Closed Bug 451829 Opened 16 years ago Closed 16 years ago

[TM] Random crash in jit-generated code

Categories

(Core :: JavaScript Engine, defect)

x86
Windows Vista
defect
Not set
critical


VERIFIED WORKSFORME

People

(Reporter: syskin2, Unassigned)


Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1a2pre) Gecko/20080822033426 Firefox/3.1a2pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1a2pre) Gecko/20080822033426 Minefield/3.1a2pre

This webpage causes a crash in what appears to be jit-generated code

Reproducible: Always

Steps to Reproduce:
1. Set javascript.options.jit.content = true
2. Visit http://news.ninemsn.com.au/article.aspx?id=619145

Actual Results:
Random crash

Stack trace seems different every time, and at least on one occasion it seemed to contain non-executable (uninitialized?) junk.

On one occasion DEP detected there was a jump to non-executable page.

Might be exploitable.

I will paste some stack traces.

Breakpad remains silent for some reason.

Crash reading from NULL:

	js3250.dll!TraceRecorder::ifop()  Line 2378	C++
	js3250.dll!js_Interpret(JSContext * cx=0x06016400)  + 0x4b8bd bytes	C++
	js3250.dll!js_Execute(JSContext * cx=0x00000000, JSObject * chain=0x04c79a20, JSScript * script=0x05da2000, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x00000000)  Line 1550	C++
	js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x06016400, JSObject * obj=0x04c79a20, JSPrincipals * principals=0x065fcb04, const unsigned short * chars=0x05d6f008, unsigned int length=44250, const char * filename=0x074fbbe8, unsigned int lineno=1, long * rval=0x00000000)  Line 5054 + 0x13 bytes	C++
	xul.dll!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x04c79a20, nsIPrincipal * aPrincipal=0x065fcb00, const char * aURL=0x074fbbe8, unsigned int aLineNo=1, unsigned int aVersion=0, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x0034f3a0)  Line 1540 + 0x3d bytes	C++
	xul.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x00000000, const nsString & aScript={...})  Line 594 + 0x4f bytes	C++
	xul.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest=0x00000000)  Line 504 + 0x9 bytes	C++
	xul.dll!nsCOMArray_base::RemoveObject(nsISupports * aObject=0x0532b6a0)  Line 130	C++
	xul.dll!nsScriptLoader::ProcessPendingRequests()  Line 655	C++

Crash reading from NULL+0x30:

	js3250.dll!FlushNativeStackFrame(JSContext * cx=0x05120f20, unsigned int callDepth=131082, unsigned char * mp=0x00040040, double * np=0x003fb600, long * stopAt=0x00000000)  Line 1044 + 0x1c bytes	C++
	js3250.dll!js_ExecuteTree(JSContext * cx=0x05120f20, nanojit::Fragment * * treep=0x003ff6ac, unsigned int & inlineCallCount=3, nanojit::GuardRecord * * innermostNestedGuardp=0x003ff6a8)  Line 2086	C++
	js3250.dll!js_LoopEdge(JSContext * cx=0x05120f20, unsigned char * oldpc=0x003ff7c4, unsigned int & inlineCallCount=3)  Line 2123 + 0x13 bytes	C++
	js3250.dll!js_Interpret(JSContext * cx=0x05120f20)  + 0x4e092 bytes	C++
	... remainder identical to above stack

A random one:

	mozcrt19.dll!memcpy(unsigned char * dst=0x00a1d600, unsigned char * src=0x0aadf888, unsigned long count=2)  Line 358	Asm
	js3250.dll!js_NewStringCopyN(JSContext * cx=0x00b36d80, const unsigned short * s=0x0aadf888, unsigned int n=1)  Line 2618 + 0x10 bytes	C++
	js3250.dll!js_NewDependentString(JSContext * cx=0x00a59300, JSString * base=0x00b36d80, unsigned int start=0, unsigned int length=0)  + 0x50d92 bytes	C++
	00a59300()	***** contains non-executable junk *****
	js3250.dll!js_ExecuteTree(JSContext * cx=0x00000000, nanojit::Fragment * * treep=0x00000000, unsigned int & inlineCallCount=, nanojit::GuardRecord * * innermostNestedGuardp=0x7134eda0)  Line 1987 + 0xb bytes	C++
	xul.dll!nsLineBreaker::FlushCurrentWord()  Line 133 + 0x37 bytes	C++
	xul.dll!nsTextFrame::Reflow(nsPresContext * aPresContext=0x00000000, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=)  Line 6041	C++

I am posting those stacks because Mardeg on IRC says he can't reproduce. If there's more I can do, do tell.
I see this crash too, no breakpad here either.
Blocks: 451602
Summary: Random crash in jit-generated code → [TM] Random crash in jit-generated code
No longer crashes with Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1pre) Gecko/20080903034741 Minefield/3.1b1pre

BUT never finishes loading instead.
Loads correctly for me using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080909032504 Minefield/3.1b1pre.

I'm on XP, so this bug might be Vista and DEP specific.
DEP was merely a by-product of random jumps in memory.

As per comment 5 the crasher is fixed - however, this page still doesn't finish loading with today's nightly (20080909032504) for me...

Finishes fine without JIT.
Ideally we would file a new bug for the new symptom, if we can identify what fixed the crasher here. But we may as well roll along in this bug, potentially morphing it. Summary needs updating.

/be
Is this still happening with the latest nightly?

No crash and loads fully using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080924033412 Minefield/3.1b1pre
Confirmed, fully loads now. Resolving WFM.

I pretty much knew this would happen when I was filing the bug :)
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080927033433 Minefield/3.1b1pre ID:20080927033433
Status: RESOLVED → VERIFIED
Version: unspecified → Trunk