Hit MOZ_CRASH(element wasn't found in this list!) at LinkedList.h:635

RESOLVED FIXED in Firefox 54

Status


Core
DOM
RESOLVED FIXED
10 months ago
7 months ago

People

(Reporter: Tomcat, Assigned: farre)

Tracking

(Blocks: 2 bugs, 4 keywords)

unspecified
mozilla54
crash, csectype-uaf, regression, sec-critical
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr45 unaffected, firefox51 unaffected, firefox52 unaffected, firefox-esr52 unaffected, firefox53 unaffected, firefox54+ fixed)


Attachments

(4 attachments, 2 obsolete attachments)

(Reporter)

Description

10 months ago
Created attachment 8834954 [details]
bughunter stack

Hit MOZ_CRASH(element wasn't found in this list!) at c:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\src\obj-firefox\dist\include\mozilla/LinkedList.h:635

Found via bughunter and reproduced on latest m-c windows tinderbox trunk debug build.

Seems this is a debug only crash.

Steps to reproduce:
-> Load https://www.linkedin.com/company-beta/1680?pathWildcard=1680
--> Crash on load 

Filing as sec bug because we get asan heap-use-after-free that seems related for youtube urls
(Reporter)

Comment 1

10 months ago
Nathan, do you know who could take a look at this crash?
Flags: needinfo?(nfroyd)
(Reporter)

Comment 2

10 months ago
[Tracking Requested - why for this release]:

So far only trunk reports on bughunter for Windows and Linux, so this seems to be some kind of trunk regression.
status-firefox54: --- → affected
tracking-firefox54: --- → ?
Andreas, perhaps, since this involves idle requests/idle callbacks.
Component: General → DOM
Flags: needinfo?(nfroyd) → needinfo?(afarre)
(Reporter)

Comment 4

10 months ago
Created attachment 8834957 [details]
asan report
(Assignee)

Comment 5

10 months ago
Added :smaug. Looking at it now.
Flags: needinfo?(afarre)
(Assignee)

Updated

10 months ago
Assignee: nobody → afarre
This sounds very similar to bug 1315232, in terms of the test cases.
See Also: → bug 1315232

Comment 7

10 months ago
I hit this almost instantly when logging into LinkedIn and scrolling/loading the contact list on "My Network" [1].

[1] https://www.linkedin.com/mynetwork/

Comment 8

10 months ago
fwiw, we first saw the MOZ_CRASH and ASAN heap-use-after-free on 2017-01-29.

Updated

10 months ago
Duplicate of this bug: 1337707

Updated

10 months ago
status-firefox53: --- → unaffected
Keywords: csectype-uaf, regression, sec-critical
(In reply to Tim Taubert [:ttaubert] from comment #7)
> I hit this almost instantly when logging into LinkedIn and scrolling/loading
> the contact list on "My Network" [1].

Can you try that in an ASan build and attach the stack to this bug, please (if you have one handy)? Thanks.
Flags: needinfo?(ttaubert)

Updated

10 months ago
Duplicate of this bug: 1337804
(Assignee)

Comment 12

10 months ago
Created attachment 8834991 [details] [diff] [review]
0001-Bug-1337814-Add-test-for-cancelling-currently-execut.patch
Attachment #8834991 - Flags: review?(bugs)
(Assignee)

Comment 13

10 months ago
Created attachment 8834992 [details] [diff] [review]
0002-Bug-1337814-Remove-rIC-callback-from-pending-callbac.patch
Attachment #8834992 - Flags: review?(bugs)
(In reply to Andrew McCreight [:mccr8] from comment #10)
> Can you try that in an ASan build and attach the stack to this bug, please
> (if you have one handy)? Thanks.

So I downloaded the opt and debug versions of the m-c ASan builds. I can easily reproduce but the opt build doesn't give me a useful stack trace, and the debug build hits MOZ_CRASH() :/
Flags: needinfo?(ttaubert)

Updated

10 months ago
Attachment #8834991 - Flags: review?(bugs) → review+

Comment 15

10 months ago
Comment on attachment 8834992 [details] [diff] [review]
0002-Bug-1337814-Remove-rIC-callback-from-pending-callbac.patch

> {
>   AssertIsOnMainThread();
>   RefPtr<IdleRequest> request(aRequest);
>-  nsresult result = request->IdleRun(AsInner(), aDeadline, aDidTimeout);
>   RemoveIdleCallback(request);
>+  nsresult result = request->IdleRun(AsInner(), aDeadline, aDidTimeout);
>+
>   return result;
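Review bot: the reordering is right but carries no comment saying why RemoveIdleCallback(request) must now precede IdleRun: a callback that calls cancelIdleCallback on its own handle during IdleRun would otherwise unlink the request first, leaving the trailing RemoveIdleCallback(request) to remove an element that is no longer in the list, which is exactly the LinkedList.h assertion in the bug title. Add a one-line comment at the moved call. Also, the local `RefPtr<IdleRequest> request(aRequest);` above is what keeps the object alive once it has been unlinked from the pending list, so it must stay even if the tail is simplified to a direct `return request->IdleRun(AsInner(), aDeadline, aDidTimeout);`; with the removal moved up, the `result` temporary itself is no longer needed.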

Why not just 
return request->IdleRun(AsInner(), aDeadline, aDidTimeout);
Attachment #8834992 - Flags: review?(bugs) → review+
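As an added illustration (not Gecko code and not part of this bug's patch), here is a small C++ model of a pending idle-callback list that runs the oldest request with either ordering from the hunk above: removing the request after the callback runs (the old order) or before it (the patched order). The names IdleScheduler, runNext, removeBeforeRun and the notFound counter are assumptions of this model; the counter stands in for the "element wasn't found in this list" assertion from LinkedList.h, and the shared_ptr local plays the role of the RefPtr<IdleRequest> in the hunk.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <list>
#include <memory>

// Illustrative model of a requestIdleCallback scheduler (assumed names, not Gecko's).
class IdleScheduler {
public:
  using Callback = std::function<void(IdleScheduler&, uint32_t)>;

  struct IdleRequest {
    uint32_t handle;
    Callback callback;
  };

  // requestIdleCallback(): queue a request and hand back its handle.
  uint32_t request(Callback cb) {
    uint32_t h = nextHandle_++;
    pending_.push_back(std::make_shared<IdleRequest>(IdleRequest{h, std::move(cb)}));
    return h;
  }

  // cancelIdleCallback(): unlink the request with this handle if it is still
  // pending; an unknown or already-run handle is silently a no-op.
  bool cancel(uint32_t handle) {
    for (auto it = pending_.begin(); it != pending_.end(); ++it) {
      if ((*it)->handle == handle) { pending_.erase(it); return true; }
    }
    return false;
  }

  // Run the oldest pending request. removeBeforeRun=false is the ordering the
  // patch removes; removeBeforeRun=true is the ordering it introduces.
  void runNext(bool removeBeforeRun) {
    if (pending_.empty()) return;
    // Local strong reference, as the RefPtr<IdleRequest> in the hunk: it keeps
    // the request alive even after it has been unlinked from pending_.
    std::shared_ptr<IdleRequest> req = pending_.front();
    if (removeBeforeRun) removeRequest(req);
    req->callback(*this, req->handle);
    if (!removeBeforeRun) removeRequest(req);
  }

  size_t pendingCount() const { return pending_.size(); }
  int notFoundRemovals() const { return notFound_; }

private:
  // Analogue of the linked-list remove: removing an element that is no longer
  // linked is counted here; in a debug Gecko build it is the MOZ_CRASH.
  void removeRequest(const std::shared_ptr<IdleRequest>& req) {
    for (auto it = pending_.begin(); it != pending_.end(); ++it) {
      if (*it == req) { pending_.erase(it); return; }
    }
    ++notFound_;
  }

  std::list<std::shared_ptr<IdleRequest>> pending_;
  uint32_t nextHandle_ = 1;
  int notFound_ = 0;
};

// Scenario from the patch's test: the running callback cancels its own handle.
// Returns how many "element wasn't found" removals happened.
int selfCancelNotFound(bool removeBeforeRun) {
  IdleScheduler s;
  s.request([](IdleScheduler& sched, uint32_t self) { sched.cancel(self); });
  s.runNext(removeBeforeRun);
  return s.notFoundRemovals();
}

// A callback cancelling a different pending request is safe in either order,
// which is why the old ordering survived until a self-cancelling callback.
int crossCancelNotFound(bool removeBeforeRun) {
  IdleScheduler s;
  uint32_t victim = 0;
  s.request([&victim](IdleScheduler& sched, uint32_t) { sched.cancel(victim); });
  victim = s.request([](IdleScheduler&, uint32_t) {});
  s.runNext(removeBeforeRun);
  return s.notFoundRemovals();
}
```

With the old order a self-cancelling callback unlinks the entry during the run and the trailing removal then looks for an element that is gone; with the patched order the entry is already off the list when the callback runs, so its cancel call is the same harmless no-op that cancelling any stale handle is, and there is no second removal at all. The strong local reference is what makes the patched order safe: the request may no longer be reachable from the list while its callback is still executing.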
(Assignee)

Comment 16

10 months ago
Created attachment 8835012 [details] [diff] [review]
0002-Bug-1337814-Remove-rIC-callback-from-pending-callbac.patch
Attachment #8834992 - Attachment is obsolete: true
(Assignee)

Updated

10 months ago
Attachment #8835012 - Flags: review?(bugs)
(Assignee)

Comment 17

10 months ago
Created attachment 8835016 [details] [diff] [review]
0002-Bug-1337814-Remove-rIC-callback-from-pending-callbac.patch

Tweaked commit message.
Attachment #8835012 - Attachment is obsolete: true
Attachment #8835012 - Flags: review?(bugs)
Attachment #8835016 - Flags: review?(bugs)
Tracking 54+ for this sec critical issue.
tracking-firefox54: ? → +

Updated

10 months ago
Blocks: 1315232
See Also: bug 1315232

Updated

10 months ago
Attachment #8835016 - Flags: review?(bugs) → review+
(Assignee)

Comment 19

10 months ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/bf910e9138d0
Bug 1337814 - Add test for cancelling currently executing rIC callback. r=smaug

https://hg.mozilla.org/integration/mozilla-inbound/rev/7ec7752867ac
Bug 1337814 - Remove rIC callback from pending callbacks before running it. r=smaug

Comment 20

10 months ago
https://hg.mozilla.org/mozilla-central/rev/bf910e9138d0
https://hg.mozilla.org/mozilla-central/rev/7ec7752867ac
Status: NEW → RESOLVED
Last Resolved: 10 months ago
status-firefox54: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
(Reporter)

Comment 21

10 months ago
Are we sure this is just 54? In bug 1337707 Calixte mentioned 51 and 52 as crash signatures.

Will also do more testing now
Flags: needinfo?(afarre)

Updated

10 months ago
Blocks: 738653
(In reply to Carsten Book [:Tomcat] from comment #21)
> are we sure this is just 54 ? in bug 1337707 calixte mentioned 51 and 52 as
> crash signatures. 

It won't hurt to check older branches, but these signatures are mostly just generic memory corruption signatures, so it isn't surprising to see them on lower volume elsewhere.
Flags: needinfo?(afarre)

Updated

10 months ago
Duplicate of this bug: 1337052

Updated

10 months ago
Blocks: 1337052
Group: core-security → core-security-release