Closed Bug 1417057 Opened 7 years ago Closed 6 years ago

stylo: Crash in style::stylist::CascadeData::clear_cascade_data

Categories

(Core :: CSS Parsing and Computation, defect, P3)

Unspecified
Windows
defect

Tracking

RESOLVED INACTIVE
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- wontfix
firefox58 + wontfix
firefox59 + wontfix
firefox60 --- ?

People

(Reporter: marcia, Assigned: svoisen)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [sec-triage-backlog])

Crash Data

This bug was filed from the Socorro interface and is report bp-e4db3c04-42e9-415a-9a8d-14ae70171113.
=============================================================
Seen while looking at crash stats: http://bit.ly/2moNMWi. Crashes are seen in 59/58 and 57. Marking as sec sensitive since several crashes appear to be UAF (https://crash-stats.mozilla.com/report/index/471e1461-81a7-43e4-9a47-a9f450171110 is one example).

URLs
https://outlook.office.com/
https://gomovies.pet/film/game-of-thrones-season-2-1621.k5yJ/watching.html?ep=783562
https://www.facebook.com/
http://www.lolesports.com/en_US/worlds/world_championship_2017/matches/elimination/R3M1
https://www.eprice.it/carrello.aspx

Top 10 frames of crashing thread:
0 xul.dll style::stylist::CascadeData::clear_cascade_data servo/components/style/stylist.rs:2216
1 xul.dll style::stylist::CascadeData::clear servo/components/style/stylist.rs:2227
2 xul.dll geckoservo::glue::Servo_StyleSet_FlushStyleSheets servo/ports/geckolib/glue.rs:1098
3 xul.dll mozilla::ServoStyleSet::UpdateStylist layout/style/ServoStyleSet.cpp:1434
4 xul.dll nsIDocument::FlushUserFontSet dom/base/nsDocument.cpp:13489
5 xul.dll nsIDocument::GetUserFontSet dom/base/nsDocument.cpp:13466
6 xul.dll nsDocLoader::DocLoaderIsEmpty uriloader/base/nsDocLoader.cpp:698
7 xul.dll nsDocLoader::OnStopRequest uriloader/base/nsDocLoader.cpp:632
8 xul.dll mozilla::net::nsLoadGroup::RemoveRequest netwerk/base/nsLoadGroup.cpp:629
9 xul.dll nsDocument::DoUnblockOnload dom/base/nsDocument.cpp:9292
=============================================================
[Tracking Requested - why for this release]: new UAF
Per IRL discussion, Emilio said he could take a look to see if this is a variant of some of our known Stylo fuzz bugs.
Flags: needinfo?(emilio)
This is probably just the hashmaps crashes from bug 1406996... It's not clear to me it's UAF, but it could be (when I was investigating bug 1414999, the old pres context memory was clobbered by the style hashmaps, so if we manage to get along without noticing...)
Flags: needinfo?(emilio)
Crash Signature: [@ style::stylist::CascadeData::clear_cascade_data] → [@ style::stylist::CascadeData::clear] [@ style::stylist::CascadeData::clear_cascade_data] [@ shutdownhang | style::stylist::CascadeData::clear_cascade_data]
OS: Windows 10 → Windows
Priority: -- → P3
(In reply to Emilio Cobos Álvarez [:emilio] from comment #3)
> It's not clear to me it's UAF

bp-5b24d6fc-d6e4-4cdf-95d0-177430171115 seems to be using free-poisoned addresses. There's a small chance it's something uninitialized and allocated on a freed chunk, but UAF is a better bet.
This crash is very low volume. There were only about 100 crash reports across all channels last week.
Summary: Crash in style::stylist::CascadeData::clear_cascade_data → stylo: Crash in style::stylist::CascadeData::clear_cascade_data
Crash Signature: [@ style::stylist::CascadeData::clear] [@ style::stylist::CascadeData::clear_cascade_data] [@ shutdownhang | style::stylist::CascadeData::clear_cascade_data] → [@ style::stylist::CascadeData::clear] [@ style::stylist::CascadeData::clear_cascade_data] [@ shutdownhang | style::stylist::CascadeData::clear_cascade_data] [@ style::selector_map::MaybeCaseInsensitiveHashMap<T>::clear<T>]
Jet: please find appropriate folks to work on these security bugs.
Assignee: nobody → bugs
I told Freddy that I'll switch from the rust maps to OrderMap on nightly to see if that had any effect on the crash rate.
Flags: needinfo?(emilio)
Back out and weep, I suppose. Thank you for testing this, Emilio. At least, it gives us confidence that the bug lies elsewhere.
Flags: needinfo?(fbraun)
Noting for the record that this bug is not actionable as it stands, per my discussion with Emilio.
Whiteboard: [sec-triage-backlog]
Keywords: stalled
Assignee: bugs → svoisen
Group: layout-core-security
Status: NEW → RESOLVED
Crash Signature: [@ style::stylist::CascadeData::clear] [@ style::stylist::CascadeData::clear_cascade_data] [@ shutdownhang | style::stylist::CascadeData::clear_cascade_data] [@ style::selector_map::MaybeCaseInsensitiveHashMap<T>::clear<T>] → [@ style::stylist::CascadeData::clear] [@ style::stylist::CascadeData::clear_cascade_data] [@ shutdownhang | style::stylist::CascadeData::clear_cascade_data] [@ style::selector_map::MaybeCaseInsensitiveHashMap<T>::clear<T>] [@ hashglobe::hash_map::Has…
Closed: 6 years ago
Keywords: testcase-wanted
Resolution: --- → INACTIVE