Closed
Bug 1272795
Opened 8 years ago
Closed 8 years ago
Crash in mozilla::SegmentedVector<T>::PopLastN since Firefox 47
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED DUPLICATE of bug 1045992
Tracking | Status | |
---|---|---|
firefox47 | --- | affected |
firefox48 | --- | unaffected |
firefox49 | --- | unaffected |
firefox50 | --- | affected |
People
(Reporter: philipp, Unassigned)
Details
(Keywords: crash, csectype-uaf)
Crash Data
This bug was filed from the Socorro interface and is report bp-f33eee5d-d6ed-4caa-ba05-1696f2160325.

Crashing Thread (0)

Frame | Module | Signature | Source |
---|---|---|---|
0 | xul.dll | mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) | mfbt/SegmentedVector.h:266 |
1 | xul.dll | mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) | dom/bindings/BindingUtils.h:2896 |
2 | xul.dll | mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) | xpcom/base/CycleCollectedJSRuntime.cpp:1455 |
3 | xul.dll | mozilla::IncrementalFinalizeRunnable::Run() | xpcom/base/CycleCollectedJSRuntime.cpp:1489 |
4 | xul.dll | nsThread::ProcessNextEvent(bool, bool*) | xpcom/threads/nsThread.cpp:994 |
5 | xul.dll | mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) | ipc/glue/MessagePump.cpp:95 |
6 | xul.dll | MessageLoop::RunHandler() | ipc/chromium/src/base/message_loop.cc:227 |
7 | xul.dll | nsThreadManager::GetCurrentThread(nsIThread**) | xpcom/threads/nsThreadManager.cpp:315 |
8 | xul.dll | nsBaseAppShell::Run() | widget/nsBaseAppShell.cpp:156 |
9 | xul.dll | nsAppStartup::Run() | toolkit/components/startup/nsAppStartup.cpp:281 |
10 | xul.dll | XREMain::XRE_mainRun() | toolkit/xre/nsAppRunner.cpp:4368 |
11 | xul.dll | XREMain::XRE_main(int, char** const, nsXREAppData const*) | toolkit/xre/nsAppRunner.cpp:4465 |
12 | xul.dll | XRE_main | toolkit/xre/nsAppRunner.cpp:4567 |
13 | explorerframe.dll | Windows::Internal::ComTaskPool::CTaskWrapper<<lambda_b3b2b56de086b9147614d4545510aca4> >::Run() | |

this signature is showing up in 47 pre-release builds for the first time.
One of these crashes has a DXGI_ERROR_UNSUPPORTED error when trying to create D3D11 device, but none of the other ones I looked at have it, so likely not related.
Hi philipp, do we have any STR or a test case on how to reproduce this issue? Socorro reports show 70 crashes in the last 3 days alone.
Flags: needinfo?(madperson)
Reporter
Comment 3•8 years ago
Unfortunately not - I was only filing the bug report because I stumbled across the signature while looking at crash stats. There are no user comments as of yet either that would point towards a particular cause of the crash. At https://bugzilla.mozilla.org/show_bug.cgi?id=1170045#c14 it was said that this might only be a shift in signatures.
Flags: needinfo?(madperson)
Updated•8 years ago
Crash Signature: [@ mozilla::SegmentedVector<T>::PopLastN] → [@ mozilla::SegmentedVector<T>::PopLastN]
[@ @0x0 | mozilla::SegmentedVector<T>::PopLastN]
Comment 4•8 years ago
The signature from comment 0 is a (near) null deref, but several crashing at the same place show use-after-free signatures:

- bp-19b280e9-374c-4379-b6ab-cc2d22160521
- bp-f5f8837c-254f-4e70-ac24-e1fae2160522

One was also a scary EXCEPTION_ACCESS_VIOLATION_EXEC:

- bp-6f3ac9c7-ef76-44bc-9051-5e94b2160520
Comment 5•8 years ago
This particular signature only shows up in 47 for some reason.
Comment 7•8 years ago
This looks like a dupe of bug 1162024. See also bug 1269245 and bug 997908. The signature changed in 47 because of bug 1170045, so it isn't a real regression.
Flags: needinfo?(continuation)
Keywords: regression
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Comment 9•8 years ago
This is not really actionable, unfortunately.
Comment 10•8 years ago
Crash volume for signature 'mozilla::SegmentedVector<T>::PopLastN':

- nightly (version 50): 11 crashes from 2016-06-06.
- aurora (version 49): 30 crashes from 2016-06-07.
- beta (version 48): 600 crashes from 2016-06-06.
- release (version 47): 1842 crashes from 2016-05-31.
- esr (version 45): 0 crashes from 2016-04-07.

Crash volume on the last weeks:

Channel | W. N-1 | W. N-2 | W. N-3 | W. N-4 | W. N-5 | W. N-6 | W. N-7 |
---|---|---|---|---|---|---|---|
nightly | 1 | 4 | 2 | 1 | 1 | 0 | 1 |
aurora | 4 | 5 | 6 | 6 | 4 | 4 | 1 |
beta | 84 | 79 | 75 | 67 | 91 | 116 | 60 |
release | 261 | 218 | 239 | 235 | 270 | 274 | 219 |
esr | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

Affected platforms: Windows, Mac OS X, Linux

status-firefox50: --- → affected
Assignee
Updated•5 years ago
Component: DOM → DOM: Core & HTML