Closed Bug 1020506 Opened 11 years ago Closed 11 years ago

crash in arena_dalloc | je_free | nsACString_internal::SetLength(unsigned int)

Categories

(Core :: Networking, defect)

x86
Windows NT
defect
Not set
critical

RESOLVED DUPLICATE of bug 1035075

People

(Reporter: davidb, Unassigned)

Details

(Keywords: crash, sec-high)

Crash Data

This bug was filed from the Socorro interface and is report bp-07d14514-5697-4a15-a907-7d3872140531.

=============================================================

Filing in networking to start; I'm not sure where this belongs. Note that the crash dump analysis rates exploitability high. More reports are here: https://crash-stats.mozilla.com/report/list?product=Firefox&signature=arena_dalloc+|+je_free+|+nsACString_internal%3A%3ASetLength%28unsigned+int%29
Something has messed up the allocator's memory, we need to find and fix it.
Component: Networking → jemalloc
Keywords: sec-high
I'm pretty sure this is actually a Networking issue; my guess is that jemalloc is being handed junk memory. A random sampling of the stacks indicates the same path each time, with the most likely root cause being the call to |mPAC.GetProxyForURI| [1] in |nsPACMan::ProcessPending|.

[1] http://hg.mozilla.org/releases/mozilla-release/annotate/529a45c94e5a/netwerk/base/src/nsPACMan.cpp#l550
Component: jemalloc → Networking
Patrick, you know the PAC code best, but we can also hand this to Valentin or Dragana, etc.
Flags: needinfo?(mcmanus)
1035075 might be similar: a UAF in the PAC code. Not sure exactly what has changed in that space; some of the JS team made some updates for API changes with JS that might be causing the issue. I asked Steve if he wanted to look at 1035075.
Flags: needinfo?(mcmanus)
Group: network-core-security
FWIW, a bunch of crash reporter comments are about crashing during shutdown (but not exclusively).
davidb - I think, based on 1035075, it is a shutdown issue, and I've got a patch to address that. So I'm going to dup it.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: network-core-security, core-security-release