Closed
Bug 795284
Opened 12 years ago
Closed 12 years ago
Write after free related to mozilla::TracerRunnable::~TracerRunnable()
Categories
(Core :: DOM: UI Events & Focus Handling, defect)
Tracking
()
RESOLVED
FIXED
mozilla18
Tracking | Status | |
---|---|---|
firefox18 | --- | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: jseward, Assigned: jseward)
References
Details
(Keywords: sec-moderate, valgrind, Whiteboard: [adv-main18+])
Attachments
(2 files)
23.56 KB,
text/plain
|
Details | |
644 bytes,
patch
|
blassey
:
review+
|
Details | Diff | Splinter Review |
Multiple read- and write-after-free and double free errors observed at
shutdown on Fennec.
STR: build with profiler (SPS) support. Start Fennec. Start the
profiler using "Toggle Sampling" in the main menu. Then use main menu
to quit. There are multiple invalid memory accesses, ending in a
segfault (which may or may not be related).
Assignee | ||
Comment 1•12 years ago
|
||
Here is the V output. Although there are a whole bunch of errors
reported, it is clear that they are all accesses to the same 24-byte
block that has already been freed. So I think these all result from
the same underlying problem.
Assignee | ||
Comment 2•12 years ago
|
||
Probably caused by incorrect use of nsCOMPtr, in CleanUpWidgetTracing
in widget/android/AndroidBridge.cpp (thanks Ms2get for confirmation):
nsCOMPtr<TracerRunnable> sTracerRunnable;
bool InitWidgetTracing() {
if (!sTracerRunnable)
sTracerRunnable = new TracerRunnable();
return true;
}
void CleanUpWidgetTracing() {
if (sTracerRunnable)
delete sTracerRunnable;
sTracerRunnable = nullptr;
}
Assignee | ||
Comment 3•12 years ago
|
||
Comment 4•12 years ago
|
||
Any reason you haven't flagged review? This patch seems like it fixes a clear problem and it's ready to land.
Updated•12 years ago
|
Attachment #666943 -
Flags: review?(blassey.bugs)
Comment 5•12 years ago
|
||
Ok blassey can review this, turns out I needed to find an intersection between the android widget peers and someone who can access this bug.
Updated•12 years ago
|
Attachment #666943 -
Flags: review?(blassey.bugs) → review+
Updated•12 years ago
|
Keywords: checkin-needed
Updated•12 years ago
|
Assignee: nobody → jseward
Status: NEW → ASSIGNED
Comment 6•12 years ago
|
||
Pushed to Try.
https://tbpl.mozilla.org/?tree=Try&rev=70bffe879810
Comment 7•12 years ago
|
||
When did this regress? If it regressed sometime ago and affects the branches, we may first have to request sec-approval.
Comment 8•12 years ago
|
||
The event tracer is only used by profiling and a few limited internal tools. While this code as shipped I don't think it's worth uplifting.
Comment 9•12 years ago
|
||
Setting sec-low based on comment 8. sec-approval does not need to be requested on the patch, so it can land after Try turns green.
Keywords: sec-low
Comment 10•12 years ago
|
||
Flags: in-testsuite+
Keywords: checkin-needed
Comment 11•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-firefox18:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
Keywords: sec-low → sec-moderate
Comment 12•12 years ago
|
||
Did this affect Firefox 17 (and, therefore ESR 17)?
Updated•12 years ago
|
Whiteboard: [adv-main18+]
Updated•12 years ago
|
Group: core-security
status-firefox-esr17:
--- → unaffected
Updated•6 years ago
|
Component: Event Handling → User events and focus handling
You need to log in
before you can comment on or make changes to this bug.
Description
•