Closed Bug 1490016 Opened 6 years ago Closed 6 years ago

Crash in GraphWalker<T>::DoWalk

Categories

Component: Core :: XPCOM
Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED DUPLICATE of bug 500105
Tracking Status
firefox62 --- wontfix
firefox63 --- fix-optional
firefox64 --- fix-optional

People

(Reporter: marcia, Unassigned)

Details

(Keywords: crash, regression)

Crash Data

This bug was filed from the Socorro interface and is report bp-abcf9c93-c350-4408-bfc2-56d0e0180906.
=============================================================

Seen while looking at release crash stats (not sure if this is the correct component). There is an old bug associated with this signature - Bug 500105, but while looking at reports I see some in 62 that are possible UAFs: https://bit.ly/2oU6XFK

facebook and youtube.com are the most common URLs in 62.0.

Top 10 frames of crashing thread:

0 xul.dll GraphWalker<ScanBlackVisitor>::DoWalk xpcom/base/nsCycleCollector.cpp:1518
1 xul.dll GraphWalker<ScanBlackVisitor>::Walk xpcom/base/nsCycleCollector.cpp:1489
2 xul.dll nsCycleCollector::ScanBlackNodes xpcom/base/nsCycleCollector.cpp:3256
3 xul.dll nsCycleCollector::ScanRoots xpcom/base/nsCycleCollector.cpp:3286
4 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3776
5 xul.dll nsCycleCollector_collectSlice xpcom/base/nsCycleCollector.cpp:4343
6 xul.dll nsJSContext::RunCycleCollectorSlice dom/base/nsJSEnvironment.cpp:1546
7 xul.dll static bool ICCRunnerFired dom/base/nsJSEnvironment.cpp:1605
8 xul.dll std::_Func_impl_no_alloc<bool  vs2017_15.6.6/VC/include/functional:16707566
9 xul.dll mozilla::IdleTaskRunner::Run xpcom/threads/IdleTaskRunner.cpp:63

=============================================================
Yeah, any GC or CC crash can result in a UAF. I don't think anything is gained by having a separate hidden bug for this signature.
Group: core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE

I just hit this using TB 78RC2: https://crash-stats.mozilla.org/report/index/c8782125-241c-489a-81d9-7b91c0200712#tab-bugzilla

I can't comment in bug 500105 since comments have been closed.