Closed Bug 1532090 Opened 6 years ago Closed 6 years ago

Crash in [@ DoMarking<T>], webextension background processes stop

Categories

(Core :: XPConnect, defect)

Unspecified
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1530364
Tracking Status
firefox-esr60 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed

People

(Reporter: willkg, Unassigned)

Details

(Keywords: crash, csectype-uaf)

Crash Data

This bug is for crash report bp-a46083f0-34de-4a79-b17f-c353d0190302.

Top 10 frames of crashing thread:

0 libxul.so void DoMarking<JSObject> js/src/vm/ObjectGroup.h:228
1 libxul.so js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JSObject*> >::markIteratively js/src/gc/Marking.cpp:564
2 libxul.so js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JSObject*> >::trace js/src/gc/WeakMap-inl.h:98
3 libxul.so xpc::TraceXPCGlobal js/src/gc/WeakMapPtr.cpp:69
4 libxul.so js::GCMarker::processMarkStackTop js/public/Class.h:872
5 libxul.so js::GCMarker::markUntilBudgetExhausted js/src/gc/Marking.cpp:1607
6 libxul.so js::gc::GCRuntime::incrementalSlice js/src/gc/GC.cpp:5849
7 libxul.so js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7398
8 libxul.so js::gc::GCRuntime::collect js/src/gc/GC.cpp:7569
9 libxul.so JS::IncrementalGCSlice js/src/gc/GC.cpp:7673

Here's the signature report:

https://crash-stats.mozilla.org/signature/?product=Firefox&signature=DoMarking%3CT%3E

I'm running an up-to-date Firefox nightly on Linux. Firefox has been crashing like this multiple times a day for the last few days. Every time it crashes, it seems like the background processes for webextensions all stop and then they don't work. Then I need to restart Firefox. As far as I can tell, nothing else is affected.

There are several other bugs with this signature, but I don't think they're related.

Also, I'm getting this crash. It has the same symptoms in that the webextension background processes all go away:

https://crash-stats.mozilla.org/report/index/68bd91d7-fcdb-49ae-b2aa-2fb080190302

After it happens, I see a lot of this in the browser console:

Error: Could not establish connection. Receiving end does not exist. promisify.js:13:7
Error: WebExtension context not found! ExtensionParent.jsm:1041:13

Let me know if I can provide any further information.

Product: Firefox → WebExtensions

This looks like a runtime bug of some sort. It will probably turn out to be one of those bugs that's someone else's fault that gets blamed on the GC, but I don't have any better ideas.

Component: Untriaged → JavaScript: GC
Product: WebExtensions → Core

The stack in comment 0 looks like that in bug 1530364, except during marking rather than destruction of the XPCWrappedNativeScope.

Note that DoMarking is a common signature for GC crashes and most of those are probably memory corruption or the like.

See Also: → 1530364
Group: javascript-core-security
Keywords: csectype-uaf
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
See Also: 1530364
Group: javascript-core-security → dom-core-security
Component: JavaScript: GC → XPConnect

This sounded like the same issue as the other bug, down to the prevalence of web extensions, so I just duped it.

Group: dom-core-security