Closed Bug 1157284 Opened 10 years ago Closed 10 years ago

crash in WorkerPrivate::NotifyFeatures after closing/refreshing page involving self.close()

Categories

(Core :: DOM: Workers, defect)

defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 1155546

People

(Reporter: luke, Unassigned)

Details

(Keywords: csectype-uaf, sec-critical)

The crash happens after visiting http://lukewagner.github.io/AngryBotsPacked/game.html and clicking 'refresh' a few times (between 1 and 4 times for me). This seems to have appeared somewhat recently in nightlies for me. Here's some reports: https://crash-stats.mozilla.com/report/index/44c57535-94be-4292-99b0-26a682150422 https://crash-stats.mozilla.com/report/index/321851d8-a10d-428b-9368-7cc422150422 It looks like a null deref of 'feature'.
Ah, I think the bug isn't new, but rather I just added a call to 'close' in the worker (right after it finishes its work so we don't have to wait for GC). If you take out the close call in asmjsunpack-worker.js, I can't reproduce the crash. I was also able to reproduce the crash by just closing the tab (no refresh), this time in _fini. https://crash-stats.mozilla.com/report/index/69f40c62-e4d9-4823-b4e5-62ba42150422 Note that the self.close() happens early in page load (before the first WebGL frame is drawn) and the crash only happens when closing the page.
Summary: crash in WorkerPrivate::NotifyFeatures after refreshing app using workers → crash in WorkerPrivate::NotifyFeatures after closing/refreshing page involving self.close()
Oops, should have filed this s-s (I initially thought it was just a regression in the last nightly).
Group: core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.