Open Bug 1688587 Opened 9 months ago Updated 2 months ago

Crash in [@ free | core::ptr::drop_in_place | webrender::render_backend::RenderBackend::process_transaction]

Categories

(Core :: Graphics: WebRender, defect)

Unspecified
macOS
defect

People

(Reporter: gsvelto, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/77040078-cbfb-4011-b292-53a000210125

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 4 frames of crashing thread:

0 libmozglue.dylib free memory/build/malloc_decls.h:54
1 XUL core::ptr::drop_in_place /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:184
2 XUL webrender::render_backend::RenderBackend::process_transaction gfx/wr/webrender/src/render_backend.rs:949
3 libGL.dylib glGetShaderSource 

Another likely instance of bug 1676343. Ticks all the boxes as usual:

  • Use-after-free that happens only on macOS
  • Versions 10.15 and older are affected
  • Happens in a piece of code where the locking should be sound given it never fails on other platforms

Severity: -- → S3
Depends on: 1726029