Closed
Bug 1382219
Opened 7 years ago
Closed 7 years ago
Crash in memcpy | mozilla::loader::OutputBuffer::codeString
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla56
| | Tracking | Status |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | --- | fixed |
| firefox56 | --- | fixed |
People
(Reporter: jesup, Assigned: kmag)
References
Details
(4 keywords)
Crash Data
This bug was filed from the Socorro interface and is
report bp-fc1ef905-eef6-4f38-8272-0fd130170719.
=============================================================
Called from mozilla::ScriptPreloader::CachedScript::Code<mozilla::loader::OutputBuffer>()
Clear UAF, fairly frequent given it's appearing in 55bN and 56
https://crash-stats.mozilla.com/signature/?product=Firefox&version=56.0a1&version=55.0b&version=55.0b10&version=55.0b9&version=55.0b8&address=~e5e5&signature=memcpy%20%7C%20mozilla%3A%3Aloader%3A%3AOutputBuffer%3A%3AcodeString&date=%3E%3D2017-07-12T13%3A40%3A00.000Z&date=%3C2017-07-19T13%3A40%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1
Updated•7 years ago
status-firefox54:
--- → unaffected
status-firefox55:
--- → affected
status-firefox56:
--- → affected
status-firefox-esr52:
--- → unaffected
Updated•7 years ago
Group: core-security → javascript-core-security
Comment 2•7 years ago
This is probably a regression from Kris's preloader work.
Flags: needinfo?(nihsanullah) → needinfo?(kmaglione+bmo)
Assignee
Comment 3•7 years ago
The only way I can think of that this might happen is if we invalidate the startup cache (probably because of an extension installation) in the middle of a cache write operation, and free cached scripts before they're encoded.
There's supposed to be locking to prevent that, but there are separate monitors for the cache write operation and ordinary cache manipulation, and the write thread only holds one of them.
Flags: needinfo?(kmaglione+bmo)
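The race hypothesized in comment 3, as an added single-threaded model (not Firefox code, and not the change made in bug 1382329, which this page does not show). `Monitor`, `Cache`, `cacheMon`, `saveMon` and the function names are hypothetical; the writer's references are `weak_ptr`s so a freed script is counted rather than dereferenced.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Constructed model; all names are hypothetical, not the ScriptPreloader API.
struct Monitor { bool held = false; };         // stands in for a real monitor

struct Cache {
    Monitor cacheMon;                          // guards ordinary cache manipulation
    Monitor saveMon;                           // guards the cache write operation
    std::vector<std::shared_ptr<std::string>> scripts;

    // Invalidation frees every cached script. It only consults cacheMon,
    // so a writer that holds saveMon alone does not stop it.
    bool invalidate() {
        if (cacheMon.held) return false;       // a real monitor would block here
        scripts.clear();
        return true;
    }
};

// Simulates one write pass with an invalidation arriving mid-write.
// Returns how many scripts were already freed when the writer reached them;
// with raw pointers each of those would be a use-after-free.
std::size_t writeWithInvalidation(Cache& c, bool holdCacheMon) {
    c.saveMon.held = true;
    c.cacheMon.held = holdCacheMon;            // corrected discipline: hold both
    // The writer keeps non-owning references to the scripts it will encode.
    std::vector<std::weak_ptr<std::string>> pending(c.scripts.begin(),
                                                    c.scripts.end());
    std::size_t freed = 0;
    for (std::size_t i = 0; i < pending.size(); ++i) {
        if (i == 1) c.invalidate();            // startup cache invalidated mid-write
        if (pending[i].expired()) ++freed;     // detected instead of dereferenced
    }
    c.cacheMon.held = false;
    c.saveMon.held = false;
    return freed;
}

// Constructed sample cache with three scripts.
Cache makeCache() {
    Cache c;
    for (const char* name : {"a.js", "b.js", "c.js"})
        c.scripts.push_back(std::make_shared<std::string>(name));
    return c;
}
```

With `holdCacheMon` false the invalidation succeeds during the write and the remaining scripts are gone before they are encoded; with it true the invalidation is refused until the write pass releases both monitors.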
Assignee
Updated•7 years ago
Assignee: nobody → kmaglione+bmo
Comment 5•7 years ago
Last crashes on crash-stats are from 55.0b12, which strongly supports this having been fixed by bug 1382329 (shipped in b13).
Status: NEW → RESOLVED
Closed: 7 years ago
Depends on: 1382329
Flags: needinfo?(kmaglione+bmo)
Keywords: regressionwindow-wanted, testcase-wanted
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Updated•7 years ago
Group: javascript-core-security → core-security-release
Updated•7 years ago
Group: core-security-release