Crash in [@ mozilla::ipc::IProtocol::ActorDealloc]
Categories: Core :: DOM: Service Workers, defect
People: Reporter: gsvelto, Unassigned
Keywords: crash, csectype-uaf
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/2729b88e-17c0-48d4-886d-9315a0210103
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll mozilla::ipc::IProtocol::ActorDealloc ipc/glue/ProtocolUtils.h:335
1 xul.dll mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy ipc/glue/ProtocolUtils.cpp:277
2 xul.dll std::_Func_impl_no_alloc<`lambda at /builds/worker/workspace/obj-build/ipc/ipdl/PMediaTransportParent.cpp:1116:44', void, const mozilla::dom::NotReallyMovableButLetsPretendItIsRTCStatsCollection&>::_Delete_this vs2017_15.8.4/VC/include/functional:1240
3 xul.dll mozilla::Maybe<`lambda at /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1364:7'>::reset mfbt/Maybe.h:665
4 xul.dll mozilla::MozPromise<CopyableTArray<bool>, nsresult, 1>::ThenValueBase::ResolveOrRejectRunnable::Run xpcom/threads/MozPromise.h:476
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
6 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:332
7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327
8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
9 xul.dll static nsThread::ThreadFunc xpcom/threads/nsThread.cpp:441
The stack points to IPC code, but I might be wrong with this one, so feel free to move it to another component. This is a UAF.
Comment 1•4 years ago
I looked at about 8 of these crashes on release. For instance, bp-0491d902-f058-4fff-8bf4-21e440201231
The bulk of the release crashes have shutdown progress of xpcom-shutdown, so it looks like a shutdown race. These crashes are happening on the IPDL Background thread. For most of the crashes, the main thread is spinning the event loop in ParentImpl::ShutdownObserver::Observe().
Thinking about this some more, it looks like it is just a dupe of bug 1683490, so I'll dupe it over.