Last Comment Bug 655660 - (CVE-2011-2991) Firefox 4 crashing when I try to delete emails using Yahoo! Mail Beta [@ js::mjit::JaegerShot ]
(CVE-2011-2991)
: Firefox 4 crashing when I try to delete emails using Yahoo! Mail Beta [@ js::...
Status: RESOLVED FIXED
[sg:critical][fixed-in-tracemonkey][qa-]
: crash, regression
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: 2.0 Branch
: x86 Mac OS X
: -- critical (vote)
: ---
Assigned To: David Anderson [:dvander]
:
Mentors:
http://mail.yahoo.com/
: 657523 662758 (view as bug list)
Depends on:
Blocks: 670603
  Show dependency treegraph
 
Reported: 2011-05-09 00:30 PDT by Vivekanand Bolajwar
Modified: 2015-10-16 11:48 PDT (History)
25 users (show)
rforbes: sec‑bounty+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
-
affected
+
fixed
+
fixed
?
wanted
unaffected
unaffected


Attachments
yup, this is really the bug (1.14 KB, patch)
2011-06-23 19:23 PDT, David Anderson [:dvander]
cdleary: review+
christian: approval‑mozilla‑aurora+
christian: approval‑mozilla‑beta+
Details | Diff | Splinter Review

Description Vivekanand Bolajwar 2011-05-09 00:30:50 PDT
User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Whenever I try to delete emails from new Yahoo! Mail Beta the Firefox 4 is crashing.

Here are the crash reports
http://crash-stats.mozilla.com/report/index/bp-fcaf835d-74d6-4bf8-b743-ebc2b2110506

http://crash-stats.mozilla.com/report/index/bp-6febb105-15de-4187-aeca-dff462110506

http://crash-stats.mozilla.com/report/index/bp-7f1af8c4-fe1e-480e-a21a-6ef232110505

http://crash-stats.mozilla.com/report/index/bp-7dd5937e-58d3-4ac5-a0b7-e45532110505

http://crash-stats.mozilla.com/report/index/bp-9c1687b3-58dd-4109-8d90-e1c7e2110504

http://crash-stats.mozilla.com/report/index/bp-778685f4-0b0d-4c16-a6f5-667e72110505

Reproducible: Always

Steps to Reproduce:
1. Goto Yahoo! Mail Beta
2. Goto Inbox and try to delete emails by pressing delete key
3. Keep deleting and Firefox crashes
Comment 1 Ludovic Hirlimann [:Usul] 2011-05-09 00:37:26 PDT
I don't see this as an attack vector.
Comment 2 Vivekanand Bolajwar 2011-05-09 02:31:53 PDT
If you visit the first crash report 

There lots of people have commented that they were on yahoo mail and Firefox crashed!

Not sure what you meant by 'attack vector' please elaborate.
Comment 3 Vlad [QA] 2011-05-09 05:37:57 PDT
Works for me on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0a1) Gecko/20110508 Firefox/6.0a1

Also, could you see if the issue occurs if using Firefox in safe mode:
http://support.mozilla.com/kb/Safe+Mode

How about with a new, empty testing profile? (Don't install any addons into it)
http://support.mozilla.com/kb/Basic+Troubleshooting#w_8-make-a-new-profile
Comment 4 Thomas Ahlblom 2011-05-09 06:12:09 PDT
(In reply to comment #2)
> Not sure what you meant by 'attack vector' please elaborate.

My guess and reading between the lines: Since Ludovic removed the group core-security when he wrote that comment that means that the bug previously had been marked as a security hole. Only a very limited number of people can view such bugs, but Ludovic states that he can't see how this crash could ever be used to take control over the browser and removed the restriction.

