Closed Bug 1650745 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::dom::ScriptLoader::EncodeBytecode]

Categories

(Core :: Performance, defect, P2)

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- unaffected
firefox77 --- unaffected
firefox78 --- unaffected
firefox79 --- disabled
firefox80 --- disabled
firefox81 --- disabled
firefox82 --- fixed

People

(Reporter: gsvelto, Assigned: denispal)

References

(Regression)

Details

(4 keywords)

Crash Data

This bug is for crash report bp-0f7bd42a-e321-4ee3-9b9a-7194d0200702.

Top 10 frames of crashing thread:

0 xul.dll mozilla::dom::ScriptLoader::EncodeBytecode dom/script/ScriptLoader.cpp:3099
1 xul.dll mozilla::detail::RunnableMethodImpl< xpcom/threads/nsThreadUtils.h:1240
2 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:459
3 xul.dll mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:82:7'>::Run xpcom/threads/nsThreadUtils.h:577
4 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1234
5 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:513
6 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:87
7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327
8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
9 xul.dll nsBaseAppShell::Run widget/nsBaseAppShell.cpp:137

Disregard the crashes that aren't in nightly because they're unrelated. This is a NULL pointer exception which started with buildid 20200610214041. Given the date and the fact that the crash is happening in a runnable, I suspect that this might be a regression from bug 1606652. Denis, can you have a look and check if my hunch is correct?

Flags: needinfo?(dpalmeiro)

Based on the build id, it is very likely it's regressed by bug 1606652. These crashes seem to go back all the way to February, but it appears that my change has exposed more cases and made it much more frequent. I will try to reproduce this with the given URLs.

Group: mozilla-employee-confidential, core-security
Flags: needinfo?(dpalmeiro)
Regressed by: 1606652
See Also: → 1649765
Has Regression Range: --- → yes
Group: mozilla-employee-confidential
Group: core-security → dom-core-security

Set release status flags based on info from the regressing bug 1606652

dom.script_loader.external_scripts.speculative_omt_parse.enabled is only enabled for nightly builds.

I don't remember why I marked a null deref as sec-moderate. Maybe because it's a race? Any crashes that show worse symptoms than a null deref?

No, it appears like a plain NULL-deref. I've scoured a couple dozen crashes and there are no signs of nastier stuff. The worst part of it is that it's a race.

Severity: -- → S2
Priority: -- → P2
Group: dom-core-security
Keywords: regression
Assignee: nobody → dpalmeiro

Adding signature [@ mozilla::dom::ScriptLoader::GiveUpBytecodeEncoding ] here as these crashes look very similar and started at a similar point in time.

Crash Signature: [@ mozilla::dom::ScriptLoader::EncodeBytecode] → [@ mozilla::dom::ScriptLoader::EncodeBytecode] [@ mozilla::dom::ScriptLoader::GiveUpBytecodeEncoding ]
Depends on: 1662435
Depends on: 1663051

Fixed by 1663051.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED