Closed Bug 722771 Opened 12 years ago Closed 6 years ago

PreciseGCRunnable.mCx can be deleted before the runnable runs

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INACTIVE

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: crash)

Attachments

(1 file)

gdb output
6.64 KB, text/plain
Details
Attached file gdb output 
The mCx field of a PreciseGCRunnable can become dangling if the window is closed. With MallocScribble=1, this will usually crash [@ JSRuntime::onOwnerThread].

The testcase from the fuzzer looks something like this, but I had trouble reducing it all the way.

  fuzzPriv.schedulePreciseGC();
  window.open("data:text/html,1");
  fuzzPriv.closeTabThenQuit();
Is there any reason we can't just use the safe JS context here?
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: