This bug was filed from the Socorro interface and is report bp-69261ff0-3c07-4512-82b1-8516d2150309.
=============================================================
Stack Frames:
0 nss3.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c
1 xul.dll mozilla::plugins::FinishInjectorInitTask::PostToMainThread() dom/plugins/ipc/PluginModuleParent.cpp
2 xul.dll mozilla::plugins::PluginModuleChromeParent::GetToolhelpSnapshot(void*) dom/plugins/ipc/PluginModuleParent.cpp
3 ntdll.dll RtlpWorkerCallout
4 ntdll.dll RtlpExecuteWorkerRequest
5 ntdll.dll RtlpApcCallout
6 ntdll.dll RtlpExecuteWorkerRequest
7 kernel32.dll BaseThreadStart

This is new in the 2015-03-08 Nightly build and didn't happen before (but we already have a few reports from the -03-09 build as well). I'm marking this as security as almost all crashes here get a high exploitability rating and have address 0x5a5a5a62, which is a small offset from the memory poisoning and therefore smells like use-after-free.
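The triage heuristic used in the report above (a crash address that sits a small offset past a memory-poison fill pattern suggests a use-after-free), written out as an added example; this is not code from the bug or from the Mozilla tree, and the poison bytes, the offset threshold and the extra sample addresses are assumptions or constructed values:

```python
# Added example: flag crash addresses that sit a short distance past a
# memory-poison fill pattern, the reasoning used in the report above to
# suspect a use-after-free. Poison bytes and sample data are assumptions.
from typing import NamedTuple, Optional

# Assumed fill bytes: 0x5a is the pattern behind 0x5a5a5a62 on this page;
# 0xe5 is included as another commonly seen free-poison byte (assumption).
POISON_BYTES = (0x5A, 0xE5)
MAX_OFFSET = 0x1000  # assumed: "small offset" = within one page of the pattern


class PoisonHit(NamedTuple):
    poison_byte: int
    width_bits: int
    offset: int


def poison_pattern(byte: int, width_bits: int) -> int:
    """Repeat one byte across a 32- or 64-bit word, e.g. 0x5a -> 0x5a5a5a5a."""
    return int.from_bytes(bytes([byte]) * (width_bits // 8), "little")


def classify_crash_address(addr: int, width_bits: int = 32) -> Optional[PoisonHit]:
    """Return the poison byte and offset if addr lies just past a poison pattern."""
    for byte in POISON_BYTES:
        base = poison_pattern(byte, width_bits)
        offset = addr - base
        if 0 <= offset <= MAX_OFFSET:
            return PoisonHit(byte, width_bits, offset)
    return None


def triage(reports):
    """Given (report_id, crash_addr) pairs, return the ids that look poisoned."""
    return [rid for rid, addr in reports if classify_crash_address(addr) is not None]


# Constructed sample: the report from this bug plus two made-up addresses.
SAMPLE_REPORTS = [
    ("bp-69261ff0-3c07-4512-82b1-8516d2150309", 0x5A5A5A62),  # from the page
    ("bp-constructed-0001", 0x00000010),                      # near-null deref
    ("bp-constructed-0002", 0x6F3C21A0),                      # ordinary heap address
]

if __name__ == "__main__":
    for rid, addr in SAMPLE_REPORTS:
        print(rid, hex(addr), classify_crash_address(addr))
```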
[Tracking Requested - why for this release]: Forgot to mention this is the #1 crash in yesterday's Nightly build with >50% of all crashes.
tracking-firefox39: --- → ?
Tracking for 39 since this is a regression, a topcrash, and probably a security issue.
status-firefox38: --- → unaffected
status-firefox39: --- → affected
tracking-firefox39: ? → +
The FinishInjectorInitTask is being destroyed in a way that we weren't expecting. It should be pretty easy for me to find that case and deal with it appropriately.
Created attachment 8574987 [details] [diff] [review] Ensure that PostToMainThread is done before returning from Run
Attachment #8574987 - Flags: review?(dmajor)
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox39: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
We should check back on crash-stats to verify the fix in a day or so.
No crashes reported with the first Nightly build (2015031103) after the fix landed. Overall Nightly crash volume is dropping because of it. :-)
Status: RESOLVED → VERIFIED
status-firefox39: fixed → verified
status-firefox-esr31: --- → unaffected
status-b2g-v2.0: --- → unaffected
status-b2g-v2.0M: --- → unaffected
status-b2g-v2.1: --- → unaffected
status-b2g-v2.1S: --- → unaffected
status-b2g-v2.2: --- → unaffected