Bug 655660 (CVE-2011-2991)

Firefox 4 crashing when I try to delete emails using Yahoo! Mail Beta [@ js::mjit::JaegerShot ]

RESOLVED FIXED

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
2 years ago

People

(Reporter: Vivekanand Bolajwar, Assigned: dvander)

Tracking

({crash, regression})

2.0 Branch
x86
Mac OS X
crash, regression
Points:
---
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox5- affected, firefox6+ fixed, firefox7+ fixed, blocking2.0 ?, status2.0 wanted, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [sg:critical][fixed-in-tracemonkey][qa-], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Whenever I try to delete emails from new Yahoo! Mail Beta the Firefox 4 is crashing.

Here are the crash reports
http://crash-stats.mozilla.com/report/index/bp-fcaf835d-74d6-4bf8-b743-ebc2b2110506

http://crash-stats.mozilla.com/report/index/bp-6febb105-15de-4187-aeca-dff462110506

http://crash-stats.mozilla.com/report/index/bp-7f1af8c4-fe1e-480e-a21a-6ef232110505

http://crash-stats.mozilla.com/report/index/bp-7dd5937e-58d3-4ac5-a0b7-e45532110505

http://crash-stats.mozilla.com/report/index/bp-9c1687b3-58dd-4109-8d90-e1c7e2110504

http://crash-stats.mozilla.com/report/index/bp-778685f4-0b0d-4c16-a6f5-667e72110505

Reproducible: Always

Steps to Reproduce:
1. Goto Yahoo! Mail Beta
2. Goto Inbox and try to delete emails by pressing delete key
3. Keep deleting and Firefox crashes
(Reporter)

Updated

6 years ago
Keywords: regression
Version: unspecified → 4.0 Branch
I don't see this as an attack vector.
Group: core-security
Keywords: crash
(Reporter)

Comment 2

6 years ago
If you visit the first crash report 

There lots of people have commented that they were on yahoo mail and Firefox crashed!

Not sure what you meant by 'attack vector' please elaborate.
(Reporter)

Updated

6 years ago
Priority: -- → P1

Comment 3

6 years ago
Works for me on Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0a1) Gecko/20110508 Firefox/6.0a1

Also, could you see if the issue occurs if using Firefox in safe mode:
http://support.mozilla.com/kb/Safe+Mode

How about with a new, empty testing profile? (Don't install any addons into it)
http://support.mozilla.com/kb/Basic+Troubleshooting#w_8-make-a-new-profile

Comment 4

6 years ago
(In reply to comment #2)
> Not sure what you meant by 'attack vector' please elaborate.

My guess and reading between the lines: Since Ludovic removed the group core-security when he wrote that comment that means that the bug previously had been marked as a security hole. Only a very limited number of people can view such bugs, but Ludovic states that he can't see how this crash could ever be used to take control over the browser and removed the restriction.

