Open
Bug 1483204
Opened 6 years ago
Updated 2 years ago
Crash in mozilla::dom::TimeoutManager::RunTimeout
Categories
(Core :: DOM: Core & HTML, defect, P3)
Tracking
()
NEW
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | affected |
firefox61 | --- | wontfix |
firefox62 | --- | wontfix |
firefox63 | --- | wontfix |
firefox64 | --- | fix-optional |
People
(Reporter: marcia, Assigned: farre)
Details
(Keywords: crash, regression)
Crash Data
This bug was filed from the Socorro interface and is
report bp-de02d8ca-b4cc-4eea-8329-980a80180813.
=============================================================
Seen in nightly crash stats, but also in 62. Marked this one as security sensitive since it is a possible UAF: https://bit.ly/2MOuWkc. In Nightly we have 41 crashes/6 installs in the last 7 days.
As far as correlations, I noticed this: (81.25% in signature vs 06.09% overall) Addon "Ghostery – Privacy Ad Blocker" = true. No comments in any of the reports.
Top 10 frames of crashing thread:
0 xul.dll mozilla::dom::TimeoutManager::RunTimeout dom/base/TimeoutManager.cpp:698
1 xul.dll mozilla::dom::TimeoutExecutor::MaybeExecute dom/base/TimeoutExecutor.cpp:172
2 xul.dll mozilla::dom::TimeoutExecutor::Notify dom/base/TimeoutExecutor.cpp:240
3 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:704
4 xul.dll nsTimerEvent::Run xpcom/threads/TimerThread.cpp:290
5 xul.dll mozilla::ThrottledEventQueue::Inner::ExecuteRunnable xpcom/threads/ThrottledEventQueue.cpp:188
6 xul.dll mozilla::ThrottledEventQueue::Inner::Executor::Run xpcom/threads/ThrottledEventQueue.cpp:72
7 xul.dll mozilla::SchedulerGroup::Runnable::Run xpcom/threads/SchedulerGroup.cpp:337
8 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1051
9 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:519
=============================================================
Updated•6 years ago
|
Updated•6 years ago
|
Flags: needinfo?(afarre)
Priority: -- → P1
Assignee | ||
Comment 1•6 years ago
|
||
Haven't looked closely at this yet, but it feels fishy. TimeoutManager::mWindow is a reference, so if we have a TimeoutManager we should definitely have a window. It has been labelled as a potential startup crash, but it feels more like a shutdown crash.
I wonder if the extension mentioned creates a window to run a timeout but destroys the window while succeeding running the timeout.
I'll take this a investigate further.
Assignee: nobody → afarre
Flags: needinfo?(afarre)
Assignee | ||
Comment 2•6 years ago
|
||
It helps if you read the entire crash report. The majority of these crashes are actually a diagnostic assert in TimeoutManager::RescheduleTimeout, namely:
bool
TimeoutManager::RescheduleTimeout(Timeout* aTimeout,
const TimeStamp& aLastCallbackTime,
const TimeStamp& aCurrentNow)
{
MOZ_DIAGNOSTIC_ASSERT(aLastCallbackTime <= aCurrentNow);
...
Assignee | ||
Comment 3•6 years ago
|
||
Removing those we get a crash signature that is a bit shorter https://bit.ly/2BxxuBU.
Updated•6 years ago
|
Group: dom-core-security
Comment 4•6 years ago
|
||
No crash in 63 beta and only one crash in 64, marking as fix-optional for 63.
Comment 5•6 years ago
|
||
This is still very low volume. I'm letting it fall off the regression triage.
Updated•6 years ago
|
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
Updated•2 years ago
|
Severity: critical → S2
You need to log in
before you can comment on or make changes to this bug.
Description
•