-----

Regarding the crash reports, indeed, the comments tab of https://crash-stats.mozilla.com/report/index/bp-fcaf835d-74d6-4bf8-b743-ebc2b2110506 shows a lot of Yahoo mail related comments.
Comment 5 Ludovic Hirlimann [:Usul] 2011-05-09 06:17:09 PDT
0 		@0x11e6ff826 	
1 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
2 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
3 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
4 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2211
5 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
6 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
7 		@0x11e5c3b46 	
8 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
9 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
10 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
11 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2211
12 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
13 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
14 		@0x11e483f9e 	
15 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
16 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
17 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
18 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2211
19 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
20 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
21 		@0x11d8a17e8 	
22 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
23 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
24 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
25 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2211
26 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
27 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
28 		@0x118f3393f 	
29 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
30 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
31 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
32 	XUL 	js_fun_call 	js/src/jsfun.cpp:2148
33 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
34 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
35 		@0x11aa75691 	
36 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
37 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
38 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
39 	XUL 	js_fun_call 	js/src/jsfun.cpp:2148
40 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
41 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
42 		@0x11aa742b4 	
43 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
44 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
45 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
46 	XUL 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
47 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
48 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
49 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
50 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
51 	XUL 	XUL@0xe2ec2a 	
52 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:172
53 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
54 	XUL 	XPCConvert::JSData2Native 	js/src/xpconnect/src/xpcconvert.cpp:1081
55 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:3124
56 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1613
57 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
58 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
59 		@0x11a40a1b9 	
60 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
61 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
62 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
63 	XUL 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
64 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
65 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
66 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
67 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
68 	XUL 	XUL@0xe2ec2a 	
69 	XUL 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1127
70 	XUL 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1222
71 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventListenerManager.h:146
72 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:628
73 	XUL 	nsEventDispatcher::DispatchDOMEvent 	content/events/src/nsEventDispatcher.cpp:691
74 	XUL 	nsXMLHttpRequest::ChangeState 	content/base/src/nsXMLHttpRequest.cpp:3073
75 	XUL 	nsXMLHttpRequest::RequestCompleted 	content/base/src/nsXMLHttpRequest.cpp:2192
76 	XUL 	nsXMLHttpRequest::OnStopRequest 	content/base/src/nsXMLHttpRequest.cpp:2155
77 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
78 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:3124
79 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1613
80 	XUL 	js::Interpret 	js/src/jscntxtinlines.h:701
81 	XUL 	js::RunScript 	js/src/jsinterp.cpp:653
82 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
83 	XUL 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
84 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
85 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
86 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
87 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
88 	XUL 	XUL@0xe2ec2a 	
89 	XUL 	nsStreamListenerTee::OnStopRequest 	netwerk/base/src/nsStreamListenerTee.cpp:71
90 	XUL 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4032
91 	XUL 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
92 	XUL 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
93 	XUL 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
94 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
95 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:200
96 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:132
97 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:399
98 	CoreFoundation 	__CFRunLoopDoSources0 	
99 	CoreFoundation 	__CFRunLoopRun 	
100 	CoreFoundation 	CFRunLoopRunSpecific 	
137 	Foundation 	Foundation@0x2eed 	
138 	CoreFoundation 	_CFAutoreleasePoolPush 	
139 	libSystem.B.dylib 	libSystem.B.dylib@0x66c7 	
140 	AppKit 	stub helpers 	
141 	AppKit 	-[NSApplication run] 	
142 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:746
143 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:220
144 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3786
145 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:158
146 	firefox-bin 	firefox-bin@0x1953
Comment 6 Daniel Veditz [:dveditz] 2011-05-09 11:44:25 PDT
(In reply to comment #1)
> I don't see this as an attack vector.

I disagree. Obviously you wouldn't attack someone by sending them to Yahoo and hope for a crash, but if Yahoo code crashes reasonably reliably then the crashing script could be isolated and reduced to a potential attack case.

The real question is whether this signature looks exploitable since the question about whether it can be caused by remote web content has been answered. Crashing in JITted code is scary in general. It might be a "safe" crash, might even be likely to be safe, but given the type of crash we need to put the burden of proof on the JS developers to prove it's safe rather than assume it is.

We need to be able to reproduce this to be able to fix it though. A reduced testcase we can attach to the bug would be great (but I'm not holding my breath).

Vevekanand: you marked this as a "regression" which I assume means it didn't happen to you in earlier versions. Which earlier version? 4.0 I hope because there were far fewer changes between 4.0 and 4.0.1 to investigate than there were between 3.6.x and 4.0.1
Comment 7 Marcia Knous [:marcia - use ni] 2011-05-09 11:45:43 PDT
I just started using the Yahoo Mail beta so I will see if I can reproduce this.
Comment 8 Ludovic Hirlimann [:Usul] 2011-05-09 11:47:54 PDT
(In reply to comment #6)
> (In reply to comment #1)
> > I don't see this as an attack vector.
> 
> I disagree. Obviously you wouldn't attack someone by sending them to Yahoo
> and hope for a crash, but if Yahoo code crashes reasonably reliably then the
> crashing script could be isolated and reduced to a potential attack case.

Oups sorry.
Comment 9 Daniel Veditz [:dveditz] 2011-05-09 14:53:05 PDT
fwiw I don't remember ever having crashed on Yahoo Mail Beta on my Mac, but I think I've been using Fx5/6 nightlies since I switched to the Yahoo Beta. Will play around with my 4.0.x test profile and see if I can reproduce.

Looking at crash-stats this appears to be a huge spike in 4.0.1 and very little seen in more recent versions (then again, very few users on development builds). Yahoo mail beta mentioned A LOT in the comments, deleting mail mentioned several times.

https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&date=now&range_value=2&range_unit=weeks&hang_type=any&process_type=any&signature=js%3A%3Amjit%3A%3AJaegerShot
Comment 10 Robert Sayre 2011-05-09 15:03:12 PDT
luke agreed to take a look at this in order to figure out whodunnit
Comment 11 christian 2011-05-09 15:30:59 PDT
Al, can you try to reproduce as well?
Comment 12 Marcia Knous [:marcia - use ni] 2011-05-09 15:41:23 PDT
I have tried a number of different scenarios around deleting mail in the Yahoo beta on both 10.5. and 10.6 using 4.0.1 and I have yet to reproduce the crash.
Comment 13 Luke Wagner [:luke] 2011-05-09 16:27:09 PDT
I am also having trouble reproducing.  Could you list any installed extensions?  Along the same lines, do you still get the crash when you disable all extensions/plugins?
Comment 14 Luke Wagner [:luke] 2011-05-09 16:49:41 PDT
(In reply to comment #13)
Oops, these are right there in the crash report!  I tried installing ABP and Firebug (enabling Script debugging), and still no crashes on 10.6.  I wasn't able to find the extension labeled delicious@vjkarunapg.com.
Comment 15 Vivekanand Bolajwar 2011-05-09 22:18:39 PDT
(In reply to comment #6)
> Vevekanand: you marked this as a "regression" which I assume means it didn't
> happen to you in earlier versions. Which earlier version? 4.0 I hope because
> there were far fewer changes between 4.0 and 4.0.1 to investigate than there
> were between 3.6.x and 4.0.1

Yes. I havent seen this happening before. But I am not sure if its happening after updating to 4.0.1 thus I marked it as regression.
Comment 16 Vivekanand Bolajwar 2011-05-09 22:19:26 PDT
(In reply to comment #13)
> I am also having trouble reproducing.  Could you list any installed
> extensions?  Along the same lines, do you still get the crash when you
> disable all extensions/plugins?

I have disabled all the addons and the issue is still reproducible.
Comment 17 Vivekanand Bolajwar 2011-05-09 22:26:19 PDT
Here is my further investigation

1. If you delete fewer messages then it doesnt crash.
2. To make it crash you need to keep on pressing delete button and vary the speed of pressing the delete button as well.

I have disabled all the addons and was still able to crash Firefox. Here is the crash report

https://crash-stats.mozilla.com/report/index/bp-1d562352-f62e-4c40-a849-620ce2110509


I have created new profile and was still able to crash Firefox. Here is the crash report.

https://crash-stats.mozilla.com/report/index/f4f24e02-6ef9-4a13-bbfb-3a8f32110509


Then I started the Firefox in Safe mode and on first start it automatically crashed. Here is the crash report.

https://crash-stats.mozilla.com/report/index/9be26227-deb0-4fbb-96db-6b6cb2110509


But after restarting in safe mode again I wasnt able to reproduce the issue and even after deleting around 100-150 emails Firefox didnt crash.

BTW. I work for Yahoo! Mail and it is difficult to track whats breaking Firefox since I dont get any error message or warning or anything of that sort. 

I tried tracking this with Dynatrace on Window but this issue doesnt exist on windows which made it even difficult to trace.

Even if you guys could possibly find any problem with Yahoo! Mail JS I will be glad to fix but I need to know whats causing this.
Comment 18 Thomas Ahlblom 2011-05-10 07:00:52 PDT
Vivekanand, I'm trying to understand exactly how to get a crash.

Do you use the mouse and click the Delete button on the screen or do you delete the messages by using the keyboard?

When you are in the Inbox deleting messages, do you delete messages from the list without reading them, or do you open them first so they are readable when deleting them?

When you try to delete a message and get a crash, does the message really get deleted, or is it still in the Inbox when you visit Yahoo next time?
Comment 19 Ludovic Hirlimann [:Usul] 2011-05-10 07:41:24 PDT
Vivekanand what langauge is Yahoo mail for you is it in english ?
Comment 20 Vivekanand Bolajwar 2011-05-10 07:44:02 PDT
(In reply to comment #18)
> Vivekanand, I'm trying to understand exactly how to get a crash.
> 
> Do you use the mouse and click the Delete button on the screen or do you
> delete the messages by using the keyboard?

I use keyboard.

> 
> When you are in the Inbox deleting messages, do you delete messages from the
> list without reading them, or do you open them first so they are readable
> when deleting them?
I dont let them render. Delete them before rendering. Sometimes they are in the middle of rendering. Sometimes they are in the middle of loading.

> 
> When you try to delete a message and get a crash, does the message really
> get deleted, or is it still in the Inbox when you visit Yahoo next time?
Since I delete around 30-40 messages can not figure out one message out of it. The crash happens instantly when I am in the process of pressing the delete button.
Comment 21 Vivekanand Bolajwar 2011-05-10 07:44:32 PDT
(In reply to comment #19)
> Vivekanand what langauge is Yahoo mail for you is it in english ?
Yes. My language is english.
Comment 22 Marcia Knous [:marcia - use ni] 2011-05-16 17:21:31 PDT
*** Bug 657523 has been marked as a duplicate of this bug. ***
Comment 23 Marcia Knous [:marcia - use ni] 2011-05-16 17:24:18 PDT
Bug 657523, which was marked as a dupe, indicates you need 30-50 emails opened in tabs in order to see this behavior. That may be why I wasn't able to repro in the first pass.
Comment 24 Marcia Knous [:marcia - use ni] 2011-05-17 11:45:06 PDT
I tried again to reproduce on a Windows machine in the lab but still have not had any luck yet.
Comment 25 Vivekanand Bolajwar 2011-05-17 22:37:25 PDT
I dont see any benefit of trying to reproduce on Windows machine when the bug is only experienced on MAC.

Please try it on Mac...
Comment 26 Marcia Knous [:marcia - use ni] 2011-05-19 14:01:15 PDT
It makes a lot of sense to me since the bug that was duped - https://bugzilla.mozilla.org/show_bug.cgi?id=657523#c3 - as a person crashing on Windows XP.

I have tried it on Mac and have yet to reproduce it.

