Crash at [@ CCGraphBuilder::NoteXPCOMChild | mozilla::dom::IDBTransaction::cycleCollection::TraverseNative]
(Core :: Storage: IndexedDB, defect, P3)
(Reporter: shawnjohnjr, Unassigned)
See:
https://crash-stats.mozilla.org/report/index/58d0ccd2-8178-4d60-b7cc-77eee0211115
Crashing Thread (29), Name: DOM Worker
Frame Module Signature Source Trust
0 xul.dll CCGraphBuilder::NoteXPCOMChild(nsISupports*) xpcom/base/nsCycleCollector.cpp:2152 context
1 xul.dll mozilla::dom::IDBTransaction::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) dom/indexedDB/IDBTransaction.cpp:959 cfi
2 xul.dll CCGraphBuilder::BuildGraph(js::SliceBudget&) xpcom/base/nsCycleCollector.cpp:2058 cfi
3 xul.dll nsCycleCollector::MarkRoots(js::SliceBudget&) xpcom/base/nsCycleCollector.cpp:2663 cfi
4 xul.dll nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) xpcom/base/nsCycleCollector.cpp:3411 cfi
5 xul.dll nsCycleCollector_collect(nsICycleCollectorListener*) xpcom/base/nsCycleCollector.cpp:3910 cfi
6 xul.dll mozilla::dom::workerinternals::`anonymous namespace'::WorkerJSRuntime::CustomGCCallback(JSGCStatus) dom/workers/RuntimeService.cpp:861 cfi
7 xul.dll js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) js/src/gc/GC.cpp:3611 cfi
8 xul.dll js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) js/src/gc/GC.cpp:3688 cfi
9 xul.dll js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) js/src/gc/GC.cpp:3890 cfi
10 xul.dll js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) js/src/gc/GC.cpp:3971 cfi
11 xul.dll mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) dom/workers/WorkerPrivate.cpp:3084 cfi
12 xul.dll mozilla::dom::workerinternals::`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() dom/workers/RuntimeService.cpp:2242 cfi
13 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1142 cfi
14 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:300 cfi
15 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:324 cfi
16 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:306 cfi
17 xul.dll static nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:390 cfi
18 nss3.dll _PR_NativeRunThread(void*) nsprpub/pr/src/threads/combined/pruthr.c:399 cfi
19 nss3.dll pr_root(void*) nsprpub/pr/src/md/windows/w95thred.c:139 cfi
20 ucrtbase.dll thread_start<unsigned int (__cdecl*)(void*), 1> cfi
21 kernel32.dll BaseThreadInitThunk cfi
22 ntdll.dll RtlUserThreadStart cfi
23 kernelbase.dll TerminateProcessOnMemoryExhaustion scan
Comment 1•3 years ago
I cracked this up and I see:
> [Inlineframe] xul.dll!CanonicalizeXPCOMParticipant(nsISupports * aIn) Zeile 846 C++
> xul.dll!CCGraphBuilder::NoteXPCOMChild(nsISupports * aChild) Zeile 2152 C++
> [Inlineframe] xul.dll!CycleCollectionNoteChildImpl<mozilla::dom::IDBDatabase,1>::Run(nsCycleCollectionTraversalCallback & aCallback, mozilla::dom::IDBDatabase * aChild) Zeile 56 C++
> [Inlineframe] xul.dll!CycleCollectionNoteChild(nsCycleCollectionTraversalCallback & aCallback, mozilla::dom::IDBDatabase * aChild, const char * aName, unsigned int aFlags) Zeile 75 C++
> [Inlineframe] xul.dll!ImplCycleCollectionTraverse(nsCycleCollectionTraversalCallback & aCallback, RefPtr<mozilla::dom::IDBDatabase> & aField, const char * aName, unsigned int aFlags) Zeile 408 C++
> xul.dll!mozilla::dom::IDBTransaction::cycleCollection::TraverseNative(void * p, nsCycleCollectionTraversalCallback & cb) Zeile 960 C++
and in particular
if (!aChild || !(aChild = CanonicalizeXPCOMParticipant(aChild))) {
00007FF80D0AE8BA 4D 85 F6 test r14,r14
00007FF80D0AE8BD 0F 84 C0 03 00 00 je CCGraphBuilder::NoteXPCOMChild+413h (07FF80D0AEC83h)
00007FF80D0AE8C3 48 C7 44 24 58 00 00 00 00 mov qword ptr [rsp+58h],0
00007FF80D0AE8CC 49 8B 06 mov rax,qword ptr [r14]
00007FF80D0AE8CF 48 8B 00 mov rax,qword ptr [rax] <---- ***** nullptr *****
00007FF80D0AE8D2 48 8D 35 97 36 E9 FF lea rsi,[nsStyledElement::QueryInterface (07FF80CF41F70h)]
00007FF80D0AE8D9 48 39 F0 cmp rax,rsi
00007FF80D0AE8DC 74 1C je CCGraphBuilder::NoteXPCOMChild+8Ah (07FF80D0AE8FAh)
00007FF80D0AE8DE 48 8D 0D EB 74 FB FF lea rcx,[nsTextNode::QueryInterface (07FF80D065DD0h)]
00007FF80D0AE8E5 48 39 C8 cmp rax,rcx
00007FF80D0AE8E8 74 10 je CCGraphBuilder::NoteXPCOMChild+8Ah (07FF80D0AE8FAh)
00007FF80D0AE8EA 48 8D 0D 1F 3E EC FF lea rcx,[mozilla::dom::HTMLInputElement::QueryInterface (07FF80CF72710h)]
00007FF80D0AE8F1 48 39 C8 cmp rax,rcx
00007FF80D0AE8F4 0F 85 F7 03 00 00 jne CCGraphBuilder::NoteXPCOMChild+481h (07FF80D0AECF1h)
return;
}
If I interpret the disassembly correctly, this is the access to the virtual QueryInterface function pointer that somehow fails?
Comment 2•3 years ago
This seems to be a very rare case. Not sure what could have caused this. Some random memory corruption is a possibility.
Comment 3•3 years ago (Reporter)
I remember that many crash signatures at CanonicalizeXPCOMParticipant are somehow related to UAF problems. Maybe something somewhere holds a raw IDBTransaction pointer?
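The raw-pointer hypothesis from comment 3, modelled as an added example that is not Gecko code (Participant, TraversalCallback, Traverse and RunScenario are all hypothetical names): a transaction-like object caches a database-like object through both a raw pointer and a weak pointer, the database's sole owner releases it, and a NoteXPCOMChild-style traversal walks the edges. The raw pointer cannot report that its target is gone, so following it would be exactly the vtable load that faults in the disassembly above; the weak pointer reports expiry, and the traversal's existing null check skips it.

```cpp
#include <memory>
#include <string>
#include <vector>

// Added example (not Gecko code): a toy model of a cycle-collector traversal.
// Every name here is hypothetical.

struct Participant {
  std::string name;
  // Owning edges: these keep children alive, like RefPtr<> fields.
  std::vector<std::shared_ptr<Participant>> strongChildren;
  // Two ways of remembering another object without owning it.
  Participant* rawCache = nullptr;        // carries no lifetime information
  std::weak_ptr<Participant> weakCache;   // knows when its target is gone
};

struct TraversalCallback {
  std::vector<std::string> noted;  // children the traversal reported
  int skippedNull = 0;             // children skipped by the null check

  // Same shape as CCGraphBuilder::NoteXPCOMChild: a null child is silently
  // skipped; a non-null one is dereferenced (here: its name is read; in Gecko:
  // its vtable, via QueryInterface in CanonicalizeXPCOMParticipant).
  void NoteChild(Participant* child) {
    if (!child) { ++skippedNull; return; }
    noted.push_back(child->name);
  }
};

// Traverse one participant: strong edges are always reported; the weak cache
// is reported only while its target is alive. The raw cache is deliberately
// never followed, because nothing can tell whether it dangles.
void Traverse(const Participant& p, TraversalCallback& cb) {
  for (const auto& c : p.strongChildren) cb.NoteChild(c.get());
  cb.NoteChild(p.weakCache.lock().get());  // null once the target died
}

struct Scenario {
  bool rawStillSet;   // raw pointer is unchanged after its target died
  bool weakExpired;   // weak pointer reports the target as gone
  int noted;          // children actually reported by Traverse
  int skippedNull;    // null children skipped by NoteChild
};

// Scenario: a transaction-like object caches a database-like object that is
// later released by its only owner, then the traversal runs.
Scenario RunScenario() {
  auto txn = std::make_shared<Participant>();
  txn->name = "transaction";
  auto request = std::make_shared<Participant>();
  request->name = "request";
  txn->strongChildren.push_back(request);

  {
    auto db = std::make_shared<Participant>();  // this scope is the sole owner
    db->name = "database";
    txn->rawCache = db.get();
    txn->weakCache = db;
  }  // db destroyed here: rawCache now dangles, weakCache knows it

  TraversalCallback cb;
  Traverse(*txn, cb);
  return Scenario{txn->rawCache != nullptr, txn->weakCache.expired(),
                  static_cast<int>(cb.noted.size()), cb.skippedNull};
}
```

The scenario reports one noted child (the strongly held request), one skipped null (the expired weak edge) and a raw pointer that still holds its stale address. That is the defensive pattern the null check in NoteXPCOMChild relies on: non-owning references to cycle-collected objects have to be cleared or checked when the target goes away, because the traversal itself has no way to distinguish a dangling pointer from a live one.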