Closed Bug 1186435 Opened 4 years ago Closed 4 years ago
crash in nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*)
This bug was filed from the Socorro interface and is report bp-64939acf-e72b-4211-85d4-b5f8c2150722.
=============================================================
Top Frames:
0 xul.dll nsDNSRecord::GetNextAddr(unsigned short, mozilla::net::NetAddr*) netwerk/dns/nsDNSService2.cpp
1 xul.dll nsSocketTransport::RecoverFromError() netwerk/base/nsSocketTransport2.cpp
2 xul.dll nsSocketTransport::OnSocketDetached(PRFileDesc*) netwerk/base/nsSocketTransport2.cpp
3 xul.dll nsSocketTransportService::DetachSocket(nsSocketTransportService::SocketContext*, nsSocketTransportService::SocketContext*) netwerk/base/nsSocketTransportService2.cpp
4 xul.dll nsSocketTransportService::DoPollIteration(bool, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) netwerk/base/nsSocketTransportService2.cpp
5 xul.dll nsSocketTransportService::Run() netwerk/base/nsSocketTransportService2.cpp
6 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp
[...]

This crash signature started spiking in Nightly on 2015-07-20, a number of the addresses in 32bit like bp-1097f423-b6e1-4055-bd5f-5cd962150722 are 0x5a5a5a62 which is a small offset from our poison, pointing to use-after-free, so I'm marking this as a security bug. On 64bit crashes, the rax register has the poison value 0x5a5a5a5a5a5a5a5a as can be seen by looking at the "Raw Dump" tab on the report I'm filing this from.

This signature seems to happen on all OSes and older versions, but the spike on Nightly 42 is Windows-only so far:
https://crash-stats.mozilla.com/report/list?product=Firefox&range_value=7&range_unit=days&date=2015-07-21&signature=nsDNSRecord%3A%3AGetNextAddr%28unsigned+short%2C+mozilla%3A%3Anet%3A%3ANetAddr*%29&version=Firefox%3A42.0a1
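The poison-offset reasoning in the report above, as an added triage example that is not part of the original bug or of Mozilla's tooling: it classifies crash addresses by their distance from the 0x5a fill pattern. The names `classify`, `triage` and `MAX_OFFSET`, the width heuristic, and the last two sample addresses are assumptions made for illustration.

```python
# Added example: flag crash addresses that sit on or near the 0x5a poison fill.
POISON_BYTE = 0x5A
MAX_OFFSET = 0x1000  # assumption: member offsets into a freed object stay small


def poison_value(width_bits):
    """Return the poison byte repeated across a pointer of the given width."""
    return int.from_bytes(bytes([POISON_BYTE]) * (width_bits // 8), "big")


def classify(address, width_bits=None):
    """Return (verdict, offset) for a crash address given as int or hex string.

    'poison' is an exact match, 'near-poison' is within MAX_OFFSET of the
    poison value (a use-after-free hint), anything else is 'other'.
    """
    if isinstance(address, str):
        address = int(address, 16)
    if width_bits is None:
        # Assumption: a value that fits in 32 bits came from a 32-bit process.
        width_bits = 32 if 0 <= address <= 0xFFFFFFFF else 64
    if address < 0 or address >= 1 << width_bits:
        raise ValueError("address does not fit the pointer width")
    offset = address - poison_value(width_bits)
    if offset == 0:
        return "poison", 0
    if abs(offset) <= MAX_OFFSET:
        return "near-poison", offset
    return "other", None


def triage(addresses):
    """Count verdicts over a batch of crash addresses."""
    counts = {"poison": 0, "near-poison": 0, "other": 0}
    for addr in addresses:
        counts[classify(addr)[0]] += 1
    return counts


# First two values are quoted in the report; the last two are constructed.
SAMPLES = ["0x5a5a5a62", "0x5a5a5a5a5a5a5a5a", "0x00000008", "0x7ff6120a4410"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
    print(triage(SAMPLES))
```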
Regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9c919ce631ea&tochange=5df788c56ae7
Possibly Bug 1143922 or Bug 1175803?
No clue at the moment, and I am unfortunately not a network peer. Dragana, you have worked on similar problems (Bug 955900, Bug 1132358); any ideas? Is that the same problem as in Bug 1132358; maybe it's yet another corner case?
Flags: needinfo?(mozilla) → needinfo?(dd.mozilla)
Valentin, could this be from the recent mem leak patch you landed?
It seems most likely that bug 1183781 is to blame. Not sure why at the moment, but I think the safest thing is to back out the changeset.
Bug 1183781 backed out.
The backout seems to have worked. No crashes from nightly 0723.