Closed Bug 1913774 Opened 1 year ago Closed 1 year ago

Crash in [@ objc_msgSend | -[_NSTrackingAreaAKManager _updateActiveTrackingAreasForWindowLocation:modifierFlags:]]

Categories

(Core :: Widget: Cocoa, defect)

Firefox 122
Desktop
macOS
defect

RESOLVED DUPLICATE of bug 1880582

People

(Reporter: yannis, Unassigned)

Details

Crash Data

In this parent process use-after-free macOS crash, objc_msgSend dereferences a poisoned value. It seems that the crash started to spike with Firefox 124 although it could have preexisted, with very low but non-zero crash volume in 122 and 123. It is still a topcrasher parent crash today. Example of a recent Nightly crash here. Call stack:

0 	libobjc.A.dylib 	objc_msgSend
1 	AppKit 	-[_NSTrackingAreaAKManager _updateActiveTrackingAreasForWindowLocation:modifierFlags:]
2 	AppKit 	__58-[_NSTrackingAreaAKManager _activeTrackingAreasNeedUpdate]_block_invoke
3 	AppKit 	___NSMainRunLoopPerformBlockInModes_block_invoke
4 	CoreFoundation 	__CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__
5 	CoreFoundation 	__CFRunLoopDoBlocks
6 	CoreFoundation 	__CFRunLoopRun
7 	CoreFoundation 	CFRunLoopRunSpecific
8 	HIToolbox 	RunCurrentEventLoopInMode
9 	HIToolbox 	ReceiveNextEventCommon
10 	HIToolbox 	_BlockUntilNextEventMatchingListInModeWithFilter
11 	AppKit 	_DPSNextEvent
12 	AppKit 	-[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:]
13 	XUL 	-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	widget/cocoa/nsAppShell.mm:196
14 	AppKit 	-[NSApplication run]
15 	XUL 	-[GeckoNSApplication run] 	widget/cocoa/nsAppShell.mm:174
16 	XUL 	nsAppShell::Run() 	widget/cocoa/nsAppShell.mm:871
17 	XUL 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp:296
18 	XUL 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp:5827
19 	XUL 	XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) 	toolkit/xre/nsAppRunner.cpp:6052
20 	XUL 	XRE_main(int, char**, mozilla::BootstrapConfig const&) 	toolkit/xre/nsAppRunner.cpp:6128
21 	firefox 	do_main(int, char**, char**) 	browser/app/nsBrowserApp.cpp:233
21 	firefox 	main 	browser/app/nsBrowserApp.cpp:470
22 	dyld 	start

Some user comments mention that this occurred after closing a window or a tab.

Group: core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 1880582
Resolution: --- → DUPLICATE
Group: core-security-release