Closed
Bug 1403845
Opened 7 years ago
Closed 5 years ago
stylo: Crash in style::properties::cascade
Categories
(Core :: CSS Parsing and Computation, defect, P3)
Tracking
()
People
(Reporter: philipp, Assigned: emilio)
References
(Depends on 1 open bug)
Details
(4 keywords, Whiteboard: [sec-triage-backlog])
Crash Data
This bug was filed from the Socorro interface and is report bp-22bb0310-2c79-4039-afc9-5b3e40170928. ============================================================= Crashing Thread (0) Frame Module Signature Source 0 xul.dll std::panicking::rust_panic_with_hook src/libstd/panicking.rs:555 1 xul.dll std::panicking::begin_panic<collections::string::String> src/libstd/panicking.rs:511 2 xul.dll std::panicking::begin_panic_fmt src/libstd/panicking.rs:495 3 xul.dll core::panicking::panic_fmt src/libcore/panicking.rs:61 4 xul.dll core::panicking::panic src/libcore/panicking.rs:49 5 xul.dll style::properties::cascade toolkit/library/x86_64-pc-windows-msvc/release/build/style-7d743b4d7af5be49/out/properties.rs:142759 6 xul.dll style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::cascade_style<style::gecko::wrapper::GeckoElement> servo/components/style/style_resolver.rs:586 7 xul.dll style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::cascade_style_and_visited<style::gecko::wrapper::GeckoElement> servo/components/style/style_resolver.rs:309 8 xul.dll style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::cascade_primary_style<style::gecko::wrapper::GeckoElement> servo/components/style/style_resolver.rs:214 9 xul.dll style::style_resolver::StyleResolverForElement<style::gecko::wrapper::GeckoElement>::resolve_style<style::gecko::wrapper::GeckoElement> servo/components/style/style_resolver.rs:225 10 xul.dll style::traversal::compute_style<style::gecko::wrapper::GeckoElement> servo/components/style/traversal.rs:672 11 xul.dll geckoservo::glue::traverse_subtree servo/ports/geckolib/glue.rs:261 12 xul.dll geckoservo::glue::Servo_TraverseSubtree servo/ports/geckolib/glue.rs:300 13 xul.dll mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) layout/style/ServoStyleSet.cpp:977 14 xul.dll mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) layout/base/ServoRestyleManager.cpp:1106 15 xul.dll mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) layout/base/PresShell.cpp:4170 16 xul.dll nsIPresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsIPresShell.h:566 17 xul.dll nsRefreshDriver::Tick(__int64, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:1921 18 xul.dll mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, __int64, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:337 19 xul.dll mozilla::RefreshDriverTimer::TickRefreshDrivers(__int64, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) layout/base/nsRefreshDriver.cpp:307 20 xul.dll mozilla::RefreshDriverTimer::Tick(__int64, mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:329 21 xul.dll mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:770 22 xul.dll mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:683 23 xul.dll mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) layout/base/nsRefreshDriver.cpp:584 24 xul.dll mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) layout/ipc/VsyncChild.cpp:67 25 xul.dll mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) ipc/ipdl/PVsyncChild.cpp:155 26 xul.dll mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) ipc/ipdl/PBackgroundChild.cpp:1695 27 xul.dll mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) ipc/glue/MessageChannel.cpp:2115 28 xul.dll mozilla::ipc::MessageChannel::DispatchMessageW(IPC::Message&&) ipc/glue/MessageChannel.cpp:2045 29 xul.dll mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) ipc/glue/MessageChannel.cpp:1891 30 xul.dll mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1924 31 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1039 32 xul.dll NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:521 33 xul.dll mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:125 34 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:301 35 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:319 36 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:299 37 xul.dll nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:158 38 xul.dll nsAppShell::Run() widget/windows/nsAppShell.cpp:230 39 xul.dll XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:880 40 xul.dll mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:269 41 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:319 42 xul.dll MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:299 43 xul.dll XRE_InitChildProcess(int, char** const, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:705 44 firefox.exe content_process_main(mozilla::Bootstrap*, int, char** const) ipc/contentproc/plugin-container.cpp:63 45 firefox.exe NS_internal_main(int, char**, char**) browser/app/nsBrowserApp.cpp:285 46 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:115 47 firefox.exe __scrt_common_main_seh f:/dd/vctools/crt/vcstartup/src/startup/exe_common.inl:253 48 kernel32.dll BaseThreadInitThunk 49 ntdll.dll RtlUserThreadStart this signature seems to spring up during the firefox 57 cycle - so far i haven't seen it on 58.0a1 yet though. around half the reports come with moz crash reason "called `Option::unwrap()` on a `None` value", one report at bp-afbb5af8-5894-4ce8-9963-be7070170808 with "Found unexpected value in style struct for border_right_style property: 112".
|
Reporter | |
Updated•7 years ago
|
Summary: Crash in style::properties::cascade → stylo: Crash in style::properties::cascade
|
|
Reporter | |
Updated•7 years ago
|
Crash Signature: [@ style::properties::cascade] → [@ style::properties::cascade]
[@ style::custom_properties::cascade]
[@ style::custom_properties::finish_cascade]
|
||
Comment 1•7 years ago
|
||
Most of these seem to be: called `Option::unwrap()` on a `None` value Somewhere in cascade(), but the line number is just at the end of the generated properties::cascade() function, so it's hard to tell exactly where the problem is. If nothing jumps out at us, a next reasonable step would be to replace the unwrap() calls with expect(), so that we get more useful panic messages.
Priority: -- → P3
|
||
Comment 2•7 years ago
|
||
We can also recompile the same revision and look at the generated file somewhere like ./obj-x86_64-pc-linux-gnu/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-186da10a8220d0f4/out/properties.rs
|
||
Comment 3•7 years ago
|
||
(In reply to Simon Sapin (:SimonSapin) from comment #2) > We can also recompile the same revision and look at the generated file > somewhere like > ./obj-x86_64-pc-linux-gnu/toolkit/library/x86_64-unknown-linux-gnu/release/ > build/style-186da10a8220d0f4/out/properties.rs We don't need to recompile. The crash reports website can display generated files now.
|
|
||
Comment 4•7 years ago
|
||
Yeah, the issue is just that the source line doesn't tell us very much, which I'm assuming is related to inlining / optimizations.
|
|
||
Comment 5•7 years ago
|
||
I wonder, couldn't unwrap get the exact line it is called? IIRC it can in Rust? There is even a RFC [1] which wants to bring this to other functions. Could we include that information in crash reports? [1] https://github.com/rust-lang/rfcs/pull/2091
|
||
Comment 6•7 years ago
|
||
Caller information is not available without resorting to things like libbacktrace. You might be thinking of the line!() macro, which is like __LINE__ in C++.
|
||
Comment 7•7 years ago
|
||
> There is even a RFC [1] which wants to bring this to other functions
This RFC doesn't just bring it to "other functions", it brings it to unwrap() too. unwrap() doesn't currently do this.
Macros like panic do.
|
||
Comment 8•7 years ago
|
||
There are 2 crashes in nightly 58 starting with buildid 20171003100226.
|
||
Comment 9•7 years ago
|
||
All sorts of bad addresses, read and write, and illegal instructions. Restricting. sec-high; might be worse given the spew of crash types/addresses Bobby - can you re-evaluate next steps and priority? Thanks
|
Assignee | |
Comment 10•7 years ago
|
||
There are some pretty random crashes that don't look like panic, like: > Found unexpected value in style struct for border_left_style property: 127 It may be related to the hashmap stuff we're trying to track down in bug 1404791 (and it kinda makes sense if these are due to custom properties). Are there any patterns in the URLs and such? I know for example youtube uses custom properties quite heavily (I can't access the URLs).
