Closed Bug 1337814 Opened 7 years ago Closed 7 years ago

Hit MOZ_CRASH(element wasn't found in this list!) at LinkedList.h:635

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 + fixed

People

(Reporter: cbook, Assigned: farre)

References

(Blocks 1 open bug,
URL
)

Details

(4 keywords)

Attachments

(4 files, 2 obsolete files)

bughunter stack
169.68 KB, text/plain
Details
asan report
6.44 KB, text/plain
Details
0001-Bug-1337814-Add-test-for-cancelling-currently-execut.patch
1.09 KB, patch
smaug
: review+
Details | Diff | Splinter Review
0002-Bug-1337814-Remove-rIC-callback-from-pending-callbac.patch
1.02 KB, patch
smaug
: review+
Details | Diff | Splinter Review
Attached file bughunter stack 
Hit MOZ_CRASH(element wasn't found in this list!) at c:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\src\obj-firefox\dist\include\mozilla/LinkedList.h:635

Found via bughunter and reproduced on latest m-c windows tinderbox trunk debug build.

Seems this is a debug only crash.

Steps to reproduce:
-> Load https://www.linkedin.com/company-beta/1680?pathWildcard=1680
--> Crash on load 

Filing as sec bug because we get asan heap-use-after-free that seems related for youtube urls
nathan, do you know who could take a look at this crash ?
Flags: needinfo?(nfroyd)
[Tracking Requested - why for this release]:

so far only trunk reports on bughunter for windows and linux so far, so seems some kind of trunk regression
status-firefox54: --- → affected
tracking-firefox54: --- → ?
Andreas, perhaps, since this involves idle requests/idle callbacks.
Component: General → DOM
Flags: needinfo?(nfroyd) → needinfo?(afarre)
Attached file asan report 

    
    

    
  
Added :smaug. Looking at it now.
Flags: needinfo?(afarre)

    
  
Assignee: nobody → afarre

    
    

    
  
This sounds very similar to bug 1315232, in terms of the test cases.
See Also:  → 1315232

    
    

    
  
I hit this almost instantly when logging into LinkedIn and scrolling/loading the contact list on "My Network" [1].

[1] https://www.linkedin.com/mynetwork/

    
    

    
  
fwiw, we first saw the MOZ_CRASH and ASAN heap-use-after-free on 2017-01-29.

    
    

    
  
(In reply to Tim Taubert [:ttaubert] from comment #7)
> I hit this almost instantly when logging into LinkedIn and scrolling/loading
> the contact list on "My Network" [1].

Can you try that in an ASan build and attach the stack to this bug, please (if you have one handy)? Thanks.
Flags: needinfo?(ttaubert)

    
    

    
  
(In reply to Andrew McCreight [:mccr8] from comment #10)
> Can you try that in an ASan build and attach the stack to this bug, please
> (if you have one handy)? Thanks.

So I downloaded the opt and debug versions of the m-c ASan builds. I can easily reproduce but the opt build doesn't give me a useful stack trace, and the debug build hits MOZ_CRASH() :/
Flags: needinfo?(ttaubert)

        Attachment #8834991 -
        Flags: review?(bugs) → review+

    
    

    
  
Comment on attachment 8834992 [details] [diff] [review]
0002-Bug-1337814-Remove-rIC-callback-from-pending-callbac.patch

> {
>   AssertIsOnMainThread();
>   RefPtr<IdleRequest> request(aRequest);
>-  nsresult result = request->IdleRun(AsInner(), aDeadline, aDidTimeout);
>   RemoveIdleCallback(request);
>+  nsresult result = request->IdleRun(AsInner(), aDeadline, aDidTimeout);
>+
>   return result;

Why not just 
return request->IdleRun(AsInner(), aDeadline, aDidTimeout);

        Attachment #8834992 -
        Flags: review?(bugs) → review+

    
    

    
  


  

        Attachment #8834992 -
        Attachment is obsolete: true

    
  

        Attachment #8835012 -
        Flags: review?(bugs)

    
    

    
  


  
Tweaked commit message.

        Attachment #8835012 -
        Attachment is obsolete: true

        Attachment #8835012 -
        Flags: review?(bugs)

        Attachment #8835016 -
        Flags: review?(bugs)

    
    

    
  
Tracking 54+ for this sec critical issue.

          tracking-firefox54:
          ?+
Blocks: 1315232
See Also: 1315232

        Attachment #8835016 -
        Flags: review?(bugs) → review+

    
    

    
  
https://hg.mozilla.org/integration/mozilla-inbound/rev/bf910e9138d0
Bug 1337814 - Add test for cancelling currently executing rIC callback. r=smaug

https://hg.mozilla.org/integration/mozilla-inbound/rev/7ec7752867ac
Bug 1337814 - Remove rIC callback from pending callbacks before running it. r=smaug

    
    

    
  
are we sure this is just 54 ? in bug 1337707 calixte mentioned 51 and 52 as crash signatures. 

Will also do more testing now
Flags: needinfo?(afarre)
Blocks: 738653

    
    

    
  
(In reply to Carsten Book [:Tomcat] from comment #21)
> are we sure this is just 54 ? in bug 1337707 calixte mentioned 51 and 52 as
> crash signatures. 

It won't hurt to check older branches, but these signatures are mostly just generic memory corruption signatures, so it isn't surprising to see them on lower volume elsewhere.
Flags: needinfo?(afarre)
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: