Closed
Bug 1694009
Opened 5 years ago
Closed 4 months ago
Crash in [@ CCGraphBuilder::NoteXPCOMChild | XPCWrappedNative::cycleCollection::TraverseNative] use after free
Categories
(Core :: Cycle Collector, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: wsmwk, Unassigned)
Details
(Keywords: crash, Whiteboard: [tbird crash])
Crash Data
#127 crash for 78.7.1. Flat crash rate for last 6 months, version 68-78.
Crash report: https://crash-stats.mozilla.org/report/index/a173633a-3075-4351-9691-77d160210220
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 10 frames of crashing thread:
0 xul.dll CCGraphBuilder::NoteXPCOMChild xpcom/base/nsCycleCollector.cpp:2158
1 xul.dll XPCWrappedNative::cycleCollection::TraverseNative js/xpconnect/src/XPCWrappedNative.cpp:86
2 xul.dll CCGraphBuilder::BuildGraph xpcom/base/nsCycleCollector.cpp:2064
3 xul.dll nsCycleCollector::MarkRoots xpcom/base/nsCycleCollector.cpp:2665
4 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3413
5 xul.dll nsCycleCollector_collectSlice xpcom/base/nsCycleCollector.cpp:3920
6 xul.dll static nsJSContext::RunCycleCollectorSlice dom/base/nsJSEnvironment.cpp:1597
7 xul.dll ICCRunnerFired dom/base/nsJSEnvironment.cpp:1647
8 xul.dll virtual bool __thiscall std::_Func_impl_no_alloc<bool
9 xul.dll mozilla::IdleTaskRunner::Run xpcom/threads/IdleTaskRunner.cpp:54
|
||
Comment 1•5 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr78/file/tip/xpcom/base/nsCycleCollector.cpp#l2158 shouldn't crash. Or should that check be if (!(*aChild) || ...
Or something like that?
Flags: needinfo?(benc)
|
Reporter | |
Updated•4 years ago
|
Flags: needinfo?(continuation)
|
||
Comment 2•4 years ago
|
||
My guess would be that the crash is inside CanonicalizeXPCOMParticipant, and that it is being inlined.
Flags: needinfo?(continuation)
|
|
Reporter | |
Updated•4 years ago
|
Version: unspecified → 68
|
|
Reporter | |
Comment 3•4 years ago
|
||
Firefox bp-47636857-46c7-4bd2-b476-4ad4e0211003
Thunderbird version 91 crash rate is about same as 78.
- bp-baf90c5c-9d7a-4f2f-8518-2a6eb0211030 Crash Address 0xe5e5e5e5
- bp-087796c9-960f-410b-8d39-9397f0211031 Crash Address 0x0000000000000000
Severity: -- → S4
Component: General → XPCOM
Flags: needinfo?(benc)
Product: Thunderbird → Core
Whiteboard: [tbird crash]
Version: 68 → 68 Branch
|
|
||
Updated•3 years ago
|
Component: XPCOM → Cycle Collector
|
|
Reporter | |
Comment 4•4 months ago
|
||
Crash versions currently only v102
Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•