Closed Bug 1352875 Opened 9 years ago Closed 6 years ago

Crash in std::map<T>::_Try_emplace<T> called from TextureClientRecycleAllocator::CreateOrRecycle()

Categories

(Core :: Graphics: Layers, defect, P3)

Product:
Core
Component:
Graphics: Layers
Version:
53 Branch
Platform:
x86
Windows
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- wontfix
firefox68 --- wontfix
firefox69 --- fixed
firefox70 --- fixed

People

(Reporter: jesup, Assigned: nical)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [adv-main69+][post-critsmash-triage])

Crash Data

Attachments

(1 obsolete file)

+++ This bug was initially created as a clone of Bug #1351993 +++ This is for crashes where Try_emplace is called from TextureClientRecycleAllocator::CreateOrRecycle() These crashes started in 50.1.0 it appears, and there have been very few (~14 in the last 3 months). There are no reports after 52 (though there are reports in 52 and ESR52). More concerning is that this appears to be a clear UAF, and this might mean that bug 1351993 might also possibly be a UAF, though I've seen no evidence that it is. See https://crash-stats.mozilla.com/report/index/c9fb0916-7d1b-49e7-9c96-2f3e72170327 Hopefully this is something which is fixed in 53, but it might just be a signature change (or dumb luck considering the frequency).
Blocks: 1352877
Blocks: 1352895
Group: core-security → gfx-core-security
Please triage/assign.
Flags: needinfo?(milan)
No value in working on all std::map bugs in parallel; the root cause is likely to be the same (or the result of the same pattern.) Looking at bug 1352877 first.
Flags: needinfo?(milan)
Hi Milan: I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them. Thanks! Wennie
Assignee: nobody → milan
Assignee: milaninbugzilla → nobody
Current status: bug 1352877 reviewed... looks like we should have a fix landed soon. Assigning this bug to Nical for bookkeeping.
Assignee: nobody → nical.bugzilla
Nical, what about this bug?
Flags: needinfo?(nical.bugzilla)
Adding Jessie (new graphics engineering manager) to all sec-crit and sec-high graphics bugs
I'm not going to look into this one until January at least.
Flags: needinfo?(nical.bugzilla)

Nical - anything we can do here?

Flags: needinfo?(nical.bugzilla)

Not in the short term. These map::try_emplace bugs are very low volume and quite hard to investigate. I'll keep the needinfo for a bit longer to remind myself to have a look whenever I'm waiting for something.

Keywords: stalled
Flags: needinfo?(nical.bugzilla)

Around a dozen of crashes like this on the 5-29 Nightly for whatever reason. one example: bp-e4df3673-ecd8-47ae-b387-d92fd0190529

This seems much more visible in the 69 cycle overall - before we branched there were over 500 crashes/150 installs. Several of them I looked at had mozilla::layers::TextureClientRecycleAllocator::CreateOrRecycle(mozilla::layers::ITextureClientAllocationHelper&) in the stack.

status-firefox69: --- → affected

Nical, curious if this is becoming more possible to investigate if there has been an uptick in crashes?

Flags: needinfo?(nical.bugzilla)

This shouldn't be necessary since when the destructor runs nothing has access to the map anymore but it at least clears any doubt.

Flags: needinfo?(nical.bugzilla)

I seems similar to Bug 1565255. Since Bug 1565255 was uplifted to beta. The crash of this bug also seemed to be addressed.

Since Bug 1565255 fix, a crash did not happen at TextureClientRecycleAllocator::CreateOrRecycle() until now.
There is one crash, Since Bug 1565255 fix https://crash-stats.mozilla.org/report/index/ad2b28bc-b428-4b38-8dac-a97410190730
It happened at VideoBridgeParent::LookupTexture(). TextureClientRecycleAllocator is not related to it.

:nical, do you still want to land the patch? The crash seemed to be addressed by Bug 1565255 fix.

Flags: needinfo?(nical.bugzilla)

No need to land the patch. Let's close this.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(nical.bugzilla)
Resolution: --- → FIXED

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled

Is there anything we can/should do for ESR60/ESR68 yet?

status-firefox53: ?wontfix
status-firefox54: ?wontfix
status-firefox55: ?wontfix
status-firefox68: --- → wontfix
status-firefox69: affectedfixed
status-firefox70: --- → fixed
status-firefox-esr52: affectedwontfix
status-firefox-esr60: --- → affected
status-firefox-esr68: --- → affected
Flags: needinfo?(nical.bugzilla)
Target Milestone: --- → mozilla70

(In reply to Ryan VanderMeulen [:RyanVM] from comment #20)

Is there anything we can/should do for ESR60/ESR68 yet?

ESR60 should not be affected and for 68 I'd rather not unless the crash volume is very high because the crashing code was removed recently but there's likely a chain of things that we would need to uplift to do the same there and I'm not sure I know the full list of them.

Flags: needinfo?(nical.bugzilla)
Group: gfx-core-security → core-security-release
Whiteboard: [adv-main69+]
Attachment #9080616 - Attachment is obsolete: true
Flags: qe-verify-
Whiteboard: [adv-main69+] → [adv-main69+][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: