Crash in [@ memcpy | js::XDRImmutableScriptData<T>]
Categories
(Core :: JavaScript Engine, defect, P5)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox82 | --- | unaffected |
| firefox83 | --- | wontfix |
| firefox84 | --- | wontfix |
People
(Reporter: philipp, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/6b6873f0-d720-4440-93b2-a18620201102
Reason: EXCEPTION_IN_PAGE_ERROR_READ / STATUS_IO_DEVICE_ERROR
Top 10 frames of crashing thread:
0 vcruntime140.dll memcpy f:\dd\vctools\crt\vcruntime\src\string\amd64\memcpy.asm:447
1 xul.dll js::XDRImmutableScriptData<js::XDR_DECODE> js/src/vm/JSScript.cpp:897
2 xul.dll static js::frontend::StencilXDR::SharedData<js::XDR_DECODE> js/src/frontend/StencilXdr.cpp:886
3 xul.dll js::XDRScript<js::XDR_DECODE> js/src/vm/JSScript.cpp:1148
4 xul.dll js::XDRInterpretedFunction<js::XDR_DECODE> js/src/vm/JSFunction.cpp:674
5 xul.dll js::XDRScript<js::XDR_DECODE> js/src/vm/JSScript.cpp:1146
6 xul.dll js::XDRState<js::XDR_DECODE>::codeScript js/src/vm/Xdr.cpp:406
7 xul.dll js::MultiScriptsDecodeTask::parse js/src/vm/HelperThreads.cpp:848
8 xul.dll js::ParseTask::runHelperThreadTask js/src/vm/HelperThreads.cpp:612
9 xul.dll static js::HelperThread::ThreadMain js/src/vm/HelperThreads.cpp:2350
this crash signature is starting to show up in firefox 83.0b builds on windows.
|
||
Comment 1•4 years ago
|
||
This looks like XDR buffer is shorter than expected, while decoding bytecode:
MOZ_TRY(xdr->codeBytes(code, codeLength));
XDRResult codeBytes(void* bytes, size_t len) {
...
if (mode == XDR_ENCODE) {
... } else {
const uint8_t* ptr = buf->read(len);
if (!ptr) {
return fail(JS::TranscodeResult_Failure_BadDecode);
}
memcpy(bytes, ptr, len);
}
return Ok();
}
This could happen if the buffer is cropped at the middle of the bytecode while:
- encoding, or
- writing to file, or
- reading from file
Or the file/XDR buffer content is corrupted before that point and it's reading wrong point of the buffer
|
|
||
Comment 2•4 years ago
|
||
If I'm reading the dump/code correctly, the dest/src/length of memcpy looks reasonable value.
|
||
Updated•4 years ago
|
|
|
||
Comment 3•4 years ago
|
||
(In reply to Tooru Fujisawa [:arai] from comment #1)
This could happen if the buffer is cropped at the middle of the bytecode while:
- encoding, or
- writing to file, or
- reading from file
Or the file/XDR buffer content is corrupted before that point and it's reading wrong point of the buffer
This wasn't correct.
buf->read checks if the buffer has enough length
https://searchfox.org/mozilla-central/rev/919f7400e2e12bc963ee2ae8400ef961972c3059/js/src/vm/Xdr.h#442
So, if it overruns the buffer after that, it means the underlying buffer isn't allocated correctly, and there's mismatch between buffer.length() and buffer's allocated size,
or there's data corruption around buffer pointer
|
||
Comment 4•4 years ago
|
||
This doesn't seem actionable anymore. Most likely this is a new signature for crashes we've had for years.
|
||
Updated•4 years ago
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Description
•