Bug 451829
Opened 16 years ago
Closed 16 years ago
[TM] Random crash in jit-generated code
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED WORKSFORME
Reporter: syskin2
Assignee: Unassigned
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1a2pre) Gecko/20080822033426 Firefox/3.1a2pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1a2pre) Gecko/20080822033426 Minefield/3.1a2pre

This webpage causes a crash in what appears to be jit-generated code.

Reproducible: Always

Steps to Reproduce:
1. Set javascript.options.jit.content = true
2. Visit http://news.ninemsn.com.au/article.aspx?id=619145

Actual Results:
Random crash.

Stack trace seems different every time, and at least on one occasion it seemed to contain non-executable (uninitialized?) junk. On one occasion DEP detected there was a jump to a non-executable page. Might be exploitable. I will paste some stack traces. Breakpad remains silent for some reason.
Comment 1•16 years ago (Reporter)
Crash reading from NULL:
js3250.dll!TraceRecorder::ifop() Line 2378 C++
js3250.dll!js_Interpret(JSContext * cx=0x06016400) + 0x4b8bd bytes C++
js3250.dll!js_Execute(JSContext * cx=0x00000000, JSObject * chain=0x04c79a20, JSScript * script=0x05da2000, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x00000000) Line 1550 C++
js3250.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx=0x06016400, JSObject * obj=0x04c79a20, JSPrincipals * principals=0x065fcb04, const unsigned short * chars=0x05d6f008, unsigned int length=44250, const char * filename=0x074fbbe8, unsigned int lineno=1, long * rval=0x00000000) Line 5054 + 0x13 bytes C++
xul.dll!nsJSContext::EvaluateString(const nsAString_internal & aScript={...}, void * aScopeObject=0x04c79a20, nsIPrincipal * aPrincipal=0x065fcb00, const char * aURL=0x074fbbe8, unsigned int aLineNo=1, unsigned int aVersion=0, nsAString_internal * aRetValue=0x00000000, int * aIsUndefined=0x0034f3a0) Line 1540 + 0x3d bytes C++
xul.dll!nsScriptLoader::EvaluateScript(nsScriptLoadRequest * aRequest=0x00000000, const nsString & aScript={...}) Line 594 + 0x4f bytes C++
xul.dll!nsScriptLoader::ProcessRequest(nsScriptLoadRequest * aRequest=0x00000000) Line 504 + 0x9 bytes C++
xul.dll!nsCOMArray_base::RemoveObject(nsISupports * aObject=0x0532b6a0) Line 130 C++
xul.dll!nsScriptLoader::ProcessPendingRequests() Line 655 C++
Comment 2•16 years ago (Reporter)
Crash reading from NULL+0x30
js3250.dll!FlushNativeStackFrame(JSContext * cx=0x05120f20, unsigned int callDepth=131082, unsigned char * mp=0x00040040, double * np=0x003fb600, long * stopAt=0x00000000) Line 1044 + 0x1c bytes C++
js3250.dll!js_ExecuteTree(JSContext * cx=0x05120f20, nanojit::Fragment * * treep=0x003ff6ac, unsigned int & inlineCallCount=3, nanojit::GuardRecord * * innermostNestedGuardp=0x003ff6a8) Line 2086 C++
js3250.dll!js_LoopEdge(JSContext * cx=0x05120f20, unsigned char * oldpc=0x003ff7c4, unsigned int & inlineCallCount=3) Line 2123 + 0x13 bytes C++
js3250.dll!js_Interpret(JSContext * cx=0x05120f20) + 0x4e092 bytes C++
... remainder identical to above stack
Comment 3•16 years ago (Reporter)
A random one:
mozcrt19.dll!memcpy(unsigned char * dst=0x00a1d600, unsigned char * src=0x0aadf888, unsigned long count=2) Line 358 Asm
js3250.dll!js_NewStringCopyN(JSContext * cx=0x00b36d80, const unsigned short * s=0x0aadf888, unsigned int n=1) Line 2618 + 0x10 bytes C++
js3250.dll!js_NewDependentString(JSContext * cx=0x00a59300, JSString * base=0x00b36d80, unsigned int start=0, unsigned int length=0) + 0x50d92 bytes C++
00a59300() ***** contains non-executable junk *****
js3250.dll!js_ExecuteTree(JSContext * cx=0x00000000, nanojit::Fragment * * treep=0x00000000, unsigned int & inlineCallCount=, nanojit::GuardRecord * * innermostNestedGuardp=0x7134eda0) Line 1987 + 0xb bytes C++
xul.dll!nsLineBreaker::FlushCurrentWord() Line 133 + 0x37 bytes C++
xul.dll!nsTextFrame::Reflow(nsPresContext * aPresContext=0x00000000, nsHTMLReflowMetrics & aMetrics={...}, const nsHTMLReflowState & aReflowState={...}, unsigned int & aStatus=) Line 6041 C++

I am posting those stacks because Mardeg on IRC says he can't reproduce. If there's more I can do, do tell.
Updated•16 years ago (Reporter)
Blocks: 451602
Summary: Random crash in jit-generated code → [TM] Random crash in jit-generated code
Comment 5•16 years ago (Reporter)
No longer crashes with Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b1pre) Gecko/20080903034741 Minefield/3.1b1pre BUT never finishes loading instead.
Loads correctly for me using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080909032504 Minefield/3.1b1pre. I'm on XP, so this bug might be Vista and DEP specific.
Find anything related here? https://bugzilla.mozilla.org/buglist.cgi?quicksearch=vista+dep
Comment 8•16 years ago (Reporter)
DEP was merely a by-product of random jumps in memory. As per comment 5 the crasher is fixed; however, this page still doesn't finish loading with today's nightly (20080909032504) for me... Finishes fine without JIT.
Comment 9•16 years ago
Ideally we would file a new bug for the new symptom, if we can identify what fixed the crasher here. But we may as well roll along in this bug, potentially morphing it. Summary needs updating. /be
Comment 10•16 years ago
Is this still happening with the latest nightly? No crash and loads fully using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080924033412 Minefield/3.1b1pre
Comment 11•16 years ago (Reporter)
Confirmed, fully loads now. Resolving WFM. I pretty much knew this would happen when I was filing the bug :)
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Comment 12•16 years ago
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080927033433 Minefield/3.1b1pre ID:20080927033433
Status: RESOLVED → VERIFIED
Version: unspecified → Trunk