Closed Bug 1651442 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::dom::ServiceWorkerPrivate::ServiceWorkerPrivate]

Categories

(Core :: DOM: Service Workers, defect)

Product:
Core
Component:
DOM: Service Workers
Platform:
Unspecified
Android
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: agi, Unassigned)

Details

(Keywords: crash)

Crash Data

This looks like a UAF to me so starting out as sec bug.

This bug is for crash report bp-be2c5425-e8f1-43c2-b1e1-c4ae50200706.

Top 10 frames of crashing thread:

0 libxul.so mozilla::dom::ServiceWorkerPrivate::ServiceWorkerPrivate dom/serviceworkers/ServiceWorkerPrivate.cpp:92
1 libxul.so mozilla::dom::ServiceWorkerInfo::ServiceWorkerInfo dom/serviceworkers/ServiceWorkerInfo.cpp:188
2 libxul.so mozilla::dom::ServiceWorkerManager::LoadRegistration dom/serviceworkers/ServiceWorkerManager.cpp:1769
3 libxul.so mozilla::dom::ServiceWorkerManager::LoadRegistrations dom/serviceworkers/ServiceWorkerManager.cpp:1787
4 libxul.so mozilla::dom::ServiceWorkerManager::Init dom/serviceworkers/ServiceWorkerManager.cpp:482
5 libxul.so mozilla::dom::ServiceWorkerManager::GetInstance dom/serviceworkers/ServiceWorkerManager.cpp:1662
6 libxul.so mozilla::dom::Document::DispatchContentLoadedEvents dom/base/Document.cpp:7290
7 libxul.so mozilla::dom::Document::UnblockDOMContentLoaded dom/base/Document.cpp:7399
8 libxul.so mozilla::dom::Document::EndLoad dom/base/Document.cpp:7352
9 libxul.so mozilla::dom::PrototypeDocumentContentSink::DoneWalking dom/prototype/PrototypeDocumentContentSink.cpp:640

It seems that all recent 14 crashes happen on Fenix and have the same build ID (20200702094606) and install time (2020-07-04 16:18:07) on Android, which makes me assume, this always happens on the very same device. The crash reason is SIGILL / ILL_ILLOPC , that is illegal opcode. Apart from that the reported stack looks sane and reproduces identical 14 times over 2 days, so I would not assume this to be a random physical memory corruption that makes the instruction pointer point to illegal code. The code executed seems very basic for service workers and should probably trigger for each use of them, so I wonder how this could have passed unobserved through autoland, if we see a corrupted build here - unless it has been corrupted during/after download/install.

The two older occurrences on Firefox happen slightly later in the code. As we did several improvements around the SW lifecycle since then, I would probably wait for more recent reports, if any.

:asuth, do you see anything actionable here?

Flags: needinfo?(bugmail)

Version "0.0a1" -- is this just a corrupted install? Although the "startup" field says "0" the uptime on these crashes are only 1 or 2 seconds.

scary-looking crash, but if it's just this one dodgy-looking install we don't need to keep it hidden

Group: core-security

(In reply to Daniel Veditz [:dveditz] from comment #2)

Version "0.0a1" -- is this just a corrupted install? Although the "startup" field says "0" the uptime on these crashes are only 1 or 2 seconds.

scary-looking crash, but if it's just this one dodgy-looking install we don't need to keep it hidden

0.0a1 is the version for Fenix nightly

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
Flags: needinfo?(bugmail)
You need to log in before you can comment on or make changes to this bug.