Closed Bug 1342411 Opened 9 years ago Closed 9 years ago

Crash in RefPtr<T>::RefPtr<T> | nsTArray_Impl<T>::AppendElement<T> | TakeFrameRequestCallbacksFrom

Categories

(Core :: Layout, defect)

50 Branch
x86
Windows
defect
Not set
critical

RESOLVED DUPLICATE of bug 1342823

People

(Reporter: philipp, Unassigned)

Crash Data

This bug was filed from the Socorro interface and is report bp-604301eb-e6a4-4b6c-9b3f-032a02170224.
=============================================================
Crashing Thread (0)
Frame   Module   Signature   Source
0   xul.dll   RefPtr<mozilla::dom::FrameRequestCallback>::RefPtr<mozilla::dom::FrameRequestCallback>(mozilla::dom::FrameRequestCallback*)   obj-firefox/dist/include/mozilla/RefPtr.h:111
1   xul.dll   nsTArray_Impl<DocumentFrameCallbacks, nsTArrayInfallibleAllocator>::AppendElement<nsIDocument*&, nsTArrayInfallibleAllocator>(nsIDocument*&)   obj-firefox/dist/include/nsTArray.h:2078
2   xul.dll   TakeFrameRequestCallbacksFrom   layout/base/nsRefreshDriver.cpp:1474
3   xul.dll   nsRefreshDriver::RunFrameRequestCallbacks(mozilla::TimeStamp)   layout/base/nsRefreshDriver.cpp:1560
4   xul.dll   nsRefreshDriver::Tick(__int64, mozilla::TimeStamp)   layout/base/nsRefreshDriver.cpp:1720
5   xul.dll   mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, __int64, mozilla::TimeStamp)   layout/base/nsRefreshDriver.cpp:285
6   xul.dll   mozilla::InactiveRefreshDriverTimer::TickOne()   layout/base/nsRefreshDriver.cpp:755
7   xul.dll   mozilla::InactiveRefreshDriverTimer::TimerTickOne(nsITimer*, void*)   layout/base/nsRefreshDriver.cpp:764

these crashes on 32bit browser versions on windows have been around for a while, but their volume increased mid-december 2016.

some correlations for Firefox Release:
(100.0% in signature vs 34.13% overall) ipc_fatal_error_msg = null
(100.0% in signature vs 37.97% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(65.82% in signature vs 00.25% overall) address = 0xffffffffe5e5e5e9
(49.45% in signature vs 11.36% overall) useragent_locale = ru
Group: core-security → layout-core-security
Component: Untriaged → Layout
I think this is a dupe of bug 1230817. The reason it looks like a regression (I suspect) is that we renamed nsRefPtr -> RefPtr around that time. (I've added the new signature to bug 1230817.) We probably don't want to resolve this bug as a duplicate though, since that would reveal it's a security issue.
Hmm, no, I was wrong. The nsRefPtr rename is a lot older than this. (bug 1207245) So this is probably a regression of some sort.
The spike seems to start around Dec 14 2016, which is very close to the release of 50.1.0 on 2016-12-13. I can't find any crashes in 50.0* for example. I think this is the list of changes that comprise 50.1.0: https://hg.mozilla.org/releases/mozilla-release/pushloghtml?fromchange=FIREFOX_50_0_2_RELEASE&tochange=FIREFOX_50_1_0_RELEASE
100% of the crashes are on Windows NT x86. No particular URLs stand out.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Too late for 51 and 52 will be released this week. Mark 51 won't fix.
Group: layout-core-security