Closed Bug 1279967 Opened 9 years ago Closed 9 years ago

Crash in mozilla::dom::PBlobChild::DestroySubtree

Categories

(Core :: IPC, defect)

Version: 48 Branch
Platform: x86 macOS
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 1277614

People

(Reporter: h02332, Unassigned)

Details

Crash Data

This bug was filed from the Socorro interface and is report bp-e45b2661-2641-45e1-8382-f72352160613.
=============================================================
{
  "crash_info": {
    "address": "0x0",
    "crashing_thread": 0,
    "type": "EXC_BAD_ACCESS / EXC_I386_GPFLT"
  },
  "crashing_thread": {
    "frames": [
      {
        "file": "hg:hg.mozilla.org/integration/mozilla-inbound:obj-firefox/x86_64/ipc/ipdl/PBlobChild.cpp:4253296f212b",
        "frame": 0,
        "function": "mozilla::dom::PBlobChild::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>::ActorDestroyReason)",
        "function_offset": "0x1b",
        "line": 626,
        "module": "XUL",
        "module_offset": "0x9b866b",
        "offset": "0x1069c566b",
        "registers": {
          "r10": "0x0000000000000003",
          "r11": "0x000000018ff00de0",
          "r12": "0x00007fff59fe1100",
          "r13": "0x0000000000000003",
          "r14": "0x0000000000000003",
          "r15": "0x0000000120020d40",
          "r8": "0x000000010fd01080",
          "r9": "0x000000000000000e",
          "rax": "0xe5e5e5e5e5e5e5e5",
          "rbp": "0x00007fff59fe10e0",
          "rbx": "0x0000000000000004",
          "rcx": "0x0000000000000005",
          "rdi": "0x0000000120020d40",
          "rdx": "0x000000000000000c",
          "rip": "0x00000001069c566b",
          "rsi": "0x00000000e5e5e5e5",
          "rsp": "0x00007fff59fe10b0"
        },
        "trust": "context"
      },
      {
        "file": "hg:hg.mozilla.org/integration/mozilla-inbound:obj-firefox/x86_64/ipc/ipdl/PContentChild.cpp:4253296f212b",
        "frame": 1,
        "function": "mozilla::dom::PContentChild::DestroySubtree(mozilla::ipc::IProtocolManager<mozilla::ipc::IProtocol>::ActorDestroyReason)",
        "function_offset": "0x14e",
        "line": 10453,
        "module": "XUL",
        "module_offset": "0xae162e",
        "offset": "0x106aee62e",
        "trust": "cfi"
      },
Group: firefox-core-security → core-security
Component: Security → IPC
Product: Firefox → Core
This looks like a duplicate of bug 1277614.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
This particular crash looks like a safe null-deref, but it's hard to tell without a way to reproduce. The stack looks like this is probably a duplicate of bug 1277614, which should now be fixed on Firefox 48/49/50. The "e5e5e5" in r14 and rsi hints at use-after-free, which would be consistent with bug 1277614. You appear to be using a "mozilla-inbound" build (high churn, worse than "Nightly"), yet are two cycles (3 months!) behind. I strongly urge you not to do that. If you're going to stick with a release for a long time, pick a more stable branch, and preferably one that gets updates.
Group: core-security
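A small triage helper, added here as an example and not part of this bug or of Mozilla's tooling: it reads a Socorro crash-report excerpt of the shape posted above (the values are copied from this page's report) and flags crashing-frame registers that hold jemalloc's 0xe5 freed-memory poison fill, the use-after-free signal comment 2 points at. The function names, the 0x1000 null-page cut-off and the verdict strings are my own choices.

```python
import json

# Socorro crash-report excerpt copied from the report on this page
# (bp-e45b2661-2641-45e1-8382-f72352160613), trimmed to the fields used here.
CRASH_REPORT = json.loads("""{
  "crash_info": {"address": "0x0", "crashing_thread": 0,
                 "type": "EXC_BAD_ACCESS / EXC_I386_GPFLT"},
  "crashing_thread": {"frames": [{
    "frame": 0,
    "function": "mozilla::dom::PBlobChild::DestroySubtree(...)",
    "registers": {
      "rax": "0xe5e5e5e5e5e5e5e5", "rbx": "0x0000000000000004",
      "rdi": "0x0000000120020d40", "rsi": "0x00000000e5e5e5e5",
      "r14": "0x0000000000000003", "rsp": "0x00007fff59fe10b0"}}]}
}""")

POISON_BYTE = 0xE5   # Mozilla's jemalloc fills freed allocations with 0xe5
NULL_PAGE = 0x1000   # assumed cut-off: faults below this are plain null derefs

def is_poisoned(hex_value, min_bytes=4):
    """True if at least the low min_bytes of the value are all 0xe5.
    Four bytes also catches a 32-bit load that was zero-extended (like rsi)."""
    v = int(hex_value, 16)
    return all(((v >> (8 * i)) & 0xFF) == POISON_BYTE for i in range(min_bytes))

def poisoned_registers(report):
    """Names of crashing-frame registers holding the freed-memory poison fill."""
    frame0 = report["crashing_thread"]["frames"][0]
    regs = frame0.get("registers", {})
    return sorted(name for name, val in regs.items() if is_poisoned(val))

def classify(report):
    """Rough triage verdict from the crash address and register contents."""
    addr = int(report["crash_info"]["address"], 16)
    poisoned = poisoned_registers(report)
    if poisoned:
        # x86-64 raises a general-protection fault (EXC_I386_GPFLT) for a
        # non-canonical address such as 0xe5e5e5e5e5e5e5e5, and the reported
        # fault address is then 0, so the poison fill outweighs the "0x0".
        return "likely use-after-free (poison in %s)" % ", ".join(poisoned)
    if addr < NULL_PAGE:
        return "null dereference at 0x%x" % addr
    return "wild access at 0x%x" % addr

if __name__ == "__main__":
    print(classify(CRASH_REPORT))
```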
Hi! Hoyt here.. I think Comment #2 is directed at me.. so just a few quick notes.. The UA report is from FF Developer 49.0xx.. I filed the bug report on Jun-13-2016, so whatever the current rev was for FFDev, that is what I was using at the time.. In context, it was a fuzzing session driven from the Burpsuite API. I don't have any reproduction due to the state file being unrecoverable. :-( The bug report was made due to FFDev crashing, then giving me the splash screen from about:crashes that various reports weren't submitted.. so I just submitted automagically, but there was some issue, so I instead entered it in Bugzilla. Sorry for any noise, but I wasn't sure about '2 cycles and 3 months behind', Nightly etc.. .. the UA is FF Developer 49a.x... maybe that is the disconnect.. -Hoyt