-----

Regarding the crash reports, indeed, the comments tab of https://crash-stats.mozilla.com/report/index/bp-fcaf835d-74d6-4bf8-b743-ebc2b2110506 shows a lot of Yahoo mail related comments.
0 		@0x11e6ff826 	
1 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
2 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
3 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
4 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2211
5 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
6 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
7 		@0x11e5c3b46 	
8 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
9 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
10 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
11 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2211
12 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
13 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
14 		@0x11e483f9e 	
15 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
16 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
17 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
18 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2211
19 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
20 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
21 		@0x11d8a17e8 	
22 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
23 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
24 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
25 	XUL 	js_fun_apply 	js/src/jsfun.cpp:2211
26 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
27 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
28 		@0x118f3393f 	
29 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
30 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
31 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
32 	XUL 	js_fun_call 	js/src/jsfun.cpp:2148
33 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
34 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
35 		@0x11aa75691 	
36 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
37 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
38 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
39 	XUL 	js_fun_call 	js/src/jsfun.cpp:2148
40 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
41 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
42 		@0x11aa742b4 	
43 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
44 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
45 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
46 	XUL 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
47 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
48 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
49 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
50 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
51 	XUL 	XUL@0xe2ec2a 	
52 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:172
53 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
54 	XUL 	XPCConvert::JSData2Native 	js/src/xpconnect/src/xpcconvert.cpp:1081
55 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:3124
56 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1613
57 	XUL 	js::mjit::stubs::UncachedCallHelper 	js/src/jscntxtinlines.h:701
58 	XUL 	js::mjit::stubs::UncachedCall 	js/src/methodjit/InvokeHelpers.cpp:431
59 		@0x11a40a1b9 	
60 	XUL 	js::mjit::JaegerShot 	js/src/methodjit/MethodJIT.cpp:749
61 	XUL 	js::RunScript 	js/src/jsinterp.cpp:646
62 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
63 	XUL 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
64 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
65 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
66 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
67 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
68 	XUL 	XUL@0xe2ec2a 	
69 	XUL 	nsEventListenerManager::HandleEventSubType 	content/events/src/nsEventListenerManager.cpp:1127
70 	XUL 	nsEventListenerManager::HandleEventInternal 	content/events/src/nsEventListenerManager.cpp:1222
71 	XUL 	nsEventTargetChainItem::HandleEventTargetChain 	content/events/src/nsEventListenerManager.h:146
72 	XUL 	nsEventDispatcher::Dispatch 	content/events/src/nsEventDispatcher.cpp:628
73 	XUL 	nsEventDispatcher::DispatchDOMEvent 	content/events/src/nsEventDispatcher.cpp:691
74 	XUL 	nsXMLHttpRequest::ChangeState 	content/base/src/nsXMLHttpRequest.cpp:3073
75 	XUL 	nsXMLHttpRequest::RequestCompleted 	content/base/src/nsXMLHttpRequest.cpp:2192
76 	XUL 	nsXMLHttpRequest::OnStopRequest 	content/base/src/nsXMLHttpRequest.cpp:2155
77 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:195
78 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:3124
79 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1613
80 	XUL 	js::Interpret 	js/src/jscntxtinlines.h:701
81 	XUL 	js::RunScript 	js/src/jsinterp.cpp:653
82 	XUL 	js::Invoke 	js/src/jsinterp.cpp:740
83 	XUL 	js::ExternalInvoke 	js/src/jsinterp.cpp:863
84 	XUL 	JS_CallFunctionValue 	js/src/jsapi.cpp:5173
85 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1672
86 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:588
87 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:153
88 	XUL 	XUL@0xe2ec2a 	
89 	XUL 	nsStreamListenerTee::OnStopRequest 	netwerk/base/src/nsStreamListenerTee.cpp:71
90 	XUL 	nsHttpChannel::OnStopRequest 	netwerk/protocol/http/nsHttpChannel.cpp:4032
91 	XUL 	nsInputStreamPump::OnStateStop 	netwerk/base/src/nsInputStreamPump.cpp:578
92 	XUL 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:403
93 	XUL 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:112
94 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
95 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:200
96 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:132
97 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:399
98 	CoreFoundation 	__CFRunLoopDoSources0 	
99 	CoreFoundation 	__CFRunLoopRun 	
100 	CoreFoundation 	CFRunLoopRunSpecific 	
137 	Foundation 	Foundation@0x2eed 	
138 	CoreFoundation 	_CFAutoreleasePoolPush 	
139 	libSystem.B.dylib 	libSystem.B.dylib@0x66c7 	
140 	AppKit 	stub helpers 	
141 	AppKit 	-[NSApplication run] 	
142 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:746
143 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:220
144 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3786
145 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:158
146 	firefox-bin 	firefox-bin@0x1953
Assignee: nobody → general
Component: General → JavaScript Engine
Priority: P1 → --
Product: Firefox → Core
QA Contact: general → general
Summary: Firefox 4 crashing when I try to delete emails using Yahoo! Mail Beta → Firefox 4 crashing when I try to delete emails using Yahoo! Mail Beta [@ js::mjit::JaegerShot ]
Version: 4.0 Branch → 2.0 Branch
(In reply to comment #1)
> I don't see this as an attack vector.

I disagree. Obviously you wouldn't attack someone by sending them to Yahoo and hope for a crash, but if Yahoo code crashes reasonably reliably then the crashing script could be isolated and reduced to a potential attack case.

