Garbage Collector crash (spellcheck)

Status: RESOLVED INCOMPLETE
Product: Core
Component: XPConnect
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 4 years ago

People

Reporter: Nils
Assignee: Unassigned

Tracking

Keywords: crash, reproducible, testcase
Version: Trunk
Hardware: x86
OS: All
Points: ---

Firefox Tracking Flags

blocking2.0: -
status1.9.2: wanted

Details

Whiteboard: [sg:needinfo]

Attachments

1 attachment, 1 obsolete attachment

Description (Reporter)

8 years ago
User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6) Gecko/20100101 Firefox/4.0b6
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b6) Gecko/20100101 Firefox/4.0b6

Description:
------------------------
A use-after-free condition occurs after reloading the attached testcase several times.
Most of the crashes are in the garbage collection routine and show exploitable
behaviour.

Confirmed Versions:
------------------------
	Firefox 4.0 beta 6

Testcase:
------------------------
Testcase is attached. You will need iframe.html in the same directory.

iframe.html:
<html>
        <body id="element">
        </body>
</html>


Testcase Notes:
------------------------
The testcase will need quite a few reloads in the browser.

Stack Backtrace:
------------------------

Linux:
eax            0xf71a49b0       -149272144
ecx            0x610fff 6361087
edx            0x610063 6357091
ebx            0xf71a1264       -149286300
esp            0xffff858c       0xffff858c
ebp            0xffff8598       0xffff8598
esi            0xffff8634       -31180
edi            0x0      0
eip            0xf70e857b       0xf70e857b <js_IsAboutToBeFinalized+75>
eflags         0x210206 [ PF IF RF ID ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99
=> 0xf70e857b <js_IsAboutToBeFinalized+75>:     mov    -0xf(%ecx),%edi
   0xf70e857e <js_IsAboutToBeFinalized+78>:     lea    -0xf(%ecx),%esi
   0xf70e8581 <js_IsAboutToBeFinalized+81>:     test   %edi,%edi


Program received signal SIGSEGV, Segmentation fault.
js_IsAboutToBeFinalized (cx=0xf5d13600, thing=0x610063) at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/jsgc.cpp:1219
1219        if (!a->list) {
#0  js_IsAboutToBeFinalized (cx=0xf5d13600, thing=0x610063) at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/jsgc.cpp:1219
#1  0xf73886f1 in WrappedNativeSuspecter (table=0xe90248a0, hdr=0xe805618c, number=17, arg=0xffff8634)
    at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/xpconnect/src/xpcwrappednativescope.cpp:417
#2  0xf70d0123 in JS_DHashTableEnumerate (table=0xe90248a0, etor=0xf7388686 <WrappedNativeSuspecter>, arg=0xffff8634)
    at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/jsdhash.cpp:743
#3  0xf738900c in Native2WrappedNativeMap::Enumerate (rt=0xf5a05150, cx=0xf5d13600, cb=...)
    at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/xpconnect/src/xpcmaps.h:165
#4  XPCWrappedNativeScope::SuspectAllWrappers (rt=0xf5a05150, cx=0xf5d13600, cb=...)
    at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/xpconnect/src/xpcwrappednativescope.cpp:439
#5  0xf7372c3f in XPCJSRuntime::AddXPConnectRoots (this=0xf5a05150, cx=0xf5d13600, cb=...)
    at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/xpconnect/src/xpcjsruntime.cpp:424
#6  0xf735c6b4 in nsXPConnect::BeginCycleCollection (this=0xf5db4b70, cb=...)
    at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/xpconnect/src/nsXPConnect.cpp:572
#7  0xf7c498f0 in nsCycleCollector::BeginCollection (this=0xf5d31800)
    at /home/nils/fuzzer/build/mozilla-1.9.2/xpcom/base/nsCycleCollector.cpp:2503
#8  0xf7c499b5 in nsCycleCollector_beginCollection ()
    at /home/nils/fuzzer/build/mozilla-1.9.2/xpcom/base/nsCycleCollector.cpp:3141
#9  0xf735ef47 in XPCCycleCollectGCCallback (cx=0xf5d13600, status=JSGC_MARK_END)
    at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/xpconnect/src/nsXPConnect.cpp:390
#10 0xf70ea60f in js_GC (cx=0xf5d13600, gckind=GC_NORMAL) at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/jsgc.cpp:3537
#11 0xf70ba8ab in JS_GC (cx=0xf5d13600) at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/jsapi.cpp:2439
#12 0xf735b896 in nsXPConnect::Collect (this=0xf5db4b70)
    at /home/nils/fuzzer/build/mozilla-1.9.2/js/src/xpconnect/src/nsXPConnect.cpp:477
#13 0xf7c49ab4 in nsCycleCollector::Collect (this=0xf5d31800, aTryCollections=1)
    at /home/nils/fuzzer/build/mozilla-1.9.2/xpcom/base/nsCycleCollector.cpp:2434
#14 0xf7c49b82 in nsCycleCollector_collect () at /home/nils/fuzzer/build/mozilla-1.9.2/xpcom/base/nsCycleCollector.cpp:3129
#15 0xf7796e30 in nsJSContext::CC () at /home/nils/fuzzer/build/mozilla-1.9.2/dom/base/nsJSEnvironment.cpp:3578
#16 0xf7796e8b in nsJSContext::IntervalCC () at /home/nils/fuzzer/build/mozilla-1.9.2/dom/base/nsJSEnvironment.cpp:3666
#17 0xf7798ae2 in GCTimerFired (aTimer=0xeed46af0, aClosure=0x0)



Windows:
(1954.14c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
xul!JS_TraceChildren+0x336:
5fafe0b6 804b1101        or      byte ptr [ebx+11h],1       ds:002b:5fabf341=74

xul!JS_TraceChildren+0x336
xul!js::Mark+0x14d
xul!WrappedNativeJSGCThingTracer+0x2d
xul!JS_DHashTableEnumerate+0x7c
xul!XPCWrappedNativeScope::TraceJS+0x2f
xul!XPCJSRuntime::TraceXPConnectRoots+0x98
xul!XPCJSRuntime::TraceJS+0x93
xul!js_TraceRuntime+0x2df
xul!GC+0x56
xul!GCUntilDone+0x8c
xul!js_GC+0x8c
xul!JS_GC+0x32
xul!nsXPConnect::Collect+0x78
xul!nsXPConnect::GarbageCollect+0xc
xul!nsJSContext::CC+0x34
xul!nsJSContext::IntervalCC+0x27
xul!GCTimerFired+0x35
xul!nsTimerImpl::Fire+0xe0
xul!nsTimerEvent::Run+0x20
xul!nsThread::ProcessNextEvent+0x17a


My reference #		: 78e728e5f1fabba16e9b5854867d52aa
VulnDev reference	: vd10001

reported by nils of vulndev ltd.


Reproducible: Always

Steps to Reproduce:
1. store iframe.html in same directory as attached testcase
2. load testcase
3. wait
Actual Results:  
Crash

Expected Results:  
No Crash
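Both stack traces above fault while a GC or cycle-collection pass enumerates XPConnect's wrapped-native map and hands each entry's JS pointer to the tracer (js_IsAboutToBeFinalized on the 1.9.2 build, JS_TraceChildren / js::gc::MarkKind on trunk), with argument values (thing=0x610063, thing=0x0000000a) that are not plausible GC-thing addresses. The bug was never root-caused, so what follows is an added illustration written for this page, not Mozilla code and not a claim about the actual cause: a toy arena and wrapper map in C that shows how a wrapper holding a raw pointer to a freed cell becomes a dangling entry for the next trace pass, why an address-validity check alone stops catching it once the cell is reused, and the bookkeeping (unlink on finalize) that prevents it. Every name, size and the poison byte here is a hypothetical choice for the example.

```c
/* Added example for this page, not Mozilla code: a toy GC arena plus a map of
 * native "wrappers" holding raw, unrooted pointers to arena cells. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CELL_SIZE 16
#define NCELLS    8
#define NWRAPPERS 4
#define POISON    0x5a   /* hypothetical fill for freed cells, like debug allocators use */

typedef struct { uint8_t bytes[CELL_SIZE]; } Cell;

/* The arena and the allocator's own view of which cells are live. */
static _Alignas(CELL_SIZE) uint8_t heap[NCELLS * CELL_SIZE];
static bool live[NCELLS];

/* A wrapper entry: the native side's raw pointer to a GC thing. */
typedef struct { Cell *thing; bool in_use; } Wrapper;
static Wrapper wrappers[NWRAPPERS];

static void reset_heap(void) {
    memset(heap, 0, sizeof heap);
    memset(live, 0, sizeof live);
    memset(wrappers, 0, sizeof wrappers);
}

static Cell *gc_alloc(void) {
    for (size_t i = 0; i < NCELLS; i++) {
        if (!live[i]) {
            live[i] = true;
            Cell *c = (Cell *)(heap + i * CELL_SIZE);
            c->bytes[0] = 0x01;          /* "header" byte of an allocated cell */
            return c;
        }
    }
    return NULL;
}

/* Free a cell without telling anyone who still points at it. */
static void gc_free(Cell *c) {
    size_t i = (size_t)((uint8_t *)c - heap) / CELL_SIZE;
    live[i] = false;
    memset(c, POISON, CELL_SIZE);
}

/* Does `p` name a cell the allocator currently considers live? Decided from
 * the address alone (range, alignment, bitmap), so it never dereferences p
 * and is safe to call on garbage such as 0x610063 or 0xa. */
bool gc_is_live_cell(const void *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)heap;
    if (a < base || a >= base + sizeof heap) return false;
    if ((a - base) % CELL_SIZE != 0) return false;
    return live[(a - base) / CELL_SIZE];
}

static Wrapper *wrap(Cell *c) {
    for (size_t i = 0; i < NWRAPPERS; i++) {
        if (!wrappers[i].in_use) {
            wrappers[i].thing = c;
            wrappers[i].in_use = true;
            return &wrappers[i];
        }
    }
    return NULL;
}

/* Trace pass over the map. Returns how many entries point at something that
 * is not a live, well-formed cell; a tracer without the check would read the
 * poisoned bytes instead, which is the shape of the crashes in the traces. */
int trace_wrappers(void) {
    int stale = 0;
    for (size_t i = 0; i < NWRAPPERS; i++) {
        if (!wrappers[i].in_use) continue;
        if (!gc_is_live_cell(wrappers[i].thing)) { stale++; continue; }
        if (wrappers[i].thing->bytes[0] != 0x01) stale++;
    }
    return stale;
}

/* Hardened finalizer: unlink every wrapper before the cell is freed. */
static void gc_finalize(Cell *c) {
    for (size_t i = 0; i < NWRAPPERS; i++)
        if (wrappers[i].in_use && wrappers[i].thing == c) {
            wrappers[i].in_use = false;
            wrappers[i].thing = NULL;
        }
    gc_free(c);
}

/* Bug pattern: cell dies, wrapper keeps its pointer, next trace finds it (1). */
int demo_stale_wrapper(void) {
    reset_heap();
    Cell *c = gc_alloc(); wrap(c); gc_free(c);
    return trace_wrappers();
}

/* Same bug after the slot is reused: the stale wrapper now aliases a fresh
 * object, so the liveness check reports nothing (0). Validation cannot
 * substitute for unlinking. */
int demo_stale_wrapper_after_reuse(void) {
    reset_heap();
    Cell *c = gc_alloc(); wrap(c); gc_free(c);
    Cell *d = gc_alloc(); (void)d;   /* takes the freed slot */
    return trace_wrappers();
}

/* Fixed pattern: finalization unlinks the wrapper, so the trace is clean (0). */
int demo_unlink_on_finalize(void) {
    reset_heap();
    Cell *c = gc_alloc(); wrap(c); gc_finalize(c);
    return trace_wrappers();
}

int main(void) {
    printf("stale, no unlink:            %d\n", demo_stale_wrapper());
    printf("stale, slot reused:          %d\n", demo_stale_wrapper_after_reuse());
    printf("stale, unlink on finalize:   %d\n", demo_unlink_on_finalize());
    return 0;
}
```

The reuse case is the one that matters for triage: a dangling map entry that survives until its cell is recycled does not fault, it silently traces the wrong object, which is why fuzz-found crashes of this shape tend to be intermittent and need many reloads before a freed slot lands on something that makes the tracer fault.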
Comment 1 (Reporter)

8 years ago
Created attachment 484120 [details]
testcase (crashes browser)

On a Mac nightly I'm not getting a crash, I'm getting a hang. Appears to be some sort of deadlock, a "sample" shows no processing, just a bunch of waiting threads.

Between beta 6 and now we have fixed a bunch of GC bugs so it's hard to say if we've fixed this one (and uncovered a new one), the problem morphed, or this new deadlock (which I've seen a bunch recently) is hiding the original problem.

Comment 3

8 years ago
Hmm, Nils's stack shows paths that make it look like he was testing the 1.9.2 branch rather than 4.0b6.

Updated

8 years ago
Whiteboard: [sg:critical?]
Comment 4 (Reporter)

8 years ago
The Linux stack back trace was created by the fuzzer a while back, when I discovered the issue in 1.9.2. I confirmed it later in 4.0b6 on Windows, where the Windows stack back trace was created.
Comment 5 (Reporter)

8 years ago
I just downloaded the current nightly and was able to reproduce the issue, still with an exploitable looking crash:

(1278.16e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Users\user\Downloads\firefox-4.0b8pre.en-US.win32\firefox\mozjs.dll
mozjs!js::gc::MarkKind+0x234:
6b192744 8b4d00          mov     ecx,dword ptr [ebp]  ss:002b:2e7fbdd0=????????
0:000:x86> kp 6
ChildEBP RetAddr  
0052d368 6b196e23 mozjs!js::gc::MarkKind(struct JSTracer * trc = 0x0052d46c, void * thing = 0x0000000a, unsigned long kind = 0x2e7fbdc0)+0x234 [e:\builds\moz2_slave\mozilla-central-win32-nightly\build\js\src\jsgcinlines.h @ 437]
*** WARNING: Unable to verify checksum for C:\Users\user\Downloads\firefox-4.0b8pre.en-US.win32\firefox\xul.dll
0052d374 61fd8447 mozjs!JS_CallTracer(struct JSTracer * trc = 0x00000000, void * thing = 0x00000000, unsigned long kind = 0)+0x13 [e:\builds\moz2_slave\mozilla-central-win32-nightly\build\js\src\jsapi.cpp @ 2169]
0052d384 6b1b5bd5 xul!WrappedNativeJSGCThingTracer(struct JSDHashTable * table = 0x00000000, struct JSDHashEntryHdr * hdr = 0x00000000, unsigned long number = 0, void * arg = 0x00000000)+0x27 [e:\builds\moz2_slave\mozilla-central-win32-nightly\build\js\src\xpconnect\src\xpcwrappednativescope.cpp @ 373]
0052d3b4 61fd55c5 mozjs!JS_DHashTableEnumerate(struct JSDHashTable * table = 0x00000000, <function> * etor = 0x00000000, void * arg = 0x00000000)+0x55 [e:\builds\moz2_slave\mozilla-central-win32-nightly\build\js\src\jsdhash.cpp @ 743]
0052d3d4 61fd5530 xul!XPCWrappedNativeScope::TraceJS(struct JSTracer * trc = 0x046009c0, class XPCJSRuntime * rt = 0x2e7fbdc0)+0x35 [e:\builds\moz2_slave\mozilla-central-win32-nightly\build\js\src\xpconnect\src\xpcwrappednativescope.cpp @ 390]
0052d3e8 61fd54aa xul!XPCJSRuntime::TraceXPConnectRoots(struct JSTracer * trc = 0x00000400)+0x60 [e:\builds\moz2_slave\mozilla-central-win32-nightly\build\js\src\xpconnect\src\xpcjsruntime.cpp @ 388]

Comment 6

8 years ago
When I load the testcase (Mac OS X 10.5 / trunk), I immediately get:

###!!! ASSERTION: Incorrect scope passed: 'wrapper->GetScope() == aOldScope', file js/src/xpconnect/src/xpcwrappednative.cpp, line 1506

After maybe 15 seconds I get:

Crash [@ XPCNativeSet::IsMarked] with KERN_INVALID_ADDRESS (0x55555557).
Component: General → XPConnect
Product: Firefox → Core
QA Contact: general → xpconnect
Version: unspecified → Trunk

Updated

8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: crash, reproducible, testcase

Updated

8 years ago
blocking2.0: --- → ?

Comment 7

8 years ago
Created attachment 484425 [details]
testcase (crashes browser)

This version uses a data: URL for the iframe, so it works on its own.
Attachment #484120 - Attachment is obsolete: true
Blocking 2.0 final, and assigning to peterv.
Assignee: nobody → peterv
blocking2.0: ? → final+

Comment 9

8 years ago
I filed bug 605672 with another testcase for the "Incorrect scope passed" assertion. It's probably unrelated to the crash.
Ben, could you look into this one?
Assignee: peterv → bent.mozilla
status1.9.2: --- → wanted

Updated

8 years ago
Whiteboard: [sg:critical?] → [sg:critical?], hardblocker

Comment 11

8 years ago
Alex Miller hit a crash [@ JS_IsAboutToBeFinalized] with his modified version of crossfuzz. That might indicate that this bug is at risk of becoming an 0-day.

Updated

8 years ago
Whiteboard: [sg:critical?], hardblocker → [sg:critical?][hardblocker]
Today's trace-monkey isn't crashing on OS X, nor is it asserting. Was this fixed by some other cross-fuzz bug?
Component: XPConnect → XSLT

I let it run for a while with gczeal turned up as well, still no crash or assertions.
Assignee: bent.mozilla → nobody
Component: XSLT → XPConnect

Not blocking on this given Ben's findings. If reliable ways to reproduce appear, please renominate.
blocking2.0: final+ → -
Whiteboard: [sg:critical?][hardblocker] → [sg:needinfo]

A year and a half ago, Ben couldn't reproduce this, and I wasn't able to reproduce it now, so I'm going to close this as incomplete.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INCOMPLETE
Group: core-security