Open Bug 1707518 Opened 5 months ago Updated 2 months ago

Crash in [@ mozilla::dom::BrowsingContext::PreOrderWalkVoid]

(Core :: DOM: Navigation, defect, P2)

Tracking Status
firefox-esr78 --- affected
firefox88 --- affected
firefox89 --- affected
firefox90 --- affected

(Reporter: aryx, Assigned: peterv)

(Keywords: crash)

Crash Data

Signature changed in the 89 development cycle due to bug 1572084 from [@ mozilla::dom::BrowsingContext::PreOrderWalk] (5 crashes from 5 installations) to [@ mozilla::dom::BrowsingContext::PreOrderWalkVoid] (4 crashes from 4 installations)

Crash report:
Top 6 frames of crashing thread:

0 XUL mozilla::dom::BrowsingContext::PreOrderWalkVoid docshell/base/BrowsingContext.cpp:1007
1 XUL XPCRootSetElem::RemoveFromRootSet js/xpconnect/src/XPCJSRuntime.cpp:3122
2 XUL nsXPCWrappedJS::Release js/xpconnect/src/XPCWrappedJS.cpp:280
3 XUL nsSHistory::PurgeHistory docshell/shistory/nsSHistory.cpp:1051
4 XUL NS_InvokeByIndex 
5 XUL XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:1142

This stack doesn't make much sense. The crash in comment 0 is a null-deref crash. nsSHistory::PurgeHistory calls PreOrder walk, but I don't understand why the two frames related to XPCWJS are in the stack. I don't see any reason that XPCWJS::Release would be called there. Maybe the stack walker is getting confused by some lambda goo.

See Also: → 1707578

Assigning to Peter because he is going to look at possibly-duplicate bug 1707578.

Assignee: nobody → peterv
Severity: -- → S3
Priority: -- → P2

I found what looks like another instance of this crash. Some of the crashes under this new signature and the old ones too appear to be UAFs, but most do not.

Crash Signature: [@ mozilla::dom::BrowsingContext::PreOrderWalkVoid] [@ mozilla::dom::BrowsingContext::PreOrderWalk] → [@ mozilla::dom::BrowsingContext::PreOrderWalkVoid] [@ mozilla::dom::BrowsingContext::PreOrderWalk] [@ PLDHashTable::Iterator::Iterator | mozilla::dom::syncedcontext::Transaction<T>::Commit]