crash in js::GCMarker::mark<T>(JSObject*)

RESOLVED DUPLICATE of bug 1207620

Status: RESOLVED DUPLICATE of bug 1207620
Priority: --
Severity: critical
Reported: 3 years ago
Last updated: 3 years ago

People: Reporter: lizzard, Unassigned

Tracking
Keywords: crash
Version: 43 Branch
Hardware: Unspecified, Windows NT
Points: ---

Firefox Tracking Flags: firefox43 affected

Details: crash signature

+++ This bug was initially created as a clone of Bug #1207620 +++

This bug was filed from the Socorro interface and is report bp-768c2eb6-2937-4bbc-aef4-402c82150922.
=============================================================

This signature is showing up as a topcrash for 43. It first appeared on 2015-06-16.

I just noticed, on looking over crashes for 43 that are marked "high", that this is often marked as such, though the report I filed in bug 1207620 is "low exploitability". Though maybe this isn't actionable, I thought it worth filing a new bug to see if there's anything useful here.

Here's a link to a list of the high exploitability crash reports with this signature:

https://crash-stats.mozilla.com/signature/?product=Firefox&version=43.0a2&exploitability=high&signature=js%3A%3AGCMarker%3A%3Amark%3CT%3E%28JSObject*%29&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&page=1#reports

Updated 3 years ago:
Crash Signature: [@ js::GCMarker::mark<T>(JSObject*)] → [@ js::GCMarker::mark<T>(JSObject*)] [@ js::GCMarker::mark<T>]
This is a pretty generic signature for memory corruption that happened at some point and doesn't cause problems until GC tries to clean up. There might be one new bug, or it could be just that signatures in the GC code changed making it _look_ like a new crash when it's really just a catch-all for the same many different memory corruptions that just trips us up in a slightly different place.
Keywords: sec-high
I don't think it is too useful to have this here and hidden, given that we know that it is known that this is a possible sign of memory corruptions. I'm just going to dupe this to the public bug.
Group: javascript-core-security
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Keywords: sec-high
Resolution: --- → DUPLICATE
Duplicate of bug: 1207620
No longer depends on: 1207620