Closed Bug 1840922 Opened 2 years ago Closed 2 years ago

Crash in [@ CallbackHolder::CallbackHolder::<T>::operator()]

Categories

(Core :: DOM: Workers, defect)

Unspecified
Windows 11

RESOLVED DUPLICATE of bug 1839703

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/ebac788d-46a0-41d4-8a9a-dd0d70230622

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  CallbackHolder::CallbackHolder::<lambda_1>::operator const  xpcom/io/nsPipe3.cpp:73
0  xul.dll  NS_NewCancelableRunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:71:35'>::FuncCancelableRunnable::Run  xpcom/threads/nsThreadUtils.h:667
1  xul.dll  mozilla::dom::  dom/workers/WorkerPrivate.cpp:202
2  xul.dll  mozilla::dom::WorkerRunnable::Run  dom/workers/WorkerRunnable.cpp:377
3  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1234
3  xul.dll  NS_ProcessNextEvent  xpcom/threads/nsThreadUtils.cpp:479
4  xul.dll  mozilla::dom::WorkerPrivate::DoRunLoop  dom/workers/WorkerPrivate.cpp:3287
5  xul.dll  mozilla::dom::workerinternals::  dom/workers/RuntimeService.cpp:2149
6  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1234
6  xul.dll  NS_ProcessNextEvent  xpcom/threads/nsThreadUtils.cpp:479

This is very similar to bug 1839703: lots of DOM worker thread crashes on Firefox 115, access on a strong reference in a closure on a lambda. Very odd. Two different signatures for this one.

The other similar crash is this one:
bp-929349b4-fd6f-412b-b64b-d069f0230623

0  xul.dll  nsCOMPtr<nsIInputStreamCallback>::~nsCOMPtr  xpcom/base/nsCOMPtr.h:340
0  xul.dll  CallbackHolder::CallbackHolder::<lambda_1>::~  xpcom/io/nsPipe3.cpp:71
0  xul.dll  mozilla::detail::MaybeStorage<`lambda at /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:71:35', 0>::~MaybeStorage  mfbt/Maybe.h:269
0  xul.dll  NS_NewCancelableRunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:71:35'>::FuncCancelableRunnable::~FuncCancelableRunnable  xpcom/threads/nsThreadUtils.h:679
0  xul.dll  NS_NewCancelableRunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/io/nsPipe3.cpp:71:35'>::FuncCancelableRunnable::~FuncCancelableRunnable  xpcom/threads/nsThreadUtils.h:679
1  xul.dll  mozilla::Runnable::Release  xpcom/threads/nsThreadUtils.cpp:62
1  xul.dll  mozilla::DiscardableRunnable::Release  xpcom/threads/nsThreadUtils.cpp:87
1  xul.dll  mozilla::CancelableRunnable::Release  xpcom/threads/nsThreadUtils.cpp:90
2  xul.dll  xul.dll@0xf03cf0  
3  xul.dll  mozilla::dom::WorkerRunnable::Release  dom/workers/WorkerRunnable.cpp:209

Hi Randell, is the fix from bug 1839703 supposed to help here, too?

Flags: needinfo?(rjesup)

Yes, I think these are likely the same issue.

Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: CVE-2023-3600
Flags: needinfo?(rjesup)
Resolution: --- → DUPLICATE
Group: dom-core-security