Use-after-free crash in [@ mozilla::net::ProxyAutoConfig::MyIPAddressTryHost]
Categories
(Core :: Networking: HTTP, defect, P1)
Tracking
()
| | Tracking | Status |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox95 | --- | unaffected |
| firefox96 | --- | unaffected |
| firefox97 | --- | fixed |
People
(Reporter: mccr8, Assigned: kershaw)
References
(Regression)
Details
(4 keywords, Whiteboard: [necko-triaged])
Crash Data
Attachments
(1 obsolete file)
Crash report: https://crash-stats.mozilla.org/report/index/015a2800-7f3a-4174-860a-356dc0211216
Reason: EXCEPTION_ACCESS_VIOLATION_READ
Top 4 frames of crashing thread:
0 xul.dll mozilla::net::ProxyAutoConfig::MyIPAddressTryHost netwerk/base/ProxyAutoConfig.cpp:995
1 xul.dll mozilla::net::ProxyAutoConfig::MyIPAddress netwerk/base/ProxyAutoConfig.cpp:1071
2 xul.dll mozilla::net::PACMyIpAddress netwerk/base/ProxyAutoConfig.cpp:587
3 None @0x0000030cb889a0e9
There are a couple of crashes with this signature. The rax register contains a jemalloc poison value.
Reporter | Comment 1 • 3 years ago
It looks like this feature is Nightly-only for now.
Reporter | Comment 2 • 3 years ago
Maybe [@ mozilla::net::ProxyAutoConfig::MyIPAddress ] is the same crash on Windows? Not a lot of these, but they also have a poison value in rax.
Assignee | Comment 3 • 3 years ago
I think the problem is that ProxyAutoConfig is released too early here. In ProxyAutoConfig, we spin the event loop while waiting for the DNS result. At this point, if ProxyAutoConfigChild::ActorDestroy is called, we get this crash.
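The lifetime problem described in comment 3, as an added C++ model that is neither Gecko code nor the patch from bug 1746543: an object spins a nested event loop while its only owner's teardown is already queued, and a strong reference held across the spin (one general mitigation, assumed here) keeps it alive. The names `Loop`, `Pac`, `MyIp` and `Scenario` and the address 192.0.2.1 are constructed for this example.

```cpp
// Added illustration: hypothetical names, not Gecko code.
#include <deque>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

struct Loop {  // minimal single-threaded event queue
  std::deque<std::function<void()>> q;
  void RunOne() { auto f = std::move(q.front()); q.pop_front(); f(); }
};

struct Pac : std::enable_shared_from_this<Pac> {
  Loop& loop;
  bool* destroyed;  // lives outside the object, so it is safe to read later
  std::string localIp;
  Pac(Loop& l, bool* d) : loop(l), destroyed(d) {}
  ~Pac() { *destroyed = true; }
  // Spins the loop until the (simulated) DNS answer arrives.
  // keepAlive pins the object for the duration of the nested loop.
  std::string MyIp(bool keepAlive) {
    std::shared_ptr<Pac> pin = keepAlive ? shared_from_this() : nullptr;
    Loop& l = loop;          // copy everything the spin needs into locals
    bool* dead = destroyed;
    auto done = std::make_shared<bool>(false);
    l.q.push_back([done] { *done = true; });  // DNS result, queued last
    while (!*done) l.RunOne();                // teardown may run in here
    // Without the pin, the next member access would read freed memory.
    // This model checks the external flag instead, so it stays well defined.
    if (*dead) return "freed-during-spin";
    localIp = "192.0.2.1";   // constructed documentation address
    return localIp;
  }
};

// One run: the owner's teardown is already queued when MyIp starts spinning.
std::string Scenario(bool keepAlive) {
  Loop loop;
  bool destroyed = false;
  auto owner = std::make_shared<Pac>(loop, &destroyed);  // the only owner
  Pac* raw = owner.get();
  loop.q.push_back([&owner] { owner.reset(); });  // models ActorDestroy
  return raw->MyIp(keepAlive);
}

int main() {
  std::cout << Scenario(false) << "\n" << Scenario(true) << "\n";
}
```
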
Assignee | Comment 4 • 3 years ago
Assignee | Comment 5 • 3 years ago
Sorry, this bug was closed by mistake.
Comment 6 • 3 years ago
Comment on attachment 9255892 [details]
Bug 1746537, r=#necko
Revision D134137 was moved to bug 1746543. Setting attachment 9255892 [details] to obsolete.
Comment 7 • 3 years ago
Set release status flags based on info from the regressing bug 1745385
Comment 8 • 3 years ago
No recent crashes it would appear. Did bug 1746543 fix this crash too?
Assignee | Comment 9 • 3 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> No recent crashes it would appear. Did bug 1746543 fix this crash too?

Yes, I think so. We can close this one.