Closed Bug 1449615 Opened 6 years ago Closed 1 year ago

crash (double-free assert) in arena_dalloc | je_free | js::gc::Arena::finalize<T>

Categories

(Core :: JavaScript: GC, defect, P5)

60 Branch
All
Windows
defect

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix

People

(Reporter: dveditz, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [#jsapi:crashes-retriage])

Crash Data

+++ This bug was initially created as a clone of Bug #1032425 +++

Bug 1032425 described a crash in this signature, but something new seemed to start in 60 beta (I didn't see any 60 nightly crashes); I'm not seeing crashes in other recent Release versions either. A MOZ_RELEASE_ASSERT() about a possible double-free is pretty common.

Going to call this "sec-moderate" for now because it's a release assert, but maybe there are exploitable cases slipping by that the assert doesn't catch (not all of the crashes are asserts or near-null).
The asserts in the first two arena_dalloc signatures were added in bug 1411084. The assert in huge_dalloc was added in bug 1439474.
Flags: needinfo?(mh+mozilla)
Summary: crash (doublt-free assert) in arena_dalloc | je_free | js::gc::Arena::finalize<T> → crash (double-free assert) in arena_dalloc | je_free | js::gc::Arena::finalize<T>
Steve, what next steps do you see here?
Flags: needinfo?(sphink)
FWIW, bug 1411084 didn't add asserts, it moved existing ones.
Flags: needinfo?(mh+mozilla)
Whiteboard: [#jsapi:crashes-retriage]
Seems like this mostly went away? (in June on beta, July on release)
Flags: needinfo?(sphink)
Signature changes? That might match switching to clang-cl.
Crash Signature: [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] [@ arena_dalloc | js::gc::Arena::finalize<T> ] [@ huge_dalloc | je_free | js::gc::Arena::finalize<T> ] → [@ arena_dalloc | je_free | js::gc::Arena::finalize<T>] [@ arena_dalloc | js::gc::Arena::finalize<T> ] [@ huge_dalloc | je_free | js::gc::Arena::finalize<T> ] [@ arena_t::DallocSmall | BaseAllocator::free | je_free | js::gc::Arena::finalize<T> ] [@ Ba…
Keywords: stalled
Priority: -- → P5
Severity: critical → S2
OS: Windows NT → Windows

Infrequent GC crashes such as this are not a high impact issue.

Severity: S2 → S3

I only see one crash in the last week with this signature and it is null, so let's just mark this incomplete.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled
Group: javascript-core-security