Closed
Bug 1683035
Opened 4 years ago
Closed 4 years ago
Crash in [@ mozilla::dom::quota::DirectoryLockImpl::NotifyOpenListener]
Categories: (Core :: Storage: Quota Manager, defect)
Status: RESOLVED DUPLICATE of bug 1682100
People: (Reporter: gsvelto, Unassigned)
References: (Blocks 1 open bug)
Details: (Keywords: crash, csectype-uaf)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/2db02eee-2b8f-4415-b6fe-fbc7c0201216
Reason: EXCEPTION_ACCESS_VIOLATION_WRITE
Top 10 frames of crashing thread:
0 xul.dll mozilla::dom::quota::DirectoryLockImpl::NotifyOpenListener dom/quota/ActorsParent.cpp:2954
1 xul.dll mozilla::dom::quota::DirectoryLockImpl::~DirectoryLockImpl dom/quota/ActorsParent.cpp:2883
2 xul.dll mozilla::dom::quota::DirectoryLockImpl::Release dom/quota/ActorsParent.cpp:842
3 xul.dll mozilla::dom::quota::`anonymous namespace'::NormalOriginOperationBase::UnblockOpen dom/quota/ActorsParent.cpp:8282
4 xul.dll mozilla::dom::quota::`anonymous namespace'::OriginOperationBase::Run dom/quota/ActorsParent.cpp:8080
5 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
6 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:332
7 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327
8 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:309
9 xul.dll static nsThread::ThreadFunc xpcom/threads/nsThread.cpp:441
This crash was detected by PHC and it's a use-after-free of a DirectoryLockImpl
object. The object was allocated at this stack:
Alloc stack:
#0 mozilla::dom::quota::QuotaManager::OpenDirectory(mozilla::dom::quota::PersistenceType, mozilla::dom::quota::GroupAndOrigin const&, mozilla::dom::quota::Client::Type, bool, RefPtr<mozilla::dom::quota::OpenDirectoryListener>) (xul.pdb)
#1 mozilla::dom::`anonymous namespace'::PrepareDatastoreOp::BeginDatastorePreparationInternal() (xul.pdb)
#2 mozilla::dom::`anonymous namespace'::PrepareDatastoreOp::NestedRun() (xul.pdb)
#3 mozilla::dom::`anonymous namespace'::LSRequestBase::Run() (xul.pdb)
#4 nsThread::ProcessNextEvent(bool, bool*) (xul.pdb)
#5 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (xul.pdb)
#6 MessageLoop::RunHandler() (xul.pdb)
#7 MessageLoop::Run() (xul.pdb)
#8 static nsThread::ThreadFunc(void*) (xul.pdb)
#9 _PR_NativeRunThread(void*) (nss3.pdb)
#10 pr_root(void*) (nss3.pdb)
#11 thread_start<unsigned int (__cdecl*)(void *),1> (ucrtbase.pdb)
#12 BaseThreadInitThunk (kernel32.pdb)
#13 RtlUserThreadStart (ntdll.pdb)
And freed at this one:
#0 mozilla::dom::quota::DirectoryLockImpl::~DirectoryLockImpl() (xul.pdb)
#1 mozilla::dom::quota::DirectoryLockImpl::Release() (xul.pdb)
#2 mozilla::dom::quota::`anonymous namespace'::NormalOriginOperationBase::UnblockOpen() (xul.pdb)
#3 mozilla::dom::quota::`anonymous namespace'::OriginOperationBase::Run() (xul.pdb)
#4 nsThread::ProcessNextEvent(bool, bool*) (xul.pdb)
#5 mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) (xul.pdb)
#6 MessageLoop::RunHandler() (xul.pdb)
#7 MessageLoop::Run() (xul.pdb)
#8 static nsThread::ThreadFunc(void*) (xul.pdb)
#9 _PR_NativeRunThread(void*) (nss3.pdb)
#10 pr_root(void*) (nss3.pdb)
#11 thread_start<unsigned int (__cdecl*)(void *),1> (ucrtbase.pdb)
#12 BaseThreadInitThunk (kernel32.pdb)
#13 RtlUserThreadStart (ntdll.pdb)
Updated • 4 years ago
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Updated • 4 years ago
Group: core-security → dom-core-security
Updated • 1 year ago
Group: dom-core-security