Google crashes Firefox by putting 20,000 variables in a function

Mozilla recently detected a large number of Firefox crashes, mainly among users on Linux, and especially on distributions based on older versions of Debian.

After investigating, Mozilla found that the problem was caused not by Firefox itself but by a combination of an old Linux kernel and Google's JavaScript code.

The crashes appeared suddenly. Mozilla first noticed that thousands of users of Huayra, a Debian-based distribution, were affected, specifically Huayra 5 (based on Debian 10). Further testing showed that the problem affects almost all distributions based on older versions of Debian.

The crashes are not random but 100% reproducible: Firefox crashes whenever the user runs a Google image search, and every version of Firefox is affected, from the latest release to very old ones.

From these two observations (every Firefox version affected, only old Debian-based systems affected) Mozilla's engineers concluded that the trigger lay outside Firefox, in Google's page and the old Linux kernel, and began to analyze the root cause.

Mozilla then analyzed Firefox's behavior at the moment of the crash and found that it occurred during stack probing: the JIT touched the stack area reserved for the next JavaScript call's local variables, and that access faulted as if the stack had overflowed, even though it should not have.

The first oddity: Mozilla found that Google had recently changed its image search page, which now contains a single JavaScript function that declares 20,000 variables. Further analysis suggested the function may be AI-generated code.

Even so, Firefox should in theory not have crashed: Linux grows the stack automatically on demand, and the Mozilla team had reserved enough stack space. They confirmed this by examining the memory of an affected process at the point of the crash.

Mozilla wrote: "Before doing this, we did a stack inspection and verified that the amount of extra stack memory we allocated would not overflow the native stack limit we had set for ourselves. So there seems to be a divide between our self-imposed limits and operating system limits. This is somewhat distro-dependent, but confusing: for example, it affects Debian 10 but not Debian 11."

The Mozilla team then turned to the Linux kernel and found that older kernels had a check that refused stack accesses too far below the stack pointer: on x86, an access more than 64 KiB + 256 bytes (65,536 bytes plus 32 machine words) below the stack pointer caused a segmentation fault instead of growing the stack. That check was removed in Linux 4.20, so users of distributions shipping newer kernels are not affected. This explains the distro dependence: Debian 10 ships Linux 4.19, which still has the check, while Debian 11 ships Linux 5.10. A quick way to tell whether a system is exposed is to compare the output of `uname -r` against 4.20.
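The following C model is added here to make the two mechanisms above concrete; it is not Mozilla's code and not the kernel's. It encodes the removed kernel rule as a predicate and compares two ways of probing a large stack frame against it: a hypothetical "far probe" that touches the bottom of the new frame while the stack pointer still sits at the old frame top, and a page-by-page probe in which no touch is ever more than one page below the stack pointer. The frame size (20,000 locals at 8 bytes each, the size of SpiderMonkey's 64-bit JS::Value) and the sample stack pointer are assumptions, and the far probe is an illustrative pattern that the model rejects, not a reconstruction of what Firefox's JIT actually emitted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL

/* Pre-4.20 x86 kernels grew the stack for a fault only if it was at most
 * this far below the faulting instruction's stack pointer: 64 KiB plus
 * 32 machine words, i.e. 256 bytes on x86-64. Further down meant SIGSEGV. */
#define OLD_STACK_GAP (65536UL + 256UL)

/* Model of the removed check (not the kernel's code): would a fault at
 * `addr`, with the stack pointer at `sp`, be allowed to expand the stack? */
bool old_kernel_would_expand(uintptr_t addr, uintptr_t sp)
{
    if (addr >= sp)
        return true;                 /* at or above sp: ordinary access */
    return sp - addr <= OLD_STACK_GAP;
}

/* Assumed frame size: `locals` JS values of 8 bytes each. */
size_t assumed_frame_bytes(size_t locals)
{
    return locals * 8;
}

/* Hypothetical far probe: touch the lowest byte of a `frame`-byte frame
 * while sp still points at the old frame top. Returns true if the old
 * kernel would have accepted that single access. */
bool probe_far_first(uintptr_t sp, size_t frame)
{
    uintptr_t lowest = sp - frame;
    return old_kernel_would_expand(lowest, sp);
}

/* Page-by-page probe: reserve the frame one page at a time, touching each
 * page as soon as it is reserved, so no touch is more than a page below
 * sp. Returns the number of touches, or -1 if the old kernel would have
 * rejected one of them. */
long probe_page_by_page(uintptr_t sp, size_t frame)
{
    uintptr_t bottom = sp - frame;
    uintptr_t cur = sp;
    long touches = 0;

    while (cur > bottom) {
        uintptr_t next = cur - PAGE_SIZE;
        if (next < bottom)
            next = bottom;
        /* touch the newly reserved page at `next` with sp still at `cur` */
        if (!old_kernel_would_expand(next, cur))
            return -1;
        cur = next;
        touches++;
    }
    return touches;
}

int main(void)
{
    /* arbitrary but plausible x86-64 user-space stack pointer (assumption) */
    uintptr_t sp = (uintptr_t)0x7ffffffde000ULL;
    size_t frame = assumed_frame_bytes(20000);

    printf("frame: %zu bytes (%zu KiB), window: %lu bytes\n",
           frame, frame / 1024, OLD_STACK_GAP);
    printf("far probe accepted by pre-4.20 kernel: %s\n",
           probe_far_first(sp, frame) ? "yes" : "no");
    printf("page-by-page probe: %ld touches\n", probe_page_by_page(sp, frame));
    return 0;
}
```

The model shows why a 160,000-byte frame is a problem only for the far access: 160,000 bytes is well past the 65,792-byte window, so a single touch at the bottom of the frame is refused, while walking the frame one 4 KiB page at a time keeps every access within the window and succeeds after 40 touches.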

Testing indicates that Google has since changed the image search page so that it no longer triggers the crash, but Mozilla is still working on a fix on its side so that users still running old kernels are protected once and for all and the same situation cannot recur.


Source: www.oschina.net/news/246678/firefox-crash