The real question is whether this signature looks exploitable since the question about whether it can be caused by remote web content has been answered. Crashing in JITted code is scary in general. It might be a "safe" crash, might even be likely to be safe, but given the type of crash we need to put the burden of proof on the JS developers to prove it's safe rather than assume it is.

We need to be able to reproduce this to be able to fix it though. A reduced testcase we can attach to the bug would be great (but I'm not holding my breath).

Vevekanand: you marked this as a "regression" which I assume means it didn't happen to you in earlier versions. Which earlier version? 4.0 I hope because there were far fewer changes between 4.0 and 4.0.1 to investigate than there were between 3.6.x and 4.0.1
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase-wanted
I just started using the Yahoo Mail beta so I will see if I can reproduce this.
(In reply to comment #6)
> (In reply to comment #1)
> > I don't see this as an attack vector.
> 
> I disagree. Obviously you wouldn't attack someone by sending them to Yahoo
> and hope for a crash, but if Yahoo code crashes reasonably reliably then the
> crashing script could be isolated and reduced to a potential attack case.

Oups sorry.
fwiw I don't remember ever having crashed on Yahoo Mail Beta on my Mac, but I think I've been using Fx5/6 nightlies since I switched to the Yahoo Beta. Will play around with my 4.0.x test profile and see if I can reproduce.

Looking at crash-stats this appears to be a huge spike in 4.0.1 and very little seen in more recent versions (then again, very few users on development builds). Yahoo mail beta mentioned A LOT in the comments, deleting mail mentioned several times.

https://crash-stats.mozilla.com/report/list?query_search=signature&query_type=contains&reason_type=contains&date=now&range_value=2&range_unit=weeks&hang_type=any&process_type=any&signature=js%3A%3Amjit%3A%3AJaegerShot

Comment 10

6 years ago
luke agreed to take a look at this in order to figure out whodunnit
Assignee: general → luke

Comment 11

6 years ago
Al, can you try to reproduce as well?
I have tried a number of different scenarios around deleting mail in the Yahoo beta on both 10.5. and 10.6 using 4.0.1 and I have yet to reproduce the crash.

Comment 13

6 years ago
I am also having trouble reproducing.  Could you list any installed extensions?  Along the same lines, do you still get the crash when you disable all extensions/plugins?

Comment 14

6 years ago
(In reply to comment #13)
Oops, these are right there in the crash report!  I tried installing ABP and Firebug (enabling Script debugging), and still no crashes on 10.6.  I wasn't able to find the extension labeled delicious@vjkarunapg.com.
(Reporter)

Comment 15

6 years ago
(In reply to comment #6)
> Vevekanand: you marked this as a "regression" which I assume means it didn't
> happen to you in earlier versions. Which earlier version? 4.0 I hope because
> there were far fewer changes between 4.0 and 4.0.1 to investigate than there
> were between 3.6.x and 4.0.1

Yes. I havent seen this happening before. But I am not sure if its happening after updating to 4.0.1 thus I marked it as regression.
(Reporter)

Comment 16

6 years ago
(In reply to comment #13)
> I am also having trouble reproducing.  Could you list any installed
> extensions?  Along the same lines, do you still get the crash when you
> disable all extensions/plugins?

I have disabled all the addons and the issue is still reproducible.
(Reporter)

Comment 17

6 years ago
Here is my further investigation

1. If you delete fewer messages then it doesnt crash.
2. To make it crash you need to keep on pressing delete button and vary the speed of pressing the delete button as well.

I have disabled all the addons and was still able to crash Firefox. Here is the crash report

https://crash-stats.mozilla.com/report/index/bp-1d562352-f62e-4c40-a849-620ce2110509


I have created new profile and was still able to crash Firefox. Here is the crash report.

https://crash-stats.mozilla.com/report/index/f4f24e02-6ef9-4a13-bbfb-3a8f32110509


Then I started the Firefox in Safe mode and on first start it automatically crashed. Here is the crash report.

https://crash-stats.mozilla.com/report/index/9be26227-deb0-4fbb-96db-6b6cb2110509


But after restarting in safe mode again I wasnt able to reproduce the issue and even after deleting around 100-150 emails Firefox didnt crash.

