Closed Bug 674776 (CVE-2011-3650) Opened 14 years ago Closed 13 years ago

SIGSEGV while profiling page with many functions (JS debugging)

Categories

Product/Component: Core :: JavaScript Engine (defect)
Platform: All
OS: macOS
Type: defect
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla9
Tracking Status
firefox6 - wontfix
firefox7 - wontfix
firefox8 + fixed
firefox9 + fixed
firefox10 --- fixed
blocking1.9.2 --- .24+
status1.9.2 --- .24-fixed

People

(Reporter: marc, Assigned: billm)

Details

(Keywords: reporter-external, Whiteboard: [sg:critical?] exposed through Firebug [js-triage-done] wanted-standalone-js [qa?])

Attachments

(4 files)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.122 Safari/534.30

Steps to reproduce:
1) open many66000.html
2) open firebug
3) do while not crash (and press continue on long running script)
3a) press "OK" (in hello box)
3b) press "profile"

Actual results:

Process: firefox-bin [6702]
Path: /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier: org.mozilla.firefox
Version: 5.0.1 (5.0.1)
Code Type: X86-64 (Native)
Parent Process: launchd [185]
Date/Time: 2011-07-27 11:38:37.194 +0200
OS Version: Mac OS X 10.6.8 (10K540)
Report Version: 6
Interval Since Last Report: 949111 sec
Crashes Since Last Report: 962
Per-App Interval Since Last Report: 12453 sec
Per-App Crashes Since Last Report: 9
Anonymous UUID: A20874EC-7280-445C-9882-755000F0127C
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000127a631ae
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 libSystem.B.dylib 0x00007fff826d7514 tiny_free_list_add_ptr + 124
1 libSystem.B.dylib 0x00007fff826d4c27 tiny_malloc_from_free_list + 1196
2 libSystem.B.dylib 0x00007fff826d3abd szone_malloc_should_clear + 242
3 libSystem.B.dylib 0x00007fff826d398a malloc_zone_malloc + 82
4 libSystem.B.dylib 0x00007fff826d1c88 malloc + 44
5 libmozalloc.dylib 0x0000000101ab39ac moz_xmalloc + 12
6 XUL 0x00000001009af604 xpc_LocalizeContext(JSContext*) + 75748
7 XUL 0x0000000100992f67 DumpJSValue + 81591
8 XUL 0x0000000100993826 DumpJSValue + 83830
9 XUL 0x00000001009a7639 xpc_LocalizeContext(JSContext*) + 43033
10 XUL 0x00000001009a1489 xpc_LocalizeContext(JSContext*) + 18025
11 XUL 0x0000000100e3c9c5 nsXPTCStubBase::Stub249() + 533
12 XUL 0x0000000100e3b84b NS_InvokeByIndex_P + 955
13 XUL 0x0000000100bc52bf JSD_DebuggerOnForUser + 49567
14 ... 511 ??? (unsymbolized frames)
Process: firefox-bin [6579]
Path: /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier: org.mozilla.firefox
Version: 5.0.1 (5.0.1)
Code Type: X86-64 (Native)
Parent Process: launchd [185]
Date/Time: 2011-07-27 11:16:49.075 +0200
OS Version: Mac OS X 10.6.8 (10K540)
Report Version: 6
Interval Since Last Report: 947802 sec
Crashes Since Last Report: 961
Per-App Interval Since Last Report: 11232 sec
Per-App Crashes Since Last Report: 8
Anonymous UUID: A20874EC-7280-445C-9882-755000F0127C
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Application Specific Information:
*** error for object 0x13f935ec0: incorrect checksum for freed object - object was probably modified after being freed.

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 libSystem.B.dylib 0x00007fff8271e0b6 __kill + 10
1 libSystem.B.dylib 0x00007fff827be9f6 abort + 83
2 libSystem.B.dylib 0x00007fff827ad62d szone_error + 519
3 libSystem.B.dylib 0x00007fff826d9723 tiny_free_list_remove_ptr + 251
4 libSystem.B.dylib 0x00007fff826d7e35 szone_realloc + 637
5 libSystem.B.dylib 0x00007fff826d7b7b malloc_zone_realloc + 92
6 libSystem.B.dylib 0x00007fff826e3c16 realloc + 169
7 libmozalloc.dylib 0x0000000101ab3b7f moz_xrealloc + 31
8 XUL 0x0000000100043fda catch_exception_raise + 116282
9 XUL 0x00000001001ec6eb mozilla::layers::LayerUserData::~LayerUserData() + 221755
10 XUL 0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
11 XUL 0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
12 XUL 0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
13 XUL 0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
14 XUL 0x00000001001ec60c mozilla::layers::LayerUserData::~LayerUserData() + 221532
15 XUL 0x0000000100201769 mozilla::layers::LayerUserData::~LayerUserData() + 307897
16 XUL 0x0000000100201d15 mozilla::layers::LayerUserData::~LayerUserData() + 309349
17 XUL 0x000000010021da6d mozilla::layers::LayerUserData::~LayerUserData() + 423357
18 XUL 0x0000000100604e66 mozilla::layers::ReadbackSink::~ReadbackSink() + 3566006
19 XUL 0x00000001005ff541 mozilla::layers::ReadbackSink::~ReadbackSink() + 3543185
20 XUL 0x0000000100ca07f5 JSD_DebuggerOnForUser + 947925
21 XUL 0x0000000100c9a852 JSD_DebuggerOnForUser + 923442
22 XUL 0x0000000100ca9c5d JSD_DebuggerOnForUser + 985917
23 com.apple.AppKit 0x00007fff887380c7 -[NSWindow sendEvent:] + 8769
24 XUL 0x0000000100c933b2 JSD_DebuggerOnForUser + 893586
25 com.apple.AppKit 0x00007fff8866c8f1 -[NSApplication sendEvent:] + 4198
26 com.apple.AppKit 0x00007fff886036de -[NSApplication run] + 474
27 XUL 0x0000000100c907ad JSD_DebuggerOnForUser + 882317
28 XUL 0x0000000100b010b4 js::JSProxyHandler::isOuterWindow() + 609284
29 XUL 0x0000000100016940 XRE_main + 11984
30 org.mozilla.firefox 0x0000000100000af7 start + 471
31 org.mozilla.firefox 0x0000000100000954 start + 52

Process: firefox-bin [7802]
Path: /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier: org.mozilla.firefox
Version: 5.0.1 (5.0.1)
Code Type: X86-64 (Native)
Parent Process: launchd [185]
Date/Time: 2011-07-28 01:50:35.346 +0200
OS Version: Mac OS X 10.6.8 (10K540)
Report Version: 6
Interval Since Last Report: 962749 sec
Crashes Since Last Report: 966
Per-App Interval Since Last Report: 13694 sec
Per-App Crashes Since Last Report: 10
Anonymous UUID: A20874EC-7280-445C-9882-755000F0127C
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000972b81dd8
Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Thread 0 Crashed: Dispatch queue: com.apple.main-thread
0 XUL 0x0000000101142f09 js_fgets(char*, int, __sFILE*) + 61177
1 XUL 0x0000000100bbbc93 JSD_DebuggerOnForUser + 11123
2 XUL 0x0000000100bc1ff4 JSD_DebuggerOnForUser + 36564
3 XUL 0x0000000100bc69b3 JSD_DebuggerOnForUser + 55443
4 XUL 0x0000000100bba2d7 JSD_DebuggerOnForUser + 4535
5 XUL 0x0000000101051467 JS_HandleTrap + 135
6 XUL 0x00000001010951aa JS_HashTableRemove + 20282
7 XUL 0x00000001010ac7bf JS_HashTableRemove + 116047
8 XUL 0x00000001010b0b74 JS_HashTableRemove + 133380
9 XUL 0x0000000101020826 JS_CallFunction + 294
10 XUL 0x00000001010209d9 JS_EvaluateUCScriptForPrincipalsVersion + 105
11 XUL 0x0000000100614998 mozilla::layers::ReadbackSink::~ReadbackSink() + 3630312
12 XUL 0x000000010044f153 mozilla::layers::ReadbackSink::~ReadbackSink() + 1772707
13 XUL 0x000000010044fdbf mozilla::layers::ReadbackSink::~ReadbackSink() + 1775887

Expected results:
non-crashing OOM message and safe garbage-collection
Attached file reproducer
Reproducer created with "python manyvars.py 66000 >many66000.html". Note: gzipped to fly under size-check radar.
OS: Other → Mac OS X
Assignee: nobody → general
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Summary: SIGSEGV while profiling page with many functions → SIGSEGV while profiling page with many functions (JS debugging)
Version: 5 Branch → unspecified
Whiteboard: js-triage-needed
Is there a way to expose the JSD interfaces with a stock Firefox (e.g. do the new dev tools do anything like that?)? Is it possible Firebug is abusing the interfaces, or just exposing a bug in core code?
Whiteboard: js-triage-needed → [sg:critical?] exposed through Firebug [js-triage-needed]
David, who should own this sg:critical bug?
(In reply to Daniel Veditz from comment #2)
> Is there a way to expose the JSD interfaces with a stock Firefox (e.g. do
> the new dev tools do anything like that?)? Is it possible Firebug is abusing
> the interfaces, or just exposing a bug in core code?

Not currently, no. We've just landed the first pieces of JSD2 but they're currently inaccessible from XPCOM. It's possible Firebug is doing something funky in its profiler, but we'd need to investigate. CCing dcamp and honza.
I was able to crash Firefox once: https://crash-stats.mozilla.com/report/index/bp-810f9385-48f3-4568-a56b-1671f2110822

The second time: I repeated the scenario from comment #0 10-15 times -> no crash.

I am always seeing "no activity to profile" in Firebug Console panels since no function on the page is actually executed.

> Is it possible Firebug is abusing the interfaces, or just exposing
> a bug in core code?

I don't understand how I should test this. Are there any symptoms I could observe?

Honza
Hmm, it's crashing all the time, this time on windows.

eax=646e6130 ebx=01e371a0 ecx=00000000 edx=3c6dc47c esi=3c7aa679 edi=3c600000
eip=0057612b esp=0012cafc ebp=0012cb38 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210286
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mozilla Firefox\mozjs.dll -
mozjs!js_CallNewScriptHook+0x1cb:
0057612b 8b483c mov ecx,dword ptr [eax+3Ch] ds:0023:646e616c=????????
0:000> kp
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mozilla Firefox\xul.dll -
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012cb38 106b0670 mozjs!js_CallNewScriptHook+0x1cb
0012cbb4 10994f2b xul!gfxFontTestItem::gfxFontTestItem+0x134c
0012cbe4 10567273 xul!XRE_LockProfileDirectory+0xd6a7
0012cc0c 105c09c7 xul!gfxUnknownSurface::operator=+0x3abb
0012cc38 0050219e xul!mozilla::layers::SwapChainD3D9::Release+0x2f84
0012cc68 0052a741 mozjs!JS_HandleTrap+0xae
0012cd08 0055cd91 mozjs!JS_CompareValues+0x8341
0012cd20 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd38 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd50 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd68 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd80 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd98 0055cd91 mozjs!js::ParseJSONWithReviver+0x16fc1
0012cd9c 00000000 mozjs!js::ParseJSONWithReviver+0x16fc1

AdapterDeviceID: 95c4
AdapterVendorID: 1002
Add-ons: firebug@software.joehewitt.com:1.8.1,{972ce4c6-7e08-4474-a285-3208198ce6fd}:6.0
AvailableVirtualMemory: 1277558784
BuildID: 20110811165603
CrashTime: 1314309151
EMCheckCompatibility: true
FramePoisonBase: 00000000f0de0000
FramePoisonSize: 65536
InstallTime: 1314308451
Notes: AdapterVendorID: 1002, AdapterDeviceID: 95c4, AdapterDriverVersion: 8.771.0.0 D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers+
ProductName: Firefox
ReleaseChannel: release
StartupTime: 1314309020
SystemMemoryUsePercentage: 92
Theme: classic/1.0
Throttleable: 1
TotalVirtualMemory: 2147352576
URL: file:///C:/Documents%20and%20Settings/xxxxx/My%20Documents/Downloads/many80000.html
Vendor: Mozilla
Version: 6.0
And crashing on Linux (Firefox 6 from mozilla bz2 distro on Fedora 14):

Program received signal SIGSEGV, Segmentation fault.
0x01b1045b in ?? () from /home/schonef/Downloads/firefox/libxul.so
(gdb) disass $pc,$pc+1
Dump of assembler code from 0x1b1045b to 0x1b1045c:
=> 0x01b1045b:  mov    (%edi,%eax,4),%esi
End of assembler dump.
(gdb) i r
eax            0xff7e0000       -8519680
ecx            0x3      3
edx            0x0      0
ebx            0x1f299c4        32676292
esp            0xbfadf220       0xbfadf220
ebp            0x86100000       0x86100000
esi            0xaafec920       -1426142944
edi            0x861dc47c       -2044869508
eip            0x1b1045b        0x1b1045b
eflags         0x210282 [ SF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb) bt
#0  0x01b1045b in ?? () from /home/schonef/Downloads/firefox/libxul.so
#1  0x880ed920 in ?? ()
#2  0x86100000 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(In reply to Marc Schoenefeld from comment #6)
> Hmm,
>
> it's crashing all the time, this time on windows.

By 'crashing all the time', do you mean, even when you don't do something in Firebug? I was poking at this briefly the other day, and it crashed for me on Windows without Firebug. I had it down to an NPE. I was waiting for the chance to check out the Firebug angle before posting, because if that was an NPE too, then it's not sg:critical.
Assignee: general → wmccloskey
Bill, were you able to reproduce this?
No. I tried it on Windows with Firefox 6 and Firebug, but it didn't crash.
You did follow this procedure?

1) open many66000.html (depending on your setup it may be necessary to generate a reproducer with more functions)
2) open firebug
3) do while not crash (and press continue on long running script)
3a) press "OK" (in hello box)
3b) press "profile"

How many times did you try to loop the "profile" steps 3a, 3b? In my experiments it often took only 1-3 times to crash.
Simplified testcase (MacBook Air 4GB, OSX 10.6.7, Ffx6)

i) get firebug installed
ii) open -a "Firefox" many80000.html
iii) get crash, without any clicks

Process:         firefox-bin [4053]
Path:            /Applications/Firefox.app/Contents/MacOS/firefox-bin
Identifier:      org.mozilla.firefox
Version:         6.0 (6.0)
Code Type:       X86-64 (Native)
Parent Process:  launchd [187]

Date/Time:       2011-09-02 12:40:21.914 +0200
OS Version:      Mac OS X 10.6.8 (10K549)
Report Version:  6

Interval Since Last Report:          920607 sec
Crashes Since Last Report:           282
Per-App Interval Since Last Report:  179952 sec
Per-App Crashes Since Last Report:   5
Anonymous UUID:                      A20874EC-7280-445C-9882-755000F0127C

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000093d9b88d8
Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   XUL                           0x0000000101179b19 js_fgets(char*, int, __sFILE*) + 56889
1   XUL                           0x0000000100bde113 JSD_DebuggerOnForUser + 11123
2   XUL                           0x0000000100be4474 JSD_DebuggerOnForUser + 36564
3   XUL                           0x0000000100be8e33 JSD_DebuggerOnForUser + 55443
4   XUL                           0x0000000100bdc757 JSD_DebuggerOnForUser + 4535
5   XUL                           0x000000010108fa37 JS_HandleTrap + 135
6   XUL                           0x00000001010d423a JS_HashTableRemove + 29466
7   XUL                           0x00000001010ed5ef JS_HashTableRemove + 132815
8   XUL                           0x00000001010ed923 JS_HashTableRemove + 133635
9   XUL                           0x0000000101064f16 JS_CallFunction + 294
10  XUL                           0x00000001010650d9 JS_EvaluateUCScriptForPrincipalsVersion + 105
11  XUL                           0x0000000100631888 mozilla::layers::ReadbackSink::~ReadbackSink() + 3659704
12  XUL                           0x000000010046a643 mozilla::layers::ReadbackSink::~ReadbackSink() + 1795443
13  XUL                           0x000000010046b2af mozilla::layers::ReadbackSink::~ReadbackSink() + 1798623
14  XUL                           0x000000010046c475 mozilla::layers::ReadbackSink::~ReadbackSink() + 1803173
15  XUL                           0x0000000100469111 mozilla::layers::ReadbackSink::~ReadbackSink() + 1790017
16  XUL                           0x0000000100554565 mozilla::layers::ReadbackSink::~ReadbackSink() + 2753685
17  XUL                           0x00000001005533a3 mozilla::layers::ReadbackSink::~ReadbackSink() + 2749139
18  XUL                           0x0000000100754419 mozilla::layers::ReadbackSink::~ReadbackSink() + 4850505
19  XUL                           0x0000000100756265 mozilla::layers::ReadbackSink::~ReadbackSink() + 4858261
20  XUL                           0x000000010075989d mozilla::layers::ReadbackSink::~ReadbackSink() + 4872141
21  XUL                           0x0000000100e5a2a3 XRE_AddStaticComponent + 27043
22  XUL                           0x0000000100e1642e mac_plugin_interposing_child_OnSetCursor + 678126
23  XUL                           0x0000000100ced5dd JSD_DebuggerOnForUser + 1122365
24  XUL                           0x0000000100cb7207 JSD_DebuggerOnForUser + 900199
25  com.apple.CoreFoundation      0x00007fff83644401 __CFRunLoopDoSources0 + 1361
26  com.apple.CoreFoundation      0x00007fff836425f9 __CFRunLoopRun + 873
27  com.apple.CoreFoundation      0x00007fff83641dbf CFRunLoopRunSpecific + 575
28  com.apple.HIToolbox           0x00007fff8379c7ee RunCurrentEventLoopInMode + 333
29  com.apple.HIToolbox           0x00007fff8379c5f3 ReceiveNextEventCommon + 310
30  com.apple.HIToolbox           0x00007fff8379c4ac BlockUntilNextEventMatchingListInMode + 59
31  com.apple.AppKit              0x00007fff8849beb2 _DPSNextEvent + 708
32  com.apple.AppKit              0x00007fff8849b801 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
33  com.apple.AppKit              0x00007fff8846168f -[NSApplication run] + 395
34  XUL                           0x0000000100cb6b9d JSD_DebuggerOnForUser + 898557
35  XUL                           0x0000000100b23164 js::JSProxyHandler::isOuterWindow() + 602612
36  XUL                           0x00000001000169ef XRE_main + 12015
37  org.mozilla.firefox           0x0000000100000af7 start + 471
38  org.mozilla.firefox           0x0000000100000954 start + 52
Attached patch fix (Splinter Review)
This should fix it. It was one of those trap things. I added a few more js_GetOpcode calls to take care of it. I have a 2MB testcase that triggers every time in the shell and the patch fixes it. I'll check the testcase in along with the patch. I'm guessing it's too big to attach here.
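The "trap things" this fix refers to, modelled as an added example in a constructed C toy (this is not SpiderMonkey's code or the patch itself): when the debugger sets a trap it overwrites the opcode byte at a pc with a trap opcode and keeps the original in a trap table, so any bytecode walker that reads *pc directly instead of going through js_GetOpcode decodes the wrong instruction length, drifts into operand bytes and steps out of bounds, which is the array-out-of-bounds behind the "bad JS object pointer" described further down. The opcode names, lengths and trap-table layout here are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy bytecode, not SpiderMonkey's real opcode table.
 * GETLOCAL carries a 2-byte slot index; every other op is a single byte. */
enum { OP_NOP, OP_GETLOCAL, OP_RETURN, OP_TRAP, OP_COUNT };
static const size_t op_length[OP_COUNT] = { 1, 3, 1, 1 };
/* Debugger trap table: the trapped pc and the opcode byte it overwrote. */
static struct { const uint8_t *pc; uint8_t orig_op; } traps[4];
static size_t ntraps;
/* Like JS_SetTrap: patch the opcode byte in place and remember the original. */
static void set_trap(uint8_t *pc) {
    traps[ntraps].pc = pc;
    traps[ntraps++].orig_op = *pc;
    *pc = OP_TRAP;
}
/* js_GetOpcode-style accessor: look through a trap to the original opcode. */
static uint8_t get_opcode(const uint8_t *pc) {
    for (size_t i = 0; *pc == OP_TRAP && i < ntraps; i++)
        if (traps[i].pc == pc)
            return traps[i].orig_op;
    return *pc;
}
/* Walk the script. raw != 0 reads *pc directly (the bug); otherwise get_opcode.
 * Returns the instruction count, or -1 when the walk leaves the buffer (the
 * out-of-bounds read that yields a bogus pointer in the real bug). */
static int count_instructions(const uint8_t *code, size_t len, int raw) {
    const uint8_t *pc = code, *end = code + len;
    int n = 0;
    for (; pc < end; n++) {
        uint8_t op = raw ? *pc : get_opcode(pc);
        if (op >= OP_COUNT)
            return -1;
        pc += op_length[op];
    }
    return pc == end ? n : -1;
}

/* Script: GETLOCAL slot 0x0100; RETURN. With a trap on GETLOCAL the raw walker
 * decodes OP_TRAP as one byte, lands inside the operand bytes and overruns. */
struct demo_result { int raw, safe; };
static struct demo_result run_demo(void) {
    uint8_t script[4] = { OP_GETLOCAL, 0x00, 0x01, OP_RETURN };
    struct demo_result r;
    ntraps = 0;
    set_trap(&script[0]);
    r.raw = count_instructions(script, sizeof script, 1);  /* -1: misaligned, overran */
    r.safe = count_instructions(script, sizeof script, 0); /* 2: GETLOCAL, RETURN */
    return r;
}
```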
Attachment #557918 - Flags: review?(jorendorff)
Attachment #557918 - Flags: review?(jorendorff) → review+
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [sg:critical?] exposed through Firebug [js-triage-needed] → [sg:critical?] exposed through Firebug [js-triage-done]
This is to convert the big test case into a smaller one that generates the code and then calls evaluate. Suggested by jorendorff. https://hg.mozilla.org/integration/mozilla-inbound/rev/267250a4595e
Whiteboard: [sg:critical?] exposed through Firebug [js-triage-done] → [sg:critical?] exposed through Firebug [js-triage-done] wanted-standalone-js
Is this fix good for aurora and beta? If so, please request approval, if not, can this fix be backported w/o tons of work?
Comment on attachment 557918 [details] [diff] [review]
fix

I don't think any of this code has changed in a while, so the patch should apply to aurora and beta. I think the risk should be pretty low, and it avoids a crash.
Attachment #557918 - Flags: approval-mozilla-beta?
Attachment #557918 - Flags: approval-mozilla-aurora?
billm, thanks for the preliminary risk analysis. Could you tell us what could go wrong or what to look out for if something did go wrong?
I'm not sure how likely it is that this will be hit by accident. It requires a really huge JS script. I'm mainly worried about security. The bug causes a bad JS object pointer to be created (since it's basically an array-out-of-bounds error). From there, you can do lots of bad things. I think sg:crit is the right designation.
Sorry, we meant risk of regressions / way this patch can go wrong if we do take it.
This patch won't alter behavior aside from fixing the bug. There's a chance that the patch itself is buggy, but it's pretty small so that doesn't seem too likely.
Attachment #557918 - Flags: approval-mozilla-beta?
Attachment #557918 - Flags: approval-mozilla-beta+
Attachment #557918 - Flags: approval-mozilla-aurora?
Attachment #557918 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-beta/rev/9844fb4852ee I forgot that this already went to Aurora in the last merge, so I only had to land it on beta.
I verified that this got merged to aurora already, so marking this fixed for 8 and 9 (and 10 too, while I'm at it)!
qa+ for verification with the testcase in comment 0.
Whiteboard: [sg:critical?] exposed through Firebug [js-triage-done] wanted-standalone-js → [sg:critical?] exposed through Firebug [js-triage-done] wanted-standalone-js [qa+]
Does this affect 3.6.x?
blocking1.9.2: --- → ?
status1.9.2: --- → ?
Comment on attachment 557918 [details] [diff] [review]
fix

This applies to 1.9.2. I don't see any reason not to take it. This code hasn't changed much.
Attachment #557918 - Flags: approval1.9.2.24?
Comment on attachment 557918 [details] [diff] [review]
fix

Approved for 1.9.2.24. Please land on releases/mozilla-1.9.2 on the default branch ASAP.
Attachment #557918 - Flags: approval1.9.2.24? → approval1.9.2.24+
I can't reproduce the crash with Firebug 1.7.3, Firefox 3.6.23, and Windows XP. I've been unable to verify the fix in 3.6.24 because of that.
Does this issue get a CVE id?
Alias: CVE-2011-3650
blocking1.9.2: ? → .24+
With Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111204 Firefox/11.0a1 and Firebug 1.9.0b3 installed, the browser totally freezes when using the testcase from comment 12. Why don't we abort the script execution? Should this be filed as a new bug? Bill, can you please give us a response so we can continue to verify this patch? Thanks.
Whiteboard: [sg:critical?] exposed through Firebug [js-triage-done] wanted-standalone-js [qa+] → [sg:critical?] exposed through Firebug [js-triage-done] wanted-standalone-js [qa?]
(In reply to Henrik Skupin (:whimboo) from comment #34)
> With Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0a1) Gecko/20111204
> Firefox/11.0a1 and Firebug 1.9.0b3 installed the browser totally freezes
> when using the testcase from comment 12. Why don't we abort the script
> execution? Should this be filed as a new bug?
>
> Bill, can you please give us a response so we can continue to verify this
> patch? Thanks.

I loaded the page from comment 12. It freezes for about a second for me. Is that what you're talking about? This isn't really unexpected, since we have to parse 5.6MB of JS code, and parsing happens atomically. We have future plans to make parsing be resumable, but I don't think that's relevant to this bug. As long as it doesn't crash, this bug is not being triggered.
Group: core-security
rforbes-bugspam-for-setting-that-bounty-flag-20130719
Flags: sec-bounty+