Closed Bug 1576827 Opened 6 years ago Closed 6 years ago

Crash in [@ nsTArray_Impl<T>::~nsTArray_Impl | mozilla::net::CookieSettings::~CookieSettings]

Categories

(Core :: Networking: Cookies, defect)

All
Unspecified
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1544127
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- wontfix

People

(Reporter: philipp, Unassigned)

References

Details

(4 keywords)

Crash Data

This bug is for crash report bp-bd770288-e7f0-4ff3-94bb-ce99a0190824.

Top 10 frames of crashing thread:

0 xul.dll void nsTArray_Impl<RefPtr<nsIPermission>, nsTArrayInfallibleAllocator>::~nsTArray_Impl xpcom/ds/nsTArray.h:881
1 xul.dll mozilla::net::CookieSettings::~CookieSettings netwerk/cookie/CookieSettings.cpp:99
2 xul.dll mozilla::net::CookieSettings::Release netwerk/cookie/CookieSettings.cpp:282
3 xul.dll mozilla::net::LoadInfo::~LoadInfo netwerk/base/LoadInfo.h:167
4 xul.dll mozilla::net::LoadInfo::Release netwerk/base/LoadInfo.cpp:586
5 xul.dll mozilla::net::HttpBaseChannel::~HttpBaseChannel netwerk/protocol/http/HttpBaseChannel.cpp:258
6 xul.dll void mozilla::net::nsHttpChannel::~nsHttpChannel netwerk/protocol/http/nsHttpChannel.cpp:357
7 xul.dll unsigned long mozilla::net::DataChannelChild::Release xpcom/ds/nsHashPropertyBag.cpp:236
8 xul.dll mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize dom/bindings/BindingUtils.h:2697
9 xul.dll mozilla::IncrementalFinalizeRunnable::ReleaseNow xpcom/base/CycleCollectedJSRuntime.cpp:1267

this low-volume crash signature is starting to show up during the 69.0b cycle and looking security sensitive in some instances.

Keywords: sec-high

could you triage this bug? thanks!

Flags: needinfo?(valentin.gosu)

Doesn't this belong to the LoadInfo UAF family?

I looked at the code in CookieSettings and its use of mCookiePermissions, and I can't see any obvious misuse.
I think Honza's thought that it probably relates to bug 1544127 is correct.

Do you think this should be duped to bug 1544127?

(In reply to Liz Henry (:lizzard) from comment #5)

Do you think this should be duped to bug 1544127?

Probably yes, they are closely related and the cause is probably the same.

(In reply to Liz Henry (:lizzard) from comment #5)

Do you think this should be duped to bug 1544127?

I would say so - the only other way would be if CookieSettings::CookiePermission is called off-main-thread.
Maybe we should turn the assert into a MOZ_RELEASE_ASSERT ?

Flags: needinfo?(valentin.gosu)

(In reply to Valentin Gosu [:valentin] (he/him) from comment #7)

(In reply to Liz Henry (:lizzard) from comment #5)

Do you think this should be duped to bug 1544127?

I would say so - the only other way would be if CookieSettings::CookiePermission is called off-main-thread.
Maybe we should turn the assert into a MOZ_RELEASE_ASSERT ?

I agree with that, I'll file a bug, but I think DIAGNOSTIC will do.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: network-core-security
You need to log in before you can comment on or make changes to this bug.