Closed
Bug 1754713
Opened 4 years ago
Closed 4 years ago
Crash in [@ mozilla::detail::SupportCheckedUnsafePtrImpl<T>::~SupportCheckedUnsafePtrImpl | mozilla::dom::Worker::cycleCollection::Unlink]
Categories
(Core :: DOM: Workers, defect)
Tracking
(RESOLVED DUPLICATE of bug 1752856)
Version | Tracking | Status |
---|---|---|
firefox-esr91 | --- | unaffected |
firefox97 | --- | unaffected |
firefox98 | --- | affected |
firefox99 | --- | affected |
People
(Reporter: aryx, Unassigned)
Details
(Keywords: crash)
Crash Data
28 crashes from 21 installations across operating systems, first crash had been observed with Firefox 98.0a1 20220126034745
Crash report: https://crash-stats.mozilla.org/report/index/b3ed3766-9d44-4e46-a617-1c4ab0220210
MOZ_CRASH Reason: MOZ_CRASH(Found dangling CheckedUnsafePtr)
Top 10 frames of crashing thread:
0 xul.dll mozilla::detail::SupportCheckedUnsafePtrImpl<mozilla::CrashOnDanglingCheckedUnsafePtr, mozilla::CheckingSupport::Enabled>::~SupportCheckedUnsafePtrImpl dom/quota/CheckedUnsafePtr.h:284
1 xul.dll mozilla::dom::Worker::cycleCollection::Unlink dom/workers/Worker.cpp:188
2 xul.dll nsCycleCollector::CollectWhite xpcom/base/nsCycleCollector.cpp:3074
3 xul.dll nsCycleCollector::Collect xpcom/base/nsCycleCollector.cpp:3430
4 xul.dll nsCycleCollector_collectSlice xpcom/base/nsCycleCollector.cpp:3921
5 xul.dll static mozilla::CCGCScheduler::CCRunnerFired dom/base/nsJSEnvironment.cpp:1569
6 xul.dll virtual bool __thiscall std::_Func_impl_no_alloc<bool
7 xul.dll mozilla::IdleTaskRunner::Run xpcom/threads/IdleTaskRunner.cpp:124
8 xul.dll mozilla::IdleTaskRunnerTask::Run xpcom/threads/IdleTaskRunner.cpp:45
9 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:770
Updated•4 years ago
Group: core-security
Comment 1•4 years ago
[Inlineframe] xul.dll!mozilla::CrashOnDanglingCheckedUnsafePtr::NotifyCheckFailure() Zeile 247 C++
[Inlineframe] xul.dll!mozilla::CheckingPolicyAccess::NotifyCheckFailure(mozilla::CrashOnDanglingCheckedUnsafePtr & aPolicy) Zeile 215 C++
[Inlineframe] xul.dll!mozilla::CheckCheckedUnsafePtrs<mozilla::CrashOnDanglingCheckedUnsafePtr>::Check(nsTArray<mozilla::detail::CheckedUnsafePtrBaseCheckingEnabled *> & aCheckedUnsafePtrs) Zeile 239 C++
xul.dll!mozilla::detail::SupportCheckedUnsafePtrImpl<mozilla::CrashOnDanglingCheckedUnsafePtr,mozilla::CheckingSupport::Enabled>::~SupportCheckedUnsafePtrImpl() Zeile 284 C++
[Inlineframe] xul.dll!mozilla::dom::WorkerPrivate::Release() Zeile 126 C++
[Inlineframe] xul.dll!mozilla::RefPtrTraits<mozilla::dom::WorkerPrivate>::Release(mozilla::dom::WorkerPrivate * aPtr) Zeile 50 C++
[Inlineframe] xul.dll!RefPtr<mozilla::dom::WorkerPrivate>::ConstRemovingRefPtrTraits<mozilla::dom::WorkerPrivate>::Release(mozilla::dom::WorkerPrivate * aPtr) Zeile 381 C++
[Inlineframe] xul.dll!RefPtr<mozilla::dom::WorkerPrivate>::assign_assuming_AddRef(mozilla::dom::WorkerPrivate * aNewPtr) Zeile 69 C++
[Inlineframe] xul.dll!RefPtr<mozilla::dom::WorkerPrivate>::operator=(void *) Zeile 168 C++
> [Inlineframe] xul.dll!mozilla::dom::Worker::Terminate() Zeile 175 C++
xul.dll!mozilla::dom::Worker::cycleCollection::Unlink(void * p) Zeile 188 C++
xul.dll!nsCycleCollector::CollectWhite() Zeile 3074 C++
When we destroy the Worker object, we find someone else still holding a reference to WorkerPrivate, but we do not know who this could be from the stack.
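The check that fires in the stack above, as an added model that is not part of the original comment and is not Mozilla's `CheckedUnsafePtr.h`: a target keeps a list of the non-owning pointers aimed at it and reports any that remain when it is destroyed. `SupportsCheckedPtr`, `CheckedPtr`, `CountDangling`, `WorkerPrivateModel` and `FailuresOnDestroy` are hypothetical names, and the counting policy stands in for the crashing one so the result can be asserted.

```cpp
#include <algorithm>
#include <vector>

static int gFailures = 0;
// Hypothetical policy: count the failure and continue, so the check can be
// asserted on. The policy in this bug's stack ends in MOZ_CRASH instead.
struct CountDangling {
  static void NotifyCheckFailure() { ++gFailures; }
};
template <typename Policy> struct CheckedPtr;

// Base class for objects that a CheckedPtr may point at.
template <typename Policy>
struct SupportsCheckedPtr {
  std::vector<CheckedPtr<Policy>*> mPtrs;  // every pointer currently aimed at us
  ~SupportsCheckedPtr() {
    if (mPtrs.empty()) return;             // nothing would dangle
    Policy::NotifyCheckFailure();
    for (auto* p : mPtrs) p->mTarget = nullptr;  // reached only if the policy returns
  }
};

// Non-owning pointer that registers itself with its target.
template <typename Policy>
struct CheckedPtr {
  SupportsCheckedPtr<Policy>* mTarget;
  explicit CheckedPtr(SupportsCheckedPtr<Policy>* t) : mTarget(t) {
    if (mTarget) mTarget->mPtrs.push_back(this);
  }
  CheckedPtr(const CheckedPtr&) = delete;
  CheckedPtr& operator=(const CheckedPtr&) = delete;
  ~CheckedPtr() { Reset(); }
  void Reset() {                           // unregister before the target dies
    if (!mTarget) return;
    auto& v = mTarget->mPtrs;
    v.erase(std::remove(v.begin(), v.end(), this), v.end());
    mTarget = nullptr;
  }
};
struct WorkerPrivateModel : SupportsCheckedPtr<CountDangling> {};

// Destroys the target with one CheckedPtr alive; returns failures reported.
int FailuresOnDestroy(bool resetFirst) {
  gFailures = 0;
  auto* target = new WorkerPrivateModel;
  CheckedPtr<CountDangling> observer(target);
  if (resetFirst) observer.Reset();
  delete target;  // runs ~SupportsCheckedPtr and its check
  return gFailures;
}
int main() { return FailuresOnDestroy(false) == 1 && FailuresOnDestroy(true) == 0 ? 0 : 1; }
```

As in the stack above, the failure is reported from the target's destructor, so the trace shows who destroyed the object rather than who still points at it.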
Comment 2•4 years ago
I assume this is not really a very concerning sec-issue in the end, it is similar to bug 1752120.
Flags: needinfo?(echuang)
Updated•4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(echuang)
Resolution: --- → DUPLICATE
Updated•2 years ago
Group: core-security