Closed Bug 1338767 Opened 9 years ago Closed 7 years ago

Crash in mozilla::DisplayItemClip::GetCommonRoundedRectCount or mozilla::PaintedLayerData::UpdateCommonClipCount

Categories

(Core :: Web Painting, defect, P2)

Product:
Core
Component:
Web Painting
Version:
49 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox51 --- wontfix
firefox52 - wontfix
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox53 + wontfix
firefox54 + wontfix
firefox55 + wontfix
firefox56 + wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed
firefox62 --- fixed
firefox63 --- fixed

People

(Reporter: philipp, Assigned: mattwoodrow)

References

Details

(4 keywords)

Crash Data

This bug was filed from the Socorro interface and is report bp-b02c5782-c3d9-4cee-b78a-8c0f42170211. ============================================================= Crashing Thread (0) Frame Module Signature Source 0 xul.dll mozilla::DisplayItemClip::GetCommonRoundedRectCount(mozilla::DisplayItemClip const&, unsigned int) layout/base/DisplayItemClip.cpp:391 1 xul.dll mozilla::PaintedLayerData::UpdateCommonClipCount(mozilla::DisplayItemClip const&) layout/base/FrameLayerBuilder.cpp:2747 2 xul.dll mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) layout/base/FrameLayerBuilder.cpp:4469 3 xul.dll mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) layout/base/FrameLayerBuilder.cpp:5538 4 xul.dll nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) layout/base/nsDisplayList.cpp:4939 5 xul.dll nsDisplaySubDocument::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) layout/base/nsDisplayList.cpp:4989 6 xul.dll mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) layout/base/FrameLayerBuilder.cpp:4310 7 xul.dll mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) layout/base/FrameLayerBuilder.cpp:5538 8 xul.dll nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) layout/base/nsDisplayList.cpp:1861 9 xul.dll nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) layout/base/nsLayoutUtils.cpp:3651 10 xul.dll PresShell::Paint(nsView*, nsRegion const&, unsigned int) layout/base/nsPresShell.cpp:6391 11 xul.dll nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) view/nsViewManager.cpp:484 12 xul.dll nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) view/nsViewManager.cpp:415 13 xul.dll nsViewManager::ProcessPendingUpdates() view/nsViewManager.cpp:1118 14 xul.dll nsRefreshDriver::Tick(__int64, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:2012 15 xul.dll nsRefreshDriver::DoTick() layout/base/nsRefreshDriver.cpp:1483 16 xul.dll nsRefreshDriver::FinishedWaitingForTransaction() layout/base/nsRefreshDriver.cpp:2108 17 xul.dll nsRefreshDriver::NotifyTransactionCompleted(unsigned __int64) layout/base/nsRefreshDriver.cpp:2162 18 xul.dll mozilla::layers::ClientLayerManager::DidComposite(unsigned __int64, mozilla::TimeStamp const&, mozilla::TimeStamp const&) gfx/layers/client/ClientLayerManager.cpp:463 19 xul.dll mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned __int64 const&, unsigned __int64 const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) gfx/layers/ipc/CompositorBridgeChild.cpp:550 20 xul.dll mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1390 21 xul.dll mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:1743 22 xul.dll mozilla::ipc::MessageChannel::DispatchMessageW(IPC::Message&&) ipc/glue/MessageChannel.cpp:1681 23 xul.dll mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) ipc/glue/MessageChannel.cpp:1572 24 xul.dll mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1597 25 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1216 26 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:361 27 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:124 28 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:225 29 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:205 30 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:156 31 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:262 32 xul.dll nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:283 33 xul.dll XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4472 34 xul.dll XREMain::XRE_main(int, char** const, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4605 35 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:4696 36 firefox.exe do_main browser/app/nsBrowserApp.cpp:282 37 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:115 38 firefox.exe __scrt_common_main_seh f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253 39 kernel32.dll BaseThreadInitThunk 40 ntdll.dll __RtlUserThreadStart 41 ntdll.dll _RtlUserThreadStart this is a cross-platform crash signature that regressed in volume starting with firefox 49 builds - it's still rather low-volume though.
after looking closer, a portion of them may be UAF though.
Group: core-security
The stacks for the UAFs match those of the more benign near-null derefs. It's an OBR in a routine that returns a number so by itself not that exploitable or revealing. Could be more interesting if there are other uses of the same deleted object. Not sure how to rate this.
Group: core-security → layout-core-security
Component: Layout → Layout: Web Painting
It looks like the test case for bug 1341149 is on this line: if (aClipState.mHasRoundedCorners) { So that sounds related possibly?
Depends on: 1341149
Keywords: sec-high
It does sound related! Nice find.