Flags: needinfo?(rjesup)
|
|
Assignee | |
Comment 11•7 years ago
|
||
(In reply to Emilio Cobos Álvarez [:emilio] from comment #10) > There are some pretty random crashes that don't look like panic, like: s/don't look like panic/I cannot make any sense of
|
|
||
Updated•7 years ago
|
Flags: needinfo?(rjesup)
|
||
Comment 12•7 years ago
|
||
Looks like something goes wrong in Stylo, Rust catches the error as it should, and then the panic code screws up. Fixing CSS code to prevent the panic might leave whatever bug is allowing the panic code to go off the rails. That's the one I'm worried about--if it's happened here why couldn't it happen with other Rust panics?
|
|
Assignee | |
Comment 13•7 years ago
|
||
Are you sure? Some of them don't look panicking. There's nothing panic-related on https://crash-stats.mozilla.com/report/index/34eb30d6-7d7e-44e5-9e2a-49b9f0171004, for example.
|
|
Assignee | |
Comment 14•7 years ago
|
||
(And, I know what piece of code is triggering the particular panic about border_foo_style, but that's... not suspicious). Anyway this morning I opened https://github.com/servo/servo/pull/18745 to reduce sources of panic in the `custom_properties` module, which is the one discussed at the top of this bug.
|
|
||
Comment 15•7 years ago
|
||
(In reply to Emilio Cobos Álvarez [:emilio] from comment #10) > There are some pretty random crashes that don't look like panic, like: > > > Found unexpected value in style struct for border_left_style property: 127 > > It may be related to the hashmap stuff we're trying to track down in bug > 1404791 (and it kinda makes sense if these are due to custom properties). > > Are there any patterns in the URLs and such? I know for example youtube uses > custom properties quite heavily (I can't access the URLs). Most of the urls are related to youtube.
|
|
||
Updated•7 years ago
|
Group: core-security → layout-core-security
|
|
||
Comment 16•7 years ago
|
||
There are a few repeated URLs from youtube. Some of the signatures above are 100% youtube; most overall are youtube, but some are not. Also: not all are rust_panics: https://crash-stats.mozilla.com/signature/?proto_signature=%21~rust_panic&signature=style%3A%3Aproperties%3A%3Acascade&date=%3E%3D2017-09-27T17%3A15%3A00.000Z&date=%3C2017-10-04T17%3A15%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports (and https://crash-stats.mozilla.com/report/index/f0e7d9d9-f903-4896-a0d5-681060171004 from the 3rd signature)
|
|
||
Comment 17•7 years ago
|
||
The fact that we're hitting garbage pointers on youtube sure makes me suspect that this is the same hashtable corruption as we're looking at in bug 1404791. Various in-flight things of interest: * bug 1405879 - poison the hashtable buffers with a safe value. * https://github.com/servo/servo/pull/18745 - which cleans up the consuming code, and could change patterns. * bug 1385971#c40 - Changing the hash function, which _might_ alter the frequency. Gankro's fuzzer didn't turn up anything, and the crashes are almost non-existent on nightly, which hampers out diagnostic ability. However, I'm hoping that we can uplift the poisoning (bug 1405879) as a security/mitigation measure, which would simultaneously allow us to confirm that theory. Also note that I may head out on paternity leave soon, which would impact my ability to pursue this.
Flags: needinfo?(bobbyholley)
|
||
Comment 18•7 years ago
|
||
[Tracking Requested - why for this release]: sec-high revolving around rust and stylo. sounds like a blocker.
|
|
||
Comment 19•7 years ago
|
||
I'm hopeful that, at the very least, bug 1405879 will turn these into safe crashes.
|
||
Comment 20•7 years ago
|
||
(In reply to Jim Mathies [:jimm] from comment #18) > [Tracking Requested - why for this release]: > sec-high revolving around rust and stylo. sounds like a blocker. Tracking 57/58+ for this issue, especially given the popularity of the main site affected.
tracking-firefox58:
--- → +
|
|
||
Updated•7 years ago
|
Depends on: stylo-hashmap-crashes
|
||
Updated•7 years ago
|
Assignee: bobbyholley → emilio
|
||
Comment 22•7 years ago
|
||
status-firefox57=wontfix unless someone thinks this bug should block 57
|
|
||
Updated•7 years ago
|
status-firefox59:
--- → affected
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
Whiteboard: [sec-triage-backlog]
|
||
Comment 23•6 years ago
|
||
As part of layout security bug scrub, marking bugs being tracked in the Rust HashMap investigation (bug 1406996) as stalled for now.
Keywords: stalled
|
|
||
Comment 24•5 years ago
|
||
In the last 6 months (the full crash-stats window) I don't see any crashes newer than ESR-60 on desktop or Fx62 on Android
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
|
|
||
Updated•5 years ago
|
Group: layout-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•