Closed
Bug 1337052
Opened 8 years ago
Closed 8 years ago
Crash in nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1337814
| Tracking | Status | |
|---|---|---|
| firefox53 | --- | unaffected |
| firefox54 | --- | affected |
People
(Reporter: calixte, Unassigned)
References
Details
(Keywords: crash, csectype-wildptr, sec-critical)
Crash Data
This bug was filed from the Socorro interface and is
report bp-232aa120-f1f7-433d-b69f-789a32170206.
=============================================================
There are 61 crashes in nightly with build-id 20170205030206.
Flags: needinfo?(bugs)
|
Reporter | |
Comment 1•8 years ago
|
||
There are 51 crashes with signature "@0x0 | nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable" and 4 with signature "xul.dll@0x25bd9c8 | nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable"
Crash Signature: [@ nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable] → [@ nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable]
[@ @0x0 | nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable ]
[@ xul.dll@0x25bd9c8 | nsTArray_Impl<T>::RemoveEl…
|
||
Comment 2•8 years ago
|
||
per calixte, this is a wild ptr (or UAF) exec crash in 54, during cycle collection.
Group: core-security
Keywords: csectype-wildptr,
sec-critical
|
||
Comment 3•8 years ago
|
||
Assuming this is a regression from 0204 build, regression range could be
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7aa5e444af0ff686714d6165bd0e7e6d1abd0970&tochange=3e555770a90a41e04bbb4ac41b65fa2f1db6977d
|
|
||
Comment 4•8 years ago
|
||
All the stacks have something weird after the call in FireForgetSkippable.
Memory corruption?
|
|
||
Comment 5•8 years ago
|
||
On linux I think I'm seeing crashes starting earlier.
Possible regression range
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f985243bb630b2c78cd57731c8d8ab191aa09527&tochange=2aede0a97bc685e163196cc451b947a04ae6a598
|
|
Reporter | |
Updated•8 years ago
|
Crash Signature: nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable ] → nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable ]
[@ xul.dll@0x25b0450 | nsTArray_Impl<T>::RemoveElementsAt | nsTArray_Impl<T>::RemoveElementsAt | FireForgetSkippable ]
|
|
||
Comment 6•8 years ago
|
||
This looks similar to https://bugzilla.mozilla.org/show_bug.cgi?id=1315232
|
||
Updated•8 years ago
|
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•8 years ago
|
Flags: needinfo?(bugs)
|
|
||
Comment 8•8 years ago
|
||
We should make sure these signatures actually go away, of course.
|
|
||
Comment 9•8 years ago
|
||
sure, especially because couple of other interesting patches landed around the same time we started to see these crashes.
|
|
||
Comment 10•8 years ago
|
||
I guess I'll leave it unduplicated for now.
Status: RESOLVED → REOPENED
status-firefox53:
--- → unaffected
Depends on: 1337814
Resolution: DUPLICATE → ---
|
||
Updated•8 years ago
|
Group: core-security → dom-core-security
|
|
||
Comment 11•8 years ago
|
||
I don't see any crashes on builds newer than 2-5.
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
Resolution: --- → DUPLICATE
|
Assignee | |
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
|
|
||
Updated•5 years ago
|
Group: dom-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•