Closed Bug 701399 Opened 13 years ago Closed 13 years ago

crash in JSC::Yarr::execute

Categories: Core :: JavaScript Engine, defect
Version: 10 Branch
Platform: x86, All
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla10
Reporter: kairo
Assignee: Unassigned
Keywords: crash, regression
Whiteboard: [sg:critical]

Crash Data

This bug was filed from the Socorro interface and is report bp-719c0e9d-f023-4cbc-b293-180482111110.

This may be related to or even a dupe of bug 701396 in the end, but https://crash-stats.mozilla.com/report/list?signature=JSC%3A%3AYarr%3A%3Aexecute%28JSC%3A%3AYarr%3A%3AYarrCodeBlock%26%2C%20wchar_t%20const*%2C%20unsigned%20int%2C%20unsigned%20int%2C%20int*%29 lists a number of different versions, including Firefox 8, and not just trunk, even though there has been a spike in this on trunk in the last days (since it became 11.0a1) just as with that other signature.

It's still possible that the crashes with versions older than trunk are yet another bug, given that the stacks look different for 8.0; I guess both coming from JS RegExp code is normal, as we may only use Yarr for that. If the older ones are a different bug, we may need to file that one as a separate thing as well.

Comments sound like people were playing Flash, going to websites or starting up, so probably web content is causing this crash, just like with bug 701396.
Adding Mac signature.
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ]
Windows 7 x64
Confirm
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ]
1. http://video.sina.com.cn/index.shtml
2. Crash 

Mac OS X Nightly

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000003
0x00000003 in ?? ()
(gdb) bt
#0  0x00000003 in ?? ()
#1  0x0733b704 in JSC::Yarr::YarrCodeBlock::execute (this=0x22bc5770, input=0x22bca618, start=0, length=41, output=0x2bec6014) at yarr/YarrJIT.h:72
#2  0x0733b2b5 in JSC::Yarr::execute (jitObject=@0x22bc5770, input=0x22bca618, start=0, length=41, output=0x2bec6014) at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.cpp:2461
#3  0x07262af4 in js::RegExpPrivateCode::execute (this=0x22bc5770, cx=0x22b1d880, chars=0x22bca618, length=41, start=0, output=0x2bec6014, outputCount=1157102722) at vm/RegExpObject-inl.h:334
#4  0x07260552 in js::RegExpPrivate::execute (this=0x22bc5770, cx=0x22b1d880, chars=0x22bca618, length=41, lastIndex=0xbfffa9c4, allocScope=@0xbfffa8ec, output=0xbfffa8e8) at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject.cpp:212

Linux Nightly

#0  0x0000000003359b60 in ?? ()
#1  0x00007ffff52f1396 in JSC::Yarr::YarrCodeBlock::execute (this=0x1d32e10, 
    input=0x362bc78, start=0, length=41, output=0x2de4208)
    at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.h:72
#2  0x00007ffff52f099e in JSC::Yarr::execute (jitObject=..., input=0x362bc78, 
    start=0, length=41, output=0x2de4208)
    at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.cpp:2461
#3  0x00007ffff521d04a in js::RegExpPrivateCode::execute (this=0x1d32e10, cx=
    0x1978960, chars=0x362bc78, length=41, start=0, output=0x2de4208, 
    outputCount=4)
    at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject-inl.h:334
#4  0x00007ffff521a648 in js::RegExpPrivate::execute (this=0x1d32e10, cx=
    0x1978960, chars=0x362bc78, length=41, lastIndex=0x7fffffff7b40, 
    allocScope=..., output=0x7fffffff7a38)
    at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject.cpp:212

WinXP Nightly bp-6b5b93e5-ac92-4de4-a490-a98b02111111
[@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ] 

Note: Crash Automation was able to reproduce on Aurora Linux once, but I have not been able to reproduce.

I think this bug and bug 701396 are dupes.
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] [@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ]
OS: Windows 7 → All
Nightly Linux 32bit bp-8932f062-2363-42c9-853f-e77a82111111
[@ regexp_trace ]
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] [@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] [@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative* int>::deleteAllValues() ] [@ regexp_trace ]
I trigger this within a minute if I enable out of date addons, never happens otherwise.
I can easily hit this crash while trying to configure a vaio z on store.sony.com , on OSX 64bit and Linux 64bit.

Linux crash
https://crash-stats.mozilla.com/report/index/bp-cbd7fbc2-662d-42ad-8732-3c6f02111114

OSX crash
https://crash-stats.mozilla.com/report/index/bp-43ecec02-1742-45b0-be83-8e5302111114
It's #2 top crasher in 10.0a2 and 11.0a1.
Given signature bp-719c0e9d-f023-4cbc-b293-180482111110 this is potentially exploitable unless there's some proof the bogus jitObject can only be NULL and not any other bogus value.
Group: core-security
Keywords: testcase-wanted
Whiteboard: [sg:critical]
Keywords: regression
Version: Trunk → 10 Branch
Crash Signature: int>::deleteAllValues() ] [@ regexp_trace ] → int>::deleteAllValues() ] [@ regexp_trace ] [@ @0x0 | JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*) ]
We had no crashes on trunk with this signature with builds from 2011-11-15 or -16 yet; the last ones we have are from -14 builds.
Yeah, this must have been fixed by Chris a couple of days ago.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Changing resolution to fixed. Don't forget to land the fix on Aurora. This is still rampant there.
Resolution: WORKSFORME → FIXED
For all crash signatures, the latest 10.0a2 crashes happen in 20111118 build.
Target Milestone: --- → mozilla10
There is one crash in 10.0a2/20111121 and another one in 11.0a1/20111122. So it's not fully fixed:
bp-7459695f-044e-45c1-b6bf-2983c2111123
bp-47fba1f9-a2e4-42f9-8c27-2c0d52111123
Group: core-security