Closed Bug 1048111 Opened 10 years ago Closed 10 years ago

SystemMessageHandledListener appears to leave dead entries in the linked list

Categories

(Core :: DOM: Content Processes, defect)

x86_64
Windows 7
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: khuey, Unassigned)

References

Details

(Keywords: csectype-uaf, sec-critical)

When SystemMessageHandledListener times out and Notify is called, OnSystemMessageHandled is never called.  That means we never pull the listener out of the linked list and when it is deleted we have a dead entry in the list.  This appears to be what is happening in bug 1046956.  Marcia's crash report https://crash-stats.mozilla.com/report/index/4ce0108e-f1ef-4468-b1d1-71dcf2140731 crashes at an address near 0x5a5a5a5a which is the code for deleted memory.
Removing the wake lock seems to change the timing or something.
Although the LinkedListElement's dtor calls removeelement, so this isn't what's going on.
Is this something you could look at, Sean?  Thanks.
Flags: needinfo?(selin)
This isn't actually happening.  See comment 2.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(selin)
Resolution: --- → INVALID
Group: core-security
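As an added illustration of the reasoning in comment 2 (constructed example, not Gecko's mfbt LinkedList code): an intrusive list element whose destructor unlinks itself cannot leave a dead entry behind when a timed-out listener is deleted without ever running the explicit removal in OnSystemMessageHandled. The names ListElement, List and Listener are assumed stand-ins.

```cpp
#include <cstddef>

// Minimal self-unlinking intrusive list node (constructed stand-in for
// LinkedListElement; not the real mfbt implementation).
struct ListElement {
    ListElement* next = this;
    ListElement* prev = this;
    bool isInList() const { return next != this; }
    void remove() {
        prev->next = next;
        next->prev = prev;
        next = prev = this;
    }
    // The destructor unlinks the node, so deleting a listener that nobody
    // removed explicitly cannot leave a dangling pointer in the list.
    ~ListElement() { remove(); }
};

struct List {
    ListElement sentinel;  // circular list anchored on a sentinel node
    void insertBack(ListElement* e) {
        e->prev = sentinel.prev;
        e->next = &sentinel;
        sentinel.prev->next = e;
        sentinel.prev = e;
    }
    size_t length() const {
        size_t n = 0;
        for (const ListElement* p = sentinel.next; p != &sentinel; p = p->next) ++n;
        return n;
    }
};

// Stand-in for the listener: the timeout path (Notify) never removes it.
struct Listener : ListElement {
    void OnSystemMessageHandled() { remove(); }  // normal path: explicit unlink
    void Notify() { /* timeout path: no explicit remove() */ }
};

// Deletes a timed-out listener that was never removed explicitly and checks
// that the list still links cleanly from sentinel to the survivor and back.
bool listConsistentAfterTimedOutDelete() {
    List list;
    Listener* a = new Listener;
    Listener* b = new Listener;
    list.insertBack(a);
    list.insertBack(b);
    a->Notify();  // times out; OnSystemMessageHandled() is never called
    delete a;     // ~ListElement() unlinks it anyway
    bool ok = list.length() == 1 && list.sentinel.next == b &&
              b->prev == &list.sentinel && b->next == &list.sentinel;
    b->OnSystemMessageHandled();
    ok = ok && list.length() == 0 && !b->isInList();
    delete b;
    return ok;
}
```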