(In reply to comment #25)
> I dont see any benefit of trying to reproduce on Windows machine when the
> bug is only experienced on MAC.
> 
> Please try it on Mac...
Comment 27 Vivekanand Bolajwar 2011-05-19 22:41:45 PDT
Ah.. ok. Sorry about that.

What can I help you to reproduce the issue? Any specific pattern that I should follow. Any logs to extract from somewhere?

I would love to collaborate.
Comment 28 Daniel Veditz [:dveditz] 2011-05-20 09:33:43 PDT
Crashes [@ js::mjit::JaegerShot] are overwhelmingly Mac OS X, with a smattering of Linux; zero Windows crashes with that signature. If bug 655660 is a duplicate (sure sounds like it) then it must have a different signature. I did find a bunch with essentially the same signature: [@ js::mjit::JaegerShot(JSContext*)] but no comments mentioning Yahoo mail -- very unlike the Mac crashes with dozens of people saying they were on yahoo mail beta.

We need crash ID's on Windows from mily to see if bug 655660 is really related, but in the meanwhile it looks like our best chance for reproducing this will be on Mac. This stack has 650+ crashes on Mac in a week with small marketshare, vs. only 120 in a week for the variant on Windows with 90% of the market.
Comment 29 Vivekanand Bolajwar 2011-05-30 00:26:06 PDT
Is anybody working on this bug? There seems to be no activity since last 10 days. 
BTW, I am able to crash Aurora builds as well with the same error. [@ js::mjit::JaegerShot]
Comment 30 David Mandelin [:dmandelin] 2011-06-01 10:31:27 PDT
(In reply to comment #29)
> Is anybody working on this bug? There seems to be no activity since last 10
> days. 
> BTW, I am able to crash Aurora builds as well with the same error. [@
> js::mjit::JaegerShot]

We don't have enough information to do anything right now--we were unable to reproduce the crash for local debugging. 

We might able to move forward if you could send us a core dump. Note that a core dump contains the contents of all the memory from your browser, which could include sensitive data. See 

  https://developer.mozilla.org/en/Remote_debugging#Core_dumps_on_Mac_and_Linux

for instructions. Let me know if you have questions.
Comment 31 juan becerra [:juanb] 2011-06-08 00:00:03 PDT
Looks like we have steps to reproduce from bug 658757#c5 where it has been reproduced on Win 7 and Linux (although not indicated in the bug). It might actually be the same bug.
Comment 32 juan becerra [:juanb] 2011-06-08 00:06:34 PDT
*** Bug 658757 has been marked as a duplicate of this bug. ***
Comment 33 Marcia Knous [:marcia - use ni] 2011-06-08 11:39:45 PDT
I just tried to reproduce this in the lab on Windows 7, following the STR in the bug in Comment 31. But others have noted that it cannot consistently be reproduced.
Comment 34 David Mandelin [:dmandelin] 2011-06-08 11:51:02 PDT
If those STR work for some people, some of the time, maybe it always crashes on a certain line of code or a certain operation. Even if we can't reproduce it ourselves (I wasn't able to on Mac just now--I'll try on Windows when I get a chance), if we could gather stats on the crash JS source location, maybe we could find the bug by inspection or add some instrumentation to do further diagnostics. I don't think it's very easy to catch the JS location without a bunch of breakpad heavy lifting, though.
Comment 35 Johnathan Nightingale [:johnath] 2011-06-08 11:54:42 PDT
Minusing for tracking-firefox5, but we sure would like to see this fixed ASAP. Dave M, any thoughts on how quickly/safely we can get a fix for this into, say, Aurora/FF6?
Comment 36 Daniel Veditz [:dveditz] 2011-06-08 17:15:24 PDT
guessing probably sg:critical based on the stacks.
Comment 37 David Mandelin [:dmandelin] 2011-06-08 18:28:12 PDT
(In reply to comment #35)
> Minusing for tracking-firefox5, but we sure would like to see this fixed
> ASAP. Dave M, any thoughts on how quickly/safely we can get a fix for this
> into, say, Aurora/FF6?

