Closed Bug 1718286 Opened 3 years ago Closed 3 years ago

Crash in [@ nsTArray_Impl<T>::Clear | mozilla::dom::ResizeObserver::GatherActiveObservations]

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
91 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox89 --- unaffected
firefox90 --- unaffected
firefox91 blocking fixed

People

(Reporter: aryx, Unassigned)

References

(Regression)

Details

(4 keywords)

Crash Data

29 content crashes from 12 installations, all with Firefox 91.0a1 20210625093436 on Windows.

It's a regression from bug 1717620. Emilio, shall it get backed out?

Crash report: https://crash-stats.mozilla.org/report/index/dd2fac1b-c2c1-4a5a-a25b-c95670210625

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll nsTArray_Impl<RefPtr<mozilla::dom::ResizeObservation>, nsTArrayInfallibleAllocator>::Clear xpcom/ds/nsTArray.h:1936
1 xul.dll mozilla::dom::ResizeObserver::GatherActiveObservations dom/base/ResizeObserver.cpp:253
2 xul.dll mozilla::dom::ResizeObserverController::Notify dom/base/ResizeObserverController.cpp:104
3 xul.dll nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:2243
4 xul.dll mozilla::RefreshDriverTimer::TickRefreshDrivers layout/base/nsRefreshDriver.cpp:326
5 xul.dll mozilla::RefreshDriverTimer::Tick layout/base/nsRefreshDriver.cpp:342
6 xul.dll mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver layout/base/nsRefreshDriver.cpp:704
7 xul.dll mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync layout/base/nsRefreshDriver.cpp:617
8 xul.dll mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync layout/base/nsRefreshDriver.cpp:538
9 xul.dll mozilla::dom::VsyncChild::RecvNotify dom/ipc/VsyncChild.cpp:68
Severity: -- → S2

See e.g. bp-283ae5fd-fb40-43e7-8789-48e610210625 for [@ mozilla::dom::ResizeObserver::GatherActiveObservations].

Crash Signature: [@ nsTArray_Impl<T>::Clear | mozilla::dom::ResizeObserver::GatherActiveObservations] → [@ mozilla::dom::ResizeObserver::GatherActiveObservations] [@ nsTArray_Impl<T>::Clear | mozilla::dom::ResizeObserver::GatherActiveObservations]
Flags: needinfo?(emilio)
OS: Windows → All
Hardware: Unspecified → All

Is there any chance fuzzers have seen this? If this is very frequent please back out otherwise I'd rather try to repro it.

Flags: needinfo?(emilio) → needinfo?(jkratzer)
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox91: affectedfixed
tracking-firefox91: --- → blocking
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
See Also: → 1719126

(In reply to Emilio Cobos Álvarez (:emilio) from comment #2)

Is there any chance fuzzers have seen this? If this is very frequent please back out otherwise I'd rather try to repro it.

:emilio, no unfortunately not.

Flags: needinfo?(jkratzer)

Carrying over the sec keywords from bug 1719126 for tracking purposes. No need for an advisory in a nightly-only bug though.

Keywords: csectype-uaf, sec-high
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.