Closed Bug 1436544 Opened 6 years ago Closed 6 years ago

Crash in mozilla::dom::EventSourceImpl::ReadyState

Categories

(Core :: DOM: Workers, defect, P3)

Product:
Core
Component:
DOM: Workers
Platform:
All
Windows
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- unaffected

People

(Reporter: philipp, Unassigned)

References

Details

(4 keywords)

Crash Data

This bug was filed from the Socorro interface and is
report bp-7675d551-53a8-4a87-934d-bc7250180203.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::EventSourceImpl::ReadyState dom/base/EventSource.cpp:163
1 xul.dll mozilla::dom::EventSourceImpl::Close dom/base/EventSource.cpp:389
2 xul.dll mozilla::dom::EventSource::cycleCollection::Unlink dom/base/EventSource.cpp:2063
3 xul.dll nsCycleCollector::CollectWhite xpcom/base/nsCycleCollector.cpp:3401
4 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3769
5 xul.dll nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:4315
6 xul.dll `anonymous namespace'::WorkerJSRuntime::CustomGCCallback dom/workers/RuntimeService.cpp:1056
7 xul.dll mozilla::CycleCollectedJSRuntime::OnGC xpcom/base/CycleCollectedJSRuntime.cpp:1500
8 xul.dll mozilla::CycleCollectedJSRuntime::GCCallback xpcom/base/CycleCollectedJSRuntime.cpp:829
9 xul.dll js::gc::GCRuntime::callGCCallback js/src/jsgc.cpp:1656

=============================================================

it's a bit hard to say when those crashes started due to the purging of old crash reports, but they appear to be regressing somewhat recently. user comments are often referring to facebook or games there as a source of the crash.
a portion of addresses indicates a UAF situation.
Group: core-security → dom-core-security
Keywords: csectype-uaf, sec-high
This looks similar to bug 1436574, except that it is for a specific class, and there are more instances of the crash. It would seem like we're crashing at some point in between when we scan the object and when we unlink it. This crash is on workers, and there's no incremental CC on workers, so I'm not sure what could cause this.
See Also: → 1436574
Assigning unowned critical/high security bugs to triage owner. Please find an appropriate assignee for this bug.
Assignee: nobody → mdaly
Assignee: mdaly → amarchesini
Priority: -- → P1
:baku can you take a look at this?
Flags: needinfo?(amarchesini)
It seems that we don't have any crash report since 59.0b11. Wondering what triggered this change.
Is it maybe changed something in GC recently?
Flags: needinfo?(amarchesini) → needinfo?(jcoppeard)
(In reply to Andrea Marchesini [:baku] from comment #4)
Not that I can think of.  This doesn't really look GC related to me.
Flags: needinfo?(jcoppeard)
I don't think we should put too much effort understanding why this bug appeared for a month and then disappeared.
Marion, can we reduce the priority here?
Flags: needinfo?(mdaly)
Assignee: amarchesini → nobody
Yes, the crash signature dropped to zero. Let's call this a P3 for now. 

If it pops up again we'll update the priority. 

If the crash signature never appears again in 6 months we'll resolve as incomplete
Flags: needinfo?(mdaly)
Priority: P1 → P3
Severity: critical → normal
status-firefox60: ?unaffected
No reports in 52ESR and no reports from builds after May so I'm going to close this.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.