Closed Bug 1390102 Opened 7 years ago Closed 3 years ago

Crash in mozilla::BufferList<T>::WriteBytes

Categories

(Core :: JavaScript Engine, defect, P2)

56 Branch
x86
Windows 10
defect

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox56 --- affected
firefox57 --- wontfix

People

(Reporter: baffclan, Assigned: djvj)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-e131b495-998e-41f5-9fd7-d0ea70170814.
=============================================================

Crashing Thread (0)
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::BufferList<js::TempAllocPolicy>::WriteBytes(char const*, unsigned __int64) 	obj-firefox/dist/include/mozilla/BufferList.h:388
1 	xul.dll 	JSStructuredCloneWriter::writeString(unsigned int, JSString*) 	js/src/vm/StructuredClone.cpp:1127
2 	xul.dll 	JSStructuredCloneWriter::startWrite(JS::Handle<JS::Value>) 	js/src/vm/StructuredClone.cpp:1467
3 	xul.dll 	JSStructuredCloneWriter::write(JS::Handle<JS::Value>) 	js/src/vm/StructuredClone.cpp:1747
4 	xul.dll 	WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) 	js/src/vm/StructuredClone.cpp:616
5 	xul.dll 	JSAutoStructuredCloneBuffer::write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*) 	js/src/vm/StructuredClone.cpp:2762
6 	xul.dll 	mozilla::dom::StructuredCloneHolderBase::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy) 	dom/base/StructuredCloneHolder.cpp:189
7 	xul.dll 	mozilla::dom::StructuredCloneHolder::Write(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::CloneDataPolicy, mozilla::ErrorResult&) 	dom/base/StructuredCloneHolder.cpp:282
8 	xul.dll 	mozilla::dom::StructuredCloneHolder::Write(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) 	dom/base/StructuredCloneHolder.cpp:268
9 	xul.dll 	mozilla::dom::StructuredCloneBlob::Constructor(mozilla::dom::GlobalObject&, JS::Handle<JS::Value>, JS::Handle<JSObject*>, mozilla::ErrorResult&) 	dom/base/StructuredCloneBlob.cpp:71
10 	xul.dll 	mozilla::dom::StructuredCloneHolderBinding::_constructor 	obj-firefox/dom/bindings/StructuredCloneHolderBinding.cpp:179
11 		@0x3eeb0ed5dcc 	


Application Basics: 
Name: Firefox
Version: 56.0b2
Build ID: 20170810180547
Update Channel: beta
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
OS: Windows_NT 10.0
Kannan, please investigate if this is actionable.
Assignee: nobody → kvijayan
Flags: needinfo?(kvijayan)
Priority: -- → P1
Looking today.
Investigated this.  I _think_ it's a null-pointer-based access.  The low crash addr and the read violation suggest a "large offset from null", but I'm not 100% sure about that.

I took a good look through the code looking for something to pop out, but it all seems pretty solid.  This needs local repro to be actionable.
Flags: needinfo?(kvijayan)
Priority: P1 → P2
QA Whiteboard: qa-not-actionable
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE