Closed Bug 1318998 Opened 8 years ago Closed 8 years ago

Crash in mozilla::dom::Element::UnregisterIntersectionObserver

Categories

(Core :: DOM: Core & HTML, defect, P1)

Unspecified
Linux
defect

Tracking

RESOLVED FIXED
mozilla53
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- unaffected
firefox52 --- disabled
firefox-esr52 --- disabled
firefox53 --- fixed

People

(Reporter: n.nethercote, Assigned: tschneider)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [post-critsmash-triage])

Crash Data

This bug was filed from the Socorro interface and is report bp-04552606-54bc-44a9-b328-c9ce62161120.
=============================================================

New topcrash, first showing up in Nightly 20161118030222 and occurring 211 times since then, which makes it #1 after ShutdownKill crashes. Happens on Windows, Mac and Linux.

It looks like |observer| is null when the crash occurs.

Judging from the timing, I suspect this is fallout from the fix to a related crash in bug 1315837 :( tschneider, can you please investigate?
Flags: needinfo?(tschneider)
On it.
Flags: needinfo?(tschneider)
Taking comment 1 literally :)
Assignee: nobody → tschneider
Priority: -- → P1
This should be fixed with current patches from Bug 1315837.
No longer blocks: 1315837
Depends on: 1315837
Note that around 50% of crashes have a UAF signature. Also, quite a few crashes on the bug with the apparent fix are UAFs as well (though the fix is partly backed-out on aurora right now).
Group: core-security
tobytailor, there are a number of crash bugs filed relating to DOM Intersections, and there are crashes on Nightly and Aurora, and also backouts. I confess to being confused by the current state of things. Are you able to summarize?
Flags: needinfo?(tschneider)
Group: core-security → core-security-release
Olli is disabling intersection observers in bug 1320704.
Depends on: 1320704
From bug 1317415, njn said:
I have confirmed that disabling the API (bug 1320704) has made these crashes go away for both Nightly and Aurora. See bug 1320704 comment 14 for details.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Flags: needinfo?(tschneider)
Crash volume for signature 'mozilla::dom::Element::UnregisterIntersectionObserver':
 - nightly (version 53): 933 crashes from 2016-11-14.
 - aurora  (version 52): 616 crashes from 2016-11-14.
 - beta    (version 51): 0 crashes from 2016-11-14.
 - release (version 50): 0 crashes from 2016-11-01.
 - esr     (version 45): 0 crashes from 2016-07-06.

Crash volume on the last weeks (Week N is from 01-02 to 01-08):
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       7       6      14      34      68     609     195
 - aurora        0      14      18      35     464      85       0
 - beta          0       0       0       0       0       0       0
 - release       0       0       0       0       0       0       0
 - esr           0       0       0       0       0       0       0

Affected platforms: Windows, Mac OS X, Linux

Crash rank on the last 7 days:
           Browser   Content   Plugin
 - nightly #59       #10
 - aurora  #488      #22
 - beta
 - release
 - esr
Basically all the crashes seem to be versions from 201611xx; before the fix.  One crash after that but appears to be a different issue.
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
Component: DOM → DOM: Core & HTML