Closed
Bug 1122750
Opened 9 years ago
Closed 9 years ago
Crash [@ mozilla::detail::AtomicBaseIncDec<int, (mozilla::MemoryOrdering)2u>::operator-- ]
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | wontfix |
| firefox36 | + | fixed |
| firefox37 | + | fixed |
| firefox38 | + | fixed |
| firefox-esr31 | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | fixed |
| b2g-master | --- | fixed |
People
(Reporter: ntroast, Assigned: bent.mozilla)
References
Details
(Keywords: crash, regression, sec-high, Whiteboard: [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-])
Crash Data
Attachments
(3 files)
|
718 bytes,
text/plain
|
Details | |
|
733.25 KB,
text/plain
|
Details | |
|
2.00 KB,
patch
|
khuey
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
We have been observing the following crash signature during monkey runs. [@ mozilla::detail::AtomicBaseIncDec<int, (mozilla::MemoryOrdering)2u>::operator-- | mozilla::dom::BlobParent::IDTableEntry::Release | nsRefPtr<mozilla::dom::BlobParent::IDTableEntry>::~nsRefPtr | mozilla::dom::BlobParent::~BlobParent ] STR not availiable. Cafbot will upload the minidump shortly.
|
||
Comment 1•9 years ago
|
||
|
|
||
Comment 2•9 years ago
|
||
|
Assignee | |
Comment 3•9 years ago
|
||
What branch is this based on?
|
|
||
Updated•9 years ago
|
Whiteboard: [CR 782853]
|
|
||
Updated•9 years ago
|
Whiteboard: [CR 782853] → [caf priority: p1][CR 782853]
|
|
||
Updated•9 years ago
|
Whiteboard: [caf priority: p1][CR 782853] → [b2g-crash][caf-crash 442][caf priority: p1][CR 782853]
|
||
Comment 4•9 years ago
|
||
(In reply to ben turner [:bent] (use the needinfo? flag!) from comment #3) > What branch is this based on? This is v2.2. The last crash we saw was with Gaia: http://git.mozilla.org/?p=releases/gaia.git;a=commit;h=69ac77cfa938fae2763ac426a80ca6e5feb6ad25 Gecko: http://git.mozilla.org/?p=releases/gecko.git;a=commit;h=16a3a81985429f9831283b38a1d79af3a741dedb
|
|
Assignee | |
Updated•9 years ago
|
Group: dom-core-security
|
|
Assignee | |
Comment 5•9 years ago
|
||
Ugh, IPDL automatically destroys actors if the constructor message fails, so we're double-deleting at the moment...
|
|
Assignee | |
Comment 6•9 years ago
|
||
Looks like this was introduces in bug 994190.
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → affected
status-firefox35:
--- → affected
status-firefox36:
--- → affected
status-firefox37:
--- → affected
status-firefox38:
--- → affected
|
|
Assignee | |
Comment 7•9 years ago
|
||
This should be rare though... It requires a child process to die at just the right moment before sending one of these messages.
|
||
Updated•9 years ago
|
|
|
||
Updated•9 years ago
|
status-firefox-esr31:
--- → unaffected
tracking-firefox36:
--- → +
tracking-firefox37:
--- → +
tracking-firefox38:
--- → +
Attachment #8551430 -
Flags: review?(khuey) → review+
|
|
Assignee | |
Comment 8•9 years ago
|
||
Comment on attachment 8551430 [details] [diff] [review] Patch, v1 [Security approval request comment] How easily could an exploit be constructed based on the patch? Hard, requires narrow timing between child process crash and parent process message being sent Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No, but the changes to the code make the problem pretty obvious... Which older supported branches are affected by this flaw? See flags If not all supported branches, which bug introduced the flaw? See above Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Should be identical for all branches How likely is this patch to cause regressions; how much testing does it need? This is an obviously correct fix, I don't expect any regressions.
Attachment #8551430 -
Flags: sec-approval?
|
||
Comment 11•9 years ago
|
||
Comment on attachment 8551430 [details] [diff] [review] Patch, v1 sec-approval+ for trunk. Please make and nominate patches for affected branches.
Attachment #8551430 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 12•9 years ago
|
||
Comment on attachment 8551430 [details] [diff] [review] Patch, v1 Approval Request Comment (See above)
Attachment #8551430 -
Flags: approval-mozilla-beta?
Attachment #8551430 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 13•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8bab67d1c792
|
||
Updated•9 years ago
|
blocking-b2g: 2.2? → 2.2+
Flags: needinfo?(bbajaj)
|
||
Updated•9 years ago
|
Attachment #8551430 -
Flags: approval-mozilla-beta?
Attachment #8551430 -
Flags: approval-mozilla-beta+
Attachment #8551430 -
Flags: approval-mozilla-aurora?
Attachment #8551430 -
Flags: approval-mozilla-aurora+
|
||
Comment 14•9 years ago
|
||
This was merged to m-c: https://hg.mozilla.org/mozilla-central/rev/8bab67d1c792 https://hg.mozilla.org/releases/mozilla-aurora/rev/d947f5f0abca https://hg.mozilla.org/releases/mozilla-beta/rev/508190797a80
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
|
|
||
Updated•9 years ago
|
Group: dom-core-security
|
||
Comment 16•9 years ago
|
||
This bug was reported by codeaurora.org. IMO, we can enable QC confidential group.
Group: qualcomm-confidential
|
||
Comment 17•9 years ago
|
||
Kevin, I don't think this is necessary, there is no confidential information in this bug.
|
||
Updated•9 years ago
|
No longer blocks: CAF-v2.2-metabug
|
|
||
Comment 18•9 years ago
|
||
(In reply to Kevin Hu [:khu] from comment #16) > This bug was reported by codeaurora.org. IMO, we can enable QC confidential > group. Just FYI, this group is not really needed in general. QC confidential data has no place on bugzilla.
Group: qualcomm-confidential
|
|
||
Comment 19•9 years ago
|
||
Could this bug be triggered outside of Firefox OS?
Flags: needinfo?(bent.mozilla)
|
|
||
Updated•9 years ago
|
Whiteboard: [b2g-crash][caf-crash 442][caf priority: p1][CR 782853] → [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-]
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
|
||
Updated•8 years ago
|
Group: core-security-release
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•