Closed
Bug 1200580
Opened 10 years ago
Closed 10 years ago
Crash in mozilla::DisplayItemClip::IntersectWith
Categories
(Core :: Layout, defect)
Tracking
Status: VERIFIED FIXED

| Branch | Tracking | Status |
|---|---|---|
| firefox41 | --- | unaffected |
| firefox42 | --- | affected |
| firefox43 | + | fixed |
| firefox-esr38 | --- | unaffected |
People
(Reporter: mikehenrty, Unassigned)
References
Details
(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [adv-main43+] Fixed in bug 1181135, requires non-default pref)
Attachments
(2 files)
When running a certain Gaia integration test with Mulet on an optimized build (debug and prod), we get the crash below. To run the test, download the latest Mulet and run the following command:
RUNTIME=/PATH/TO/MULET/firefox TEST_FILES=/PATH/TO/gaia/apps/system/test/marionette/pinning_the_web_test.js make test-integration
This crashes about 50% of the time on my Mac Pro. It is also crashing on Linux in c-i: https://treeherder.mozilla.org/logviewer.html#?job_id=2634427&repo=b2g-inbound
* thread #1: tid = 0x3e4fa, 0x00000001043db9c9 XUL`mozilla::DisplayItemClip::IntersectWith(mozilla::DisplayItemClip const&) + 409, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
* frame #0: 0x00000001043db9c9 XUL`mozilla::DisplayItemClip::IntersectWith(mozilla::DisplayItemClip const&) + 409
frame #1: 0x00000001043e6e37 XUL`mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) + 903
frame #2: 0x00000001043edd35 XUL`mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4 const*, unsigned int) + 8533
frame #3: 0x000000010444b177 XUL`nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) + 999
frame #4: 0x000000010447ca2c XUL`nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) + 4780
frame #5: 0x000000010449c346 XUL`PresShell::RenderDocument(nsRect const&, unsigned int, unsigned int, gfxContext*) + 1414
frame #6: 0x0000000103a4393e XUL`mozilla::dom::CanvasRenderingContext2D::DrawWindow(nsGlobalWindow&, double, double, double, double, nsAString_internal const&, unsigned int, mozilla::ErrorResult&) + 1374
frame #7: 0x0000000103644fad XUL`mozilla::dom::CanvasRenderingContext2DBinding::drawWindow(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) + 1293
frame #8: 0x0000000103a06eb1 XUL`mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) + 401
frame #9: 0x000000010547ef9c XUL`js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 444
frame #10: 0x000000010549082d XUL`Interpret(JSContext*, js::RunState&) + 35629
frame #11: 0x0000000105487cbd XUL`js::RunScript(JSContext*, js::RunState&) + 381
frame #12: 0x000000010547f3c5 XUL`js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 1509
frame #13: 0x0000000105468042 XUL`js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 610
frame #14: 0x00000001057f1fef XUL`JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) + 111
frame #15: 0x0000000102c365b2 XUL`nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) + 5250
frame #16: 0x000000010246c230 XUL`PrepareAndDispatch + 576
frame #17: 0x000000010246b07b XUL`SharedStub + 91
frame #18: 0x000000010241340a XUL`(anonymous namespace)::MessageLoopIdleTask::Run() + 58
frame #19: 0x00000001024134a7 XUL`(anonymous namespace)::MessageLoopTimerCallback::Notify(nsITimer*) + 23
frame #20: 0x0000000102467322 XUL`nsTimerImpl::Fire() + 994
frame #21: 0x000000010245af47 XUL`nsTimerEvent::Run() + 215
frame #22: 0x000000010245ee11 XUL`nsThread::ProcessNextEvent(bool, bool*) + 1041
frame #23: 0x0000000102488301 XUL`NS_ProcessPendingEvents(nsIThread*, unsigned int) + 81
frame #24: 0x000000010419d874 XUL`nsBaseAppShell::NativeEventCallback() + 116
frame #25: 0x00000001041f7509 XUL`nsAppShell::ProcessGeckoEvents(void*) + 297
frame #26: 0x00007fff8cc6ca01 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
frame #27: 0x00007fff8cc5eb8d CoreFoundation`__CFRunLoopDoSources0 + 269
frame #28: 0x00007fff8cc5e1bf CoreFoundation`__CFRunLoopRun + 927
frame #29: 0x00007fff8cc5dbd8 CoreFoundation`CFRunLoopRunSpecific + 296
frame #30: 0x00007fff8f3a356f HIToolbox`RunCurrentEventLoopInMode + 235
frame #31: 0x00007fff8f3a32ea HIToolbox`ReceiveNextEventCommon + 431
frame #32: 0x00007fff8f3a312b HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
frame #33: 0x00007fff947de8ab AppKit`_DPSNextEvent + 978
frame #34: 0x00007fff947dde58 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 346
frame #35: 0x00000001041f6ae6 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 86
frame #36: 0x00007fff947d3af3 AppKit`-[NSApplication run] + 594
frame #37: 0x00000001041f7c8c XUL`nsAppShell::Run() + 236
frame #38: 0x0000000104ade349 XUL`nsAppStartup::Run() + 41
frame #39: 0x0000000104b3748d XUL`XREMain::XRE_mainRun() + 3325
frame #40: 0x0000000104b37835 XUL`XREMain::XRE_main(int, char**, nsXREAppData const*) + 645
frame #41: 0x0000000104b37c43 XUL`XRE_main + 227
frame #42: 0x0000000100001bfd firefox`main + 1773
frame #43: 0x00000001000011b4 firefox`start + 52
Comment 1 • 10 years ago
Sorry for my horrible lldb skills...
Roc, any idea what's going on here?
Flags: needinfo?(roc)
Comment 2 (Reporter) • 10 years ago
Note, this bug is easier to reproduce if you apply my patch from:
https://github.com/mozilla-b2g/gaia/pull/31584
That said, this bug also happens on master.
Comment 3 (Reporter) • 10 years ago
Here is a reduced test case that happens on the latest Master of mulet. You can also reproduce the crash manually by running Mulet then clicking on the Rocketbar, then typing in `about:blank` and clicking return.
I would say this crash happens about 50% of the time.
Comment 4 (Reporter) • 10 years ago
Crash report from reproducing manually:
https://crash-stats.mozilla.com/report/index/94137db4-e759-47f4-8bd3-d48972150901
Comment 7 • 10 years ago
I'm currently looking into a very similar crash in bug 1198492, bug 1198798 and bug 1181135. I should know more by the end of the day.
Flags: needinfo?(roc)
Flags: needinfo?(mstange)
Comment 8 • 10 years ago
calling this a use-after-free based on the lldb bt showing mHdr is 0x5a5a5a5a....
Keywords: csectype-uaf, sec-high
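An added triage helper (not from this bug or from Mozilla's code) that applies the reasoning in the comment above: a pointer-sized value made of one repeated fill byte, such as the 0x5a5a5a5a seen in mHdr, points at memory the allocator has already filled, so the read is a likely use-after-free. The byte-to-meaning table and the sample lldb lines are constructed assumptions; only the 0x5a5a5a5a value and the frame 0 address come from this bug.

```python
import re

# Fill bytes that jemalloc-style allocators write into memory. 0x5a is the
# byte behind the 0x5a5a5a5a mHdr in this bug's backtrace; the other two
# entries are assumed for illustration and are not taken from the bug.
POISON_BYTES = {
    0x5A: "freed-memory fill (likely use-after-free)",
    0xE5: "freed-memory poison (likely use-after-free)",
    0xA5: "fresh-allocation fill (likely uninitialised read)",
}

# 32- or 64-bit hex literals as lldb prints them in frame/register output.
HEX_VALUE = re.compile(r"0x([0-9a-fA-F]{8}|[0-9a-fA-F]{16})\b")


def classify_value(value, hex_digits):
    """Return an explanation if every byte of value is the same poison byte."""
    nbytes = hex_digits // 2
    byte = value & 0xFF
    repeated = int.from_bytes(bytes([byte]) * nbytes, "little")
    if value != repeated:
        return None  # a real address, not a fill pattern
    return POISON_BYTES.get(byte)


def scan_debugger_output(text):
    """Return [(line_no, hex_literal, explanation)] for suspicious values."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in HEX_VALUE.finditer(line):
            digits = match.group(1)
            why = classify_value(int(digits, 16), len(digits))
            if why:
                hits.append((line_no, "0x" + digits, why))
    return hits


# Constructed sample resembling lldb output for the crash above; only the
# mHdr value and the rax address are from the bug, the rest is made up.
SAMPLE_LLDB = """\
(lldb) frame variable mRoundedClipRects
(nsTArray) mRoundedClipRects = {
  mHdr = 0x5a5a5a5a
}
(lldb) register read rax rbx
     rax = 0x00000001043db9c9
     rbx = 0x5a5a5a5a5a5a5a5a
"""

if __name__ == "__main__":
    for line_no, literal, why in scan_debugger_output(SAMPLE_LLDB):
        print(f"line {line_no}: {literal} -> {why}")
```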
Comment 9 • 10 years ago
The patches in bug 1156238 and bug 1181135 should fix this. This bug only affects Firefox 42 and 43.
Updated • 10 years ago
Group: core-security → layout-core-security
Comment 10 • 10 years ago
Markus, do you think bug 1181135 alone fixed this, or is bug 1156238 also needed?
If needed, could you prioritize the reviews in that bug? Thanks.
Flags: needinfo?(mstange)
Comment 12 • 10 years ago

Comment 13 • 10 years ago
It's usually better to have a security bug be "fixed by" its dupe than actually mark it as a dupe. Otherwise we lose track of the fact that we fixed a security bug, which has implications for verification, advisories, and potential branch back-ports.
We don't need to hide those testcases, we just need to keep the bug hidden until the fix ships.
status-firefox41: --- → unaffected
status-firefox42: --- → affected
status-firefox43: --- → fixed
status-firefox-esr38: --- → unaffected
tracking-firefox43: --- → +
Depends on: 1181135
Flags: needinfo?(dveditz)
Resolution: DUPLICATE → FIXED
Whiteboard: Fixed in bug 1181135, requires non-default pref
Updated • 10 years ago
Blocks: all-aboard-apz
Updated • 10 years ago
Group: layout-core-security → core-security-release
Comment 15 (Reporter) • 10 years ago
Hi Matt, thanks for following up. Indeed this seems to have at least fixed the bug that was causing our integration test to fail. As supporting evidence, we have since removed the workaround [1] that we initially put in place for this problem.
[1] https://github.com/mozilla-b2g/gaia/commit/5aa7b14d5d652f0821a7be9591caa50051cdd97b#diff-cd1a583e0231e554eae454cdda4df856R13
Flags: needinfo?(mhenretty)
Comment 16 • 10 years ago
Super, thanks Michael. I'm marking verified based on this. Much appreciated.
Status: RESOLVED → VERIFIED
Updated • 10 years ago
Whiteboard: Fixed in bug 1181135, requires non-default pref → [adv-main43+] Fixed in bug 1181135, requires non-default pref
Updated • 9 years ago
Group: core-security-release