crash in JSC::Yarr::execute

RESOLVED FIXED in mozilla10

Status: RESOLVED FIXED
Type: defect
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 4 years ago

People: Reporter: kairo; Assignee: Unassigned

Tracking: Blocks 1 bug; Keywords: crash, regression
Version: 10 Branch
Target Milestone: mozilla10
Hardware: x86
OS: All
Firefox Tracking Flags: Not tracked

Details: Whiteboard: [sg:critical]; crash signature

Reporter

Description

8 years ago
This bug was filed from the Socorro interface and is report bp-719c0e9d-f023-4cbc-b293-180482111110.
=============================================================

This may be related to or even a dupe of bug 701396 in the end, but https://crash-stats.mozilla.com/report/list?signature=JSC%3A%3AYarr%3A%3Aexecute%28JSC%3A%3AYarr%3A%3AYarrCodeBlock%26%2C%20wchar_t%20const*%2C%20unsigned%20int%2C%20unsigned%20int%2C%20int*%29 lists a number of different versions, including Firefox 8, and not just trunk, even though there has been a spike in this on trunk in the last days (since it became 11.0a1) just as with that other signature.

It's still possible that the crashes with versions older than trunk are yet another bug, given that the stacks look different for 8.0; I guess both coming from JS RegExp code is normal, as we may only use Yarr for that. If the older ones are a different bug, we may need to file that one as a separate thing as well.

Comments sound like people were playing Flash, going to websites, or starting up, so probably web content is causing this crash, just like with bug 701396.
Adding Mac signature.
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ]

Comment 2

8 years ago
Windows 7 x64
Confirm
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ]

Comment 3

8 years ago
1. http://video.sina.com.cn/index.shtml
2. Crash 

Mac OS X Nightly

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000003
0x00000003 in ?? ()
(gdb) bt
#0  0x00000003 in ?? ()
#1  0x0733b704 in JSC::Yarr::YarrCodeBlock::execute (this=0x22bc5770, input=0x22bca618, start=0, length=41, output=0x2bec6014) at yarr/YarrJIT.h:72
#2  0x0733b2b5 in JSC::Yarr::execute (jitObject=@0x22bc5770, input=0x22bca618, start=0, length=41, output=0x2bec6014) at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.cpp:2461
#3  0x07262af4 in js::RegExpPrivateCode::execute (this=0x22bc5770, cx=0x22b1d880, chars=0x22bca618, length=41, start=0, output=0x2bec6014, outputCount=1157102722) at vm/RegExpObject-inl.h:334
#4  0x07260552 in js::RegExpPrivate::execute (this=0x22bc5770, cx=0x22b1d880, chars=0x22bca618, length=41, lastIndex=0xbfffa9c4, allocScope=@0xbfffa8ec, output=0xbfffa8e8) at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject.cpp:212

Linux Nightly

#0  0x0000000003359b60 in ?? ()
#1  0x00007ffff52f1396 in JSC::Yarr::YarrCodeBlock::execute (this=0x1d32e10, 
    input=0x362bc78, start=0, length=41, output=0x2de4208)
    at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.h:72
#2  0x00007ffff52f099e in JSC::Yarr::execute (jitObject=..., input=0x362bc78, 
    start=0, length=41, output=0x2de4208)
    at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.cpp:2461
#3  0x00007ffff521d04a in js::RegExpPrivateCode::execute (this=0x1d32e10, cx=
    0x1978960, chars=0x362bc78, length=41, start=0, output=0x2de4208, 
    outputCount=4)
    at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject-inl.h:334
#4  0x00007ffff521a648 in js::RegExpPrivate::execute (this=0x1d32e10, cx=
    0x1978960, chars=0x362bc78, length=41, lastIndex=0x7fffffff7b40, 
    allocScope=..., output=0x7fffffff7a38)
    at /work/mozilla/builds/nightly/mozilla/js/src/vm/RegExpObject.cpp:212

WinXP Nightly bp-6b5b93e5-ac92-4de4-a490-a98b02111111
[@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ] 

Note: Crash Automation was able to reproduce on Aurora Linux once, but I have not been able to reproduce.

I think this bug and bug 701396 are dupes.
Blocks: 532972
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] [@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ]
OS: Windows 7 → All

Comment 4

8 years ago
Nightly Linux 32bit bp-8932f062-2363-42c9-853f-e77a82111111
[@ regexp_trace ]
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] [@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative*, int>::deleteAllValues() ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] [@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative* int>::deleteAllValues() ] [@ regexp_trace ]

Comment 5

8 years ago
I trigger this within a minute if I enable out of date addons, never happens otherwise.

Comment 6

8 years ago
I can easily hit this crash while trying to configure a vaio z on store.sony.com , on OSX 64bit and Linux 64bit.

Linux crash
https://crash-stats.mozilla.com/report/index/bp-cbd7fbc2-662d-42ad-8732-3c6f02111114

OSX crash
https://crash-stats.mozilla.com/report/index/bp-43ecec02-1742-45b0-be83-8e5302111114
It's the #2 top crasher in 10.0a2 and 11.0a1.
Given signature bp-719c0e9d-f023-4cbc-b293-180482111110 this is potentially exploitable unless there's some proof the bogus jitObject can only be NULL and not any other bogus value.
Group: core-security
Keywords: testcase-wanted
Whiteboard: [sg:critical]
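Both backtraces in comment 3 fault at an unsymbolized PC called from the YarrCodeBlock::execute wrapper, and the comment above says the crash is potentially exploitable unless the bogus jitObject can only be NULL. The triage script below is added here (it is not part of the bug report or of the Mozilla tree): it parses the quoted gdb frames and separates a near-NULL PC (0x3 on Mac, consistent with a NULL object plus a field offset) from a wild PC (0x3359b60 on Linux, which the script flags as not explained by a plain NULL); the 64 KiB unmapped-region bound is an assumption.

```python
import re

# Constructed inputs: the Mac and Linux gdb backtraces quoted in comment 3,
# trimmed to the frames the triage needs (the Linux one keeps gdb's line wrapping).
MAC_BT = """\
#0  0x00000003 in ?? ()
#1  0x0733b704 in JSC::Yarr::YarrCodeBlock::execute (this=0x22bc5770, input=0x22bca618, start=0, length=41, output=0x2bec6014) at yarr/YarrJIT.h:72
#2  0x0733b2b5 in JSC::Yarr::execute (jitObject=@0x22bc5770, input=0x22bca618, start=0, length=41, output=0x2bec6014) at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.cpp:2461
"""
LINUX_BT = """\
#0  0x0000000003359b60 in ?? ()
#1  0x00007ffff52f1396 in JSC::Yarr::YarrCodeBlock::execute (this=0x1d32e10,
    input=0x362bc78, start=0, length=41, output=0x2de4208)
    at /work/mozilla/builds/nightly/mozilla/js/src/yarr/YarrJIT.h:72
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(\S+)")
# Assumption: addresses below 64 KiB are never mapped on the platforms in the report,
# so a PC there means "NULL plus a small field/vtable offset", not an arbitrary value.
NEAR_NULL_LIMIT = 0x10000
JIT_ENTRY = "JSC::Yarr::YarrCodeBlock::execute"  # the YarrJIT.h:72 wrapper in the stacks

def parse_frames(bt):
    """Return [(index, pc, symbol)] for each '#n  0x... in sym' line; gdb's
    indented continuation lines do not match and are skipped."""
    frames = []
    for line in bt.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return frames

def classify(bt):
    """Triage verdict for a crash: where did frame #0 land, and who called it?"""
    frames = parse_frames(bt)
    _, pc, sym = frames[0]
    caller = frames[1][2] if len(frames) > 1 else ""
    if sym != "??":
        verdict = "symbolized-fault"   # faulted inside known code, not a bad call
    elif pc < NEAR_NULL_LIMIT:
        verdict = "near-null-pc"       # indirect call through a NULL object + offset
    else:
        verdict = "wild-pc"            # the code pointer held some other bogus value
    return {"pc": pc, "verdict": verdict, "via_jit_entry": caller == JIT_ENTRY}

if __name__ == "__main__":
    for name, bt in (("mac", MAC_BT), ("linux", LINUX_BT)):
        print(name, classify(bt))
```

A "wild-pc" verdict with via_jit_entry set is the case that needs a testcase and a memory-safety fix rather than a NULL check.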

Updated

8 years ago
Keywords: regression
Version: Trunk → 10 Branch

Updated

8 years ago
Crash Signature: [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] [@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative* int>::deleteAllValues() ] [@ regexp_trace ] → [@ JSC::Yarr::execute(JSC::Yarr::YarrCodeBlock&, wchar_t const*, unsigned int, unsigned int, int*)] [@ JSC::Yarr::execute ] [@ @0x0 | JSC::Yarr::execute ] [@ JSC::Yarr::Vector<JSC::Yarr::PatternAlternative* int>::deleteAllValues() ] [@ regexp_trace ] …
Reporter

Comment 9

8 years ago
We had no crashes on trunk with this signature with builds from 2011-11-15 or -16 yet, the last ones we have are from -14 builds.

Comment 10

8 years ago
Fixed by bug 701332?
Yeah, this must have been fixed by Chris a couple of days ago.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WORKSFORME

Comment 12

8 years ago
Changing resolution to fixed. Don't forget to land the fix on Aurora. This is still rampant there.
Resolution: WORKSFORME → FIXED
For all crash signatures, the latest 10.0a2 crashes happen in 20111118 build.
Target Milestone: --- → mozilla10
There is one crash in 10.0a2/20111121 and another one in 11.0a1/20111122, so it's not fully fixed:
bp-7459695f-044e-45c1-b6bf-2983c2111123
bp-47fba1f9-a2e4-42f9-8c27-2c0d52111123
Group: core-security