Closed Bug 1157284 Opened 9 years ago Closed 9 years ago

crash in WorkerPrivate::NotifyFeatures after closing/refreshing page involving self.close()

Categories

(Core :: DOM: Workers, defect)
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 1155546

People

(Reporter: luke, Unassigned)

Details

(Keywords: csectype-uaf, sec-critical)

The crash happens after visiting http://lukewagner.github.io/AngryBotsPacked/game.html and clicking 'refresh' a few times (between 1 and 4 times for me). 
This seems to have appeared somewhat recently in nightlies for me.

Here are some reports:
https://crash-stats.mozilla.com/report/index/44c57535-94be-4292-99b0-26a682150422
https://crash-stats.mozilla.com/report/index/321851d8-a10d-428b-9368-7cc422150422
It looks like a null deref of 'feature'.
Ah, I think the bug isn't new, but rather I just added a call to 'close' in the worker (right after it finishes its work so we don't have to wait for GC).  If you take out the close call in asmjsunpack-worker.js, I can't reproduce the crash.

I was also able to reproduce the crash by just closing the tab (no refresh), this time in _fini.
https://crash-stats.mozilla.com/report/index/69f40c62-e4d9-4823-b4e5-62ba42150422
Note that the self.close() happens early in page load (before the first WebGL frame is drawn) and the crash only happens when closing the page.
Summary: crash in WorkerPrivate::NotifyFeatures after refreshing app using workers → crash in WorkerPrivate::NotifyFeatures after closing/refreshing page involving self.close()
Oops, should have filed this s-s (I initially thought it was just a regression in the last nightly).
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release