1382224 - Crash in nsCOMPtr_base::~nsCOMPtr_base | mozilla::SegmentedVector<T>::PopLastN

Status: RESOLVED DUPLICATE of bug 1045992

(Core :: XPCOM, defect)

Description

[Randell Jesup [:jesup] (needinfo me)]

This bug was filed from the Socorro interface and is 
report bp-c46d4d2f-96ef-45ec-8c7a-666770170719.
=============================================================

Called from dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(), which is called from :IncrementalFinalizeRunnable::ReleaseNow(bool) (so this might end up being a GC bug, perhaps, or interaction between this bit of DOM and GC).

https://crash-stats.mozilla.com/signature/?product=Firefox&version=56.0a1&version=55.0b&version=55.0b10&version=55.0b9&version=55.0b8&address=~e5e5&signature=nsCOMPtr_base%3A%3A~nsCOMPtr_base%20%7C%20mozilla%3A%3ASegmentedVector%3CT%3E%3A%3APopLastN&date=%3E%3D2017-07-12T13%3A40%3A00.000Z&date=%3C2017-07-19T13%3A40%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

Hmm, regression. What happened on July 12

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

This does look like someone calling release too much. I mean, we have deleted object in deferred release list.

Comment 3

[Andrew McCreight [:mccr8]]

I think this might be a signature change. We've had some issue with a UAF in the deferred finalizer going back years now. I've never managed to figure anything out.

Comment 4

[Andrew McCreight [:mccr8]]

Yeah, you can see linked in this bug a list of some of the prior bugs we've had on this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1243309#c5