Created attachment 8727178
poc.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36

Steps to reproduce:

Please see the PoC to reproduce the issue.

Actual results:

The browser crashed citing a null pointer dereference.

Expected results:

A race condition in IndexedDB leads to a null pointer exception. By repeatedly opening, performing operations, and closing IndexedDB database connections, it is possible to trigger a null pointer exception that crashes the browser. The PoC was tested on Mac OS X 10.11 with the release binary of Firefox 44.0.2 and can cause a crash within a few minutes of opening the PoC. Attempts to reproduce the issue on Ubuntu 15.10 and Windows 7 were unsuccessful.

The offending line is: dom/indexedDB/ActorsParent.cpp:6700

This becomes an issue when “mStorageConnection” is set to “nullptr” in dom/indexedDB/ActorsParent.cpp:10300.

A crash report is available at: https://crash-stats.mozilla.com/report/index/e8160559-442f-413c-a294-444852160306

I'm not certain if this represents a significant security threat, but I will mark it as so just in case.
Does this still reproduce using Nightly (v47, https://nightly.mozilla.org/ ) ?
I just ran my PoC on nightly for about two hours without a crash. I'll let it run until tomorrow AM, but it seems like this issue is fixed in nightly.
I couldn't reproduce on Mac Fx 44.0.2
I never saw any additional crashes on the nightly version. Is there any information I can provide that might assist in helping you reproduce this problem?
I retested with Firefox 45 and can't reproduce the crash. My guess is this is fixed now, and may have only been a problem on very specific setups.
I ran this overnight on trunk with no success. It certainly happens in the wild, because this is bug 1195149 and bug 1172822.