Closed
Bug 622456
Opened 14 years ago
Closed 14 years ago
mz's fuzzer triggers crash marking wrapped natives crashes @ WrappedNativeMarker , WrappedNativeTearoffSweeper , XPCWrappedNativeProto::Mark() , js::gc::MarkChildren , js::gc::MarkKind etc...
Categories: Core :: XPConnect, defect
Status: RESOLVED FIXED
Tracking
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: gal, Assigned: bent.mozilla)
Details
Keywords: crash, qawanted
Whiteboard: [sg:critical?][hardblocker] fixed by 605672
Attachments (1 file): text/plain (deleted)
+++ This bug was initially created as a clone of Bug #622165 +++

spin off from testing of security bug 581539

load mz's fuzzer planned for release next week: http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20100729_seed.html

chofman found a couple crashes that look XPConnect related. These might be all the same bug or not. If we can reproduce one, we should see whether it covers all reports and if not clone further.

Signature | Version | OS | URL | Note | Crash report
---|---|---|---|---|---
JS_CallTracer | 3.6.13 | Linux 2.6.35 x86_64 | wyciwyg://83/http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_final_20100728.html | | http://crash-stats.mozilla.com/report/index/e6c22613-5093-4c5b-bdc6-f6b892110101
WrappedNativeMarker | 3.6.13 | Windows NT 6.1.7600 | http://lcamtuf.coredump.cx/cross_fuzz/targets/target.html | | http://crash-stats.mozilla.com/report/index/73e32642-6247-4f40-a923-a75a82110101
XUL@0x11985b6 | 4.0b8pre | Mac OS X 10.6.5 10H574 | http://lcamtuf.coredump.cx/cross_fuzz/targets/target.html | | http://crash-stats.mozilla.com/report/index/45b7aeca-4dd4-4796-9d30-b294b2110101
WrappedNativeJSGCThingTracer | 4.0b8 | Windows NT 6.1.7600 | http://lcamtuf.coredump.cx/cross_fuzz/targets/%5Bobject%20History%5D | RUNNING fuzzer | http://crash-stats.mozilla.com/report/index/9b2bb13b-d788-4d91-ba3e-4ddc52110101
XPCNativeSet::Mark() | 4.0b8 | Windows NT 5.1.2600 Service Pack 3 | wyciwyg://42/http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_final_20100728.html | | http://crash-stats.mozilla.com/report/index/ed08f663-0d4b-4a59-aaf5-fd6ec2110101
Updated•14 years ago (Reporter)

Comment 1•14 years ago (Reporter)
QA: Getting a reliably crashing test case would be awesome. The fuzzer is publicly available now if I understand correctly, so this is very high priority to avoid a 0-day.
Keywords: qawanted
Comment 2•14 years ago
As a note, if this applies to 3.5 as well as 3.6 (which I assume by being mentioned in comment #0), then we'll need to backport an eventual fix to that as well, I guess, as we're still maintaining that branch as well.
Comment 3•14 years ago
Ben, can you look into this security bug ASAP? We need a fix within days here if at all possible. Maybe run the fuzzer in a recording if nothing else bears fruit here.
Assignee: nobody → bent.mozilla
blocking2.0: --- → betaN+
Comment 4•14 years ago
Need to test 3.5, it's missing some wrappers that 3.6 has and may or may not suffer the same problem (or suffer worse).
status1.9.1: --- → ?
status1.9.2: --- → wanted
Comment 5•14 years ago
an updated list of signatures and counts for jan 2. most appear to be wrapper related.

6 WrappedNativeMarker
1 WrappedNativeTearoffSweeper
1 XPCWrappedNativeProto::Mark()
1 _moz_cairo_surface_set_device_offset
2 js::gc::MarkKind
1 mozilla::layers::BasicLayerManager::PushGroupWithCachedSurface(gfxContext*, gfxASurface::gfxContentType, gfxPoint*)

that last one in layers code may not be as a result of the fuzzer running, but maybe a different crash as the result of someone poking around in other files on the site. if we spot another instance of this we can spin off another bug.
Updated•14 years ago
Attachment #500799 - Attachment mime type: application/octet-stream → text/plain
Comment 6•14 years ago
the layers signature is already on file. Bug 591358
Updated•14 years ago
Whiteboard: [sg:critical?]
Comment 7•14 years ago
getting other bugs on file so we can just make this one about WrappedNativeMarker and related issues.
Updated•14 years ago
Summary: mz's fuzzer triggers crash marking wrapped natives → mz's fuzzer triggers crash marking wrapped natives crashes @ WrappedNativeMarker , WrappedNativeTearoffSweeper , XPCWrappedNativeProto::Mark() etc...
Comment 8•14 years ago
these two might also be related

Signature | Version | OS | URL | Crash report
---|---|---|---|---
js::gc::MarkChildren | 4.0b8 | Windows NT 6.1.7600 | http://lcamtuf.coredump.cx/cross_fuzz/targets/target.html | http://crash-stats.mozilla.com/report/index/b55cc2bd-b6ea-4b46-89be-f2b582110103
js::gc::MarkKind | 4.0b8 | Windows NT 6.1.7600 | wyciwyg://38/http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_final_20100728.html | http://crash-stats.mozilla.com/report/index/71475eb2-69df-4e28-a567-f483e2110103
Summary: mz's fuzzer triggers crash marking wrapped natives crashes @ WrappedNativeMarker , WrappedNativeTearoffSweeper , XPCWrappedNativeProto::Mark() etc... → mz's fuzzer triggers crash marking wrapped natives crashes @ WrappedNativeMarker , WrappedNativeTearoffSweeper , XPCWrappedNativeProto::Mark() , js::gc::MarkChildren , js::gc::MarkKind etc...
Comment 9•14 years ago
I ran the fuzzer in the lab on various hardware and various release builds and trunk, and I have a few different stacks that are not in chofmann's list in Comment 5. I did hit the XPCNativeSet::Mark() on Win XP as well as a different JS stack. Should I file new bugs for these new stacks?
Comment 10•14 years ago
yeah, file new bugs with any new stacks for now, and we can dup later.
Comment 11•14 years ago (Reporter)
Just the stacks won't be of much use. We need reproducible test cases. We should change the fuzzer to start with predetermined seeds.
Comment 12•14 years ago
It does that if you put a seed in location.hash (and if none is found there, a random one is picked and put in the URL). Your mileage reproducing crashes this way may vary, because there is also an element of network timing involved; making a local copy of the fuzzer in file:/// will likely reduce this dependence.
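The seed handling comment 12 describes, written out as an added example (not cross_fuzz's own code): a numeric seed is read from the URL fragment, or generated and written back there, so a run that crashed can be replayed for triage. parseSeed, chooseSeed, makeRng and startRun are assumed names, and mulberry32 stands in for whatever generator the fuzzer actually uses.

```javascript
// Added example, not the fuzzer's code. Names below are assumptions.

// Read an integer seed from a fragment like "#1"; null if absent or malformed.
function parseSeed(hash) {
  const m = /^#?(\d{1,9})$/.exec(hash || "");
  return m ? Number(m[1]) : null;
}

// Use the given seed, or pick a fresh one so the run is still replayable.
function chooseSeed(hash) {
  const given = parseSeed(hash);
  return given !== null ? given : Math.floor(Math.random() * 1e9);
}

// mulberry32: small deterministic PRNG; equal seeds give equal streams.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Start a run: fix the seed, record it in the fragment (as the fuzzer does),
// and draw nValues random numbers from it. `loc` is a location-like object
// with a `hash` property, so this also runs outside a browser.
function startRun(loc, nValues) {
  const seed = chooseSeed(loc.hash);
  loc.hash = "#" + seed;
  const rng = makeRng(seed);
  const values = [];
  for (let i = 0; i < nValues; i++) values.push(rng());
  return { seed, values };
}
```

Two runs started from the same fragment draw identical sequences, which is what makes a crash report's URL (with its #seed) worth keeping.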
Comment 13•14 years ago (Reporter)
Cool. marcia, want to try that? If you can get a reproducible testcase for the Mark() and GC related crashes, that would be awesome.
Comment 14•14 years ago
(In reply to comment #12)
> It does that if you put a seed in location.hash (and if none is found there, a
> random one is picked and put in the URL).
>
> Your mileage reproducing crashes this way may vary, because there is also an
> element of network timing involved;

yeah, just tried this http://lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_randomized_20100729_seed.html#1 and got the _moz_cairo_surface_set_device_offset and js::gc::MarkKind on two consecutive test runs
http://crash-stats.mozilla.com/report/index/bp-875efff3-adbe-4f63-9303-4ba1c2110104
http://crash-stats.mozilla.com/report/index/bp-875efff3-adbe-4f63-9303-4ba1c2110104

> making a local copy of the fuzzer in
> file:/// will likely reduce this dependence.

will try this.
Comment 15•14 years ago
I'm getting some pretty good success hitting crashes quickly with a local copy and file:/// .../lcamtuf.coredump.cx/cross_fuzz/cross_fuzz_final_20100728.html#1

hitting js::gc::MarkKind
http://crash-stats.mozilla.com/report/index/bp-5e2560f3-3165-446b-a2f6-43f0f2110104
http://crash-stats.mozilla.com/report/index/5034d86f-2687-4c0c-bfab-a09032110104 js::gc::MarkKind

but I'm also seeing a few other signatures
http://crash-stats.mozilla.com/report/index/bp-6dc01f9c-5fb9-43d2-8f55-8b4db2110104 nsSJISProber::HandleData
http://crash-stats.mozilla.com/report/index/9acb4ee0-8b40-424d-a576-6acac2110104 WrappedNativeTearoffSweeper
Comment 16•14 years ago (Reporter)
The Sweeper signature is probably related. The HandleData seems to be something else, but it's very hard to tell from here.
Updated•14 years ago
Blocks: crossfuzz-pvt
Comment 17•14 years ago
I put the tarball of the fuzzer and some hints about setting up for running the fuzzer locally on firefox in bug https://bugzilla.mozilla.org/show_bug.cgi?id=623189#c1
Updated•14 years ago
Whiteboard: [sg:critical?] → [sg:critical?], hardblocker
Updated•14 years ago
Whiteboard: [sg:critical?], hardblocker → [sg:critical?][hardblocker]
Comment 18•14 years ago (Assignee)
I think that this was fixed with bug 605672. That was apparently supposed to be included in beta 8 but was backed out just before branching, then it was relanded. I can easily crash with beta8 on windows (and I diagnosed the problem separately in the same way as bug 605672). I am unable to crash on trunk.
Updated•14 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 20•14 years ago
Clearing branch blocking flags as we are now tracking bug 605672.
Updated•14 years ago
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 21•14 years ago
Since the summary is completely different I'd rather mark this "fixed by 605672" rather than a duplicate.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Depends on: 605672
Resolution: --- → FIXED
Whiteboard: [sg:critical?][hardblocker] → [sg:critical?][hardblocker] fixed by 605672
Updated•9 years ago
Not accessible to reporter
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Group: core-security-release