Closed Bug 655660 (CVE-2011-2991) Opened 14 years ago Closed 14 years ago

Firefox 4 crashing when I try to delete emails using Yahoo! Mail Beta [@ js::mjit::JaegerShot ]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
2.0 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox5 - affected
firefox6 + fixed
firefox7 + fixed
blocking2.0 --- ?
status2.0 --- wanted
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: bolvivek, Assigned: dvander)

References

(
URL
)

Details

(Keywords: crash, regression, reporter-external, Whiteboard: [sg:critical][fixed-in-tracemonkey][qa-])

Crash Data

Attachments

(1 file)

yup, this is really the bug
1.14 KB, patch
cdleary
: review+
christian
: approval-mozilla-aurora+
christian
: approval-mozilla-beta+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Build Identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Whenever I try to delete emails from new Yahoo! Mail Beta the Firefox 4 is crashing. Here are the crash reports http://crash-stats.mozilla.com/report/index/bp-fcaf835d-74d6-4bf8-b743-ebc2b2110506 http://crash-stats.mozilla.com/report/index/bp-6febb105-15de-4187-aeca-dff462110506 http://crash-stats.mozilla.com/report/index/bp-7f1af8c4-fe1e-480e-a21a-6ef232110505 http://crash-stats.mozilla.com/report/index/bp-7dd5937e-58d3-4ac5-a0b7-e45532110505 http://crash-stats.mozilla.com/report/index/bp-9c1687b3-58dd-4109-8d90-e1c7e2110504 http://crash-stats.mozilla.com/report/index/bp-778685f4-0b0d-4c16-a6f5-667e72110505 Reproducible: Always Steps to Reproduce: 1. Goto Yahoo! Mail Beta 2. Goto Inbox and try to delete emails by pressing delete key 3. Keep deleting and Firefox crashes
Keywords: regression
Version: unspecified → 4.0 Branch
I don't see this as an attack vector.
Group: core-security
Keywords: crash
If you visit the first crash report There lots of people have commented that they were on yahoo mail and Firefox crashed! Not sure what you meant by 'attack vector' please elaborate.
Priority: -- → P1
Works for me on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0a1) Gecko/20110508 Firefox/6.0a1 Also, could you see if the issue occurs if using Firefox in safe mode: http://support.mozilla.com/kb/Safe+Mode How about with a new, empty testing profile? (Don't install any addons into it) http://support.mozilla.com/kb/Basic+Troubleshooting#w_8-make-a-new-profile
(In reply to comment #2) > Not sure what you meant by 'attack vector' please elaborate. My guess and reading between the lines: Since Ludovic removed the group core-security when he wrote that comment that means that the bug previously had been marked as a security hole. Only a very limited number of people can view such bugs, but Ludovic states that he can't see how this crash could ever be used to take control over the browser and removed the restriction. ----- Regarding the crash reports, indeed, the comments tab of https://crash-stats.mozilla.com/report/index/bp-fcaf835d-74d6-4bf8-b743-ebc2b2110506 shows a lot of Yahoo mail related comments.