Well, we have no STR (the ones in the other bug worked for neither Marcia nor me), so no ETA for now.

I tried to open one of the minidumps in the other bug (which was for 32-bit Linux), but it didn't have the jitcode memory, so there's nothing to learn there. (Maybe only on Windows do we get the memory around eip?)

We might be able to make some progress if someone could give us a full core dump.
Comment 38 Vivekanand Bolajwar 2011-06-09 03:08:27 PDT
I tried creating a core dump but its not happening. I follow the steps mentioned in the link above but no use.

I have used ulimit -c unlimited and started firefox from console. When it crashes nothing happens and no core dump is created inside /cores folder.

All I get is Firefox crash reporter.

When I start firefox from console I get a message saying 'FBTrace is not installed...' 

HTH
Comment 39 Marcia Knous [:marcia - use ni] 2011-06-09 13:38:24 PDT
I have tried again to reproduce this on Mac and Windows 7 but with no luck. I realize there is an important extra step in Bug 658757 Comment 5 which involves changing the preview view. But even with that and deleting the emails rapidly I was not able to reproduce.
Comment 40 David Mandelin [:dmandelin] 2011-06-10 12:08:04 PDT
(In reply to comment #38)
> I tried creating a core dump but its not happening. I follow the steps
> mentioned in the link above but no use.
> 
> I have used ulimit -c unlimited and started firefox from console. When it
> crashes nothing happens and no core dump is created inside /cores folder.
> 
> All I get is Firefox crash reporter.

Hmmm. Maybe you need to disable the crash reporter from that run. You can do that by using the command line:

  MOZ_CRASHREPORTER_DISABLE=1  normal_cmdline_to_run_fx

If that works, let me know so I can update the instructions (but certainly feel free to do that yourself if you like.)

> When I start firefox from console I get a message saying 'FBTrace is not
> installed...' 

That seems to be a message from Firebug or a Firebug-related plugin. I don't think it's related to not getting a core dump. But now I do wonder if FB is somehow related to the crash.
Comment 41 Vlad [QA] 2011-06-13 05:58:13 PDT
*** Bug 662758 has been marked as a duplicate of this bug. ***
Comment 42 David Anderson [:dvander] 2011-06-23 13:42:16 PDT
I can reproduce this, Linux x86-64, Aurora 2011-06-21 build.
Comment 43 David Anderson [:dvander] 2011-06-23 19:23:32 PDT
Created attachment 541582 [details] [diff] [review]
yup, this is really the bug

Also, I bet a glazed ham that this is *the* EnterMethodJIT crash bug. Every single weird JIT crash anomaly I debugged as part of the categorization tool appeared while looking into this Yahoo thing.
Comment 44 Luke Wagner [:luke] 2011-06-23 20:13:39 PDT
we should mail a ham to Vivekanand :)
Comment 45 David Anderson [:dvander] 2011-06-24 00:29:02 PDT
http://hg.mozilla.org/tracemonkey/rev/d403daff812c - would like to verify Windows x86 tomorrow, after that will check into m-c to see what happens to crash stats.
Comment 46 Vivekanand Bolajwar 2011-06-24 06:57:16 PDT
Good to see atleast this has changed its status to 'assigned'

@Luke most welcome! Shall I put my address here? ;-)
Comment 47 David Anderson [:dvander] 2011-06-24 13:33:03 PDT
Indeed, thank you Vivekanand for reporting this with accurate steps-to-reproduce!

http://hg.mozilla.org/mozilla-central/rev/a042d0d4c792
Comment 48 Jesse Ruderman 2011-06-28 11:28:51 PDT
dvander, can you make a testcase? It would be nice to understand why the fuzzers missed this bug, and it would be nice to have a regression test.
Comment 50 David Baron :dbaron: ⌚️UTC+1 (mostly busy through August 4; review requests must explain patch) 2011-06-28 11:51:30 PDT
Is it appropriate to nominate this for aurora?  If it fixes a topcrash, it seems like it may be good to take.  (Is it low risk?  It's not clear to me from looking at the patch *why* it fixes a crash, so it's hard for me to evaluate.)
Comment 51 David Anderson [:dvander] 2011-06-28 13:11:04 PDT
Comment on attachment 541582 [details] [diff] [review]
yup, this is really the bug

Requesting approval for aurora.

