1845348 - Crash in [@ nsCOMPtr<T>::~nsCOMPtr | mozilla::SegmentedVector<T>::SegmentImpl<T>::PopLast]

Status: RESOLVED DUPLICATE of bug 1045992

(Core :: XPCOM, defect)

Description

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Crash signature new in Firefox 115, ~150 crashes from ~100 installations. Some have the use-after-free address. A search for SegmentVector did not find any bugs for similar signatures.

Crash report: https://crash-stats.mozilla.org/report/index/488e3789-da2c-4e39-b9b1-e868a0230725

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  nsCOMPtr<nsISupports>::~nsCOMPtr  xpcom/base/nsCOMPtr.h:340
0  xul.dll  mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096, mozilla::MallocAllocPolicy>::SegmentImpl<508>::PopLast  mfbt/SegmentedVector.h:107
0  xul.dll  mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096, mozilla::MallocAllocPolicy>::PopLastN  mfbt/SegmentedVector.h:262
0  xul.dll  mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize  dom/bindings/BindingUtils.h:2804
1  xul.dll  mozilla::IncrementalFinalizeRunnable::ReleaseNow  xpcom/base/CycleCollectedJSRuntime.cpp:1716
2  xul.dll  mozilla::IncrementalFinalizeRunnable::Run  xpcom/base/CycleCollectedJSRuntime.cpp:1753
3  xul.dll  mozilla::RunnableTask::Run  xpcom/threads/TaskController.cpp:555
3  xul.dll  mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal  xpcom/threads/TaskController.cpp:879
4  xul.dll  mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal  xpcom/threads/TaskController.cpp:702
4  xul.dll  mozilla::TaskController::ProcessPendingMTTask  xpcom/threads/TaskController.cpp:491

Comment 1

[Andrew McCreight [:mccr8]]

I filed bug 1845173 about improving the signature for these crashes.