This bug was filed from the Socorro interface and is report bp-69261ff0-3c07-4512-82b1-8516d2150309.
=============================================================
Stack Frames:
0 nss3.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c
1 xul.dll mozilla::plugins::FinishInjectorInitTask::PostToMainThread() dom/plugins/ipc/PluginModuleParent.cpp
2 xul.dll mozilla::plugins::PluginModuleChromeParent::GetToolhelpSnapshot(void*) dom/plugins/ipc/PluginModuleParent.cpp
3 ntdll.dll RtlpWorkerCallout
4 ntdll.dll RtlpExecuteWorkerRequest
5 ntdll.dll RtlpApcCallout
6 ntdll.dll RtlpExecuteWorkerRequest
7 kernel32.dll BaseThreadStart

This is new in the 2015-03-08 Nightly build and didn't happen before (but we already have a few reports from the -03-09 build as well). I'm marking this as security as almost all crashes here get a high exploitability rating and have address 0x5a5a5a62, which is a small offset from the memory poisoning and therefore smells like use-after-free.
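A small triage helper, added here as an illustration and not part of the bug report or of Mozilla's code, that automates the reasoning in the comment above: a crash address that sits a small offset above a pointer-sized repetition of a poison byte points at a field of a freed, poison-filled object, which is the classic use-after-free signature. Only the 0x5a byte comes from the report; the other poison bytes, the offset threshold and the sample crash list are assumptions.

```python
# Added example, not code from the bug or from Mozilla. The 0x5a poison byte is
# taken from the report; every other poison byte, the max_offset threshold and
# the sample reports below are constructed assumptions for illustration.

POISON_BYTES = {
    0x5a: "free-poison byte named in the report",
    0xe5: "assumed alternative free-poison byte",
    0xcd: "assumed debug-heap uninitialised fill",
    0xdd: "assumed debug-heap freed fill",
}


def poison_pointer(byte, width):
    """Replicate one poison byte across a pointer of `width` bytes,
    i.e. the value a freed pointer field would hold after poisoning."""
    return int.from_bytes(bytes([byte]) * width, "little")


def classify_crash_address(addr, max_offset=0x1000, widths=(4, 8)):
    """Return (poison_byte, offset, description) when `addr` lies within
    `max_offset` above a poison-filled pointer (32- or 64-bit), else None.

    A hit means code loaded a pointer from freed memory and then accessed
    a field `offset` bytes into the object it was supposed to point at:
    0x5a5a5a62 is 0x5a5a5a5a + 8, so field at +8 of a freed object."""
    for width in widths:
        for byte, desc in POISON_BYTES.items():
            base = poison_pointer(byte, width)
            if base <= addr < base + max_offset:
                return byte, addr - base, desc
    return None


def triage(reports):
    """Group (signature, crash_address) pairs into 'likely-uaf' vs 'other'
    so the poison-adjacent crashes can be flagged for security review."""
    out = {}
    for sig, addr in reports:
        hit = classify_crash_address(addr)
        verdict = "likely-uaf" if hit else "other"
        out.setdefault(verdict, []).append((sig, addr, hit))
    return out


if __name__ == "__main__":
    # Constructed sample: the address from the report plus two unrelated
    # crashes (a null-page read and an ordinary-looking heap address).
    sample = [
        ("PR_Unlock | FinishInjectorInitTask::PostToMainThread", 0x5A5A5A62),
        ("SomeOtherSignature", 0x00000010),
        ("YetAnotherSignature", 0x0C3F2A40),
    ]
    for verdict, rows in triage(sample).items():
        for sig, addr, hit in rows:
            print(f"{verdict:11} {addr:#010x} {sig}" + (f"  (+{hit[1]:#x} from {hit[0]:#x} fill)" if hit else ""))
```

The offset returned is itself a useful triage clue: a consistent small offset across many reports of one signature means the same field of the same freed object type is being read every time, which is what the reporter observed here.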
[Tracking Requested - why for this release]: Forgot to mention this is the #1 crash in yesterday's Nightly build with >50% of all crashes.
Tracking for 39 since this is a regression, topcrash, and probably a security issue.
The FinishInjectorInitTask is being destroyed in a way that we weren't expecting. It should be pretty easy for me to find that case and deal with it appropriately.
Created attachment 8574987 [details] [diff] [review] Ensure that PostToMainThread is done before returning from Run
We should check back on crash-stats to verify the fix in a day or so.
No crashes reported with the first Nightly build (2015031103) after the fix landed. Overall Nightly crash volume is dropping because of it. :-)