fixed
People: Reporter: aryx, Assigned: shravanrn
References: Regression
Details: Keywords: crash, regression
Crash Data
Attachments: 1 file

20 crashes from 6 installations so far, all with 32-bit builds on Windows and 50% of crashes in the first 5 minutes after the application had been launched. Bug 1733686 will be reverted.

Crash report: https://crash-stats.mozilla.org/report/index/ee6366e7-7a6b-4f7f-8c60-e7fb10211016

Reason: STATUS_STACK_BUFFER_OVERRUN / FAST_FAIL_FATAL_APP_EXIT

Top 10 frames of crashing thread:

0 ucrtbase.dll abort 
1 xul.dll abort_noreturn intl/icu/source/i18n/double-conversion-utils.h:62
2 xul.dll w2c_FileMgr__getline_std____2__basic_string_char__std____2__char_traits_char___std____2__allocator_char_____ security/rlbox/rlbox.wasm.c:33605
3 xul.dll w2c_HashMgr__load_tables_char_const___char_const__ security/rlbox/rlbox.wasm.c:82482
4 xul.dll w2c_HashMgr__HashMgr_char_const___char_const___char_const__ security/rlbox/rlbox.wasm.c:81522
5 xul.dll w2c_HunspellImpl__HunspellImpl_char_const___char_const___char_const__ security/rlbox/rlbox.wasm.c:91292
6 xul.dll w2c_Hunspell_create security/rlbox/rlbox.wasm.c:109539
7 xul.dll RLBoxHunspell::RLBoxHunspell extensions/spellcheck/hunspell/glue/RLBoxHunspell.cpp:85
8 xul.dll mozHunspell::SetDictionary extensions/spellcheck/hunspell/glue/mozHunspell.cpp:189
9 xul.dll mozSpellChecker::SetCurrentDictionary extensions/spellcheck/src/mozSpellChecker.cpp:447
Flags: needinfo?(shravanrn)
Depends on: 1737703

Now that we've got better crash diagnostics, we're temporarily re-enabling the hunspell sandbox again for one cycle in bug 1738095.

Blocks: 1737704

Submitting a patch shortly

Flags: needinfo?(shravanrn)
Assignee: nobody → shravanrn
Status: NEW → ASSIGNED

Bug - the wasm sandbox would crash when sandboxing hunspell in 32-bit environments, when spell checking with words in the Russian dictionary.

Source of the bug - the 32-bit wasm library sandbox environment uses masking to restrict access to memory. The mask should restrict all memory accesses to the memory reserved for the sandbox heap to ensure we can't access memory outside the sandbox. Thus, if the accessible memory is 16MB, the "accessible memory" mask should be set to 16MB-1. Because this was configured in separate parts of the code base, the values were not consistently set. Instead the accessible memory mask was set to 8MB-1, leaving the top part of memory inaccessible --- when the top part of memory was accessed, it would end up randomly corrupting something in the bottom half of memory.

Affected environments - In 32-bit envs, spell checking in English does not appear to use more than half the memory in the sandbox, while the Russian dictionary spell check needed to use the upper part of memory also. Using the upper memory happened to corrupt the callback index to the getline function. Thus the former machines were not affected, while the latter machines are affected by this bug.

The patch above fixes this.
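The failure mode described in the comment above, as an added example that is not code from this bug, from wasm2c or from Firefox: a hypothetical model of a masking-based 32-bit sandbox heap. Every sandbox address is ANDed with a mask before indexing the heap, so a mask of 8MB-1 on a 16MB heap does not fault on top-half accesses but folds them onto the bottom half, where they overwrite whatever lives there (here, a value standing in for the getline callback index). The `sandbox_mask_consistent` check is the invariant a practitioner would want asserted wherever heap size and mask are configured separately. All names, sizes and the "callback slot" address are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical model of a masking-based sandbox heap (example code, not
 * wasm2c's or Firefox's own). Every address the sandboxed code produces is
 * ANDed with a mask before it indexes the heap; the heap never faults, so the
 * mask alone decides which host bytes an access reaches. */

#define MIB (1u << 20)

typedef struct {
    uint8_t *base;   /* committed host memory reserved for the sandbox heap */
    uint32_t size;   /* bytes reserved; must be a power of two */
    uint32_t mask;   /* applied to every sandbox address; must equal size - 1 */
} sandbox_heap_t;

/* Invariant to assert wherever size and mask are configured separately:
 * size is a power of two and mask is exactly size - 1. A smaller mask does
 * not block the top of the heap, it aliases it onto the bottom. */
bool sandbox_mask_consistent(uint32_t size, uint32_t mask) {
    if (size == 0 || (size & (size - 1)) != 0) return false;
    return mask == size - 1;
}

/* Translate a sandbox address to a host pointer purely by masking. */
static uint8_t *sandbox_ptr(const sandbox_heap_t *h, uint32_t addr) {
    return h->base + (addr & h->mask);
}

void sandbox_store32(sandbox_heap_t *h, uint32_t addr, uint32_t v) {
    memcpy(sandbox_ptr(h, addr), &v, sizeof v);
}

uint32_t sandbox_load32(const sandbox_heap_t *h, uint32_t addr) {
    uint32_t v;
    memcpy(&v, sandbox_ptr(h, addr), sizeof v);
    return v;
}

/* Store a stand-in "callback index" low in the heap, then write dictionary
 * data at upper_addr, and return the callback index as read back afterwards.
 * With mask == size - 1 the two writes are independent; with the mismatched
 * 8MB-1 mask on a 16MB heap the upper write lands on the callback slot. */
uint32_t simulate(uint32_t size, uint32_t mask, uint32_t callback_slot,
                  uint32_t upper_addr, uint32_t upper_value) {
    sandbox_heap_t h;
    h.base = calloc(size, 1);
    if (h.base == NULL) abort();
    h.size = size;
    h.mask = mask;
    sandbox_store32(&h, callback_slot, 7);         /* assumed: index of getline */
    sandbox_store32(&h, upper_addr, upper_value);  /* assumed: data in top half */
    uint32_t got = sandbox_load32(&h, callback_slot);
    free(h.base);
    return got;
}

int main(void) {
    uint32_t slot = 0x1000;                 /* assumed callback-table location */
    uint32_t upper = 8 * MIB + 0x1000;      /* same offset, top half of 16MB */
    printf("consistent(16MB, 16MB-1) = %d\n",
           sandbox_mask_consistent(16 * MIB, 16 * MIB - 1));
    printf("consistent(16MB, 8MB-1)  = %d\n",
           sandbox_mask_consistent(16 * MIB, 8 * MIB - 1));
    printf("callback with correct mask: %u\n",
           simulate(16 * MIB, 16 * MIB - 1, slot, upper, 0xDEADBEEFu));
    printf("callback with 8MB-1 mask:  0x%x\n",
           simulate(16 * MIB, 8 * MIB - 1, slot, upper, 0xDEADBEEFu));
    return 0;
}
```

The aliasing is silent: no guard page is hit and no fault is raised, which is why the symptom surfaces later and elsewhere (an abort in getline once the corrupted callback index is used) rather than at the offending write. That is the argument for checking the size/mask pair at configuration time rather than relying on a crash to reveal the mismatch.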

Pushed by bholley@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ec54c35cb3bd Update wasm2c fork to fix hunspell crash when accessing top half of heap r=bholley
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
Has Regression Range: --- → yes
Blocks: 1758626