BTW. I work for Yahoo! Mail and it is difficult to track whats breaking Firefox since I dont get any error message or warning or anything of that sort. 

I tried tracking this with Dynatrace on Window but this issue doesnt exist on windows which made it even difficult to trace.

Even if you guys could possibly find any problem with Yahoo! Mail JS I will be glad to fix but I need to know whats causing this.
blocking2.0: --- → ?
status2.0: --- → wanted

Comment 18

6 years ago
Vivekanand, I'm trying to understand exactly how to get a crash.

Do you use the mouse and click the Delete button on the screen or do you delete the messages by using the keyboard?

When you are in the Inbox deleting messages, do you delete messages from the list without reading them, or do you open them first so they are readable when deleting them?

When you try to delete a message and get a crash, does the message really get deleted, or is it still in the Inbox when you visit Yahoo next time?
Vivekanand what langauge is Yahoo mail for you is it in english ?
(Reporter)

Comment 20

6 years ago
(In reply to comment #18)
> Vivekanand, I'm trying to understand exactly how to get a crash.
> 
> Do you use the mouse and click the Delete button on the screen or do you
> delete the messages by using the keyboard?

I use keyboard.

> 
> When you are in the Inbox deleting messages, do you delete messages from the
> list without reading them, or do you open them first so they are readable
> when deleting them?
I dont let them render. Delete them before rendering. Sometimes they are in the middle of rendering. Sometimes they are in the middle of loading.

> 
> When you try to delete a message and get a crash, does the message really
> get deleted, or is it still in the Inbox when you visit Yahoo next time?
Since I delete around 30-40 messages can not figure out one message out of it. The crash happens instantly when I am in the process of pressing the delete button.
(Reporter)

Comment 21

6 years ago
(In reply to comment #19)
> Vivekanand what langauge is Yahoo mail for you is it in english ?
Yes. My language is english.
Duplicate of this bug: 657523
Bug 657523, which was marked as a dupe, indicates you need 30-50 emails opened in tabs in order to see this behavior. That may be why I wasn't able to repro in the first pass.
I tried again to reproduce on a Windows machine in the lab but still have not had any luck yet.
(Reporter)

Comment 25

6 years ago
I dont see any benefit of trying to reproduce on Windows machine when the bug is only experienced on MAC.

Please try it on Mac...
It makes a lot of sense to me since the bug that was duped - https://bugzilla.mozilla.org/show_bug.cgi?id=657523#c3 - as a person crashing on Windows XP.

I have tried it on Mac and have yet to reproduce it.

(In reply to comment #25)
> I dont see any benefit of trying to reproduce on Windows machine when the
> bug is only experienced on MAC.
> 
> Please try it on Mac...
(Reporter)

Comment 27

6 years ago
Ah.. ok. Sorry about that.

What can I help you to reproduce the issue? Any specific pattern that I should follow. Any logs to extract from somewhere?

I would love to collaborate.
Crashes [@ js::mjit::JaegerShot] are overwhelmingly Mac OS X, with a smattering of Linux; zero Windows crashes with that signature. If bug 655660 is a duplicate (sure sounds like it) then it must have a different signature. I did find a bunch with essentially the same signature: [@ js::mjit::JaegerShot(JSContext*)] but no comments mentioning Yahoo mail -- very unlike the Mac crashes with dozens of people saying they were on yahoo mail beta.

We need crash ID's on Windows from mily to see if bug 655660 is really related, but in the meanwhile it looks like our best chance for reproducing this will be on Mac. This stack has 650+ crashes on Mac in a week with small marketshare, vs. only 120 in a week for the variant on Windows with 90% of the market.
(Reporter)

Comment 29

6 years ago
Is anybody working on this bug? There seems to be no activity since last 10 days. 
BTW, I am able to crash Aurora builds as well with the same error. [@ js::mjit::JaegerShot]
(In reply to comment #29)
> Is anybody working on this bug? There seems to be no activity since last 10
> days. 
> BTW, I am able to crash Aurora builds as well with the same error. [@
> js::mjit::JaegerShot]

We don't have enough information to do anything right now--we were unable to reproduce the crash for local debugging. 

