Bug 1157284
crash in WorkerPrivate::NotifyFeatures after closing/refreshing page involving self.close()
Opened 10 years ago, closed 10 years ago
Status: RESOLVED DUPLICATE of bug 1155546
Categories: Core :: DOM: Workers, defect
People: Reporter: luke, Unassigned
Keywords: csectype-uaf, sec-critical
The crash happens after visiting http://lukewagner.github.io/AngryBotsPacked/game.html and clicking 'refresh' a few times (between 1 and 4 times for me).
This seems to have appeared somewhat recently in nightlies for me.
Here are some reports:
https://crash-stats.mozilla.com/report/index/44c57535-94be-4292-99b0-26a682150422
https://crash-stats.mozilla.com/report/index/321851d8-a10d-428b-9368-7cc422150422
It looks like a null deref of 'feature'.
Comment 1 • Reporter • 10 years ago
Ah, I think the bug isn't new, but rather I just added a call to 'close' in the worker (right after it finishes its work so we don't have to wait for GC). If you take out the close call in asmjsunpack-worker.js, I can't reproduce the crash.
I was also able to reproduce the crash by just closing the tab (no refresh), this time in _fini.
https://crash-stats.mozilla.com/report/index/69f40c62-e4d9-4823-b4e5-62ba42150422
Note that the self.close() happens early in page load (before the first WebGL frame is drawn) and the crash only happens when closing the page.
Summary: crash in WorkerPrivate::NotifyFeatures after refreshing app using workers → crash in WorkerPrivate::NotifyFeatures after closing/refreshing page involving self.close()
Comment 3 • Reporter • 10 years ago
Oops, should have filed this s-s (I initially thought it was just a regression in the last nightly).
Group: core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Updated • 9 years ago
Group: core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
Keywords: csectype-uaf, sec-critical