Closed Bug 1394790 Opened 8 years ago Closed 6 years ago

Crash at [@ CIImeIPoint::DoUpdateContextWithLock ] with MS Japanese IME on Win10 Creators Update (Will be fixed by Fall Creators Update)

Categories

(Core :: Widget: Win32, defect, P2)

Unspecified
Windows 10
defect

Tracking

RESOLVED WORKSFORME
Tracking Status
thunderbird_esr52 --- wontfix
firefox-esr52 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix

People

(Reporter: birtles, Unassigned)

This seems to be a pretty frequent crash happening about 20~30 times a day across all recent versions. It just happened to me while typing in Facebook Messenger.
Keywords: crash
Hardware: x86_64 → Unspecified
Keywords: inputmethod
Yoshida-san: Could you check this stack trace? It looks like this crashes in the suggest window's thread of MS-IME. So, it seems that this is the same bug as bug 1367692, i.e., crashes on the other side. So, my question is, will this crash be fixed by Fall Creators Update? Or a different bug?
https://crash-stats.mozilla.com/report/index/7134285a-0c5c-47d8-a68b-07f170170829
> 0 imjpapi.dll CIImeIPoint::DoUpdateContextWithLock(int, _PENDING_CALLBACK_CONTEXT*)
> 1 imjpapi.dll CIImeIPoint::UpdateContext(int)
> 2 imjppred.dll NotifyUpdateContextToMainThread(IImeEMManager*)
> 3 imjppred.dll CCmdPredictCreateCandidate::ShowCandidateWindow(bool)
> 4 imjppred.dll CCmdPredictCreateCandidate::OnCandidateReady(void*)
> 5 imjppred.dll CSuggestionClient::OnSuggestionReady(unsigned long, IMtfSuggestionList*)
> 6 imjppred.dll CSuggestionClient::_OnSuggestionReady(unsigned long, IMtfSuggestionList*, void*)
> 7 imjppred.dll CImeSuggestionNotify::SuggestionReady(unsigned long, IMtfSuggestionList*)
> 8 imjppred.dll CFrameworkWrapper::ProcessRequest(CQueueItem*)
> 9 imjppred.dll CIMEFrameworkHost::CIMEFrameworkThread::ThProcMain()
> 10 imjppred.dll CIMEFrameworkHost::CIMEFrameworkThread::_ThreadProc(void*)
> 11 kernel32.dll BaseThreadInitThunk
> 12 ntdll.dll RtlUserThreadStart
Flags: needinfo?(kotaroy)
Yes and no. This is not the same issue, but this is also fixed in Fall Creators Update.
Flags: needinfo?(kotaroy)
Thank you, Yoshida-san!
Summary: Crash at [@ CIImeIPoint::DoUpdateContextWithLock ] with MS Japanese IME → Crash at [@ CIImeIPoint::DoUpdateContextWithLock ] with MS Japanese IME on Win10 Creators Update (Will be fixed by Fall Creators Update)
Priority: -- → P2
Rising in frequency steadily, most crashes are wildptr crashes (or 0xfffffffff which means "don't know the address").
If this is fixed in Fall Creator's, we should see the rate drop off.
How dangerous are these crashes compared to "normal" wildptr crashes? Is there any way we can avoid this in machines not running the Fall Creator's update? If there is a mitigation or workaround, that should be P1 to deal with.
masayuki, can you update the keywords/priority on this bug once you have the answers to the above questions? Thanks.
Note: crashes go back to Firefox 38 at least: https://crash-stats.mozilla.com/report/index/e47cb7a1-3c0a-4ae7-b2c6-bbf0f0171031
There's also *1* crash on Win8.1 in Thunderbird -- a different bug maybe? https://crash-stats.mozilla.com/report/index/11afd46b-ba33-4871-82d6-7eb670171030
Group: core-security
Flags: needinfo?(masayuki)
Flags: needinfo?(kotaroy)
Group: core-security → layout-core-security
(In reply to Randell Jesup [:jesup] from comment #4)
> Rising in frequency steadily, most crashes are wildptr crashes (or
> 0xfffffffff which means "don't know the address").
>
> If this is fixed in Fall Creator's, we should see the rate drop off.
Yeah, perhaps, since all crash reports reported in a month come from 10.0.15063.
> How dangerous are these crashes compared to "normal" wildptr crashes?
I'm not sure. MS-IME tries to read heap after free.
> Is there any way we can avoid this in machines not running the Fall Creator's update?
No, according to Kotaro-san, who is an engineer at MS, this kind of crash is caused by a race between threads in MS-IME. So, perhaps, we cannot do that except by completely disabling IME.
> There's also *1* crash on Win8.1 in Thunderbird -- a different bug maybe?
> https://crash-stats.mozilla.com/report/index/11afd46b-ba33-4871-82d6-7eb670171030
Or, depending on the difference of possibility between Windows versions. This kind of crash report started to come after Creators Update's release but, according to the MS engineers, the bug is not a new regression of Creators Update.
Flags: needinfo?(masayuki)
tentatively moving to sec-other since it's external, not possible to work around, and fixed in the version currently being pushed to users.
Keywords: sec-high → sec-other
See Also: → 1461126
I agree this is gone with Fall Creators Update 10.0.16299 per last 6 months of crashes [1] (just one crash in 6 months).
After Fall Creators Update IME still caused crashes per bug 1350741 and bug 1461126. They are fixed by 10.0.17134 April Update.
That leaves two crashes, which are all Thunderbird:
* TelemetryLogger::OnChangeInputStatus during message compose bug 1437375 (topcrash) which will be fixed in Fall 2018 Windows update
 - https://crash-stats.mozilla.com/report/index/01fcea5e-60f5-4fcc-8b89-456e10180630
 - https://crash-stats.mozilla.com/signature/?useragent_locale=ja-JP&useragent_locale=ja&platform_version=%3D10.0.17134&signature=TelemetryLogger%3A%3AOnChangeInputStatus&date=%3E%3D2018-06-16T01%3A23%3A42.000Z&date=%3C2018-06-30T01%3A23%3A42.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports
* CTipContextEditor::OnSetFocus (no bug report)
 - https://crash-stats.mozilla.com/report/index/5c843ca8-7dc0-4d0f-8ca4-7f3e10180629
 - https://crash-stats.mozilla.com/signature/?useragent_locale=ja-JP&useragent_locale=ja&platform_version=%3D10.0.17134&signature=CTipContextEditor%3A%3AOnSetFocus&date=%3E%3D2018-06-16T01%3A23%3A42.000Z&date=%3C2018-06-30T01%3A23%3A42.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#summary
[1] crashes, 6 months https://crash-stats.mozilla.com/search/?signature=%3DCIImeIPoint%3A%3ADoUpdateContextWithLock&date=%3E%3D2017-12-30T08%3A16%3A54.000Z&date=%3C2018-06-30T09%3A16%3A54.000Z&_sort=-date&_facets=signature&_facets=platform_version&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#facet-platform_versioneports
Flags: needinfo?(kotaroy)
See Also: → 1437375
Group: layout-core-security → core-security-release

I think we can close this. For the signatures I cited in comment 7, none exist for Thunderbird version 68. (crashes still do exist for Thunderbird 60)

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Group: core-security-release