We might able to move forward if you could send us a core dump. Note that a core dump contains the contents of all the memory from your browser, which could include sensitive data. See 

  https://developer.mozilla.org/en/Remote_debugging#Core_dumps_on_Mac_and_Linux

for instructions. Let me know if you have questions.
Looks like we have steps to reproduce from bug 658757#c5 where it has been reproduced on Win 7 and Linux (although not indicated in the bug). It might actually be the same bug.
status-firefox5: --- → affected
tracking-firefox5: --- → ?

Updated

6 years ago
Duplicate of this bug: 658757
I just tried to reproduce this in the lab on Windows 7, following the STR in the bug in Comment 31. But others have noted that it cannot consistently be reproduced.
If those STR work for some people, some of the time, maybe it always crashes on a certain line of code or a certain operation. Even if we can't reproduce it ourselves (I wasn't able to on Mac just now--I'll try on Windows when I get a chance), if we could gather stats on the crash JS source location, maybe we could find the bug by inspection or add some instrumentation to do further diagnostics. I don't think it's very easy to catch the JS location without a bunch of breakpad heavy lifting, though.
Minusing for tracking-firefox5, but we sure would like to see this fixed ASAP. Dave M, any thoughts on how quickly/safely we can get a fix for this into, say, Aurora/FF6?
tracking-firefox5: ? → -
guessing probably sg:critical based on the stacks.
status-firefox6: --- → affected
tracking-firefox6: --- → ?
Whiteboard: [sg:critical?]
(In reply to comment #35)
> Minusing for tracking-firefox5, but we sure would like to see this fixed
> ASAP. Dave M, any thoughts on how quickly/safely we can get a fix for this
> into, say, Aurora/FF6?

Well, we have no STR (the ones in the other bug worked for neither Marcia nor me), so no ETA for now.

I tried to open one of the minidumps in the other bug (which was for 32-bit Linux), but it didn't have the jitcode memory, so there's nothing to learn there. (Maybe only on Windows do we get the memory around eip?)

We might be able to make some progress if someone could give us a full core dump.
(Reporter)

Comment 38

6 years ago
I tried creating a core dump but its not happening. I follow the steps mentioned in the link above but no use.

I have used ulimit -c unlimited and started firefox from console. When it crashes nothing happens and no core dump is created inside /cores folder.

All I get is Firefox crash reporter.

When I start firefox from console I get a message saying 'FBTrace is not installed...' 

HTH
I have tried again to reproduce this on Mac and Windows 7 but with no luck. I realize there is an important extra step in Bug 658757 Comment 5 which involves changing the preview view. But even with that and deleting the emails rapidly I was not able to reproduce.

Updated

6 years ago
status-firefox7: --- → affected
tracking-firefox6: ? → +
tracking-firefox7: --- → +
(In reply to comment #38)
> I tried creating a core dump but its not happening. I follow the steps
> mentioned in the link above but no use.
> 
> I have used ulimit -c unlimited and started firefox from console. When it
> crashes nothing happens and no core dump is created inside /cores folder.
> 
> All I get is Firefox crash reporter.

Hmmm. Maybe you need to disable the crash reporter from that run. You can do that by using the command line:

  MOZ_CRASHREPORTER_DISABLE=1  normal_cmdline_to_run_fx

If that works, let me know so I can update the instructions (but certainly feel free to do that yourself if you like.)

> When I start firefox from console I get a message saying 'FBTrace is not
> installed...' 

That seems to be a message from Firebug or a Firebug-related plugin. I don't think it's related to not getting a core dump. But now I do wonder if FB is somehow related to the crash.

Updated

6 years ago
Duplicate of this bug: 662758
Crash Signature: [@ js::mjit::JaegerShot ]
I can reproduce this, Linux x86-64, Aurora 2011-06-21 build.
Created attachment 541582 [details] [diff] [review]
yup, this is really the bug

Also, I bet a glazed ham that this is *the* EnterMethodJIT crash bug. Every single weird JIT crash anomaly I debugged as part of the categorization tool appeared while looking into this Yahoo thing.
Assignee: luke → dvander
Status: NEW → ASSIGNED
Attachment #541582 - Flags: review?(cdleary)

