Closed Bug 1564895 Opened 5 years ago Closed 5 years ago

More references to an object than its refcount, for class Response

Categories

(Core :: DOM: File, defect, P1)

Product:
Core
Component:
DOM: File
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 + fixed
firefox70 + fixed

People

(Reporter: marcia, Assigned: baku)

References

(Regression)

Details

(4 keywords)

Crash Data

This bug is for crash report bp-3dcdc69b-233c-44b5-87bc-0e9270190710.

Seen while looking at nightly and beta crash stats: https://bit.ly/30v5BSO. This crash started in the 69 nightly cycle and carried into beta. Crashes in 69 nightly go back to at least 20190601213613. This is currently the #3 overall crash in 69.0b3.

Here are some correlations:

(96.00% in signature vs 30.06% overall) os_arch = amd64 [96.00% vs 19.08% if platform = Windows NT]
(100.0% in signature vs 30.72% overall) plugin_filename = null
(100.0% in signature vs 32.84% overall) contains_memory_report = null
(100.0% in signature vs 33.21% overall) app_init_dlls = null
(30.00% in signature vs 07.15% overall) "WebGL?" in app_notes = true [84.62% vs 14.87% if startup_crash = null]
(100.0% in signature vs 42.03% overall) Module "mozavcodec.dll" = true [100.0% vs 51.00% if platform_version = 10.0.17763]
(100.0% in signature vs 42.07% overall) Module "mozavutil.dll" = true [100.0% vs 57.32% if platform_version = 10.0.17134]
(100.0% in signature vs 41.99% overall) Module "dxva2.dll" = true [100.0% vs 57.40% if platform_version = 10.0.17134]
(100.0% in signature vs 41.99% overall) Module "evr.dll" = true [100.0% vs 57.40% if platform_version = 10.0.17134]
(100.0% in signature vs 42.00% overall) Module "mf.dll" = true [100.0% vs 57.40% if platform_version = 10.0.17134]
(100.0% in signature vs 42.01% overall) Module "mfplat.dll" = true [100.0% vs 57.42% if platform_version = 10.0.17134]
(90.00% in signature vs 33.26% overall) Module "RTWorkQ.dll" = true [100.0% vs 57.42% if platform_version = 10.0.17134]
(86.00% in signature vs 31.82% overall) bios_manufacturer = American Megatrends Inc. [86.00% vs 37.20% if platform = Windows NT]

Top 10 frames of crashing thread:

0 xul.dll void nsCycleCollector::ScanRoots xpcom/base/nsCycleCollector.cpp:2968
1 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3434
2 xul.dll nsCycleCollector_collect xpcom/base/nsCycleCollector.cpp:3949
3 xul.dll void mozilla::CycleCollectedJSRuntime::OnGC xpcom/base/CycleCollectedJSRuntime.cpp:1426
4 xul.dll js::gc::GCRuntime::maybeCallGCCallback js/src/gc/GC.cpp:7612
5 xul.dll js::gc::GCRuntime::gcCycle js/src/gc/GC.cpp:7701
6 xul.dll js::gc::GCRuntime::collect js/src/gc/GC.cpp:7865
7 xul.dll JS::NonIncrementalGC js/src/gc/GC.cpp:8792
8 xul.dll void mozilla::dom::WorkerPrivate::GarbageCollectInternal dom/workers/WorkerPrivate.cpp:4555
9 xul.dll nsTimerImpl::Fire xpcom/threads/nsTimerImpl.cpp:561

Jon, can you please look at this Fx69 topcrash?

status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → unaffected
tracking-firefox69: --- → +
tracking-firefox70: --- → +
Flags: needinfo?(jcoppeard)

Looks like this is hitting an assertion in the cycle collector.

Flags: needinfo?(continuation)

Ah, I missed that there was a CC assertion message. Thanks for pointing that out.

The cycle collector fields in the crash reports I looked at were all:
More references to an object than its refcount, for class Response

This sounds a lot like bug 1564821, which is a UAF of a Response object. Baku has a patch up for that, so hopefully that will fix this. If not, maybe some other issue is lurking.

Group: dom-core-security
Flags: needinfo?(jcoppeard)
Flags: needinfo?(continuation)
Regressed by: 1557781
Component: XPCOM → DOM: File
Summary: Crash in [@ nsCycleCollector::ScanRoots] → More references to an object than its refcount, for class Response
Depends on: 1564821

Probably a dupe, but I'll rate it until we can confirm that.

Keywords: csectype-uaf, sec-high

Looks like a fix is landing this morning in bug 1564821.

No longer blocks: 1567419
Depends on: 1567419

The priority flag is not set for this bug.
:hsinyi, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(htsai)
Flags: needinfo?(htsai)
Priority: -- → P1

Hi Andrew,
Do you think we have enough data to rate if this is a dupe. of bug 1564821? What's the next step here? Thanks!

Flags: needinfo?(continuation)

Yeah, the Response variant of this crash seems to have gone away. I'm not sure which of the two bugs this depends on fixed it, so I'll mark it worksforme.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(continuation)
Resolution: --- → WORKSFORME
Assignee: nobody → amarchesini
Group: dom-core-security
See Also: → 1612857
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.