Crash [@ js::Value::setInt32(int)]

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
2 years ago

People

(Reporter: bc, Assigned: dvander)

Tracking

(Blocks: 1 bug, {crash, reproducible, testcase})

Trunk
All
Windows 7
crash, reproducible, testcase
Points:
---

Firefox Tracking Flags

(blocking2.0 final+)

Details

(Whiteboard: [sg:dos][fixed-in-tracemonkey], crash signature, URL)

Attachments

(2 attachments)

(Reporter)

Description

7 years ago
1. http://baixarodownload.com/category/acaoaventura/page/7
2. Crash Windows

ss since I don't like the write crash.

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_WRITE
Crash address: 0x2870000

Thread 0 (crashed)
 0  mozjs.dll!js::Value::setInt32(int) [jsvalue.h : 353 + 0x18]
    eip = 0x006a5f61   esp = 0x0012b71c   ebp = 0x0012b728   ebx = 0x00000001
    esi = 0x00000069   edi = 0x00000000   eax = 0x00000031   ecx = 0x02870000
    edx = 0x00000031   efl = 0x00010202
    Found by: given as instruction pointer in context
 1  mozjs.dll!js::Interpret(JSContext *,JSStackFrame *,unsigned int,JSInterpMode) [jsinterp.cpp : 4909 + 0x24]
    eip = 0x00772e48   esp = 0x0012b730   ebp = 0x0012c9dc
    Found by: call frame info
 2  mozjs.dll!js::RunScript(JSContext *,JSScript *,JSStackFrame *) [jsinterp.cpp : 650 + 0x10]
    eip = 0x0075d13e   esp = 0x0012c9e4   ebp = 0x0012ca10
    Found by: call frame info
 3  mozjs.dll!js::Execute(JSContext *,JSObject *,JSScript *,JSStackFrame *,unsigned int,js::Value *) [jsinterp.cpp : 1011 + 0x15]
    eip = 0x0075edd0   esp = 0x0012ca18   ebp = 0x0012ca90
    Found by: call frame info
 4  mozjs.dll!EvaluateUCScriptForPrincipalsCommon(JSContext *,JSObject *,JSPrincipals *,unsigned short const *,unsigned int,char const *,unsigned int,jsval_layout *,JSVersion) [jsapi.cpp : 5055 + 0x21]
    eip = 0x006b3945   esp = 0x0012ca98   ebp = 0x0012cac0
    Found by: call frame info
 5  mozjs.dll!JS_EvaluateUCScriptForPrincipalsVersion [jsapi.cpp : 5071 + 0x2d]
    eip = 0x006b3a34   esp = 0x0012cac8   ebp = 0x0012cb08
    Found by: call frame info
(Reporter)

Comment 1

7 years ago
bp-1cc062fe-7f78-4456-be37-8ecfa2110216

Comment 2

7 years ago
We have a test case. Lets jump on this quickly before the page changes.
blocking2.0: --- → ?
Bob: can you get a minidump, since it's on Windows?

https://developer.mozilla.org/Capturing_a_minidump
blocking2.0: ? → ---
restoring gal's blocking-?, even though no rationale was given!
blocking2.0: --- → ?
(Reporter)

Comment 5

7 years ago
(In reply to comment #3)
> Bob: can you get a minidump, since it's on Windows?
> 
> https://developer.mozilla.org/Capturing_a_minidump

yeah, but its a 130M.
zip and put it on dropbox?
(Reporter)

Comment 7

7 years ago
Ok. I have a locally saved version that crashes at the same place. I'll start reducing it. Do we still need the dump?
Up to Andreas.
(Reporter)

Comment 9

7 years ago
Note also bug 606960
(Reporter)

Comment 10

7 years ago
Created attachment 512838 [details]
testcase
(Reporter)

Updated

7 years ago
Keywords: testcase-wanted → testcase
Exploitable?

Comment 12

7 years ago
The ? is for investigation. Looking now.

Comment 13

7 years ago
I am not crashing with TM tip, 64-bit linux.

Comment 14

7 years ago
As far as I can tell this is an invalid pc, reading past the script code, so probably exploitable. I still can't reproduce. I vote blocking and put a JS guy on it to figure out whats up.

Updated

7 years ago
blocking2.0: ? → final+
Whiteboard: [hardblocker]

Updated

7 years ago
Assignee: general → dvander

Updated

7 years ago
Whiteboard: [hardblocker] → [sg:critical][hardblocker]
(Assignee)

Comment 15

7 years ago
STR don't work for me on Linux x64, or Windows 7, both using m-c on the cset in the given crash link. Also doesn't crash on the latest tm nightly. I'll look into this ASAP if I can get a crash dump.

I'm unblocking this because:
 (1) I can't reproduce it.
 (2) comment #14 isn't the cause. It's an invalid read at a page boundary.
     This is almost definitely a case of not committing enough of the
     thread-local contiguous stack. We have lots of random JIT crashes on this
     already, we have no test cases for those, and we're not blocking on them.
 (3) Writes/reads beyond the committed pages, but within the reserved stack,
     will safely segfault. It's not clear whether the commit bounds check is
     wrong, or the actual stack limit bounds check is wrong. The latter would
     be sg:something, but getting this sort of thing to crash reliably is 
     difficult.
Whiteboard: [sg:critical][hardblocker] → [softblocker]
(Reporter)

Comment 16

7 years ago
http://dl.dropbox.com/u/21344102/firefoxcrash.dmp

I can also get it in the debugger and answer any questions you may have.

Comment 17

7 years ago
There are no softblockers any more. If you are sure this is not a problem, lets unblock, otherwise its a hardblocker.

Comment 18

7 years ago
bc, can we meet you on irc and buddy debugging this?
(Assignee)

Comment 19

7 years ago
(Why do we have "hardblocker" then?)

Thanks for the dump, bc, I'll take a look at this now.
blocking2.0: final+ → -
Whiteboard: [softblocker]

Updated

7 years ago
OS: Windows XP → All
Whiteboard: [sg:critical? see comment 15]
(Assignee)

Comment 20

7 years ago
Created attachment 512968 [details] [diff] [review]
fix

Wow - awesome bug. I ended up being able to reproduce this in the shell thanks to bc's test case - it's indeed a safe crash, writing beyond the commit depth.

What makes this awesome is that it's a trivial typo to fix and will probably reduce our EnterMethodJIT crashes by 5-10%, since a large portion of those are crashes writing beyond the commit end.
Attachment #512968 - Flags: review?(lw)
(Assignee)

Comment 21

7 years ago
We don't really have to block on this, but the risk is so low and the benefit so high, we should just get it in.
blocking2.0: - → final+
OS: All → Windows 7
Hardware: x86 → All
Whiteboard: [sg:critical? see comment 15] → [sg:dos]

Updated

7 years ago
Attachment #512968 - Flags: review?(lw) → review+

Updated

7 years ago
Attachment #512968 - Flags: approval2.0+
(Assignee)

Comment 22

7 years ago
http://hg.mozilla.org/tracemonkey/rev/d0c8f25fe4f5
Whiteboard: [sg:dos] → [sg:dos][fixed-in-tracemonkey]
(Assignee)

Updated

7 years ago
Status: NEW → ASSIGNED
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/d0c8f25fe4f5
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::Value::setInt32(int)]
Group: core-security
You need to log in before you can comment on or make changes to this bug.