Use-after-free during startup on OSX with Fission enabled and e10s disabled
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
| Fission Milestone | M4 |
People
(Reporter: mccr8, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf)
Attachments
(1 file)
|
10.81 KB,
text/plain
|
Details |
When I run mochitests locally on OSX, we hit what looks like a UAF on startup:
Thread 0 (crashed)
0 XUL!mozilla::ipc::IPDLParamTraits<mozilla::dom::BrowsingContext*>::Write(IPC::Message*, mozilla::ipc::IProtocol*, mozilla::dom::BrowsingContext*) [BrowsingContext.cpp : 1004 + 0x8]
rax = 0xe5e5e5e5e5e5e5e5 rdx = 0x0000000000000000
rcx = 0xe5e5e5e5e5e5e5e5 rbx = 0x000000010612bdc0
1 XUL!mozilla::dom::PWindowGlobalChild::SendDidEmbedBrowsingContext(mozilla::dom::BrowsingContext*) [PWindowGlobalChild.cpp: : 175 + 0xe]
rbp = 0x00007ffee9d53d00 rsp = 0x00007ffee9d53cb0
rip = 0x000000010f935fee
Found by: previous frame's frame pointer
2 XUL!mozilla::dom::BrowsingContext::SetEmbedderElement(mozilla::dom::Element*) [BrowsingContext.cpp : 301 + 0xc]
rbp = 0x00007ffee9d53d60 rsp = 0x00007ffee9d53d10
|
Reporter | |
Comment 1•5 years ago
|
||
|
|
Reporter | |
Comment 2•5 years ago
|
||
Any ideas, Nika?
This could just be a side effect of the weird way we're shutting down partway through startup on OSX Mochitests.
|
|
Reporter | |
Comment 4•5 years ago
|
||
I guess this seems like a UAF we hit if e10s is disabled and Fission is enabled, which is not a supported configuration, so we don't need to worry about this. Presumably you are going to crash immediately before we load any content, so it doesn't seem dangerous.
|
||
Updated•5 years ago
|
Description
•