Closed Bug 1361432 Opened 3 years ago Closed 2 years ago

[10.12] Crash in objc_msgSend | -[NSKeyBindingManager interpretEventAsCommand:forClient:]

Categories

(Core :: Widget: Cocoa, defect, critical)

53 Branch
Unspecified
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla57
Tracking Status
firefox-esr45 --- wontfix
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 + wontfix
firefox55 + wontfix
firefox56 + wontfix
firefox57 + fixed

People

(Reporter: marcia, Assigned: spohl)

Details

(5 keywords, Whiteboard: [fixed by bug 1324892][adv-main57+][post-critsmash-triage])

Crash Data

This bug was filed from the Socorro interface and is report bp-cdd752b7-e273-4abc-86a1-504ef0170502.
=============================================================

Seen while looking at the release explosiveness report - this crash spiked a bit recently on release: http://bit.ly/2oU98f4. All occur on 10.12.

Many of the comments mention file upload. Here is one specific one:

Pressing Shift+Right Arrow with the Upload File dialog box open caused this crash twice. 

Marking security sensitive due to the crash signature.
Group: core-security → layout-core-security
Duplicate of this bug: 1361706
From bug 1361706:

Correlations for Firefox Release
(100.0% in signature vs 00.26% overall) address = 0xffffffffe5e5e5f8
(100.0% in signature vs 02.32% overall) reason = EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
(98.06% in signature vs 00.36% overall) Module "MediaServices" = true [98.06% vs 23.73% if platform_version = 10.12.4 16E195]
(98.06% in signature vs 00.36% overall) Module "MediaRemote" = true [98.06% vs 23.73% if platform_version = 10.12.4 16E195]
(98.06% in signature vs 00.48% overall) Module "iLifeMediaBrowser" = true [98.06% vs 23.73% if platform_version = 10.12.4 16E195]
(98.06% in signature vs 00.48% overall) Module "AVKit" = true [98.06% vs 23.73% if platform_version = 10.12.4 16E195]
(100.0% in signature vs 00.89% overall) Module "Suggestions" = true [100.0% vs 30.66% if platform_version = 10.12.4 16E195]
(100.0% in signature vs 00.75% overall) Module "PlugInKit" = true [100.0% vs 30.66% if platform_version = 10.12.4 16E195]
(100.0% in signature vs 00.89% overall) Module "FinderKit" = true [100.0% vs 30.66% if platform_version = 10.12.4 16E195]
(100.0% in signature vs 00.74% overall) Module "CacheDelete" = true [100.0% vs 30.66% if platform_version = 10.12.4 16E195]
(100.0% in signature vs 01.51% overall) Module "Bom" = true [100.0% vs 40.98% if platform = Mac OS X]
(100.0% in signature vs 01.53% overall) platform_pretty_version = OS X 10.12 [100.0% vs 41.50% if platform = Mac OS X]
(100.0% in signature vs 01.10% overall) platform_version = 10.12.4 16E195 [100.0% vs 71.51% if platform_pretty_version = OS X 10.12]
(In reply to Marcia Knous [:marcia - use ni] from comment #0)
> Pressing Shift+Right Arrow with the Upload File dialog box open

Does anybody know what Shift+Right Arrow does?
(In reply to Markus Stange [:mstange] from comment #3)
> (In reply to Marcia Knous [:marcia - use ni] from comment #0)
> > Pressing Shift+Right Arrow with the Upload File dialog box open
> 
> Does anybody know what Shift+Right Arrow does?

If the cursor is in the "file name" field for example, holding shift will allow selection and pressing right/left arrow buttons will select one character at a time.
Hi Selena, I pinged you on IRC about this top crasher. It came up in the channel meeting today. We would like some dev help here to investigate and hopefully fix this top crasher. Thanks!
Flags: needinfo?(sdeckelmann)
tracking for 54/55 as top crasher on osx.
I've spent about 5-6 hours trying to reproduce this today/tonight without any luck. I went through about 150 different crash reports and tried using the various websites that have been reported which are listed below. I also went through all the comments to see if I could find anything useful but Marcia basically highlighted the only useful user comment in comment #0.

* uploading ~100 images into FB
* uploading ~100 images into Google Images
* uploading ~100 images into auctiva.com
* uploading attachments into Gmail
* uploading ~100 images/PDFs/DMGs into Google Drive
* Uploading several images into https://eu1.badoo.com/
* uploading several files in https://wetransfer.com/
* uploading images/PDFs into https://web.whatsapp.com/
* attached files via the https://bugzilla.mozilla.org uploader
* sending images/attachments via https://web.skype.com/en/
* sending attachments via https://www.facebook.com/messages/
* uploading several files via https://console.aws.amazon.com/s3/
* downloading banking statements from personal https://easyweb.td.com/ (noticed some crashes from download pages)
* uploading several docs into https://it.pdf24.org/doc2pdf

Test Cases being used against the above websites:

* selecting files to upload via keyboard before dragging & dropping
* dragging and dropping large amounts of files
* attempting to rename files via the shift + arrows when uploading to various websites when applicable
* clicking through large amounts of files and lagging the file selector modal window

I'm going to download my family's album which contains around 100GB worth of different types of images and I'll start uploading them into a dummy FB account to see if I can reproduce a crash. Most of the crash reports look like they're occurring on FB which makes sense due to its popularity.
(In reply to Kamil Jozwiak [:kjozwiak] from comment #7)
> Test Cases being used against the above websites:
> 
> * selecting files to upload via keyboard before dragging & dropping

Another way that shift + arrow buttons can be used is to select multiple files in the file picker. Not sure if the test case above covers this, or if that's one that you could add. Thanks for looking into this!
(In reply to Stephen A Pohl [:spohl] from comment #8)
> Another way that shift + arrow buttons can be used is to select multiple
> files in the file picker. Not sure if the test case above covers this, or if
> that's one that you could add. Thanks for looking into this!

