Closed
Bug 1318998
Opened 8 years ago
Closed 8 years ago
Crash in mozilla::dom::Element::UnregisterIntersectionObserver
Categories
(Core :: DOM: Core & HTML, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | disabled |
firefox-esr52 | --- | disabled |
firefox53 | --- | fixed |
People
(Reporter: n.nethercote, Assigned: tschneider)
References
Details
(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage])
Crash Data
This bug was filed from the Socorro interface and is report bp-04552606-54bc-44a9-b328-c9ce62161120. ============================================================= New topcrash, first showing up in Nightly 20161118030222 and occurring 211 times since then, which makes it #1 after ShutdownKill crashes. Happens on Windows, Mac and Linux. It looks like |observer| is null when the crash occurs. Judging from the timing, I suspect this is fallout from the fix to a related crash in bug 1315837 :( tschneider, can you please investigate?
Flags: needinfo?(tschneider)
Assignee | ||
Comment 3•8 years ago
|
||
This should be fixed with current patches from Bug 1315837.
Assignee | ||
Updated•8 years ago
|
Comment 4•8 years ago
|
||
Note that around 50% of crashes have a UAF signature. Also, quite a few crashes on the bug with the apparent fix are UAFs as well (though the fix is partly backed-out on aurora right now)
Group: core-security
Keywords: csectype-uaf,
sec-high
Reporter | ||
Comment 5•8 years ago
|
||
tobytailor, there are a number of crash bugs filed relating to DOM Intersections, and there are crashes on Nightly and Aurora, and also backouts. I confess to being confused by the current state of things. Are you able to summarize?
Flags: needinfo?(tschneider)
Updated•8 years ago
|
Group: core-security → core-security-release
Comment 7•8 years ago
|
||
From bug 1317415, njn said: I have confirmed that disabling the API (bug 1320704) has made these crashes go away for both Nightly and Aurora. See bug 1320704 comment 14 for details.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•7 years ago
|
Flags: needinfo?(tschneider)
Comment 8•7 years ago
|
||
Crash volume for signature 'mozilla::dom::Element::UnregisterIntersectionObserver': - nightly (version 53): 933 crashes from 2016-11-14. - aurora (version 52): 616 crashes from 2016-11-14. - beta (version 51): 0 crashes from 2016-11-14. - release (version 50): 0 crashes from 2016-11-01. - esr (version 45): 0 crashes from 2016-07-06. Crash volume on the last weeks (Week N is from 01-02 to 01-08): W. N-1 W. N-2 W. N-3 W. N-4 W. N-5 W. N-6 W. N-7 - nightly 7 6 14 34 68 609 195 - aurora 0 14 18 35 464 85 0 - beta 0 0 0 0 0 0 0 - release 0 0 0 0 0 0 0 - esr 0 0 0 0 0 0 0 Affected platforms: Windows, Mac OS X, Linux Crash rank on the last 7 days: Browser Content Plugin - nightly #59 #10 - aurora #488 #22 - beta - release - esr
status-firefox52:
--- → affected
status-firefox53:
--- → affected
Comment 9•7 years ago
|
||
Basically all the crashes seem to be versions from 201611xx; before the fix. One crash after that but appears to be a different issue.
Updated•7 years ago
|
status-firefox51:
--- → unaffected
Target Milestone: --- → mozilla53
Updated•7 years ago
|
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → disabled
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•7 years ago
|
Group: core-security-release
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•