0 @0x11e6ff826 1 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:749 2 XUL js::RunScript js/src/jsinterp.cpp:646 3 XUL js::Invoke js/src/jsinterp.cpp:740 4 XUL js_fun_apply js/src/jsfun.cpp:2211 5 XUL js::mjit::stubs::UncachedCallHelper js/src/jscntxtinlines.h:701 6 XUL js::mjit::stubs::UncachedCall js/src/methodjit/InvokeHelpers.cpp:431 7 @0x11e5c3b46 8 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:749 9 XUL js::RunScript js/src/jsinterp.cpp:646 10 XUL js::Invoke js/src/jsinterp.cpp:740 11 XUL js_fun_apply js/src/jsfun.cpp:2211 12 XUL js::mjit::stubs::UncachedCallHelper js/src/jscntxtinlines.h:701 13 XUL js::mjit::stubs::UncachedCall js/src/methodjit/InvokeHelpers.cpp:431 14 @0x11e483f9e 15 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:749 16 XUL js::RunScript js/src/jsinterp.cpp:646 17 XUL js::Invoke js/src/jsinterp.cpp:740 18 XUL js_fun_apply js/src/jsfun.cpp:2211 19 XUL js::mjit::stubs::UncachedCallHelper js/src/jscntxtinlines.h:701 20 XUL js::mjit::stubs::UncachedCall js/src/methodjit/InvokeHelpers.cpp:431 21 @0x11d8a17e8 22 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:749 23 XUL js::RunScript js/src/jsinterp.cpp:646 24 XUL js::Invoke js/src/jsinterp.cpp:740 25 XUL js_fun_apply js/src/jsfun.cpp:2211 26 XUL js::mjit::stubs::UncachedCallHelper js/src/jscntxtinlines.h:701 27 XUL js::mjit::stubs::UncachedCall js/src/methodjit/InvokeHelpers.cpp:431 28 @0x118f3393f 29 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:749 30 XUL js::RunScript js/src/jsinterp.cpp:646 31 XUL js::Invoke js/src/jsinterp.cpp:740 32 XUL js_fun_call js/src/jsfun.cpp:2148 33 XUL js::mjit::stubs::UncachedCallHelper js/src/jscntxtinlines.h:701 34 XUL js::mjit::stubs::UncachedCall js/src/methodjit/InvokeHelpers.cpp:431 35 @0x11aa75691 36 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:749 37 XUL js::RunScript js/src/jsinterp.cpp:646 38 XUL js::Invoke js/src/jsinterp.cpp:740 39 XUL js_fun_call js/src/jsfun.cpp:2148 40 XUL js::mjit::stubs::UncachedCallHelper js/src/jscntxtinlines.h:701 41 XUL js::mjit::stubs::UncachedCall js/src/methodjit/InvokeHelpers.cpp:431 42 @0x11aa742b4 43 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:749 44 XUL js::RunScript js/src/jsinterp.cpp:646 45 XUL js::Invoke js/src/jsinterp.cpp:740 46 XUL js::ExternalInvoke js/src/jsinterp.cpp:863 47 XUL JS_CallFunctionValue js/src/jsapi.cpp:5173 48 XUL nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672 49 XUL nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:588 50 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153 51 XUL XUL@0xe2ec2a 52 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:172 53 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195 54 XUL XPCConvert::JSData2Native js/src/xpconnect/src/xpcconvert.cpp:1081 55 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:3124 56 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1613 57 XUL js::mjit::stubs::UncachedCallHelper js/src/jscntxtinlines.h:701 58 XUL js::mjit::stubs::UncachedCall js/src/methodjit/InvokeHelpers.cpp:431 59 @0x11a40a1b9 60 XUL js::mjit::JaegerShot js/src/methodjit/MethodJIT.cpp:749 61 XUL js::RunScript js/src/jsinterp.cpp:646 62 XUL js::Invoke js/src/jsinterp.cpp:740 63 XUL js::ExternalInvoke js/src/jsinterp.cpp:863 64 XUL JS_CallFunctionValue js/src/jsapi.cpp:5173 65 XUL nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672 66 XUL nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:588 67 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153 68 XUL XUL@0xe2ec2a 69 XUL nsEventListenerManager::HandleEventSubType content/events/src/nsEventListenerManager.cpp:1127 70 XUL nsEventListenerManager::HandleEventInternal content/events/src/nsEventListenerManager.cpp:1222 71 XUL nsEventTargetChainItem::HandleEventTargetChain content/events/src/nsEventListenerManager.h:146 72 XUL nsEventDispatcher::Dispatch content/events/src/nsEventDispatcher.cpp:628 73 XUL nsEventDispatcher::DispatchDOMEvent content/events/src/nsEventDispatcher.cpp:691 74 XUL nsXMLHttpRequest::ChangeState content/base/src/nsXMLHttpRequest.cpp:3073 75 XUL nsXMLHttpRequest::RequestCompleted content/base/src/nsXMLHttpRequest.cpp:2192 76 XUL nsXMLHttpRequest::OnStopRequest content/base/src/nsXMLHttpRequest.cpp:2155 77 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195 78 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:3124 79 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1613 80 XUL js::Interpret js/src/jscntxtinlines.h:701 81 XUL js::RunScript js/src/jsinterp.cpp:653 82 XUL js::Invoke js/src/jsinterp.cpp:740 83 XUL js::ExternalInvoke js/src/jsinterp.cpp:863 84 XUL JS_CallFunctionValue js/src/jsapi.cpp:5173 85 