Definitely tried the case of selecting multiple files via the "shift + arrow up/down" and then quickly pressing "Enter" to minimize mouse use but I couldn't reproduce any of the crashes.

I've downloaded a bunch of personal photos that range in quality, this way I should have a nice variation of images to try:
* images from old mobile phones
* images from new mobile phones
* images from old cameras
* images from new cameras (20-30 MB each)

I have a pretty light weekend so I'll see if the wife will let me use her Macbook so I can have two running at the same time.
more arrow key comments:
* bp-a4f8577f-31d6-4ec1-94d8-801970170526: Was browsing for a file to upload (not sure whether this site uses standard means for local file browsing or not). Hit the 'e' key to jump to the right file in my folder, then hit another letter that moved me past the file I wanted, so I tried to use the mouse and arrow keys to go back, but the selection wouldn't change. Then Firefox crashed within a couple of seconds.
* bp-2743bef3-91e3-4b76-aca5-59e080170530: It's the second time this issue (bug?) happens to me in less than 2 minutes and crashes Firefox. I was selecting an image on my Mac on a pop up window in Firefox. The thumbs were so small that I decided to hit the space bar so I could get a preview of the image then I decided to hit the left arrow (while previewing that jpeg) so I could navigate through my other images while still in preview mode but then... boom! Firefox crashed.
* bp-dc2cbd16-1c5b-417a-b52f-ba3870170528: Every time I go to upload a file, if I try to press any of the arrow keys to search through files Firefox shuts down. This continues to happen, love Firefox but may have to change over if this continues to be a problem.
* bp-cc9ac3f0-f401-443a-8b0a-6dd490170527: This is so annoying!!!!!! It does this every time I try to attach more than 1 photo in an email. The shift + right arrow button used to allow me to select more than 1 photo at once, and now every single darn time I do it, it crashes firefox!!!
* bp-47f30636-1307-4c56-a9f8-a8b500170524: press arrow down when you're browsing your files
Bug 1370547 seems to have a good set of STR for this signature.
(In reply to Marcia Knous [:marcia - use ni] from comment #11)
> Bug 1370547 seems to have a good set of STR for this signature.

I was just able to reproduce the crash using the STR given in bug 1370547. Looking into it!
Duplicate of this bug: 1370547
The principal point from the STR in bug 1370547 that allowed me to reproduce is the fact that the icon view must be selected:

(In reply to Alexandru Nedelcu from bug 1370547 comment #0)
> 2. Open dialog for selecting a file for upload, using the icon view, see
> screenshot (this does not happen with the list view)

I'm unable to reproduce with local builds, which makes this harder to debug. Still looking into it.
I've been able to confirm that this only reproduces if Firefox is built with the 10.7 SDK. It does not reproduce with the 10.12 SDK (I have not tested SDKs between 10.7 and 10.12). Ideally, we should fix this by landing bug 1324892.

Needinfo-ing :coop to give a heads up.
Depends on: 1324892
Flags: needinfo?(sdeckelmann) → needinfo?(coop)
(In reply to Stephen A Pohl [:spohl] from comment #15)
> I've been able to confirm that this only reproduces if Firefox is built with
> the 10.7 SDK. It does not reproduce with the 10.12 SDK (I have not tested
> SDKs between 10.7 and 10.12). Ideally, we should fix this by landing bug
> 1324892.
> 
> Needinfo-ing :coop to give a heads up.

I'll try to get an ETA from buildduty on this work in bug 1324892.
Flags: needinfo?(coop)
Duplicate of this bug: 1381079
Any ETA?  Thanks
Flags: needinfo?(coop)
There are problems with linking and cross-compilation, so this isn't as straightforward as installing the new SDK. See https://bugzilla.mozilla.org/show_bug.cgi?id=1324892#c27 for details.
Flags: needinfo?(coop)
dveditz: why is this sec-moderate?  It's a UAF at fairly high frequency and reproducible.  Perhaps because it requires a specific (fast?) user action?  If so, ok, just want to be sure.
Flags: needinfo?(dveditz)
sec-moderate was just a guess given an attacker can't directly trigger this, and social engineering instructions to get the user to do the "right" thing in the file upload dialog seem awkward (including specifying the icon view), and it seemed difficult to reproduce. I wouldn't object to calling this sec-high; it's somewhere on that borderline.
Flags: needinfo?(dveditz)
Keywords: regression
Track 56+ as security issue.
So, how upliftable is an SDK update anyway? Especially for ESR52 where the builds are still coming from the old 10.7 builders.
That's a good point. Updating the SDK may cause regressions which make it hard to uplift.
UAF, tracked for 57.
Bug 1324892 has now landed. It would be great to keep an eye on crash stats to see if 57 starts to disappear.
Flags: needinfo?(mozillamarcia.knous)
Duplicate of this bug: 1392207
No more nightly crashes with this signature since the 20170908100218 buildid, as far as I can tell.
Great, thanks for verifying! Let's close this and reopen it should it reappear.
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(mozillamarcia.knous)
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1324892]
Target Milestone: --- → mozilla57
Assignee: nobody → spohl.mozilla.bugs
Group: layout-core-security → core-security-release
Per discussion with IRC, the OSX SDK update isn't something we want to attempt to backport to an ESR branch midway through a cycle.
Whiteboard: [fixed by bug 1324892] → [fixed by bug 1324892][adv-main57+]
Flags: qe-verify-
Whiteboard: [fixed by bug 1324892][adv-main57+] → [fixed by bug 1324892][adv-main57+][post-critsmash-triage]
Group: core-security-release