tracking for 53/54 as sec-high.
tracking-firefox52: ?-
tracking-firefox53: ?+
tracking-firefox54: ?+
Assignee: nobody → cku
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox53: affectedfixed
status-firefox54: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
OK, bug 1341149 may have helped with some of these issues, but there's clearly still another issue going on here that affects more than 53+. Fx53b1 is already showing crashes with this signature: https://crash-stats.mozilla.com/report/index/03a798f3-e927-4e87-8933-bac8d2170309 And 52 has scary-looking ones like: https://crash-stats.mozilla.com/report/index/4caa7607-7647-42a2-89bb-8f4792170309 On the other hand, no hits on 54 since 15-Feb and none on 55 either.
Assignee: cku → nobody
Status: RESOLVED → REOPENED
status-firefox53: fixedaffected
Resolution: FIXED → ---
Target Milestone: mozilla54 → ---
We have the scary looking ones in 54 as well, and I'll assume 55 (volume is low enough that it's unlikely to hit in nightly much if at all). We need someone from the layout team to look at this.
status-firefox54: fixedaffected
status-firefox55: --- → affected
Flags: needinfo?(bugs)
Matt: symptoms indicate a freed DisplayItemClip remaining in the DisplayList used for painting. Are you able to extract a test URL from the memory dump?
Flags: needinfo?(bugs) → needinfo?(matt.woodrow)
The URLs are all over the place, facebook, youtube, a few porn sites, some russian new sites. I wasn't able to reproduce a crash by loading any of them. I'd have expected this to have changed as a result of bug 1298218, which reworked how we allocated clipping a fair bit, but it doesn't appear to have. It definitely looks like 'itemClip' in ProcessDisplayItems() has been destroyed. There's quite a few other places in that function that optionally dereference itemClip earlier on, do we have other similar bugs for similar crashes with DisplayItemClip/FrameLayerBuilder? The other option is that something within ProcessDisplayItems itself is causing the memory to be freed/overwritten. I found a few dumps where the 'itemType' variable was available and it was TYPE_TEXT in both of them. Unsure if that's a useful lead, or just a coincidence.
Flags: needinfo?(matt.woodrow)
Jet, what's the next step here?
Flags: needinfo?(bugs)
Markus, do you have any ideas here? The DisplayItemClipChain changes changed the way we allocate/manage clips, so I'd have expected that to at least have had an effect on the crashes here, but they don't seem to have.
Flags: needinfo?(mstange)
(In reply to Matt Woodrow (:mattwoodrow) from comment #12) > The DisplayItemClipChain changes changed the way we allocate/manage clips, Not all that much, though. I don't have any ideas for what to do about this bug.
Flags: needinfo?(mstange)
https://crash-stats.mozilla.com/report/index/e0ef0dfe-ed14-47b2-b0fc-7eaf02170406 may be interesting; the poison value is 'deadbeef', which I find used a bunch in layout. (Also a little in the JIT, ProxyAutoConfig, etc)
There is no crash reported from FF55 so far. It's also unable to reproduce locally with links attached in reports. As the crash rate is still in low volume on 53 and 54 in last 3 months, keep monitoring.
status-firefox55: affectedunaffected
55->? since the general crash volume is too low to take lack-of-crash in Nightly as being the same as "unaffected"
status-firefox55: unaffected?
Too late for 53, but we could still take a patch in 54.
status-firefox53: affectedwontfix
Hi Astley, Can you help take a look at this?
Flags: needinfo?(aschen)
matt, mstange, similar issues had been found recent days as bug 1359233, bug 1359569 that are about UAF. Do we have a general methodology to move this kind of issues forward?
Flags: needinfo?(mstange)
Flags: needinfo?(matt.woodrow)
Flags: needinfo?(aschen)
(In reply to Astley Chen [:astley] (UTC+8) from comment #19) > matt, mstange, similar issues had been found recent days as bug 1359233, bug > 1359569 that are about UAF. > Do we have a general methodology to move this kind of issues forward? Besides not using raw pointers? :-)
Track 55+/56+ as sec-high.
tracking-firefox55: ?+
tracking-firefox56: ?+
In the past 2 months, just 2 crashes in 56, and a few more on 57. Setting 56 to wontfix, because nobody is actively working on it.
status-firefox55: affectedwontfix
status-firefox56: ?wontfix
status-firefox57: --- → affected
Priority: -- → P2
Hi Matt: I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them. Thanks! Wennie
Assignee: nobody → matt.woodrow
Low crash rate, no need to track for esr.
status-firefox-esr52: affectedwontfix
tracking-firefox-esr52: ? → ---
Flags: needinfo?(matt.woodrow)
Crash Signature: [@ mozilla::DisplayItemClip::GetCommonRoundedRectCount] → [@ mozilla::DisplayItemClip::GetCommonRoundedRectCount] [@ mozilla::PaintedLayerData::UpdateCommonClipCount ]
Summary: Crash in mozilla::DisplayItemClip::GetCommonRoundedRectCount → Crash in mozilla::DisplayItemClip::GetCommonRoundedRectCount or mozilla::PaintedLayerData::UpdateCommonClipCount
Flags: needinfo?(bugs)
Looks like there haven't been any crashes in 61+, so marking this as fixed.
Status: REOPENED → RESOLVED
Closed: 8 years ago7 years ago
Resolution: --- → FIXED
Group: layout-core-security → core-security-release
Group: core-security-release
Flags: needinfo?(mstange.moz)
You need to log in before you can comment on or make changes to this bug.