XUL nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672 86 XUL nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:588 87 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153 88 XUL XUL@0xe2ec2a 89 XUL nsStreamListenerTee::OnStopRequest netwerk/base/src/nsStreamListenerTee.cpp:71 90 XUL nsHttpChannel::OnStopRequest netwerk/protocol/http/nsHttpChannel.cpp:4032 91 XUL nsInputStreamPump::OnStateStop netwerk/base/src/nsInputStreamPump.cpp:578 92 XUL nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:403 93 XUL nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:112 94 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:633 95 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:200 96 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:132 97 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:399 98 CoreFoundation __CFRunLoopDoSources0 99 CoreFoundation __CFRunLoopRun 100 CoreFoundation CFRunLoopRunSpecific 137 Foundation Foundation@0x2eed 138 CoreFoundation _CFAutoreleasePoolPush 139 libSystem.B.dylib libSystem.B.dylib@0x66c7 140 AppKit stub helpers 141 AppKit -[NSApplication run] 142 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:746 143 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:220 144 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3786 145 firefox-bin main browser/app/nsBrowserApp.cpp:158 146 firefox-bin firefox-bin@0x1953
Assignee: nobody → general
Component: General → JavaScript Engine
Priority: P1 → --
Product: Firefox → Core
QA Contact: general → general
Summary: Firefox 4 crashing when I try to delete emails using Yahoo! Mail Beta → Firefox 4 crashing when I try to delete emails using Yahoo! Mail Beta [@ js::mjit::JaegerShot ]
Version: 4.0 Branch → 2.0 Branch
(In reply to comment #1) > I don't see this as an attack vector. I disagree. Obviously you wouldn't attack someone by sending them to Yahoo and hope for a crash, but if Yahoo code crashes reasonably reliably then the crashing script could be isolated and reduced to a potential attack case. The real question is whether this signature looks exploitable since the question about whether it can be caused by remote web content has been answered. Crashing in JITted code is scary in general. It might be a "safe" crash, might even be likely to be safe, but given the type of crash we need to put the burden of proof on the JS developers to prove it's safe rather than assume it is. We need to be able to reproduce this to be able to fix it though. A reduced testcase we can attach to the bug would be great (but I'm not holding my breath). Vevekanand: you marked this as a "regression" which I assume means it didn't happen to you in earlier versions. Which earlier version? 4.0 I hope because there were far fewer changes between 4.0 and 4.0.1 to investigate than there were between 3.6.x and 4.0.1
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase-wanted
I just started using the Yahoo Mail beta so I will see if I can reproduce this.
(In reply to comment #6) > (In reply to comment #1) > > I don't see this as an attack vector. > > I disagree. Obviously you wouldn't attack someone by sending them to Yahoo > and hope for a crash, but if Yahoo code crashes reasonably reliably then the > crashing script could be isolated and reduced to a potential attack case. Oups sorry.
fwiw I don't remember ever having crashed on Yahoo Mail Beta on my Mac, but I think I've been using Fx5/6 nightlies since I switched to the Yahoo Beta. Will play around with my 4.0.x test profile and see if I can reproduce. Looking at crash-stats this appears to be a huge spike in 4.0.1 and very little seen in more recent versions (then again, very few users on development builds). Yahoo mail beta mentioned A LOT in the comments, deleting mail mentioned several times. https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&date=now&range_value=2&range_unit=weeks&hang_type=any&process_type=any&signature=js%3A%3Amjit%3A%3AJaegerShot
luke agreed to take a look at this in order to figure out whodunnit
Assignee: general → luke
Al, can you try to reproduce as well?
I have tried a number of different scenarios around deleting mail in the Yahoo beta on both 10.5. and 10.6 using 4.0.1 and I have yet to reproduce the crash.
I am also having trouble reproducing. Could you list any installed extensions? Along the same lines, do you still get the crash when you disable all extensions/plugins?
(In reply to comment #13) Oops, these are right there in the crash report! I tried installing ABP and Firebug (enabling Script debugging), and still no crashes on 10.6. I wasn't able to find the extension labeled delicious@vjkarunapg.com.
