Closed
Bug 1436544
Opened 6 years ago
Closed 6 years ago
Crash in mozilla::dom::EventSourceImpl::ReadyState
Categories
(Core :: DOM: Workers, defect, P3)
Tracking
()
RESOLVED
INCOMPLETE
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox58 | --- | wontfix |
firefox59 | --- | wontfix |
firefox60 | --- | unaffected |
People
(Reporter: philipp, Unassigned)
References
Details
(4 keywords)
Crash Data
This bug was filed from the Socorro interface and is report bp-7675d551-53a8-4a87-934d-bc7250180203. ============================================================= Top 10 frames of crashing thread: 0 xul.dll mozilla::dom::EventSourceImpl::ReadyState dom/base/EventSource.cpp:163 1 xul.dll mozilla::dom::EventSourceImpl::Close dom/base/EventSource.cpp:389 2 xul.dll mozilla::dom::EventSource::cycleCollection::Unlink dom/base/EventSource.cpp:2063 3 xul.dll nsCycleCollector::CollectWhite xpcom/base/nsCycleCollector.cpp:3401 4 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3769 5 xul.dll nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:4315 6 xul.dll `anonymous namespace'::WorkerJSRuntime::CustomGCCallback dom/workers/RuntimeService.cpp:1056 7 xul.dll mozilla::CycleCollectedJSRuntime::OnGC xpcom/base/CycleCollectedJSRuntime.cpp:1500 8 xul.dll mozilla::CycleCollectedJSRuntime::GCCallback xpcom/base/CycleCollectedJSRuntime.cpp:829 9 xul.dll js::gc::GCRuntime::callGCCallback js/src/jsgc.cpp:1656 ============================================================= it's a bit hard to say when those crashes started due to the purging of old crash reports, but they appear to be regressing somewhat recently. user comments are often referring to facebook or games there as a source of the crash. a portion of addresses indicates a UAF situation.
Updated•6 years ago
|
Group: core-security → dom-core-security
Keywords: csectype-uaf,
sec-high
Comment 1•6 years ago
|
||
This looks similar to bug 1436574, except that it is for a specific class, and there are more instances of the crash. It would seem like we're crashing at some point in between when we scan the object and when we unlink it. This crash is on workers, and there's no incremental CC on workers, so I'm not sure what could cause this.
See Also: → 1436574
Comment 2•6 years ago
|
||
Assigning unowned critical/high security bugs to triage owner. Please find an appropriate assignee for this bug.
Assignee: nobody → mdaly
Updated•6 years ago
|
Assignee: mdaly → amarchesini
Priority: -- → P1
Comment 4•6 years ago
|
||
It seems that we don't have any crash report since 59.0b11. Wondering what triggered this change. Is it maybe changed something in GC recently?
Flags: needinfo?(amarchesini) → needinfo?(jcoppeard)
Reporter | ||
Comment 5•6 years ago
|
||
this was the (small) changelog from b10 to b11: https://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=FIREFOX_59_0b10_RELEASE&tochange=daeb05a6586b5c3ec5b7c4ba1a980f50e3620937&full=1
Updated•6 years ago
|
status-firefox60:
--- → ?
Comment 6•6 years ago
|
||
(In reply to Andrea Marchesini [:baku] from comment #4) Not that I can think of. This doesn't really look GC related to me.
Flags: needinfo?(jcoppeard)
Comment 7•6 years ago
|
||
I don't think we should put too much effort understanding why this bug appeared for a month and then disappeared. Marion, can we reduce the priority here?
Flags: needinfo?(mdaly)
Updated•6 years ago
|
Assignee: amarchesini → nobody
Comment 8•6 years ago
|
||
Yes, the crash signature dropped to zero. Let's call this a P3 for now. If it pops up again we'll update the priority. If the crash signature never appears again in 6 months we'll resolve as incomplete
Flags: needinfo?(mdaly)
Updated•6 years ago
|
Priority: P1 → P3
Updated•6 years ago
|
Severity: critical → normal
Updated•6 years ago
|
Comment 9•6 years ago
|
||
No reports in 52ESR and no reports from builds after May so I'm going to close this.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
Updated•6 years ago
|
Group: dom-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•