Closed
Bug 1415382
Opened 7 years ago
Closed 7 years ago
Crash in js::CurrentThreadCanAccessRuntime
Categories
(Core :: XPCOM, defect)
RESOLVED
INCOMPLETE
People
(Reporter: jesup, Unassigned)
Details
(Keywords: crash, csectype-uaf, sec-high)
Crash Data
This bug was filed from the Socorro interface and is
report bp-19fdde8b-7b3f-410a-b480-0d1c20171105.
=============================================================
UAFs go back to at least 38ESR.
It appears 'rt' is the value that's pointing to a freed memory section.
Comment 1•7 years ago
Most of the signatures start with:
js::CurrentThreadCanAccessRuntime
js::gc::detail::CellIsMarkedGrayIfKnown
mozilla::JSGCThingParticipant::TraverseNative
CCGraphBuilder::BuildGraph
nsCycleCollector::MarkRoots
nsCycleCollector::Collect
nsCycleCollector_collectSlice
nsJSContext::RunCycleCollectorSlice
So this looks like bad pointers being passed in from the CC.
Component: JavaScript: GC → XPCOM
Reporter
Comment 2•7 years ago
Note: rate seems to be going up steadily.
Updated•7 years ago
Group: core-security → dom-core-security
Comment 4•7 years ago
This is a generic GC heap corruption issue. There's not enough information to do anything.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(continuation)
Resolution: --- → INCOMPLETE
Updated•6 years ago
Group: dom-core-security