Closed Bug 1415382 Opened 7 years ago Closed 7 years ago

Crash in js::CurrentThreadCanAccessRuntime

Categories

(Core :: XPCOM, defect)

56 Branch
x86
Windows 7
defect
Not set
critical

Tracking

RESOLVED INCOMPLETE

People

(Reporter: jesup, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

This bug was filed from the Socorro interface and is report bp-19fdde8b-7b3f-410a-b480-0d1c20171105.
=============================================================

UAFs go back to at least 38ESR. It appears 'rt' is the value that's pointing to a freed memory section.

Most of the signatures start with:

    js::CurrentThreadCanAccessRuntime
    js::gc::detail::CellIsMarkedGrayIfKnown
    mozilla::JSGCThingParticipant::TraverseNative
    CCGraphBuilder::BuildGraph
    nsCycleCollector::MarkRoots
    nsCycleCollector::Collect
    nsCycleCollector_collectSlice
    nsJSContext::RunCycleCollectorSlice

So this looks like bad pointers being passed in from the CC.
Component: JavaScript: GC → XPCOM
Note: rate seems to be going up steadily.
Group: core-security → dom-core-security
Andrew, any ideas how to proceed here?
Flags: needinfo?(continuation)
This is a generic GC heap corruption issue. There's not enough information to do anything.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(continuation)
Resolution: --- → INCOMPLETE
Group: dom-core-security