Closed
Bug 1412876
Opened 7 years ago
Closed 4 years ago
Intermittent PROCESS-CRASH | autophone-s1s2 | application crashed [@ js::CompartmentChecker::fail]
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox58 | --- | affected |
People
(Reporter: bc, Unassigned)
References
Details
(4 keywords, Whiteboard: [#jsapi:crashes-retriage])
Crash Data
Attachments
(1 file)
|
(deleted),
text/plain
|
Details |
https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=d7f7d7cb6a4bd1cd76ce6929944e4eb952de0bbb&filter-searchStr=autophone
PROCESS-CRASH | autophone-s1s2 | application crashed [@ js::CompartmentChecker::fail]
This test basically loads a blank page <https://github.com/mozilla/autophone/blob/master/files/s1s2/blank.html> then shuts down.
This occurred on a Pixel running Android 7.1.
|
||
Comment 1•7 years ago
|
||
Compartment mismatch in InterpreterFrame::epilogue() calling EnvironmentIter::EnvironmentIter().
Group: core-security → javascript-core-security
Keywords: csectype-uaf,
sec-high
|
||
Comment 2•7 years ago
|
||
Jeff, could you take a look? Apparently
assertSameCompartment(cx, frame);
is failing, which means the dynamic Environment objects aren't in the same compartment as cx. Super odd; I wonder what JS code is running here (and what craziness we could possibly be doing to cause this).
Flags: needinfo?(jwalden+bmo)
Priority: -- → P1
|
||
Updated•7 years ago
|
Assignee: nobody → jwalden+bmo
|
||
Comment 3•7 years ago
|
||
Setting up a build environment/etc. sufficient to start debugging this at all is a chunk of work, that quite frankly it's been hard to justify compared to other work with more immediate wins. Particularly for a once-a-day thing, as that graph goes. Hoping to get to this soon, once UTF-8 script parsing is completed in the JS shell -- but compared to that clear value, I can't see how this can take precedence.
|
|
||
Updated•7 years ago
|
Priority: P1 → P3
|
|
||
Updated•7 years ago
|
Flags: needinfo?(jwalden+bmo)
|
||
Comment 4•6 years ago
|
||
Adding to crash triage queue since this seems stalled. We should determine if this still occurs.
Assignee: jwalden+bmo → nobody
Whiteboard: [#jsapi:crashes-retriage]
|
|
||
Comment 5•6 years ago
|
||
This doesn't need to be rated sec-high: it's a now-rare crash (8 in the last 90 days, most recent version is 62.0 and 60.3esr) and it's failing on a breakpoint. Yes, it's a worrying component mismatch, but it's one we're catching.
Keywords: sec-high → sec-moderate
|
|
||
Comment 6•6 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #5)
> Yes, it's a worrying component mismatch, but it's one we're catching.
Compartment checking isn't enabled in release builds, only Nightly, if that matters...
Flags: needinfo?(dveditz)
|
|
||
Comment 7•6 years ago
|
||
The one I'm seeing in crash-stats appears to be a release assert:
https://hg.mozilla.org/releases/mozilla-release/annotate/d2e449c73dac/js/src/jsscript.cpp#l1455
The above is 57.0.1, and I've seen 60esr crashes, too. It's spelled differently on trunk but is still a release assert:
https://searchfox.org/mozilla-central/rev/8f0db72fb6e35414fb9a6fc88af19c69f332425f/js/src/vm/JSScript.cpp#1435
Yeah, I still worry, but not quite a sec-high worth of worry. "sec-moderate" is still an UNSAFE and potentially exploitable bug.
Flags: needinfo?(dveditz)
|
|
||
Comment 8•6 years ago
|
||
Ah, interesting. It looks like that was done as part of the compartment to realm changes.
|
|
||
Updated•4 years ago
|
Crash Signature: [@ js::CompartmentChecker::fail] → [@ js::CompartmentChecker::fail]
[@ js::ContextChecks::check]
|
|
||
Comment 9•4 years ago
|
||
I only see a single crash for a supported version that isn't a nullptr issue (and those are also extremely rare). I think we can close this bug.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•1 year ago
|
Group: javascript-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•