Closed Bug 1649765 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::dom::ScriptLoader::EncodeBytecode]

Categories: Core :: DOM: Core & HTML (defect)

Platform: Unspecified / Windows 10

Status: RESOLVED DUPLICATE of bug 1650745

People: Reporter: sg; Unassigned

References: Regression

This bug is for crash report bp-8969564a-c117-4a97-b765-3d67d0200701.

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::ScriptLoader::EncodeBytecode dom/script/ScriptLoader.cpp:3102
1 xul.dll mozilla::detail::RunnableMethodImpl< xpcom/threads/nsThreadUtils.h:1240
2 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1234
3 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:513
4 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
5 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327
6 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
7 xul.dll nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137
8 xul.dll nsAppShell::Run widget/windows/nsAppShell.cpp:430
9 xul.dll XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:913

This started with build id 20200610214041, so this might be related to Bug 1606652, which landed shortly before that?

Group: mozilla-employee-confidential → core-security
Group: core-security → dom-core-security

Denis, this null-ish pointer crash in https://hg.mozilla.org/mozilla-central/file/47f18d1138df7f10a4d6a0a92d00e5b7cfc8ca42/dom/script/ScriptLoader.cpp#l3102 seems related to your changes. Can you take a look when you have a chance? I can also help out if you don't have any obvious ideas.

Flags: needinfo?(dpalmeiro)

Looking, although the line number seems wrong. firefox79 is also probably not affected as bug 1606652 is enabled on nightly only for now.

Simon: are you worried this could be something other than a nullptr crash, that if it's a race some other wild value could be put there? Otherwise this particular stack doesn't look dangerous.

Flags: needinfo?(sgiesecke)
Keywords: csectype-race

(In reply to Daniel Veditz [:dveditz] from comment #3)

> Simon: are you worried this could be something other than a nullptr crash, that if it's a race some other wild value could be put there? Otherwise this particular stack doesn't look dangerous.

I have no specific indication. However, the state of the LinkedList seems to have become inconsistent, being !isEmpty() but getFirst() still returning nullptr, which seems to violate its invariants. The origin for this might be a race, but from the crash report I cannot tell.

Flags: needinfo?(sgiesecke)
See Also: → 1650745
See Also: → 1651066
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Group: dom-core-security
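As an added example (not code from Firefox or from this bug; the list, the corruption hook and all names below are my own, loosely modelled on the sentinel-node shape of mozilla::LinkedList), here is the invariant Simon refers to, isEmpty() and getFirst() agreeing, and a consumer loop that detects its violation and fails closed instead of dereferencing a null front element:

```cpp
// Added example, not Firefox code: a minimal sentinel-based intrusive list
// with hypothetical names, plus a consumer loop that drains it. The point is
// the invariant "non-empty implies a real first element" and what a consumer
// can do when that invariant is observed to be broken.
#include <cstddef>
#include <iostream>
#include <vector>

struct Node {
  Node* mNext = this;       // self-linked means "not in any list"
  Node* mPrev = this;
  bool mIsSentinel = false;
  int value = 0;

  bool isInList() const { return mNext != this; }
  // Neighbour lookups yield nullptr when they land on the sentinel.
  Node* asElement() { return mIsSentinel ? nullptr : this; }
};

class List {
 public:
  List() { mSentinel.mIsSentinel = true; }
  List(const List&) = delete;
  List& operator=(const List&) = delete;

  bool isEmpty() const { return !mSentinel.isInList(); }

  Node* getFirst() {
    Node* first = mSentinel.mNext;
    return first ? first->asElement() : nullptr;
  }

  void insertBack(Node* n) {
    n->mPrev = mSentinel.mPrev;
    n->mNext = &mSentinel;
    mSentinel.mPrev->mNext = n;
    mSentinel.mPrev = n;
  }

  Node* popFirst() {
    Node* n = getFirst();
    if (!n) return nullptr;
    n->mPrev->mNext = n->mNext;
    n->mNext->mPrev = n->mPrev;
    n->mNext = n->mPrev = n;
    return n;
  }

  // The invariant from the comment above: a non-empty list must have a real
  // element at the front. A null link, or a link to something flagged as a
  // sentinel, makes isEmpty() false while getFirst() returns nullptr.
  bool consistent() const {
    const Node* first = mSentinel.mNext;
    if (first == nullptr) return false;
    if (first == &mSentinel) return true;
    return !first->mIsSentinel;
  }

  // Constructed corruption for the demo only: it stands in for whatever
  // race or lifetime bug might leave the head link "null-ish". It is not a
  // real bug path and says nothing about how the crash in this bug arose.
  void simulateLostHeadLink() { mSentinel.mNext = nullptr; }

 private:
  Node mSentinel;
};

// Drain the list the way a queue consumer would, but check the invariant on
// every iteration and stop when it fails. Returns the number processed.
int drain(List& list, std::vector<int>* out, bool* bailed) {
  *bailed = false;
  int processed = 0;
  while (!list.isEmpty()) {
    if (!list.consistent()) {  // getFirst() would be nullptr here
      *bailed = true;
      break;
    }
    Node* n = list.popFirst();
    out->push_back(n->value);
    ++processed;
  }
  return processed;
}

int main() {
  List healthy;
  Node a, b, c;
  a.value = 1; b.value = 2; c.value = 3;
  healthy.insertBack(&a); healthy.insertBack(&b); healthy.insertBack(&c);
  std::vector<int> out;
  bool bailed = false;
  std::cout << "drained " << drain(healthy, &out, &bailed) << " elements\n";

  List broken;
  Node d; d.value = 4;
  broken.insertBack(&d);
  broken.simulateLostHeadLink();
  std::cout << "isEmpty=" << broken.isEmpty()
            << " getFirst==nullptr=" << (broken.getFirst() == nullptr)
            << " consistent=" << broken.consistent() << "\n";
  out.clear();
  drain(broken, &out, &bailed);
  std::cout << "bailed=" << bailed << "\n";
  return 0;
}
```

The check in drain() is deliberately cheap (three pointer comparisons) so it can stay in release builds; a real consumer would report the inconsistent state rather than silently stopping, since the state itself is the symptom worth investigating.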

Adding signature [@ mozilla::dom::ScriptLoader::GiveUpBytecodeEncoding ] here as these crashes look very similar and started at a similar point in time.

Crash Signature: [@ mozilla::dom::ScriptLoader::EncodeBytecode] → [@ mozilla::dom::ScriptLoader::EncodeBytecode] [@ mozilla::dom::ScriptLoader::GiveUpBytecodeEncoding ]
Has Regression Range: --- → yes
Keywords: regression