(In reply to comment #6) > Vevekanand: you marked this as a "regression" which I assume means it didn't > happen to you in earlier versions. Which earlier version? 4.0 I hope because > there were far fewer changes between 4.0 and 4.0.1 to investigate than there > were between 3.6.x and 4.0.1 Yes. I havent seen this happening before. But I am not sure if its happening after updating to 4.0.1 thus I marked it as regression.
(In reply to comment #13) > I am also having trouble reproducing. Could you list any installed > extensions? Along the same lines, do you still get the crash when you > disable all extensions/plugins? I have disabled all the addons and the issue is still reproducible.
Here is my further investigation 1. If you delete fewer messages then it doesnt crash. 2. To make it crash you need to keep on pressing delete button and vary the speed of pressing the delete button as well. I have disabled all the addons and was still able to crash Firefox. Here is the crash report https://crash-stats.mozilla.com/report/index/bp-1d562352-f62e-4c40-a849-620ce2110509 I have created new profile and was still able to crash Firefox. Here is the crash report. https://crash-stats.mozilla.com/report/index/f4f24e02-6ef9-4a13-bbfb-3a8f32110509 Then I started the Firefox in Safe mode and on first start it automatically crashed. Here is the crash report. https://crash-stats.mozilla.com/report/index/9be26227-deb0-4fbb-96db-6b6cb2110509 But after restarting in safe mode again I wasnt able to reproduce the issue and even after deleting around 100-150 emails Firefox didnt crash. BTW. I work for Yahoo! Mail and it is difficult to track whats breaking Firefox since I dont get any error message or warning or anything of that sort. I tried tracking this with Dynatrace on Window but this issue doesnt exist on windows which made it even difficult to trace. Even if you guys could possibly find any problem with Yahoo! Mail JS I will be glad to fix but I need to know whats causing this.
blocking2.0: --- → ?
status2.0: --- → wanted
Vivekanand, I'm trying to understand exactly how to get a crash. Do you use the mouse and click the Delete button on the screen or do you delete the messages by using the keyboard? When you are in the Inbox deleting messages, do you delete messages from the list without reading them, or do you open them first so they are readable when deleting them? When you try to delete a message and get a crash, does the message really get deleted, or is it still in the Inbox when you visit Yahoo next time?
Vivekanand what langauge is Yahoo mail for you is it in english ?
(In reply to comment #18) > Vivekanand, I'm trying to understand exactly how to get a crash. > > Do you use the mouse and click the Delete button on the screen or do you > delete the messages by using the keyboard? I use keyboard. > > When you are in the Inbox deleting messages, do you delete messages from the > list without reading them, or do you open them first so they are readable > when deleting them? I dont let them render. Delete them before rendering. Sometimes they are in the middle of rendering. Sometimes they are in the middle of loading. > > When you try to delete a message and get a crash, does the message really > get deleted, or is it still in the Inbox when you visit Yahoo next time? Since I delete around 30-40 messages can not figure out one message out of it. The crash happens instantly when I am in the process of pressing the delete button.
(In reply to comment #19) > Vivekanand what langauge is Yahoo mail for you is it in english ? Yes. My language is english.
Bug 657523, which was marked as a dupe, indicates you need 30-50 emails opened in tabs in order to see this behavior. That may be why I wasn't able to repro in the first pass.
I tried again to reproduce on a Windows machine in the lab but still have not had any luck yet.
I dont see any benefit of trying to reproduce on Windows machine when the bug is only experienced on MAC. Please try it on Mac...
It makes a lot of sense to me since the bug that was duped - https://bugzilla.mozilla.org/show_bug.cgi?id=657523#c3 - as a person crashing on Windows XP. I have tried it on Mac and have yet to reproduce it. (In reply to comment #25) > I dont see any benefit of trying to reproduce on Windows machine when the > bug is only experienced on MAC. > > Please try it on Mac...
Ah.. ok. Sorry about that. What can I help you to reproduce the issue? Any specific pattern that I should follow. Any logs to extract from somewhere? I would love to collaborate.
Crashes [@ js::mjit::JaegerShot] are overwhelmingly Mac OS X, with a smattering of Linux; zero Windows crashes with that signature. If bug 655660 is a duplicate (sure sounds like it) then it must have a different signature. I did find a bunch with essentially the same signature: [@ js::mjit::JaegerShot(JSContext*)] but no comments mentioning Yahoo mail -- very unlike the Mac crashes with dozens of people saying they were on yahoo mail beta. We need crash ID's on Windows from mily to see if bug 655660 is really related, but in the meanwhile it looks like our best chance for reproducing this will be on Mac. This stack has 650+ crashes on Mac in a week with small marketshare, vs. only 120 in a week for the variant on Windows with 90% of the market.
Is anybody working on this bug? There seems to be no activity since last 10 days. BTW, I am able to crash Aurora builds as well with the same error. [@ js::mjit::JaegerShot]
(In reply to comment #29) > Is anybody working on this bug? There seems to be no activity since last 10 > days. > BTW, I am able to crash Aurora builds as well with the same error. [@ > js::mjit::JaegerShot] We don't have enough information to do anything right now--we were unable to reproduce the crash for local debugging. We might able to move forward if you could send us a core dump. Note that a core dump contains the contents of all the memory from your browser, which could include sensitive data. See https://developer.mozilla.org/en/Remote_debugging#Core_dumps_on_Mac_and_Linux for instructions. Let me know if you have questions.
Looks like we have steps to reproduce from bug 658757#c5 where it has been reproduced on Win 7 and Linux (although not indicated in the bug). It might actually be the same bug.
status-firefox5: --- → affected
tracking-firefox5: --- → ?
I just tried to reproduce this in the lab on Windows 7, following the STR in the bug in Comment 31. But others have noted that it cannot consistently be reproduced.
If those STR work for some people, some of the time, maybe it always crashes on a certain line of code or a certain operation. Even if we can't reproduce it ourselves (I wasn't able to on Mac just now--I'll try on Windows when I get a chance), if we could gather stats on the crash JS source location, maybe we could find the bug by inspection or add some instrumentation to do further diagnostics. I don't think it's very easy to catch the JS location without a bunch of breakpad heavy lifting, though.
Minusing for tracking-firefox5, but we sure would like to see this fixed ASAP. Dave M, any thoughts on how quickly/safely we can get a fix for this into, say, Aurora/FF6?
tracking-firefox5: ?-
guessing probably sg:critical based on the stacks.
status-firefox6: --- → affected
tracking-firefox6: --- → ?
Whiteboard: [sg:critical?]
(In reply to comment #35) > Minusing for tracking-firefox5, but we sure would like to see this fixed > ASAP. Dave M, any thoughts on how quickly/safely we can get a fix for this > into, say, Aurora/FF6? Well, we have no STR (the ones in the other bug worked for neither Marcia nor me), so no ETA for now. I tried to open one of the minidumps in the other bug (which was for 32-bit Linux), but it didn't have the jitcode memory, so there's nothing to learn there. (Maybe only on Windows do we get the memory around eip?) We might be able to make some progress if someone could give us a full core dump.
I tried creating a core dump but its not happening. I follow the steps mentioned in the link above but no use. I have used ulimit -c unlimited and started firefox from console. When it crashes nothing happens and no core dump is created inside /cores folder. All I get is Firefox crash reporter. When I start firefox from console I get a message saying 'FBTrace is not installed...' HTH
I have tried again to reproduce this on Mac and Windows 7 but with no luck. I realize there is an important extra step in Bug 658757 Comment 5 which involves changing the preview view. But even with that and deleting the emails rapidly I was not able to reproduce.
(In reply to comment #38) > I tried creating a core dump but its not happening. I follow the steps > mentioned in the link above but no use. > > I have used ulimit -c unlimited and started firefox from console. When it > crashes nothing happens and no core dump is created inside /cores folder. > > All I get is Firefox crash reporter. Hmmm. Maybe you need to disable the crash reporter from that run. You can do that by using the command line: MOZ_CRASHREPORTER_DISABLE=1 normal_cmdline_to_run_fx If that works, let me know so I can update the instructions (but certainly feel free to do that yourself if you like.) > When I start firefox from console I get a message saying 'FBTrace is not > installed...' That seems to be a message from Firebug or a Firebug-related plugin. I don't think it's related to not getting a core dump. But now I do wonder if FB is somehow related to the crash.