Comment 44

6 years ago
we should mail a ham to Vivekanand :)
Attachment #541582 - Flags: review?(cdleary) → review+
http://hg.mozilla.org/tracemonkey/rev/d403daff812c - would like to verify Windows x86 tomorrow, after that will check into m-c to see what happens to crash stats.
Whiteboard: [sg:critical?] → [sg:critical][fixed-in-tracemonkey]
(Reporter)

Comment 46

6 years ago
Good to see atleast this has changed its status to 'assigned'

@Luke most welcome! Shall I put my address here? ;-)
Indeed, thank you Vivekanand for reporting this with accurate steps-to-reproduce!

http://hg.mozilla.org/mozilla-central/rev/a042d0d4c792
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 48

6 years ago
dvander, can you make a testcase? It would be nice to understand why the fuzzers missed this bug, and it would be nice to have a regression test.
Is it appropriate to nominate this for aurora?  If it fixes a topcrash, it seems like it may be good to take.  (Is it low risk?  It's not clear to me from looking at the patch *why* it fixes a crash, so it's hard for me to evaluate.)
Comment on attachment 541582 [details] [diff] [review]
yup, this is really the bug

Requesting approval for aurora.

Benefit: Potentially fixes a large class of method JIT crash bugs, including at least one reproducible Yahoo mail crash bug.

Risk: Increases the size of a data structure by 0-4 bytes. Total browser increase would be measured in KB.
Attachment #541582 - Flags: approval-mozilla-aurora?

Comment 52

6 years ago
Comment on attachment 541582 [details] [diff] [review]
yup, this is really the bug

Please land on releases/mozilla-aurora
Attachment #541582 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to comment #48)
> dvander, can you make a testcase? It would be nice to understand why the
> fuzzers missed this bug, and it would be nice to have a regression test.

You have to generate code with like |x.y = z| where |y| is not on |x| and |x| has an extremely long prototype chain - probably like 50 objects. Long protos might reveal some interesting stuff. The bug here was that the offset stored a distance between two points in memory, and with enough prototype checks it overflowed ~10 bits and patched garbage.

Anyway, sorry, I think I missed the aurora checkin for this so now it's already there after taking m-c.
status-firefox7: affected → fixed
We missed the mozilla6 aurora window but the patch looks safe enough for the beta branch and it's still a pretty common crash. Should we take it there?
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Comment on attachment 541582 [details] [diff] [review]
yup, this is really the bug

We missed the mozilla6 aurora window but the patch looks safe enough for the beta branch. It's still a pretty common crash and the intent of clegnitto's aurora approval was to get it into Firefox 6, not just on some aurora branch sometime. Can we get beta approval?
Attachment #541582 - Flags: approval-mozilla-beta?

Comment 56

6 years ago
Comment on attachment 541582 [details] [diff] [review]
yup, this is really the bug

releases/mozilla-beta approval as well!
Attachment #541582 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
http://hg.mozilla.org/releases/mozilla-beta/rev/af53ceda8b4a
status-firefox6: affected → fixed
Why such crazy long proto chains? Anyone know?

/be

Comment 59

6 years ago
re: comment 46.

We have no hams, but if you send your address to chofmann@mozilla.org I'll send you a firefox/mozilla t-shirt. ;-)

Comment 60

6 years ago
I'll send you a ham.  Try me.
(Reporter)

Comment 61

6 years ago
@chris, thats awesome!!! I would love to show it off!

Have sent my address to mentioned email address. 

Thanks in advance :-)
Blocks: 670603
Alias: CVE-2011-2991
(Reporter)

Comment 62

6 years ago
(In reply to chris hofmann from comment #59)
> re: comment 46.
> 
> We have no hams, but if you send your address to chofmann@mozilla.org I'll
> send you a firefox/mozilla t-shirt. ;-)

Did my email went unnoticed? Shall I send it again, Chris? Apologies if I sound greedy about the t-shirt :-)
qa-: Vivekanand Bolajwar, can you please test Firefox 7.0b6  to see if this is fixed?
Whiteboard: [sg:critical][fixed-in-tracemonkey] → [sg:critical][fixed-in-tracemonkey][qa-]
Group: core-security
Flags: sec-bounty+
Keywords: testcase-wanted
You need to log in before you can comment on or make changes to this bug.