Closed Bug 1272795 Opened 8 years ago Closed 8 years ago

Crash in mozilla::SegmentedVector<T>::PopLastN since Firefox 47

Categories

(Core :: DOM: Core & HTML, defect)

47 Branch
x86
Windows 10
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1045992
Tracking Status
firefox47 --- affected
firefox48 --- unaffected
firefox49 --- unaffected
firefox50 --- affected

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash, csectype-uaf)

Crash Data

This bug was filed from the Socorro interface and is report bp-f33eee5d-d6ed-4caa-ba05-1696f2160325.
=============================================================
Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) 	mfbt/SegmentedVector.h:266
1 	xul.dll 	mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) 	dom/bindings/BindingUtils.h:2896
2 	xul.dll 	mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) 	xpcom/base/CycleCollectedJSRuntime.cpp:1455
3 	xul.dll 	mozilla::IncrementalFinalizeRunnable::Run() 	xpcom/base/CycleCollectedJSRuntime.cpp:1489
4 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:994
5 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:95
6 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:227
7 	xul.dll 	nsThreadManager::GetCurrentThread(nsIThread**) 	xpcom/threads/nsThreadManager.cpp:315
8 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp:156
9 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp:281
10 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp:4368
11 	xul.dll 	XREMain::XRE_main(int, char** const, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp:4465
12 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:4567
13 	explorerframe.dll 	Windows::Internal::ComTaskPool::CTaskWrapper<<lambda_b3b2b56de086b9147614d4545510aca4> >::Run()

this signature is showing up in 47 pre-release builds for the first time.
One of these crashes has a DXGI_ERROR_UNSUPPORTED error when trying to create D3D11 device, but none of the other ones I looked at have it, so likely not related.
Hi philipp,

Do we have any STR or a test case on how to reproduce this issue? Socorro reports show 70 crashes in the last 3 days alone.
Flags: needinfo?(madperson)
unfortunately not - i was only filing the bug report because i stumbled across the signature while looking at crash stats. there are no user comments as of yet either that would point towards a particular cause of the crash.
at https://bugzilla.mozilla.org/show_bug.cgi?id=1170045#c14 it was said that this might only be a shift in signatures.
Flags: needinfo?(madperson)
Crash Signature: [@ mozilla::SegmentedVector<T>::PopLastN] → [@ mozilla::SegmentedVector<T>::PopLastN] [@ @0x0 | mozilla::SegmentedVector<T>::PopLastN]
The signature from comment 0 is a (near) null deref, but several crashing at the same place show use-after-free signatures
  bp-19b280e9-374c-4379-b6ab-cc2d22160521
  bp-f5f8837c-254f-4e70-ac24-e1fae2160522

One was also a scary EXCEPTION_ACCESS_VIOLATION_EXEC
  bp-6f3ac9c7-ef76-44bc-9051-5e94b2160520
Group: dom-core-security
Component: Untriaged → DOM
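The distinction drawn in the comment above matters for rating: one signature covers reports that are plain near-null reads alongside reports whose faulting addresses look like freed-memory poison or that fault on execute, and only the latter justify treating the bucket as a potential use-after-free rather than a denial-of-service crash. As an added example that is not part of this bug, of Socorro or of Firefox, the Python below applies that triage heuristic to a constructed set of records. The report ids and addresses are invented, and the 64 KiB near-null threshold, the class names and the severity ranking are assumptions made for this example.

```python
"""Triage heuristics for a bucket of crash reports sharing one signature.

Constructed example: the records are made up and the thresholds are
assumptions, not Socorro's own classification rules.
"""
from collections import Counter

# Constructed sample in the shape of a crash listing:
# (report id, crash reason, crashing address). Ids and addresses are invented.
SAMPLE_CRASHES = [
    ("bp-example-0001", "EXCEPTION_ACCESS_VIOLATION_READ",  0x0000000000000008),
    ("bp-example-0002", "EXCEPTION_ACCESS_VIOLATION_READ",  0x00000000E5E5E5E5),
    ("bp-example-0003", "EXCEPTION_ACCESS_VIOLATION_WRITE", 0x0000000100000070),
    ("bp-example-0004", "EXCEPTION_ACCESS_VIOLATION_EXEC",  0x000000001A2B3C4D),
    ("bp-example-0005", "EXCEPTION_ACCESS_VIOLATION_READ",  0x0000000000000000),
]

NEAR_NULL_LIMIT = 0x10000   # assumption: faults below 64 KiB are null-deref family
POISON_BYTES = ("e5",)      # jemalloc free-poison byte pattern used by Firefox

# Higher number = more worrying for a security triager (assumed ranking).
SEVERITY = {"near-null": 0, "wild": 1, "poisoned-uaf": 2, "exec": 3}


def looks_poisoned(address: int) -> bool:
    """True when the address is a freed-memory poison pattern plus a small offset.

    A pointer loaded from freed memory reads as 0xe5e5e5e5; dereferencing a
    field of that phantom object faults at 0xe5e5e5xx. So the low byte is
    ignored and the remaining bytes must all be the same poison byte.
    """
    hexstr = f"{address:x}"
    head = hexstr[:-2]
    if len(head) < 6 or len(head) % 2:
        return False
    pairs = {head[i:i + 2] for i in range(0, len(head), 2)}
    return len(pairs) == 1 and pairs.pop() in POISON_BYTES


def classify(reason: str, address: int) -> str:
    """Assign one report to a triage class from its reason and fault address."""
    if reason.endswith("_EXEC"):
        return "exec"            # control flow reached non-executable memory
    if address < NEAR_NULL_LIMIT:
        return "near-null"       # null pointer plus a field offset
    if looks_poisoned(address):
        return "poisoned-uaf"    # pointer read out of freed, poisoned memory
    return "wild"                # some other invalid address


def triage(records):
    """Count how the reports in a bucket split across the classes."""
    return dict(Counter(classify(reason, addr) for _, reason, addr in records))


def highest_severity(records) -> str:
    """The class that should drive the bug's severity rating."""
    return max((classify(r, a) for _, r, a in records), key=SEVERITY.__getitem__)


if __name__ == "__main__":
    for rid, reason, addr in SAMPLE_CRASHES:
        print(f"{rid}  {reason:<34} 0x{addr:016x}  {classify(reason, addr)}")
    print("split:", triage(SAMPLE_CRASHES))
    print("worst:", highest_severity(SAMPLE_CRASHES))
```

The point of `highest_severity` is that a bucket is rated by its worst member: a signature that is 90% near-null reads still earns a sec-high style rating if a single report faults on execute or on a poison-pattern address, which is the reasoning the comment above applies by hand.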
This particular signature only shows up in 47 for some reason.
Andrew, do you know about this stuff?
Flags: needinfo?(continuation)
This looks like a dupe of bug 1162024. See also bug 1269245 and bug 997908. The signature changed in 47 because of bug 1170045, so it isn't a real regression.
Flags: needinfo?(continuation)
Keywords: regression
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
This is not really actionable, unfortunately.
Crash volume for signature 'mozilla::SegmentedVector<T>::PopLastN':
 - nightly (version 50): 11 crashes from 2016-06-06.
 - aurora  (version 49): 30 crashes from 2016-06-07.
 - beta    (version 48): 600 crashes from 2016-06-06.
 - release (version 47): 1842 crashes from 2016-05-31.
 - esr     (version 45): 0 crashes from 2016-04-07.

Crash volume over the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       1       4       2       1       1       0       1
 - aurora        4       5       6       6       4       4       1
 - beta         84      79      75      67      91     116      60
 - release     261     218     239     235     270     274     219
 - esr           0       0       0       0       0       0       0

Affected platforms: Windows, Mac OS X, Linux
Group: dom-core-security
Keywords: sec-high
Component: DOM → DOM: Core & HTML