Closed Bug 1624251 Opened 5 years ago Closed 5 years ago

Crash in [@ objc_retain | -[NSProgress cancel]]

Categories

(Core :: Widget: Cocoa, defect, P1)

Product:
Core
Component:
Widget: Cocoa
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- fixed

People

(Reporter: gsvelto, Assigned: christoph-wa)

References

(Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1624251 - Fix use-after-free in nsMacFinderProgress
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-5ab2b585-02c1-49f0-97db-c59e00200322.

Top 10 frames of crashing thread:

0 libobjc.A.dylib objc_retain 
1 Foundation -[NSProgress cancel] 
2 Foundation __NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S0__ 
3 Foundation -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] 
4 Foundation message_handler 
5 libxpc.dylib _xpc_connection_call_event_handler 
6 libxpc.dylib _xpc_connection_mach_event 
7 libdispatch.dylib _dispatch_client_callout4 
8 libdispatch.dylib _dispatch_mach_msg_invoke 
9 libdispatch.dylib _dispatch_lane_serial_drain

Low-volume crash but looks like a nasty one: the NSProgress code is accessing either a NULL or an already freed pointer. Note that this is not happening on the main thread.

Scouring our code-base I found only one use of NSProgress in nsMacFinderProgress.mm.

I'm not familiar with this code but there's something that looks odd. In the destructor we release both the cancellationHandler and the object itself but without calling unpublish first. In the End() method we call unpublish before releasing the object but we don't release the cancellationHandler.

Since this code is being called on a separate thread is it possible we're doing something wrong in one of those two sequences causing a callback to access a nil'd or free'd object?

Christoph, do you have time to take a look at this?

Flags: needinfo?(christoph-wa)
Regressed by: 909760
Has Regression Range: --- → yes
Priority: -- → P1

I'll take a look. I remember having troubles with a memory leak, which lead to this destructor.

Flags: needinfo?(christoph-wa)
Assignee: nobody → christoph-wa
Status: NEW → ASSIGNED
Pushed by spohl@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/40fe811eab33 Fix use-after-free in nsMacFinderProgress r=spohl

https://hg.mozilla.org/mozilla-central/rev/40fe811eab33

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox76: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: