Bug 682607 (Closed): zlib crash with SIGBUS in [@ MOZ_Z_inflate_fast ]
Opened 13 years ago, closed 3 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: bjacob, Unassigned
Details: Keywords: crash; Whiteboard: ShutDownKill
This is the top Firefox 8.0a2 / Linux crasher with 8 crashes last week, but all 8 crashes seem to be from the same guy.
https://crash-stats.mozilla.com/report/list?product=Firefox&version=Firefox%3A8.0a2&platform=linux&query_search=signature&query_type=contains&reason_type=contains&date=&range_unit=weeks&hang_type=any&process_type=any&do_query=1&signature=MOZ_Z_inflate_fast
Here's one of the crash reports:
https://crash-stats.mozilla.com/report/index/a52d8598-3697-4328-8bbc-244ed2110826
The crash is at
http://hg.mozilla.org/releases/mozilla-aurora/annotate/85de577ce6a4/modules/zlib/src/inffast.c#l124
The code is
    if (bits < 15) {
        hold += (unsigned long)(PUP(in)) << bits;
        bits += 8;
        hold += (unsigned long)(PUP(in)) << bits; // <-- crash here
        bits += 8;
    }
Here |in| is a char* pointer and PUP is a macro incrementing and dereferencing the pointer.
Are we running past the end of an array here?
What's SIGBUS anyway on Linux and how is it different from SIGSEGV?
Don't know whom to CC, so CCing a few ImageLib people as zlib bugs I've found were in ImageLib component.
Updated•13 years ago
Comment 1•13 years ago
https://crash-stats.mozilla.com/report/list?signature=MOZ_Z_inflate_fast says this happens across the board in all kinds of Firefox versions and platforms.
OS: Linux → All
Hardware: x86_64 → All
Comment 2•13 years ago
Is this really a top crash based on volume? We had 113 of these on 8.0 in a 4 week timeframe.
Comment 3•13 years ago
Still around even in 9.0 betas, but surely not a topcrash at this point.
Keywords: topcrash
Comment 4•13 years ago
(In reply to Benoit Jacob [:bjacob] from comment #0)
> What's SIGBUS anyway on Linux and how is it different from SIGSEGV?
I wonder what happens when mmaped files are truncated and then an address beyond the end of the file is read? And whether that is even a possible scenario here.
Perhaps this is what bug 598416 was trying to address for WINNT.
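As an added example (not code from this bug, from zlib, or from Firefox), the following Linux C program reproduces the two faults comment 0 asks about and the truncated-mmap scenario comment 4 describes. It maps a two-page temporary file, shrinks the file to one page while the mapping is still live, and touches the page that is now beyond EOF: the mapping exists, but the kernel has no backing data for it, so the access raises SIGBUS. For contrast it also touches a page after munmap, where no mapping exists at all, which raises SIGSEGV. The function names (probe_read, probe_truncated_mmap, probe_unmapped_read) and the temp-file path are this example's own; the kernel behaviour is what mmap(2) documents.

```c
/* Added example: SIGBUS (mapping exists, backing store gone) versus
 * SIGSEGV (no mapping at all) on Linux. Not from the bug, zlib or Firefox. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf jump_env;
static volatile sig_atomic_t caught_signal;

/* Record which fault fired and unwind back into probe_read(). */
static void on_fault(int signo) {
    caught_signal = signo;
    siglongjmp(jump_env, 1);
}

/* Read one byte at p with SIGBUS/SIGSEGV trapped.
 * Returns 0 if the read succeeded, otherwise the signal number it raised. */
static int probe_read(const volatile unsigned char *p) {
    struct sigaction sa, old_bus, old_segv;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGSEGV, &sa, &old_segv);
    caught_signal = 0;
    if (sigsetjmp(jump_env, 1) == 0) {
        (void)*p;               /* the fault, if any, happens on this load */
    }
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGSEGV, &old_segv, NULL);
    return (int)caught_signal;
}

/* Map a two-page file, then truncate it to one page behind the mapping's back.
 * Returns the signal raised by touching the second page afterwards
 * (SIGBUS on Linux), 0 if no fault happened, or -1 on setup failure. */
int probe_truncated_mmap(void) {
    long page = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/sigbus_demo_XXXXXX";   /* constructed temp file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                               /* fd keeps the file alive */
    if (ftruncate(fd, 2 * page) != 0) { close(fd); return -1; }
    unsigned char *map = mmap(NULL, 2 * page, PROT_READ, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }

    int before = probe_read(map + page);        /* still inside the file: OK */
    if (ftruncate(fd, page) != 0) { munmap(map, 2 * page); close(fd); return -1; }
    int after = probe_read(map + page);         /* page now lies beyond EOF */

    munmap(map, 2 * page);
    close(fd);
    return before == 0 ? after : -1;
}

/* Touch a page after it has been unmapped: no mapping at all, so SIGSEGV.
 * Returns the signal raised, 0 if no fault happened, or -1 on setup failure. */
int probe_unmapped_read(void) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *map = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED) return -1;
    map[0] = 1;
    int before = probe_read(map);               /* mapped and writable: OK */
    munmap(map, page);
    int after = probe_read(map);                /* nothing mapped here now */
    return before == 0 ? after : -1;
}
```

The practical reading for a crash like the one in this bug: a SIGBUS inside a plain byte-by-byte loop such as inflate_fast points at the buffer's backing store rather than at pointer arithmetic. An out-of-bounds PUP(in) that runs off the end of a heap buffer into unmapped memory would normally show up as SIGSEGV; SIGBUS is what you get when the bytes are addressed through a file mapping whose file has shrunk underneath it, which is exactly the scenario comment 4 raises.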
Comment 5•10 years ago
Report ID                                Date Submitted
bp-b26dabc6-c013-42fb-8aea-c4b742150123  23/01/2015 01:54 a.m.
status-firefox38: --- → affected
Comment 6•10 years ago
Report ID                                Date Submitted
bp-7e9c5813-fea8-4af1-b05d-c10a72150424  24/04/2015 12:35 p.m.
status-firefox40: --- → affected
Version: unspecified → Trunk
Comment 7•9 years ago
https://crash-stats.mozilla.com/report/index/f60738fc-dc3c-4e85-8275-8d18e2151011
Crashing Thread
Frame  Module   Signature  Source
0      xul.dll  MOZ_Z_inflate_fast  modules/zlib/src/inffast.c
1      xul.dll  MOZ_Z_inflate  modules/zlib/src/inflate.c
2      xul.dll  js::DecompressString(unsigned char const*, unsigned __int64, unsigned char*, unsigned __int64)  js/src/vm/Compression.cpp
3      xul.dll  js::ScriptSource::chars(JSContext*, js::UncompressedSourceCache::AutoHoldEntry&)  js/src/jsscript.cpp
4      xul.dll  JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)  js/src/jsfun.cpp
5      xul.dll  JSFunction::getOrCreateScript(JSContext*)  js/src/jsfun.h
6      xul.dll  JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, JS::Handle<JSFunction*>)  js/src/jsfun.cpp
7      xul.dll  JSFunction::getOrCreateScript(JSContext*)  js/src/jsfun.h
8      xul.dll  Interpret  js/src/vm/Interpreter.cpp
9      xul.dll  js::RunScript(JSContext*, js::RunState&)  js/src/vm/Interpreter.cpp
10     xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)  js/src/vm/Interpreter.cpp
11     xul.dll  js::fun_apply(JSContext*, unsigned int, JS::Value*)  js/src/jsfun.cpp
12     xul.dll  js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct)  js/src/vm/Interpreter.cpp
13     xul.dll  js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>)  js/src/vm/Interpreter.cpp
14     xul.dll  js::jit::DoCallFallback  js/src/jit/BaselineIC.cpp
15     @0x132c4a71a5c
status-firefox44: --- → affected
Component: General → JavaScript Engine
Summary: zlib crash with SIGBUS in MOZ_Z_inflate_fast → zlib crash with SIGBUS in [@ MOZ_Z_inflate_fast ]
Version: Trunk → 44 Branch
Updated•9 years ago
Updated•9 years ago
No longer blocks: shutdownkill
Comment 8•8 years ago
Crash volume for signature 'MOZ_Z_inflate_fast':
- nightly (version 51): 0 crashes from 2016-08-01.
- aurora (version 50): 0 crashes from 2016-08-01.
- beta (version 49): 14 crashes from 2016-08-02.
- release (version 48): 52 crashes from 2016-07-25.
- esr (version 45): 8 crashes from 2016-05-02.
Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
- nightly        0       0       0
- aurora         0       0       0
- beta           3       4       3
- release       19      12       4
- esr            0       0       1
Affected platforms: Windows, Mac OS X, Linux
Crash rank on the last 7 days:
            Browser  Content  Plugin
- nightly
- aurora
- beta      #2107
- release   #961
- esr
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox-esr45: --- → affected
Comment 9•8 years ago
crash in last nightly
https://crash-stats.mozilla.com/report/index/746fba24-10a1-4611-a5ed-5cb2e2160905
Updated•3 years ago
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Updated•2 years ago