Closed
Bug 1166036
Opened 9 years ago
Closed 9 years ago
Intermittent test_capture.html | application crashed [@ std::_Hash<std::_Uset_traits<mozilla::gfx::DrawTargetD2D1 *,std::_Uhash_compare<mozilla::gfx::DrawTargetD2D1 *,std::hash<mozilla::gfx::DrawTargetD2D1 *>,std::equal_to<mozilla::gfx::DrawTargetD2D1 *>
Categories
(Core :: Graphics: Layers, defect)
Tracking
RESOLVED
INCOMPLETE
| | Tracking | Status |
|---|---|---|
| firefox41 | --- | affected |
People
(Reporter: RyanVM, Unassigned)
References
Details
(4 keywords)
Setting as s-s based on the 0x5a5a5a5a5a5a5a5a I'm seeing on the stack.

https://treeherder.mozilla.org/logviewer.html#?job_id=9935114&repo=mozilla-inbound

06:26:50 INFO - 1837 INFO TEST-START | dom/canvas/test/test_capture.html
06:26:50 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost
06:26:53 INFO - TEST-INFO | Main app process: exit status 1
06:26:53 INFO - 1838 INFO Checking that all video elements become red after first drawColor(red).
06:26:53 INFO - 1839 INFO Drawing color 255,0,0,255
06:26:53 INFO - 1840 INFO TEST-PASS | dom/canvas/test/test_capture.html | vauto hould not be drawn to before stable state
06:26:53 INFO - 1841 INFO TEST-PASS | dom/canvas/test/test_capture.html | vrate Should not be drawn to before stable state
06:26:53 INFO - 1842 INFO TEST-PASS | dom/canvas/test/test_capture.html | vmanual Should not be drawn to before stable state
06:26:53 INFO - 1843 INFO Testing vauto against [255,0,0,255]
06:26:53 INFO - 1844 INFO TEST-PASS | dom/canvas/test/test_capture.html | vauto should become red automatically
06:26:53 INFO - 1845 INFO Testing vrate against [255,0,0,255]
06:26:53 INFO - 1846 INFO TEST-PASS | dom/canvas/test/test_capture.html | vrate should become red automatically
06:26:53 INFO - 1847 INFO Testing vmanual against [255,0,0,255]
06:26:53 INFO - 1848 INFO TEST-PASS | dom/canvas/test/test_capture.html | vmanual should become red when we get to stable state (first frame)
06:26:53 INFO - 1849 INFO Checking that drawColor(green) propagates properly to video elements.
06:26:53 INFO - 1850 INFO Drawing color 0,255,0,255
06:26:53 INFO - 1851 INFO Testing vauto against [0,255,0,255]
06:26:53 INFO - 1852 INFO TEST-PASS | dom/canvas/test/test_capture.html | vauto should become green automatically
06:26:53 INFO - 1853 INFO Testing vrate against [0,255,0,255]
06:26:53 INFO - 1854 INFO TEST-PASS | dom/canvas/test/test_capture.html | vrate should become green automatically
06:26:53 INFO - 1855 INFO Testing vmanual against [255,0,0,255]
06:26:53 INFO - 1856 INFO TEST-PASS | dom/canvas/test/test_capture.html | vmanual should still be red
06:26:53 INFO - 1857 INFO Requesting frame from vmanual
06:26:53 INFO - 1858 INFO Testing vmanual against [0,255,0,255]
06:26:53 INFO - 1859 INFO TEST-PASS | dom/canvas/test/test_capture.html | vmanual should become green after requstFrame()
06:26:53 INFO - 1860 INFO Checking that requestFrame() immediately before and after drawColor() calls results in the expected frame seen in the stream.
06:26:53 INFO - 1861 INFO Testing vmanual against [0,255,0,255]
06:26:53 WARNING - TEST-UNEXPECTED-FAIL | dom/canvas/test/test_capture.html | application terminated with exit code 1
06:26:53 INFO - runtests.py | Application ran for: 0:10:05.627000
06:26:53 INFO - zombiecheck | Reading PID log: c:\users\cltbld~1.t-w\appdata\local\temp\tmpc_vqsdpidlog
06:26:53 INFO - ==> process 3332 launched child process 1784 ("C:\slave\test\build\application\firefox\plugin-container.exe" --channel="3332.4.271865730\1627589547" "c:\users\cltbld~1.t-w\appdata\local\temp\tmpbotvok.mozrunner\plugins\nptest.dll" -greomni "C:\slave\test\build\application\firefox\omni.ja" -appomni "C:\slave\test\build\application\firefox\browser\omni.ja" -appdir "C:\slave\test\build\application\firefox\browser" - 3332 "\\.\pipe\gecko-crash-server-pipe.3332" plugin)
06:26:53 INFO - ==> process 3332 launched child process 4024 ("C:\slave\test\build\application\firefox\plugin-container.exe" --channel="3332.5.2059911981\1706873821" "c:\users\cltbld~1.t-w\appdata\local\temp\tmpbotvok.mozrunner\plugins\nptest.dll" -greomni "C:\slave\test\build\application\firefox\omni.ja" -appomni "C:\slave\test\build\application\firefox\browser\omni.ja" -appdir "C:\slave\test\build\application\firefox\browser" - 3332 "\\.\pipe\gecko-crash-server-pipe.3332" plugin)
06:26:53 INFO - mozcrash Downloading symbols from: https://queue.taskcluster.net/v1/task/ZEq_XWDSTZOKkfs0wd7vyQ/artifacts/public/build/firefox-41.0a1.en-US.win64.crashreporter-symbols.zip
06:27:00 INFO - mozcrash Saved minidump as C:\slave\test\build\blobber_upload_dir\4c15d2e7-7ab6-47a6-a808-7c9a92d452b3.dmp
06:27:00 INFO - mozcrash Saved app info as C:\slave\test\build\blobber_upload_dir\4c15d2e7-7ab6-47a6-a808-7c9a92d452b3.extra
06:27:00 WARNING - PROCESS-CRASH | dom/canvas/test/test_capture.html | application crashed [@ std::_Hash<std::_Uset_traits<mozilla::gfx::DrawTargetD2D1 *,std::_Uhash_compare<mozilla::gfx::DrawTargetD2D1 *,std::hash<mozilla::gfx::DrawTargetD2D1 *>,std::equal_to<mozilla::gfx::DrawTargetD2D1 *> >,std::allocator<mozilla::gfx::DrawTargetD2D1 *>,0> >::_Insert<mozilla::gfx::DrawTargetD2D1 * const &,std::_Nil>(mozilla::gfx::DrawTargetD2D1 * const &,std::_Nil)]
06:27:00 INFO - Crash dump filename: c:\users\cltbld~1.t-w\appdata\local\temp\tmpbotvok.mozrunner\minidumps\4c15d2e7-7ab6-47a6-a808-7c9a92d452b3.dmp
06:27:00 INFO - Operating system: Windows NT
06:27:00 INFO - 6.2.9200
06:27:00 INFO - CPU: amd64
06:27:00 INFO - family 6 model 30 stepping 5
06:27:00 INFO - 8 CPUs
06:27:00 INFO - Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
06:27:00 INFO - Crash address: 0xffffffffffffffff
06:27:00 INFO - Thread 0 (crashed)
06:27:00 INFO - 0 xul.dll!std::_Hash<std::_Uset_traits<mozilla::gfx::DrawTargetD2D1 *,std::_Uhash_compare<mozilla::gfx::DrawTargetD2D1 *,std::hash<mozilla::gfx::DrawTargetD2D1 *>,std::equal_to<mozilla::gfx::DrawTargetD2D1 *> >,std::allocator<mozilla::gfx::DrawTargetD2D1 *>,0> >::_Insert<mozilla::gfx::DrawTargetD2D1 * const &,std::_Nil>(mozilla::gfx::DrawTargetD2D1 * const &,std::_Nil) [xhash : 869 + 0x0]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81d8aeb18
06:27:00 INFO - rsp = 0x00000042ccb6a470 rbp = 0x0000000000000003
06:27:00 INFO - Found by: given as instruction pointer in context
06:27:00 INFO - 1 xul.dll!mozilla::gfx::DrawTargetD2D1::AddDependencyOnSource(mozilla::gfx::SourceSurfaceD2D1 *) [DrawTargetD2D1.cpp:b769ef24faed : 1092 + 0x21]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81d8af096
06:27:00 INFO - rsp = 0x00000042ccb6a4b0 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 2 xul.dll!mozilla::gfx::DrawTargetD2D1::GetImageForSurface(mozilla::gfx::SourceSurface *,mozilla::gfx::Matrix &,mozilla::gfx::ExtendMode,mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const *) [DrawTargetD2D1.cpp:b769ef24faed : 1439 + 0xa]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81d8b2ce3
06:27:00 INFO - rsp = 0x00000042ccb6a4f0 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 3 xul.dll!mozilla::gfx::DrawTargetD2D1::DrawSurface(mozilla::gfx::SourceSurface *,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits> const &,mozilla::gfx::DrawSurfaceOptions const &,mozilla::gfx::DrawOptions const &) [DrawTargetD2D1.cpp:b769ef24faed : 124 + 0x4]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81d8b1422
06:27:00 INFO - rsp = 0x00000042ccb6a660 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 4 xul.dll!mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElement const &,double,double,double,double,double,double,double,double,unsigned char,mozilla::ErrorResult &) [CanvasRenderingContext2D.cpp:b769ef24faed : 4584 + 0xc1]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81def0d5a
06:27:00 INFO - rsp = 0x00000042ccb6a880 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 5 xul.dll!mozilla::dom::CanvasRenderingContext2D::DrawImage(mozilla::dom::HTMLImageElementOrHTMLCanvasElementOrHTMLVideoElement const &,double,double,mozilla::ErrorResult &) [CanvasRenderingContext2D.h:b769ef24faed : 217 + 0x35]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81dcaad12
06:27:00 INFO - rsp = 0x00000042ccb6aa80 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 6 xul.dll!mozilla::dom::CanvasRenderingContext2DBinding::drawImage [CanvasRenderingContext2DBinding.cpp:b769ef24faed : 4121 + 0x9]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81dcbe3c2
06:27:00 INFO - rsp = 0x00000042ccb6aaf0 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 7 xul.dll!mozilla::dom::GenericBindingMethod(JSContext *,unsigned int,JS::Value *) [BindingUtils.cpp:b769ef24faed : 2609 + 0x15]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81ce06145
06:27:00 INFO - rsp = 0x00000042ccb6ac30 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 8 xul.dll!js::Invoke(JSContext *,JS::CallArgs,js::MaybeConstruct) [Interpreter.cpp:b769ef24faed : 727 + 0xa0]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81ce3ebed
06:27:00 INFO - rsp = 0x00000042ccb6acb0 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 9 xul.dll!js::jit::DoCallFallback [BaselineIC.cpp:b769ef24faed : 10424 + 0x1e7]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81ceb8206
06:27:00 INFO - rsp = 0x00000042ccb6b530 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - 10 0x11db8a27736
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x0000011db8a27737
06:27:00 INFO - rsp = 0x00000042ccb6b800 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - Thread 1
The canvas intermittents showing up...
Flags: needinfo?(bas)
Comment 2•9 years ago
(In reply to Milan Sreckovic [:milan] from comment #1)
> The canvas intermittents showing up...

That 0x5a5a5a5a5a5a5a5a is already there in the JS JIT stackframe, which makes me a little suspicious of JS rather than graphics. It appears that aSource and/or mDrawTarget are probably invalid here; the cause of that is not entirely clear to me, and I don't see how to relate that to JS or the 5a magic number (which I think is no-man's land on the Windows heap). I also doubt it's security sensitive. It's interesting that this appears to be 64-bit related.
Flags: needinfo?(bas)
As in, the hash table is dead? I think we set it as a sec bug if there is a chance of uaf, but that doesn't mean it's exploitable.
(In reply to Bas Schouten (:bas.schouten) from comment #2)
> That 0x5a5a5a5a5a5a5a5a is already there in the JS JIT stackframe which
> makes me a little suspicious of JS rather than graphics.

I'm not buying those register values. They're all the same in every frame except rip. I loaded the .dmp from comment 0 and I only see a single poison value on the stack, in one of the top frames. Fwiw the crash address isn't right either, it's actually 5a5a5a5a`5a5a5a62, aka poison+8.
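The triage in comments 2 through 4 turns on three checks that are easy to automate over a minidump stack walk like the one in comment 0: does any register hold the 0x5a-filled poison pattern, are the registers in deeper frames genuinely recovered or just carried over from the crashing frame (so a poison value there is not independent evidence, as comment 4 points out), and does the faulting address sit a small offset past the poison pattern (comment 4's "poison+8"). The script below is an added illustration and is not code from this bug or from Mozilla's tooling; the sample log is constructed from two frames of comment 0 with the crash address comment 4 reports, the 0x5a byte is treated as the poison value the way this bug does, and the 0x1000 offset window is an arbitrary assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: two frames in the minidump_stackwalk layout used in
# comment 0, with the crash address corrected as comment 4 describes.
SAMPLE_LOG = """\
06:27:00 INFO - Crash reason: EXCEPTION_ACCESS_VIOLATION_READ
06:27:00 INFO - Crash address: 0x5a5a5a5a5a5a5a62
06:27:00 INFO - 8 CPUs
06:27:00 INFO - Thread 0 (crashed)
06:27:00 INFO - 0 xul.dll!std::_Hash<...>::_Insert [xhash : 869 + 0x0]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81d8aeb18
06:27:00 INFO - rsp = 0x00000042ccb6a470 rbp = 0x0000000000000003
06:27:00 INFO - Found by: given as instruction pointer in context
06:27:00 INFO - 1 xul.dll!mozilla::gfx::DrawTargetD2D1::AddDependencyOnSource(mozilla::gfx::SourceSurfaceD2D1 *) [DrawTargetD2D1.cpp:b769ef24faed : 1092 + 0x21]
06:27:00 INFO - rbx = 0x5a5a5a5a5a5a5a5a r12 = 0x00000042ccb6aa80
06:27:00 INFO - r13 = 0x00000042ccb6aa88 r14 = 0x00000042804ff050
06:27:00 INFO - r15 = 0x00000042804ff0e0 rip = 0x000007f81d8af096
06:27:00 INFO - rsp = 0x00000042ccb6a4b0 rbp = 0x0000000000000003
06:27:00 INFO - Found by: call frame info
06:27:00 INFO - Thread 1
"""

PREFIX_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\s+\w+\s+-\s+")   # "06:27:00 INFO - "
FRAME_RE = re.compile(r"^(\d+)\s+(\S.*)$")                    # "<n> <function> [<file> : <line>]"
REG_RE = re.compile(r"\b(r\w{2})\s*=\s*(0x[0-9a-fA-F]+)")     # rbx, r12, rip, rsp, ...
CRASH_ADDR_RE = re.compile(r"Crash address:\s*(0x[0-9a-fA-F]+)")
CONTEXT_REGS = {"rip", "rsp"}  # expected to differ per frame even when nothing else was recovered


def parse_crashed_thread(text: str) -> Dict:
    """Collect the crash address and the frames of the '(crashed)' thread only."""
    frames: List[Dict] = []
    crash_address: Optional[int] = None
    in_thread = False
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        m = CRASH_ADDR_RE.search(line)
        if m:
            crash_address = int(m.group(1), 16)
            continue
        if line.startswith("Thread "):
            if in_thread:
                break                      # next thread's dump: stop
            in_thread = "(crashed)" in line
            continue
        if not in_thread:
            continue                       # skips header lines such as "8 CPUs"
        m = FRAME_RE.match(line)
        if m and "=" not in line:
            cur = {"index": int(m.group(1)), "function": m.group(2), "regs": {}, "found_by": ""}
            frames.append(cur)
        elif cur is not None and line.startswith("Found by:"):
            cur["found_by"] = line[len("Found by:"):].strip()
        elif cur is not None:
            for name, val in REG_RE.findall(line):
                cur["regs"][name] = int(val, 16)
    return {"crash_address": crash_address, "frames": frames}


def poison_pattern(byte: int = 0x5A, width: int = 8) -> int:
    """The register-wide value a freed, poison-filled allocation produces (assumed 0x5a here)."""
    return int.from_bytes(bytes([byte]) * width, "little")


def poisoned_registers(frames: List[Dict], byte: int = 0x5A) -> List[Tuple[int, str]]:
    """(frame index, register) pairs whose value is exactly the poison pattern."""
    pat = poison_pattern(byte)
    return [(f["index"], r) for f in frames for r, v in f["regs"].items() if v == pat]


def carried_over_frames(frames: List[Dict]) -> List[int]:
    """Frames whose callee-saved registers are identical to the previous frame's.
    The unwinder did not recover them, it repeated the context it already had,
    so a poison value in such a frame is not independent evidence."""
    out = []
    for prev, cur in zip(frames, frames[1:]):
        p = {k: v for k, v in prev["regs"].items() if k not in CONTEXT_REGS}
        c = {k: v for k, v in cur["regs"].items() if k not in CONTEXT_REGS}
        if p and p == c:
            out.append(cur["index"])
    return out


def poison_offset(address: Optional[int], byte: int = 0x5A, window: int = 0x1000) -> Optional[int]:
    """Offset of the faulting address past the poison pattern, or None if it is not
    within `window` bytes (an assumed bound for 'poison + small field offset')."""
    if address is None:
        return None
    delta = address - poison_pattern(byte)
    return delta if 0 <= delta < window else None


def triage(text: str) -> Dict:
    parsed = parse_crashed_thread(text)
    frames = parsed["frames"]
    hits = poisoned_registers(frames)
    carried = set(carried_over_frames(frames))
    independent = [(i, r) for i, r in hits if i not in carried]
    offset = poison_offset(parsed["crash_address"])
    return {
        "poisoned": hits,
        "independent_poisoned": independent,
        "crash_poison_offset": offset,
        "likely_uaf": bool(independent) or offset is not None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, only frame 0 counts as independent evidence; frame 1 repeats frame 0's callee-saved registers, which is what comment 4 means by "all the same in every frame except rip". The crash address resolves to poison+8, consistent with a field read through a dangling pointer into freed memory, which is why the bug carries csectype-uaf even though nothing here shows exploitability.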
Updated•9 years ago
Keywords: csectype-uaf, sec-high
Comment 5•9 years ago
It looks like people tried to figure something out based on the stack without success, and it has only happened once so I'm closing it as incomplete.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release