Open Bug 1909077 Opened 6 months ago Updated 6 months ago

Crash in [@ nsINode::IsAttr]

Categories

(Core :: Cycle Collector, defect)

x86
Windows
defect

Tracking


Tracking Status
firefox130 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/81ec2f5b-7c1b-4c98-ba60-3b9d30240629

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  nsINode::IsAttr const  dom/base/nsINode.h:655
0  xul.dll  nsINode::UnoptimizableCCNode const  dom/base/nsINode.cpp:1465
0  xul.dll  nsINode::Traverse  dom/base/nsINode.cpp:1491
1  xul.dll  mozilla::dom::FragmentOrElement::cycleCollection::TraverseNative  dom/base/FragmentOrElement.cpp:1781
2  xul.dll  nsCycleCollectionParticipant::TraverseNativeAndJS  xpcom/base/nsCycleCollectionParticipant.h:228
2  xul.dll  CCGraphBuilder::BuildGraph  xpcom/base/nsCycleCollector.cpp:2126
3  xul.dll  nsCycleCollector::MarkRoots  xpcom/base/nsCycleCollector.cpp:2743
4  xul.dll  nsCycleCollector::Collect  xpcom/base/nsCycleCollector.cpp:3507
5  xul.dll  nsCycleCollector_collectSlice  xpcom/base/nsCycleCollector.cpp:4030
6  xul.dll  nsJSContext::RunCycleCollectorSlice  dom/base/nsJSEnvironment.cpp:1476

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2024-06-04
  • Process type: Content
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: Yes - 3 out of 8 crashes happened on null or near null memory address
  • Is use after free crash: Yes - 5 out of 8 crashes happened on or near an allocator poison value

Group: core-security
Component: General → Cycle Collector

Volume is relatively low, but if indeed there's UAF involved, it might be reasonable to put this as S2. Andrew, what do you think?

Flags: needinfo?(continuation)

Ah, sorry, I meant to give it a severity. Unfortunately this is one of our endless memory corruption GC/CC bugs where the UAF just indicates some code elsewhere has an issue, so we have no actual information.

Severity: -- → S4
Flags: needinfo?(continuation)