Closed Bug 1314318 Opened 9 years ago Closed 7 years ago

Shutdown crash in mozilla::dom::indexedDB::PBackgroundIndexedDBUtilsChild::DestroySubtree

Categories

(Core :: Graphics, defect)

48 Branch
x86
All
defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox49 --- wontfix
firefox50 --- wontfix
firefox51 --- wontfix
firefox52 --- wontfix
firefox-esr52 --- affected
firefox53 --- wontfix
firefox54 --- ?
firefox55 --- ?

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, csectype-uaf, sec-moderate)

Crash Data

This bug was filed from the Socorro interface and is report bp-1116729b-c7c9-4dfe-9258-fe7c22161101.
=============================================================
Seen while looking at beta 11 crashes: http://bit.ly/2f9uGfA
Present in Beta 6 but crashes increased in Beta 11.
(100.0% in signature vs 00.37% overall) address = 0xffffffffe5e5e5f1
(100.0% in signature vs 02.31% overall) shutdown_progress = xpcom-shutdown
(100.0% in signature vs 37.56% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
This might be a use-after-free bug, given the address.
Group: dom-core-security, core-security
The entire set of correlations is:
(100.0% in signature vs 00.37% overall) address = 0xffffffffe5e5e5f1
(100.0% in signature vs 02.31% overall) shutdown_progress = xpcom-shutdown
(100.0% in signature vs 37.56% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(98.13% in signature vs 49.79% overall) build_id = 20161027110534
(70.09% in signature vs 20.62% overall) "DXVA2D3D9+" in app_notes = true
(71.03% in signature vs 24.41% overall) "DXVA2D3D9?" in app_notes = true
(57.01% in signature vs 13.71% overall) adapter_vendor_id = NVIDIA Corporation
Given the DXVA2D3D9 correlation, it looks related to video-playing. The URLs support this hypothesis.
Most stack traces contain `mozilla::layers::PImageBridgeChild::DestroySubtree` before `mozilla::dom::indexedDB::PBackgroundIndexedDBUtilsChild::DestroySubtree`.
The most occurring stack trace (~94%) is:
mozilla::dom::indexedDB::PBackgroundIndexedDBUtilsChild::DestroySubtree
mozilla::layers::PImageBridgeChild::DestroySubtree
mozilla::layers::PImageBridgeChild::OnChannelClose
mozilla::layers::ImageBridgeShutdownStep2
RunnableFunction<T>::Run
MessageLoop::RunTask
MessageLoop::DeferOrRunPendingTask
MessageLoop::DoWork
Group: media-core-security
Component: DOM: IndexedDB → Audio/Video
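The comment above reads Socorro's "in signature vs overall" facet correlations and treats the faulting address as a use-after-free tell. As an added example (not part of this bug report or of Mozilla's Socorro tooling), the script below reproduces that triage on a handful of constructed crash records: it computes per-facet percentages within one signature against the whole set, prints them in Socorro's format, and flags addresses whose low 32 bits are dominated by the 0xe5 byte that Mozilla's allocator writes over freed memory. The record layout, the field names and the sample values are assumptions made for the example; only the signature, the two addresses and the facet names come from the bug.

```python
"""Crash-triage helper: facet correlations plus a freed-memory address check.

The records below are constructed for this example; they are not real
Socorro data. Each record carries the facets the bug comments compare on.
"""
from collections import Counter

SIG = "mozilla::dom::indexedDB::PBackgroundIndexedDBUtilsChild::DestroySubtree"

# Constructed sample: four reports with the bug's signature, two unrelated ones.
SAMPLE_REPORTS = [
    {"signature": SIG, "address": 0xFFFFFFFFE5E5E5F1,
     "shutdown_progress": "xpcom-shutdown", "reason": "EXCEPTION_ACCESS_VIOLATION_READ"},
    {"signature": SIG, "address": 0xFFFFFFFFE5E5E5F1,
     "shutdown_progress": "xpcom-shutdown", "reason": "EXCEPTION_ACCESS_VIOLATION_READ"},
    {"signature": SIG, "address": 0xFFFFFFFFE5E5E5F1,
     "shutdown_progress": "xpcom-shutdown", "reason": "EXCEPTION_ACCESS_VIOLATION_READ"},
    # The 50.0a2 report mentioned later in the bug: different address, same stack.
    {"signature": SIG, "address": 0xFFFFFFFFFFFFFFFF,
     "shutdown_progress": "xpcom-shutdown", "reason": "EXCEPTION_ACCESS_VIOLATION_READ"},
    {"signature": "OtherSignature", "address": 0x0,
     "shutdown_progress": "", "reason": "EXCEPTION_ACCESS_VIOLATION_READ"},
    {"signature": "OtherSignature", "address": 0x10,
     "shutdown_progress": "", "reason": "EXCEPTION_BREAKPOINT"},
]


def facet_correlations(reports, signature, facet):
    """Map each facet value seen in `signature` to (pct_in_signature, pct_overall).

    Returns an empty dict when no report carries the signature, so callers
    never divide by zero on an unknown signature.
    """
    in_sig = [r for r in reports if r["signature"] == signature]
    if not in_sig:
        return {}
    sig_counts = Counter(r[facet] for r in in_sig)
    all_counts = Counter(r[facet] for r in reports)
    return {
        value: (100.0 * sig_counts[value] / len(in_sig),
                100.0 * all_counts[value] / len(reports))
        for value in sig_counts
    }


def format_correlation(facet, value, pct_sig, pct_all):
    """Render one line in the "(X% in signature vs Y% overall) facet = value" style."""
    shown = hex(value) if isinstance(value, int) else value
    return f"({pct_sig:05.2f}% in signature vs {pct_all:05.2f}% overall) {facet} = {shown}"


def looks_poisoned(address, poison_byte=0xE5, slack=0x20):
    """True if the faulting address reads like freed, poison-filled memory.

    Mozilla's allocator fills freed allocations with 0xe5, so a pointer loaded
    from such memory is 0xe5e5e5e5 plus a small field offset. The bug's
    0xffffffffe5e5e5f1 is assumed to be that 32-bit value sign-extended by a
    32-bit process, so only the low 32 bits are examined. The three high bytes
    must equal the poison byte; the lowest byte may sit within `slack` of it.
    """
    low = address & 0xFFFFFFFF
    b = [(low >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return all(x == poison_byte for x in b[:3]) and abs(b[3] - poison_byte) <= slack


def suspicious_addresses(reports, signature):
    """Sorted, de-duplicated hex addresses under `signature` that look poisoned."""
    found = {r["address"] for r in reports
             if r["signature"] == signature and looks_poisoned(r["address"])}
    return sorted(hex(a) for a in found)


def triage_report(reports, signature, facets=("address", "shutdown_progress", "reason")):
    """Produce the correlation lines for the given facets, most skewed first."""
    lines = []
    for facet in facets:
        for value, (pct_sig, pct_all) in facet_correlations(reports, signature, facet).items():
            lines.append((pct_sig - pct_all, format_correlation(facet, value, pct_sig, pct_all)))
    return [text for _, text in sorted(lines, key=lambda t: -t[0])]


if __name__ == "__main__":
    for line in triage_report(SAMPLE_REPORTS, SIG):
        print(line)
    print("poison-like addresses:", suspicious_addresses(SAMPLE_REPORTS, SIG))
```

The ordering by skew (signature percentage minus overall percentage) is what makes a facet stand out the way `address` and `shutdown_progress` do in the comment: a value that is common everywhere, such as the access-violation reason, scores low even at 100% within the signature. The 0xffffffffffffffff record is deliberately not flagged; it shares the stack but not the poison pattern, which is why the comment on it treats it as a separate data point rather than proof of the same free.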
Hi Jean-Yves, Jesup, could you please take a look at the crash reports on this one? Due to the UAF nature, we may need to consider this a high priority bug and potentially release blocking for 50. Can you please help find an alternate owner?
Flags: needinfo?(rjesup)
Flags: needinfo?(jyavenard)
This signature basically appeared with 50 Beta 6 (before 50 Beta 6 there was just one crash with 50 Beta 2).
https://crash-stats.mozilla.com/search/?signature=%3Dmozilla%3A%3Adom%3A%3AindexedDB%3A%3APBackgroundIndexedDBUtilsChild%3A%3ADestroySubtree&product=Firefox&date=%3E%3D2016-10-01T18%3A06%3A52.000Z&date=%3C2016-11-01T18%3A06%3A52.000Z&_sort=-date&_facets=signature&_facets=url&_facets=user_comments&_facets=version&_facets=proto_signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-version
Between Beta 6 and Beta 9 we don't have reliable results because of a bug in Socorro (we might have reliable results in a while, I'll comment back when we do), with Beta 10 we do have reliable results and 0 crashes.
138 crashes in 50b11 :-( UAF crash when shutting down compositor. Mainthread is in gfxPlatform::ShutdownLayersIPC(), all in Windows. Interesting that there are no crashes in 51 or 52, so looking to uplifts may be useful. The one crash before b6 though may mean it's been in there longer, and beta in general has much higher usage, so things can be missed by aurora/nightly. NI to Milan, since this is compositor shutdown. Perhaps shutdown while playing a video.
Component: Audio/Video → Graphics
Flags: needinfo?(rjesup)
Flags: needinfo?(milan)
Flags: needinfo?(ajones)
Summary: Crash in mozilla::dom::indexedDB::PBackgroundIndexedDBUtilsChild::DestroySubtree → Shutdown crash in mozilla::dom::indexedDB::PBackgroundIndexedDBUtilsChild::DestroySubtree
Other stacks are in mozilla::layers::ImageBridgeChild::ShutDown(). I don't see any indication in that stack that video is playing at shutdown, though it might have been before shutdown started.
https://crash-stats.mozilla.com/report/index/9629b01e-faa9-4bf9-901c-e9b5f2161101#allthreads
Since it already existed in b2 and b6, it doesn't necessarily make sense to focus on b11, but if I was looking at the b10 to b11 log [1], bug 1312958 could be something to look at given the mention of shutdown and UAF?
[1] https://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=FIREFOX_50_0b10_RELEASE&tochange=FIREFOX_50_0b11_RELEASE
Flags: needinfo?(milan)
I was wrong in my comment, one crash was actually in 50.0a2, not 50.0b2: https://crash-stats.mozilla.com/report/index/6d9bb7a5-382e-455a-ab93-5b6e02160906. It's with a different address, 0xffffffffffffffff, but similar stack trace.
This goes back to 48.
Crash Signature: [@ mozilla::dom::indexedDB::PBackgroundIndexedDBUtilsChild::DestroySubtree] → [@ mozilla::dom::indexedDB::PBackgroundIndexedDBUtilsChild::DestroySubtree] [@ mozilla::layers::PCompositableChild::DestroySubtree] [@ mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestParent::DestroySubtree] [@ mozilla::layers::PLayerParent::Destro…
Mainly affects Windows, but there is also one crash on Linux: https://crash-stats.mozilla.com/report/index/f0b52044-3456-4e5a-b99f-f1abf2161015.
OS: Windows 10 → All
Version: 50 Branch → 48 Branch
It might have been fixed in 51, since we have 0 crashes with 51.0a2 for now (we've had crashes in the past with 48.0a2, 49.0a2 and 50.0a2).
Yes, I agree these are signature changes (PGO perhaps); all seem to go back to sImageBridgeChildSingleton->Close();
Chris - I'll let you deal with this in my absence.
Flags: needinfo?(ajones) → needinfo?(cpearce)
Flags: needinfo?(jyavenard)
Group: core-security → gfx-core-security
Stack traces with `mozilla::layers::CompositorBridgeChild::DeallocPTextureChild` also look similar.
Crash Signature: mozilla::net::PChannelDiverterChild::DestroySubtree] [@ mozilla::layers::PImageContainerChild::DestroySubtree] [@ mozilla::layers::PImageContainerParent::DestroySubtree] [@ mozilla::net::PTransportProviderParent::DestroySubtree] → mozilla::net::PChannelDiverterChild::DestroySubtree] [@ mozilla::layers::PImageContainerChild::DestroySubtree] [@ mozilla::layers::PImageContainerParent::DestroySubtree] [@ mozilla::net::PTransportProviderParent::DestroySubtree] [@ mozilla::layers::C…
Crash Signature: mozilla::layers::CompositorBridgeChild::DeallocPTextureChild] → mozilla::layers::CompositorBridgeChild::DeallocPTextureChild] [@ mozilla::dom::icc::PIccRequestChild::DestroySubtree]
Currently #7 top browser crash on 50.1.0 - adding keyword.
Keywords: topcrash
Too late for firefox 52, mass-wontfix.
Flags: needinfo?(cpearce)
I'm not seeing any recent versions in these crashes.
Group: media-core-security, gfx-core-security, dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Group: core-security-release