Closed Bug 682607 Opened 13 years ago Closed 3 years ago

zlib crash with SIGBUS in [@ MOZ_Z_inflate_fast ]

Categories

(Core :: JavaScript Engine, defect)

38 Branch
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox38 --- wontfix
firefox40 --- wontfix
firefox44 --- wontfix
firefox48 --- wontfix
firefox49 --- wontfix
firefox-esr45 --- wontfix

People

(Reporter: bjacob, Unassigned)

Details

(Keywords: crash, Whiteboard: ShutDownKill)

Crash Data

This is the top Firefox 8.0a2 / Linux crasher with 8 crashes last week, but all 8 crashes seem to be from the same guy.
https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A8.0a2&platform=linux&query_search=signature&query_type=contains&reason_type=contains&date=&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=MOZ_Z_inflate_fast

Here's one of the crash reports:
https://crash-stats.mozilla.com/report/index/a52d8598-3697-4328-8bbc-244ed2110826

The crash is at
http://hg.mozilla.org/releases/mozilla-aurora/annotate/85de577ce6a4/modules/zlib/src/inffast.c#l124

The code is

    if (bits < 15) {
        hold += (unsigned long)(PUP(in)) << bits;
        bits += 8;
        hold += (unsigned long)(PUP(in)) << bits;   // <-- crash here
        bits += 8;
    }

Here |in| is a char* pointer and PUP is a macro incrementing and dereferencing the pointer. Are we running past the end of an array here? What's SIGBUS anyway on Linux and how is it different from SIGSEGV?

Don't know whom to CC, so CCing a few ImageLib people as zlib bugs I've found were in ImageLib component.
Severity: normal → critical
Keywords: crash, topcrash
https://crash-stats.mozilla.com/report/list?signature=MOZ_Z_inflate_fast says this happens across the board in all kinds of Firefox versions and platforms.
OS: Linux → All
Hardware: x86_64 → All
Is this really a top crash based on volume? We had 113 of these on 8.0 in a 4 week timeframe.
Still around even in 9.0 betas, but surely not a topcrash at this point.
Keywords: topcrash
(In reply to Benoit Jacob [:bjacob] from comment #0)
> What's SIGBUS anyway on Linux and how is it different from SIGSEGV?

I wonder what happens when mmaped files are truncated and then an address beyond the end of the file is read? And whether that is even a possible scenario here. Perhaps this is what bug 598416 was trying to address for WINNT.
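The scenario raised in the comment above (a file that is mmapped and then truncated) can be reproduced and classified in a few lines. This is an added example, not code from the bug or from zlib; it creates a scratch file under /tmp (a constructed path), shrinks it under a live mapping, and reports whether the read past the new end of file raised SIGBUS, SIGSEGV, or nothing.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t caught_signal;

static void on_fault(int sig) {
    caught_signal = sig;        /* record which of SIGBUS / SIGSEGV fired */
    siglongjmp(fault_env, 1);   /* skip past the faulting load */
}

long page_size(void) { return sysconf(_SC_PAGESIZE); }

/* Create a temp file of map_len bytes, map it read-only, shrink it to keep_len
 * bytes, then read byte `probe` of the mapping. Returns 0 if the read succeeds,
 * the signal number it raised, or -1 on setup failure. */
int probe_truncated_mapping(size_t map_len, size_t keep_len, size_t probe) {
    char path[] = "/tmp/sigbus-demo-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (ftruncate(fd, (off_t)map_len) != 0) { close(fd); return -1; }
    volatile unsigned char *map = mmap(NULL, map_len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    /* The file shrinks under the live mapping, like a truncated mmapped source. */
    if (ftruncate(fd, (off_t)keep_len) != 0) { munmap((void *)map, map_len); close(fd); return -1; }

    struct sigaction sa, old_bus, old_segv;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGSEGV, &sa, &old_segv);

    caught_signal = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        /* Pages past EOF stay mapped but have no backing: the kernel raises SIGBUS,
         * whereas an address outside any mapping would raise SIGSEGV. */
        volatile unsigned char sink = map[probe];
        (void)sink;
    }
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    munmap((void *)map, map_len);
    close(fd);
    return caught_signal;
}
```

A decompressor that reads its input from such a mapping cannot bound-check its way out of this: the pointer is inside the mapping, so only the file length (or copying the data first) protects it.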
Report ID: bp-b26dabc6-c013-42fb-8aea-c4b742150123, Date Submitted: 23/01/2015 01:54 a.m.
Report ID: bp-7e9c5813-fea8-4af1-b05d-c10a72150424, Date Submitted: 24/04/2015 12:35 p.m.
Version: unspecified → Trunk
https://crash-stats.mozilla.com/report/index/f60738fc-dc3c-4e85-8275-8d18e2151011

Crashing Thread
Frame  Module   Signature                                                                                                   Source
0      xul.dll  MOZ_Z_inflate_fast                                                                                          modules/zlib/src/inffast.c
1      xul.dll  MOZ_Z_inflate                                                                                               modules/zlib/src/inflate.c
2      xul.dll  js::DecompressString(unsigned char const*, unsigned __int64, unsigned char*, unsigned __int64)              js/src/vm/Compression.cpp
3      xul.dll  js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&)                           js/src/jsscript.cpp
4      xul.dll  JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)                   js/src/jsfun.cpp
5      xul.dll  JSFunction::getOrCreateScript(JSContext*)                                                                   js/src/jsfun.h
6      xul.dll  JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)                   js/src/jsfun.cpp
7      xul.dll  JSFunction::getOrCreateScript(JSContext*)                                                                   js/src/jsfun.h
8      xul.dll  Interpret                                                                                                   js/src/vm/Interpreter.cpp
9      xul.dll  js::RunScript(JSContext*, js::RunState&)                                                                    js/src/vm/Interpreter.cpp
10     xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)                                             js/src/vm/Interpreter.cpp
11     xul.dll  js::fun_apply(JSContext*, unsigned int, JS::Value*)                                                         js/src/jsfun.cpp
12     xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)                                             js/src/vm/Interpreter.cpp
13     xul.dll  js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>)  js/src/vm/Interpreter.cpp
14     xul.dll  js::jit::DoCallFallback                                                                                     js/src/jit/BaselineIC.cpp
15     @0x132c4a71a5c
Component: General → JavaScript Engine
Summary: zlib crash with SIGBUS in MOZ_Z_inflate_fast → zlib crash with SIGBUS in [@ MOZ_Z_inflate_fast ]
Version: Trunk → 44 Branch
Blocks: shutdownkill
Whiteboard: ShutDownKill
Version: 44 Branch → 38 Branch
No longer blocks: shutdownkill
Crash volume for signature 'MOZ_Z_inflate_fast':
- nightly (version 51): 0 crashes from 2016-08-01.
- aurora (version 50): 0 crashes from 2016-08-01.
- beta (version 49): 14 crashes from 2016-08-02.
- release (version 48): 52 crashes from 2016-07-25.
- esr (version 45): 8 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
- nightly        0       0       0
- aurora         0       0       0
- beta           3       4       3
- release       19      12       4
- esr            0       0       1

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
            Browser  Content  Plugin
- nightly
- aurora
- beta      #2107
- release   #961
- esr
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME