Closed
Bug 1337814
Opened 8 years ago
Closed 8 years ago
Hit MOZ_CRASH(element wasn't found in this list!) at LinkedList.h:635
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla54
Tracking | Status | |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox-esr52 | --- | unaffected |
firefox53 | --- | unaffected |
firefox54 | + | fixed |
People
(Reporter: cbook, Assigned: farre)
References
()
Details
(4 keywords)
Attachments
(4 files, 2 obsolete files)
169.68 KB,
text/plain
|
Details | |
6.44 KB,
text/plain
|
Details | |
1.09 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
1.02 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
Hit MOZ_CRASH(element wasn't found in this list!) at c:\builds\moz2_slave\m-cen-w32-d-000000000000000000\build\src\obj-firefox\dist\include\mozilla/LinkedList.h:635
Found via bughunter and reproduced on latest m-c windows tinderbox trunk debug build.
Seems this is a debug only crash.
Steps to reproduce:
-> Load https://www.linkedin.com/company-beta/1680?pathWildcard=1680
--> Crash on load
Filing as sec bug because we get asan heap-use-after-free that seems related for youtube urls
Reporter | ||
Comment 1•8 years ago
|
||
nathan, do you know who could take a look at this crash ?
Flags: needinfo?(nfroyd)
Reporter | ||
Comment 2•8 years ago
|
||
[Tracking Requested - why for this release]:
so far only trunk reports on bughunter for windows and linux so far, so seems some kind of trunk regression
status-firefox54:
--- → affected
tracking-firefox54:
--- → ?
Comment 3•8 years ago
|
||
Andreas, perhaps, since this involves idle requests/idle callbacks.
Component: General → DOM
Flags: needinfo?(nfroyd) → needinfo?(afarre)
Reporter | ||
Comment 4•8 years ago
|
||
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → afarre
Comment 6•8 years ago
|
||
This sounds very similar to bug 1315232, in terms of the test cases.
See Also: → 1315232
Comment 7•8 years ago
|
||
I hit this almost instantly when logging into LinkedIn and scrolling/loading the contact list on "My Network" [1].
[1] https://www.linkedin.com/mynetwork/
Comment 8•8 years ago
|
||
fwiw, we first saw the MOZ_CRASH and ASAN heap-use-after-free on 2017-01-29.
Updated•8 years ago
|
status-firefox53:
--- → unaffected
Comment 10•8 years ago
|
||
(In reply to Tim Taubert [:ttaubert] from comment #7)
> I hit this almost instantly when logging into LinkedIn and scrolling/loading
> the contact list on "My Network" [1].
Can you try that in an ASan build and attach the stack to this bug, please (if you have one handy)? Thanks.
Flags: needinfo?(ttaubert)
Assignee | ||
Comment 12•8 years ago
|
||
Attachment #8834991 -
Flags: review?(bugs)
Assignee | ||
Comment 13•8 years ago
|
||
Attachment #8834992 -
Flags: review?(bugs)
Comment 14•8 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #10)
> Can you try that in an ASan build and attach the stack to this bug, please
> (if you have one handy)? Thanks.
So I downloaded the opt and debug versions of the m-c ASan builds. I can easily reproduce but the opt build doesn't give me a useful stack trace, and the debug build hits MOZ_CRASH() :/
Flags: needinfo?(ttaubert)
Updated•8 years ago
|
Attachment #8834991 -
Flags: review?(bugs) → review+
Comment 15•8 years ago
|
||
Comment on attachment 8834992 [details] [diff] [review]
0002-Bug-1337814-Remove-rIC-callback-from-pending-callbac.patch
> {
> AssertIsOnMainThread();
> RefPtr<IdleRequest> request(aRequest);
>- nsresult result = request->IdleRun(AsInner(), aDeadline, aDidTimeout);
> RemoveIdleCallback(request);
>+ nsresult result = request->IdleRun(AsInner(), aDeadline, aDidTimeout);
>+
> return result;
Why not just
return request->IdleRun(AsInner(), aDeadline, aDidTimeout);
Attachment #8834992 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 16•8 years ago
|
||
Attachment #8834992 -
Attachment is obsolete: true
Assignee | ||
Updated•8 years ago
|
Attachment #8835012 -
Flags: review?(bugs)
Assignee | ||
Comment 17•8 years ago
|
||
Tweaked commit message.
Attachment #8835012 -
Attachment is obsolete: true
Attachment #8835012 -
Flags: review?(bugs)
Attachment #8835016 -
Flags: review?(bugs)
Updated•8 years ago
|
Updated•8 years ago
|
Attachment #8835016 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 19•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/bf910e9138d0
Bug 1337814 - Add test for cancelling currently executing rIC callback. r=smaug
https://hg.mozilla.org/integration/mozilla-inbound/rev/7ec7752867ac
Bug 1337814 - Remove rIC callback from pending callbacks before running it. r=smaug
https://hg.mozilla.org/mozilla-central/rev/bf910e9138d0
https://hg.mozilla.org/mozilla-central/rev/7ec7752867ac
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Updated•8 years ago
|
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
status-firefox-esr45:
--- → unaffected
status-firefox-esr52:
--- → unaffected
Reporter | ||
Comment 21•8 years ago
|
||
are we sure this is just 54 ? in bug 1337707 calixte mentioned 51 and 52 as crash signatures.
Will also do more testing now
Flags: needinfo?(afarre)
Comment 22•8 years ago
|
||
(In reply to Carsten Book [:Tomcat] from comment #21)
> are we sure this is just 54 ? in bug 1337707 calixte mentioned 51 and 52 as
> crash signatures.
It won't hurt to check older branches, but these signatures are mostly just generic memory corruption signatures, so it isn't surprising to see them on lower volume elsewhere.
Flags: needinfo?(afarre)
Updated•8 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•