Crash in [@ mozilla::dom::ServiceWorkerPrivate::ServiceWorkerPrivate]
Categories
(Core :: DOM: Service Workers, defect)
Tracking
()
People
(Reporter: agi, Unassigned)
Details
(Keywords: crash)
Crash Data
This looks like a UAF to me so starting out as sec bug.
This bug is for crash report bp-be2c5425-e8f1-43c2-b1e1-c4ae50200706.
Top 10 frames of crashing thread:
0 libxul.so mozilla::dom::ServiceWorkerPrivate::ServiceWorkerPrivate dom/serviceworkers/ServiceWorkerPrivate.cpp:92
1 libxul.so mozilla::dom::ServiceWorkerInfo::ServiceWorkerInfo dom/serviceworkers/ServiceWorkerInfo.cpp:188
2 libxul.so mozilla::dom::ServiceWorkerManager::LoadRegistration dom/serviceworkers/ServiceWorkerManager.cpp:1769
3 libxul.so mozilla::dom::ServiceWorkerManager::LoadRegistrations dom/serviceworkers/ServiceWorkerManager.cpp:1787
4 libxul.so mozilla::dom::ServiceWorkerManager::Init dom/serviceworkers/ServiceWorkerManager.cpp:482
5 libxul.so mozilla::dom::ServiceWorkerManager::GetInstance dom/serviceworkers/ServiceWorkerManager.cpp:1662
6 libxul.so mozilla::dom::Document::DispatchContentLoadedEvents dom/base/Document.cpp:7290
7 libxul.so mozilla::dom::Document::UnblockDOMContentLoaded dom/base/Document.cpp:7399
8 libxul.so mozilla::dom::Document::EndLoad dom/base/Document.cpp:7352
9 libxul.so mozilla::dom::PrototypeDocumentContentSink::DoneWalking dom/prototype/PrototypeDocumentContentSink.cpp:640
Comment 1•4 years ago
|
||
It seems that all recent 14 crashes happen on Fenix and have the same build ID (20200702094606) and install time (2020-07-04 16:18:07) on Android, which makes me assume, this always happens on the very same device. The crash reason is SIGILL / ILL_ILLOPC
, that is illegal opcode
. Apart from that the reported stack looks sane and reproduces identical 14 times over 2 days, so I would not assume this to be a random physical memory corruption that makes the instruction pointer point to illegal code. The code executed seems very basic for service workers and should probably trigger for each use of them, so I wonder how this could have passed unobserved through autoland, if we see a corrupted build here - unless it has been corrupted during/after download/install.
The two older occurrences on Firefox happen slightly later in the code. As we did several improvements around the SW lifecycle since then, I would probably wait for more recent reports, if any.
:asuth, do you see anything actionable here?
Comment 2•4 years ago
|
||
Version "0.0a1" -- is this just a corrupted install? Although the "startup" field says "0" the uptime on these crashes are only 1 or 2 seconds.
scary-looking crash, but if it's just this one dodgy-looking install we don't need to keep it hidden
Reporter | ||
Comment 3•4 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #2)
Version "0.0a1" -- is this just a corrupted install? Although the "startup" field says "0" the uptime on these crashes are only 1 or 2 seconds.
scary-looking crash, but if it's just this one dodgy-looking install we don't need to keep it hidden
0.0a1
is the version for Fenix nightly
Comment 4•4 years ago
|
||
Closing because no crashes reported for 12 weeks.
Updated•2 years ago
|
Description
•