More references to an object than its refcount, for class Response
Categories
(Core :: DOM: File, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox-esr68 | --- | unaffected |
firefox68 | --- | unaffected |
firefox69 | + | fixed |
firefox70 | + | fixed |
People
(Reporter: marcia, Assigned: baku)
References
(Regression)
Details
(4 keywords)
Crash Data
This bug is for crash report bp-3dcdc69b-233c-44b5-87bc-0e9270190710.
Seen while looking at nightly and beta crash stats: https://bit.ly/30v5BSO. This crash started in the 69 nightly cycle and carried into beta. Crashes in 69 nightly go back to at least 20190601213613. This is currently the #3 overall crash in 69.0b3.
Here are some correlations:
(96.00% in signature vs 30.06% overall) os_arch = amd64 [96.00% vs 19.08% if platform = Windows NT]
(100.0% in signature vs 30.72% overall) plugin_filename = null
(100.0% in signature vs 32.84% overall) contains_memory_report = null
(100.0% in signature vs 33.21% overall) app_init_dlls = null
(30.00% in signature vs 07.15% overall) "WebGL?" in app_notes = true [84.62% vs 14.87% if startup_crash = null]
(100.0% in signature vs 42.03% overall) Module "mozavcodec.dll" = true [100.0% vs 51.00% if platform_version = 10.0.17763]
(100.0% in signature vs 42.07% overall) Module "mozavutil.dll" = true [100.0% vs 57.32% if platform_version = 10.0.17134]
(100.0% in signature vs 41.99% overall) Module "dxva2.dll" = true [100.0% vs 57.40% if platform_version = 10.0.17134]
(100.0% in signature vs 41.99% overall) Module "evr.dll" = true [100.0% vs 57.40% if platform_version = 10.0.17134]
(100.0% in signature vs 42.00% overall) Module "mf.dll" = true [100.0% vs 57.40% if platform_version = 10.0.17134]
(100.0% in signature vs 42.01% overall) Module "mfplat.dll" = true [100.0% vs 57.42% if platform_version = 10.0.17134]
(90.00% in signature vs 33.26% overall) Module "RTWorkQ.dll" = true [100.0% vs 57.42% if platform_version = 10.0.17134]
(86.00% in signature vs 31.82% overall) bios_manufacturer = American Megatrends Inc. [86.00% vs 37.20% if platform = Windows NT]
Top 10 frames of crashing thread:
0 xul.dll void nsCycleCollector::ScanRoots xpcom/base/nsCycleCollector.cpp:2968
1 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3434
2 xul.dll nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:3949
3 xul.dll void mozilla::CycleCollectedJSRuntime::OnGC xpcom/base/CycleCollectedJSRuntime.cpp:1426
4 xul.dll js::gc::GCRuntime::maybeCallGCCallback js/src/gc/GC.cpp:7612
5 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7701
6 xul.dll js::gc::GCRuntime::collect js/src/gc/GC.cpp:7865
7 xul.dll JS::NonIncrementalGC js/src/gc/GC.cpp:8792
8 xul.dll void mozilla::dom::WorkerPrivate::GarbageCollectInternal dom/workers/WorkerPrivate.cpp:4555
9 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:561
Comment 1•5 years ago
|
||
Jon, can you please look at this Fx69 topcrash?
Comment 2•5 years ago
•
|
||
Looks like this is hitting an assertion in the cycle collector.
Comment 3•5 years ago
|
||
Ah, I missed that there was a CC assertion message. Thanks for pointing that out.
The cycle collector fields in the crash reports I looked at were all:
More references to an object than its refcount, for class Response
This sounds a lot like bug 1564821, which is a UAF of a Response object. Baku has a patch up for that, so hopefully that will fix this. If not, maybe some other issue is lurking.
Updated•5 years ago
|
Comment 4•5 years ago
|
||
Probably a dupe, but I'll rate it until we can confirm that.
Comment 5•5 years ago
|
||
Looks like a fix is landing this morning in bug 1564821.
Updated•5 years ago
|
Comment 6•5 years ago
|
||
The priority flag is not set for this bug.
:hsinyi, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•5 years ago
|
Comment 7•5 years ago
|
||
Hi Andrew,
Do you think we have enough data to rate if this is a dupe. of bug 1564821? What's the next step here? Thanks!
Comment 8•5 years ago
|
||
Yeah, the Response variant of this crash seems to have gone away. I'm not sure which of the two bugs this depends on fixed it, so I'll mark it worksforme.
Updated•5 years ago
|
Comment 9•5 years ago
|
||
Fixed in 69/70 by the patch in bug 1564821.
Updated•4 years ago
|
Updated•2 years ago
|
Description
•