Crash Signature: [@ js::mjit::JaegerShot ]
I can reproduce this, Linux x86-64, Aurora 2011-06-21 build.
Also, I bet a glazed ham that this is *the* EnterMethodJIT crash bug. Every single weird JIT crash anomaly I debugged as part of the categorization tool appeared while looking into this Yahoo thing.
Assignee: luke → dvander
Status: NEW → ASSIGNED
Attachment #541582 - Flags: review?(cdleary)
we should mail a ham to Vivekanand :)
Attachment #541582 - Flags: review?(cdleary) → review+
http://hg.mozilla.org/tracemonkey/rev/d403daff812c - would like to verify Windows x86 tomorrow, after that will check into m-c to see what happens to crash stats.
Whiteboard: [sg:critical?] → [sg:critical][fixed-in-tracemonkey]
Good to see atleast this has changed its status to 'assigned' @Luke most welcome! Shall I put my address here? ;-)
Indeed, thank you Vivekanand for reporting this with accurate steps-to-reproduce! http://hg.mozilla.org/mozilla-central/rev/a042d0d4c792
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
dvander, can you make a testcase? It would be nice to understand why the fuzzers missed this bug, and it would be nice to have a regression test.
Is it appropriate to nominate this for aurora? If it fixes a topcrash, it seems like it may be good to take. (Is it low risk? It's not clear to me from looking at the patch *why* it fixes a crash, so it's hard for me to evaluate.)
Comment on attachment 541582 [details] [diff] [review] yup, this is really the bug Requesting approval for aurora. Benefit: Potentially fixes a large class of method JIT crash bugs, including at least one reproducible Yahoo mail crash bug. Risk: Increases the size of a data structure by 0-4 bytes. Total browser increase would be measured in KB.
Attachment #541582 - Flags: approval-mozilla-aurora?
Comment on attachment 541582 [details] [diff] [review] yup, this is really the bug Please land on releases/mozilla-aurora
Attachment #541582 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to comment #48) > dvander, can you make a testcase? It would be nice to understand why the > fuzzers missed this bug, and it would be nice to have a regression test. You have to generate code with like |x.y = z| where |y| is not on |x| and |x| has an extremely long prototype chain - probably like 50 objects. Long protos might reveal some interesting stuff. The bug here was that the offset stored a distance between two points in memory, and with enough prototype checks it overflowed ~10 bits and patched garbage. Anyway, sorry, I think I missed the aurora checkin for this so now it's already there after taking m-c.
status-firefox7: affectedfixed
We missed the mozilla6 aurora window but the patch looks safe enough for the beta branch and it's still a pretty common crash. Should we take it there?
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Comment on attachment 541582 [details] [diff] [review] yup, this is really the bug We missed the mozilla6 aurora window but the patch looks safe enough for the beta branch. It's still a pretty common crash and the intent of clegnitto's aurora approval was to get it into Firefox 6, not just on some aurora branch sometime. Can we get beta approval?
Attachment #541582 - Flags: approval-mozilla-beta?
Comment on attachment 541582 [details] [diff] [review] yup, this is really the bug releases/mozilla-beta approval as well!
Attachment #541582 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Why such crazy long proto chains? Anyone know? /be
re: comment 46. We have no hams, but if you send your address to chofmann@mozilla.org I'll send you a firefox/mozilla t-shirt. ;-)
I'll send you a ham. Try me.
@chris, thats awesome!!! I would love to show it off! Have sent my address to mentioned email address. Thanks in advance :-)
Blocks: 670603
Alias: CVE-2011-2991
(In reply to chris hofmann from comment #59) > re: comment 46. > > We have no hams, but if you send your address to chofmann@mozilla.org I'll > send you a firefox/mozilla t-shirt. ;-) Did my email went unnoticed? Shall I send it again, Chris? Apologies if I sound greedy about the t-shirt :-)
qa-: Vivekanand Bolajwar, can you please test Firefox 7.0b6 to see if this is fixed?
Whiteboard: [sg:critical][fixed-in-tracemonkey] → [sg:critical][fixed-in-tracemonkey][qa-]
Group: core-security
Flags: sec-bounty+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: