Crash in nsProfiler.getProfile on 64-bit Linux debug build

Status: NEW, Unassigned
Product: Core
Component: Gecko Profiler
Severity: critical
Reported: 5 years ago
Last modified: 11 months ago
Reporter: zwol
Blocks: 1 bug
Version: Trunk
Platform: x86_64 Linux
Keywords: crash
Points: ---
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 5 years ago)

1) Install https://addons.mozilla.org/en-us/firefox/addon/aboutjank/ in a trunk debug build.
2) Open about:jank in a tab.
3) Do something else in another tab for a little while.
4) Reload the about:jank tab (this is supposed to show the profiling results).  Kaboom.

gdb backtrace:

#4  <signal handler called>
#5  __strlen_sse42 () at ../sysdeps/x86_64/multiarch/strlen-sse4.S:32
#6  0x00007f3839585f21 in length (
    __s=0x7f3800000f30 <Address 0x7f3800000f30 out of bounds>)
    at /home/packages/gcc/4.7/w/gcc-4.7-4.7.2/build/x86_64-linux-gnu/libstdc++-v3/include/bits/char_traits.h:261
#7  std::operator<< <std::char_traits<char> > (__out=..., 
    __s=0x7f3800000f30 <Address 0x7f3800000f30 out of bounds>)
    at /home/packages/gcc/4.7/w/gcc-4.7-4.7.2/build/x86_64-linux-gnu/libstdc++-v3/include/ostream:533
#8  0x00007f38366dd8d2 in operator<< (stream=..., entry=...)
    at /home/zack/src/mozilla/S-mc/tools/profiler/TableTicker.cpp:1000
#9  0x00007f38366dd918 in operator<< (stream=..., profile=...)
    at /home/zack/src/mozilla/S-mc/tools/profiler/TableTicker.cpp:980
#10 0x00007f38366ddb01 in mozilla_sampler_get_profile ()
    at /home/zack/src/mozilla/S-mc/tools/profiler/TableTicker.cpp:1082
#11 0x00007f38366dc441 in nsProfiler::GetProfile (this=<optimized out>, 
    aProfile=0x7fff333ade58)
    at /home/zack/src/mozilla/S-mc/tools/profiler/nsProfiler.cpp:104
#12 0x00007f3836ae3eab in NS_InvokeByIndex_P (that=<optimized out>, 
    methodIndex=<optimized out>, paramCount=<optimized out>, 
    params=<optimized out>)
    at /home/zack/src/mozilla/S-mc/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
#13 0x00007f38363fa680 in Invoke (this=0x7fff333ade18)
    at /home/zack/src/mozilla/S-mc/js/xpconnect/src/XPCWrappedNative.cpp:3085
#14 Call (this=0x7fff333ade18)
    at /home/zack/src/mozilla/S-mc/js/xpconnect/src/XPCWrappedNative.cpp:2419
#15 XPCWrappedNative::CallMethod (ccx=..., mode=<optimized out>)
    at /home/zack/src/mozilla/S-mc/js/xpconnect/src/XPCWrappedNative.cpp:2385
#16 0x00007f38363fe5ff in XPC_WN_CallMethod (cx=0x7f3817aca710, argc=0, 
    vp=0x7f38241060a8)
    at /home/zack/src/mozilla/S-mc/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1417
#17 0x00007f38370baffd in CallJSNative (args=..., native=<optimized out>, 
    cx=0x7f3817aca710)
    at /home/zack/src/mozilla/S-mc/js/src/jscntxtinlines.h:327

The profile entry it's trying to print appears to be garbage:

(gdb) frame 9
(gdb) p profile.mEntries[readPos]
$5 = {{mTagData = 0x7f3800000f30 <Address 0x7f3800000f30 out of bounds>, 
    mTagChars = "0\017\000\000\070\177\000", mTagPtr = 0x7f3800000f30, 
    mTagFloat = 6.9109158922077916e-310, 
    mTagAddress = 0x7f3800000f30 <Address 0x7f3800000f30 out of bounds>, 
    mTagOffset = 139878494900016, mTagLine = 3888}, mTagName = 110 'n'}

I don't know enough about this code to investigate further.
Updated (Reporter, 5 years ago)
Summary: Crash in nsIProfiler.getProfile on 64-bit Linux debug build → Crash in nsProfiler.getProfile on 64-bit Linux debug build

Updated (5 years ago)
Severity: normal → critical
Keywords: crash
Comment 1 (Reporter, 5 years ago)

I don't think there's any way to get at nsProfiler from unprivileged JS, so this isn't a remotely triggerable crash (well, unless you can trick someone into installing your malicious extension, but then it's game over anyway).

Updated (11 months ago)
Blocks: 1329181