Bug 1509986 - [meta] Write barrier crash in ~XPCWrappedJS
Status: RESOLVED FIXED (Closed)
Opened 6 years ago; closed 6 years ago
Categories: Core :: XPConnect, defect
Target Milestone: mozilla66
Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox64 | --- | wontfix
firefox65 | --- | fixed
firefox66 | --- | fixed
People: Reporter mccr8, Assigned jandem
Keywords: meta, sec-other
Whiteboard: [post-critsmash-triage][adv-main65-]
No description provided.
Comment 1 • 6 years ago (Reporter, mccr8)
Oops, I clicked submit too soon. jonco has a possible patch for this in bug 1508102, but I think it makes sense to have a central bug to track these, as they are showing up all over the place on TreeHerder.
Comment 2 • 6 years ago (Reporter, mccr8)
sfink posted this in bug 1503226:
(In reply to Steve Fink [:sfink] [:s:] from comment #10)
> I looked at this a little. The likely field involved would be mJSObjGlobal,
> a Heap<JSObject*> in nsXPCWrappedJS:
> https://searchfox.org/mozilla-central/source/js/xpconnect/src/xpcprivate.h#1939
>
> The JSObject* in question would appear to be 0xcf600000 (the crash is when
> we do some masking to access its chunk's trailer). That seems like an
> unlikely address. Duplicate bugs' crash addresses are
>
> 0x7fb363fffff0
> 0x7f2b311ffff0
> 0x0
> 0xd0cffff8
>
> The first two seem plausible, the nullptr made it through to accessing a
> StoreBuffer perhaps because we happened to hit readable memory that
> contained 0x0, and the last one is similar to this one.
>
> So sticking to the 0xcf600000 one, it seems like the field was corrupt by
> the time it was destroyed.
>
> I don't know enough about the lifecycle of nsXPCWrappedJS, I guess. needinfo
> mccr8.
Comment 3 • 6 years ago
bug 1508102 has a patch and a security rating, so I guess this can be sec-other for now until we see if that fixes it.
Keywords: sec-other
Comment 4 • 6 years ago (Reporter, mccr8)
Fixed by bug 1480121.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated • 6 years ago
Assignee: nobody → jdemooij
status-firefox64: --- → wontfix
status-firefox65: --- → fixed
status-firefox66: --- → fixed
status-firefox-esr60: --- → unaffected
Target Milestone: --- → mozilla66
Updated • 6 years ago
Group: dom-core-security → core-security-release
Updated • 6 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated • 6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65-]
Updated • 5 years ago
Group: core-security-release
Updated • 5 years ago
Summary: Write barrier crash in ~XPCWrappedJS → [meta] Write barrier crash in ~XPCWrappedJS