Open Bug 1473684 Opened 7 years ago Updated 3 years ago

Crash in mozilla::dom::binding_detail::GenericMethod<T>

Categories

(Core :: DOM: Core & HTML, defect, P3)

61 Branch
defect

Tracking

Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- affected
firefox61 --- affected
firefox62 --- affected
firefox63 --- affected

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash, csectype-wildptr, testcase-wanted, Whiteboard: qa-not-actionable)

Crash Data

This bug was filed from the Socorro interface and is report bp-f7d46687-d0b2-4754-a583-556f10180705.
=============================================================
Top 10 frames of crashing thread:

0 @0xbf0bfd52
1 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3285
2 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:471
3 xul.dll static bool InternalCall js/src/vm/Interpreter.cpp:520
4 xul.dll static bool Interpret js/src/vm/Interpreter.cpp:3122
5 xul.dll js::RunScript js/src/vm/Interpreter.cpp:421
6 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:493
7 xul.dll js::Call js/src/vm/Interpreter.cpp:539
8 xul.dll js::jit::InterpretResume js/src/jit/VMFunctions.cpp:943
9 xul.dll js::jit::ICMonitoredFallbackStub::addMonitorStubForValue js/src/jit/SharedIC.cpp:477
=============================================================

this is a low volume crash signature starting to show up across platforms in firefox 61.
Hi Boris, any idea what changes might have landed during the 61 cycle that could have caused this crash to appear?
Flags: needinfo?(bzbarsky)
Well, bug 1451516 is an obvious option. At least in terms of the stack looking different before then, because mozilla::dom::binding_detail::GenericMethod didn't exist. What did exist was mozilla::dom::GenericBindingMethod and various genericMethod bits. The crash is on line 3260 in the crashes I see (on beta), which is the indirect call to the "method" we extract from the jitinfo. So the best explanation is memory corruption there, I suspect. There are similar crashes under GenericMethod and genericMethod in 60, I think.
Flags: needinfo?(bzbarsky)
Crash Signature: [@ mozilla::dom::binding_detail::GenericMethod<T>] → [@ mozilla::dom::binding_detail::GenericMethod<T>] [@ mozilla::dom::GenericBindingMethod]
Keywords: regression
(crashes should be p1, but this doesn't look too actionable)
Priority: -- → P3
Group: dom-core-security
Keywords: testcase-wanted
Can you provide some sort of reproduction steps that I could test?
Flags: needinfo?(madperson)
I don't know of any reproducible scenario, unfortunately.
Flags: needinfo?(madperson)
Component: DOM → DOM: Core & HTML
Whiteboard: qa-not-actionable
Severity: critical → S2

This is a low volume crash, and the reports mostly look like unrelated memory corruption. There is a possible exception for startup crashes while dispatching appstartup observer notifications, but those look like they come from a few corrupted installs.

Severity: S2 → S3