Closed Bug 1420348 Opened 7 years ago Closed 7 years ago

Crash in mozilla::ipc::IProtocol::OtherPid called from dom::asmjscache::PAsmJSCacheEntryParent::SendOnOpenCacheFile()

Categories

(Core :: IPC, defect)

55 Branch
x86
Windows 7
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1331209
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- wontfix
firefox58 --- fixed
firefox59 --- unaffected

People

(Reporter: jesup, Unassigned)

Details

(4 keywords, Whiteboard: [adv-main58-])

Crash Data

This bug was filed from the Socorro interface and is
report bp-4498f8bf-2d80-464d-8dac-a80df0171122.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll mozilla::ipc::IProtocol::OtherPid ipc/glue/ProtocolUtils.cpp:468
1 xul.dll mozilla::dom::asmjscache::PAsmJSCacheEntryParent::SendOnOpenCacheFile ipc/ipdl/PAsmJSCacheEntryParent.cpp:72
2 xul.dll mozilla::dom::asmjscache::`anonymous namespace'::ParentRunnable::Run dom/asmjscache/AsmJSCache.cpp:930
3 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1039
4 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:521
5 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:368
6 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:319
7 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:299
8 xul.dll nsThread::ThreadFunc xpcom/threads/nsThread.cpp:427
9 nss3.dll _PR_NativeRunThread nsprpub/pr/src/threads/combined/pruthr.c:397

=============================================================

Note: other bugs appear in the OtherPid() signature; this appears to be the source of all or almost all of the UAF crashes.

Frequency in 57 seems *way* up; we had 513 crashes in the last week, but only 22XX crashes in the last 6 months -> spike in 57.
https://crash-stats.mozilla.com/signature/?product=Firefox&proto_signature=~SendOnOpenCacheFile&signature=mozilla%3A%3Aipc%3A%3AIProtocol%3A%3AOtherPid&date=%3E%3D2017-05-23T22%3A09%3A27.000Z&date=%3C2017-11-23T20%3A09%3A27.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=version&_sort=-date&page=1

It *looks* like the bug causing the spike started in 57b12 or perhaps in 57b99

billm/jimm: IPC, or push over to the AsmJS people?
Flags: needinfo?(wmccloskey)
Flags: needinfo?(jmathies)
Group: core-security → dom-core-security
Looks maybe-similar to bug 1331209?
Flags: needinfo?(jmathies) → needinfo?(luke)
I think it's the same.
Flags: needinfo?(luke)
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(wmccloskey)
Resolution: --- → DUPLICATE
Whiteboard: [adv-main58-]
Group: dom-core-security