Closed Bug 1968429 Opened 4 months ago Closed 4 months ago

Crash in [@ nsTArray_Impl<T>::end | nsTArray_Impl<T>::cend | nsAutoTObserverArray<T>::NonObservingRange]

Categories

(Core :: Cycle Collector, defect)

Other
All
defect


RESOLVED INCOMPLETE
Tracking Status
firefox140 --- affected

People

(Reporter: release-mgmt-account-bot, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/0ceda412-4e73-47c3-93ad-a76870250519

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::Length const  xpcom/ds/nsTArray.h:439
0  xul.dll  nsTArray_Impl<mozilla::EventListenerManager::Listener, nsTArrayInfallibleAllocator>::end const  xpcom/ds/nsTArray.h:1286
0  xul.dll  nsTArray_Impl<mozilla::EventListenerManager::Listener, nsTArrayInfallibleAllocator>::cend const  xpcom/ds/nsTArray.h:1288
0  xul.dll  nsAutoTObserverArray<mozilla::EventListenerManager::Listener, 1>::NonObservingRange const  xpcom/ds/nsTObserverArray.h:511
0  xul.dll  mozilla::EventListenerManager::MarkForCC  dom/events/EventListenerManager.cpp:2189
1  xul.dll  mozilla::dom::FragmentOrElement::MarkNodeChildren  dom/base/FragmentOrElement.cpp:1381
1  xul.dll  mozilla::dom::FragmentOrElement::CanSkip  dom/base/FragmentOrElement.cpp:1607
1  xul.dll  mozilla::dom::FragmentOrElement::cycleCollection::CanSkipReal  dom/base/FragmentOrElement.cpp:1740
1  xul.dll  nsCycleCollectionParticipant::CanSkip  xpcom/base/nsCycleCollectionParticipant.h:356
1  xul.dll  RemoveSkippableVisitor::Visit  xpcom/base/nsCycleCollector.cpp:2776

By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:

  • First crash report: 2025-03-29
  • Process type: Multiple distinct types
  • Is startup crash: No
  • Has user comments: No
  • Is null crash: No
  • Is use after free crash: Yes - 1 out of 10 crashes happened on or near an allocator poison value

Looks like maybe 10% of these crashes are on the poison value, in the last 6 months. I'm not sure how actionable this is.

Group: core-security → dom-core-security
Component: General → Cycle Collector
Keywords: csectype-uaf
Severity: -- → S3

Lots of potential bit-flips here. This seems like a great candidate for our new memory testing infrastructure. We don't have the data indexed in crash-stats yet (see bug 1948941), but once we do we might be able to verify how many of these potential bit-flips are happening on faulty machines.
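The two heuristics used above to triage this signature, "crashed on or near an allocator poison value" (the bot's use-after-free indicator) and "potential bit-flip" (a faulting address one bit away from a recognisable pattern), are simple enough to show as code. The following is an added triage example, not code from this bug, from crash-stats or from Mozilla; it assumes the allocator fills freed memory with the byte 0xE5 (so a read through a dangling pointer faults at 0xE5E5…E5 plus a small field offset), assumes a window of 0x1000 bytes for "near", and runs over a constructed list of crash addresses rather than the reports behind this signature.

```python
"""Classify faulting addresses against an allocator free-poison pattern.

Added triage example; not code from this bug or from crash-stats.
Assumptions: freed memory is poisoned with byte 0xE5, and a field offset of
at most NEAR_WINDOW bytes still counts as "near" the poisoned pointer.
"""
from collections import Counter

POISON_BYTE = 0xE5      # assumed free-poison byte
NEAR_WINDOW = 0x1000    # assumed largest field offset counted as "near"


def poison_pattern(width_bytes: int) -> int:
    """Pointer-sized value of repeated poison bytes (0xE5E5E5E5 on 32-bit)."""
    return int.from_bytes(bytes([POISON_BYTE]) * width_bytes, "little")


def classify_crash_address(addr: int, width_bytes: int = 8) -> str:
    """Return poison, near-poison, poison-bitflip, null-or-small or other."""
    mask = (1 << (8 * width_bytes)) - 1
    addr &= mask
    pattern = poison_pattern(width_bytes)
    if addr == pattern:
        return "poison"            # dereferenced the poisoned pointer itself
    if 0 < abs(addr - pattern) <= NEAR_WINDOW:
        return "near-poison"       # poisoned pointer plus a field offset
    diff = addr ^ pattern
    if diff & (diff - 1) == 0:
        return "poison-bitflip"    # exactly one bit differs from the pattern
    if addr < 0x10000:
        return "null-or-small"     # null pointer plus a field offset
    return "other"


def summarize(crashes, width_bytes: int = 8) -> dict:
    """Count each class and report how many look like use-after-free."""
    counts = Counter(classify_crash_address(c["address"], width_bytes)
                     for c in crashes)
    return {
        "total": len(crashes),
        "counts": dict(counts),
        "uaf_like": counts["poison"] + counts["near-poison"],
        "bitflip_suspects": counts["poison-bitflip"],
    }


# Constructed sample addresses (not taken from the reports in this bug).
SAMPLE_CRASHES = [
    {"id": "c01", "address": 0xE5E5E5E5E5E5E5F5},  # poison pointer + 0x10
    {"id": "c02", "address": 0xE5E5E5E5E5E5A5E5},  # one bit away from poison
    {"id": "c03", "address": 0x38},
    {"id": "c04", "address": 0x0},
    {"id": "c05", "address": 0x120},
    {"id": "c06", "address": 0x7FFD12345678},
    {"id": "c07", "address": 0x1F2A3B4C5D60},
    {"id": "c08", "address": 0x7FFD22334455},
    {"id": "c09", "address": 0x2A1B3C4D5E6F},
    {"id": "c10", "address": 0xDEADBEEFCAFE},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_CRASHES))
```

On the constructed sample this reports 1 of 10 crashes as use-after-free-like, the same shape as the bot's insight above, and flags one address as a single-bit deviation from the poison pattern; the latter is only a hint that the machine, not the code, may be at fault, which is why correlating such reports with memory-test results is needed before drawing conclusions.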

Good catch. Yeah, this looks very junky. Let's just close it. Olli and I looked at some crash reports and couldn't figure anything out.

Status: NEW → RESOLVED
Closed: 4 months ago
Resolution: --- → INCOMPLETE
Group: dom-core-security