Benefit: Potentially fixes a large class of method JIT crash bugs, including at least one reproducible Yahoo mail crash bug.

Risk: Increases the size of a data structure by 0-4 bytes. Total browser increase would be measured in KB.
Comment 52 christian 2011-06-28 15:04:49 PDT
Comment on attachment 541582 [details] [diff] [review]
yup, this is really the bug

Please land on releases/mozilla-aurora
Comment 53 David Anderson [:dvander] 2011-07-05 20:14:31 PDT
(In reply to comment #48)
> dvander, can you make a testcase? It would be nice to understand why the
> fuzzers missed this bug, and it would be nice to have a regression test.

You have to generate code with like |x.y = z| where |y| is not on |x| and |x| has an extremely long prototype chain - probably like 50 objects. Long protos might reveal some interesting stuff. The bug here was that the offset stored a distance between two points in memory, and with enough prototype checks it overflowed ~10 bits and patched garbage.

Anyway, sorry, I think I missed the aurora checkin for this so now it's already there after taking m-c.
Comment 54 Daniel Veditz [:dveditz] 2011-07-06 10:58:24 PDT
We missed the mozilla6 aurora window but the patch looks safe enough for the beta branch and it's still a pretty common crash. Should we take it there?
Comment 55 Daniel Veditz [:dveditz] 2011-07-06 11:00:25 PDT
Comment on attachment 541582 [details] [diff] [review]
yup, this is really the bug

We missed the mozilla6 aurora window but the patch looks safe enough for the beta branch. It's still a pretty common crash and the intent of clegnitto's aurora approval was to get it into Firefox 6, not just on some aurora branch sometime. Can we get beta approval?
Comment 56 christian 2011-07-06 11:03:19 PDT
Comment on attachment 541582 [details] [diff] [review]
yup, this is really the bug

releases/mozilla-beta approval as well!
Comment 57 David Anderson [:dvander] 2011-07-06 17:58:14 PDT
http://hg.mozilla.org/releases/mozilla-beta/rev/af53ceda8b4a
Comment 58 Brendan Eich [:brendan] 2011-07-09 00:07:17 PDT
Why such crazy long proto chains? Anyone know?

/be
Comment 59 chris hofmann 2011-07-15 15:35:55 PDT
re: comment 46.

We have no hams, but if you send your address to chofmann@mozilla.org I'll send you a firefox/mozilla t-shirt. ;-)
Comment 60 Luke Wagner [:luke] 2011-07-15 17:36:26 PDT
I'll send you a ham.  Try me.
Comment 61 Vivekanand Bolajwar 2011-07-16 08:40:31 PDT
@chris, thats awesome!!! I would love to show it off!

Have sent my address to mentioned email address. 

Thanks in advance :-)
Comment 62 Vivekanand Bolajwar 2011-08-23 23:54:04 PDT
(In reply to chris hofmann from comment #59)
> re: comment 46.
> 
> We have no hams, but if you send your address to chofmann@mozilla.org I'll
> send you a firefox/mozilla t-shirt. ;-)

Did my email went unnoticed? Shall I send it again, Chris? Apologies if I sound greedy about the t-shirt :-)
Comment 63 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-09-22 13:45:50 PDT
qa-: Vivekanand Bolajwar, can you please test Firefox 7.0b6  to see if this is fixed?

Note You need to log in before you can comment on or make changes to this bug.