Closed Bug 885668 Opened 7 years ago Closed 7 years ago

crash in nsScriptSecurityManager::GetFunctionObjectPrincipal @ JS_GetFunctionScript

Categories

(Core :: Security: CAPS, defect, critical)

24 Branch
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla25
Tracking Status
firefox23 --- unaffected
firefox24 + verified
firefox25 + verified

People

(Reporter: scoobidiver, Assigned: bholley)

References

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(1 file)

It first showed up in 24.0a1/20130615. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b197bed90a98&tochange=3d16d59c9317

Signature 	JS_GetFunctionScript(JSContext*, JSFunction*)
UUID	7afded64-b3b6-47bd-8181-fa34a2130619
Date Processed	2013-06-19 19:27:12
Uptime	59
Last Crash	1.6 minutes before submission
Install Age	11.8 minutes since version was first installed.
Install Time	2013-06-19 19:14:59
Product	Firefox
Version	24.0a1
Build ID	20130619031048
Release Channel	nightly
OS	Windows NT
OS Version	5.1.2600 Service Pack 2
Build Architecture	x86
Build Architecture Info	GenuineIntel family 15 model 3 stepping 4
Crash Reason	EXCEPTION_BREAKPOINT
Crash Address	0x173f8de
App Notes 	
AdapterVendorID: 0x8086, AdapterDeviceID: 0x2572, AdapterSubsysID: 12bc103c, AdapterDriverVersion: 6.14.10.4396
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers- 
Processor Notes 	sp-processor07_phx1_mozilla_com_26539:2012
EMCheckCompatibility	True
Adapter Vendor ID	0x8086
Adapter Device ID	0x2572
Total Virtual Memory	2147352576
Available Virtual Memory	1919021056
System Memory Use Percentage	80
Available Page File	132780032
Available Physical Memory	103968768

Frame 	Module 	Signature 	Source
0 	mozjs.dll 	JS_GetFunctionScript 	js/src/jsdbgapi.cpp:523
1 	xul.dll 	nsScriptSecurityManager::GetFunctionObjectPrincipal 	caps/src/nsScriptSecurityManager.cpp:1973
2 	xul.dll 	nsScriptSecurityManager::CheckFunctionAccess 	caps/src/nsScriptSecurityManager.cpp:1589
3 	xul.dll 	mozilla::dom::CallbackObject::CallSetup::CallSetup 	dom/bindings/CallbackObject.cpp:113
4 	xul.dll 	mozilla::dom::Function::Call<nsCOMPtr<nsISupports> > 	obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:52
5 	xul.dll 	nsGlobalWindow::RunTimeoutHandler 	dom/base/nsGlobalWindow.cpp:10209
6 	xul.dll 	nsGlobalWindow::RunTimeout 	dom/base/nsGlobalWindow.cpp:10447
7 	xul.dll 	nsGlobalWindow::TimerCallback 	dom/base/nsGlobalWindow.cpp:10694
...

More reports at:
https://crash-stats.mozilla.com/report/list?signature=JS_GetFunctionScript%28JSContext*%2C+JSFunction*%29
Whiteboard: [native-crash]
It's the #18 crasher in 24.0a2 and #12 in 25.0a1.
Keywords: topcrash
Whiteboard: [native-crash]
Actually, #8 on 25.0a1 and #12 on 24.0a2 now; on both we have ~70 crashes from ~50 installations within a week.
Tracking as this is a topcrash.

:kairo/:bsmedberg discussed that we'll find an owner for this in the platform meeting.
Tracy mentioned we may have seen similar bugs in the past which could be related to data mgnr, and would add more info on this bug which could help us move forward in some direction. Tracy, any other URL correlations that we may have will be helpful.
Flags: needinfo?(twalker)
Keywords: needURLs
(In reply to bhavana bajaj [:bajaj] from comment #3)
> Tracy, any other URL correlations that we may have will be helpful.
I am replying for Tracy. There are no correlations available because Socorro 52 containing bug 888219 hasn't been pushed to prod.
That request was crossed/confused with another signature I mentioned in the stability meeting.  What's needed here is the culprit that caused the regression:

I think Bug 880917 - "Move JS versioning from the cx to the compartment" is the most likely suspect in the regression range Scoobidiver initially gave. cc'd bholley
Flags: needinfo?(twalker)
Well, all this machinery can actually go away. That might result in us just crashing nearby, but we might as well do that. I'll upload a patch to remove this function.
Infra weirdness on the try push: https://tbpl.mozilla.org/?tree=Try&rev=33d711275f3f
Looks like Bobby is working on it, so assigning. :)
Assignee: nobody → bobbyholley+bmo
Comment on attachment 772341 [details] [diff] [review]
Removed specialized function object principal machinery from CAPS. v1

r=me
Attachment #772341 - Flags: review?(bzbarsky) → review+
Blocks: 893513
(note - there was some roughness on the try push in comment 9, but it appears to be infra related, with zip files failing to extract and so on).
https://hg.mozilla.org/mozilla-central/rev/3e68f2d9dfbe
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
:bholley, is this ready for aurora uplift ?
Flags: needinfo?(bobbyholley+bmo)
Comment on attachment 772341 [details] [diff] [review]
Removed specialized function object principal machinery from CAPS. v1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): unknown
User impact if declined: Crashes
Testing completed (on m-c, etc.): baked on m-c
Risk to taking this patch (and alternatives if risky): Low risk. 
String or IDL/UUID changes made by this patch: None
Attachment #772341 - Flags: approval-mozilla-aurora?
Flags: needinfo?(bobbyholley+bmo)
Attachment #772341 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0

Unable to crash Firefox 24 beta 8 and latest Nightly. Only 6 crashes in Socorro in the last 2 weeks, so I think it's safe to call this verified fixed.
(In reply to Bogdan Maris [QA] [:bogdan_maris] from comment #19)
> Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
> Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0
> 
> Unable to crash Firefox 24 beta 8 and latest Nightly.

Can you please also check Firefox 25?
Keywords: verifyme
Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0
Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:25.0) Gecko/20100101 Firefox/25.0

Also verified on Aurora 25.0a2, there is only one crash in the last week in Socorro.
Status: RESOLVED → VERIFIED
Keywords: verifyme