Closed Bug 1404623 Opened 7 years ago Closed 1 year ago

Crash in CStdMarshal::DisconnectSrvIPIDs

Categories

(Core :: Disability Access APIs, defect, P2)

Product:
Core
Component:
Disability Access APIs
Version:
57 Branch
Platform:
All
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox-esr102 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox113 --- fixed
firefox114 --- fixed
firefox115 --- fixed

People

(Reporter: philipp, Unassigned)

References

Details

(4 keywords, Whiteboard: aes+ a11y:crash-win)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-f1813876-1e55-4055-ae19-35db20170930.
=============================================================
Crashing Thread (54)
Frame 	Module 	Signature 	Source
0 	combase.dll 	CStdMarshal::DisconnectSrvIPIDs(unsigned long) 	d:\rs1\onecore\com\combase\dcomrem\marshal.cxx:5090
1 		@0x2ff 	
2 	combase.dll 	CStdMarshal::Disconnect(unsigned long) 	d:\rs1\onecore\com\combase\dcomrem\marshal.cxx:4282
3 	combase.dll 	CRemoteUnknown::RemReleaseWorker(unsigned short, tagREMINTERFACEREF* const, int) 	d:\rs1\onecore\com\combase\dcomrem\remoteu.cxx:1189
4 	rpcrt4.dll 	Invoke 	
5 	combase.dll 	combase.dll@0x1e21df 	
6 	rpcrt4.dll 	Ndr64StubWorker(void*, void*, _RPC_MESSAGE*, _MIDL_SERVER_INFO_*, long (*const*)(void), _MIDL_SYNTAX_INFO*, unsigned long*) 	
7 	rpcrt4.dll 	NdrStubCall3 	
8 	combase.dll 	CStdStubBuffer_Invoke 	d:\rs1\onecore\com\combase\ndr\ndrole\stub.cxx:1461
9 	combase.dll 	ObjectMethodExceptionHandlingAction<<lambda_76d9e92c799d246a4afbe64a2bf5673d> >(<lambda_76d9e92c799d246a4afbe64a2bf5673d>, ObjectMethodExceptionHandlingInfo*, ExceptionHandlingResult*, void*) 	d:\rs1\onecore\com\combase\dcomrem\excepn.hxx:91
10 	combase.dll 	DefaultStubInvoke(bool, IServerCall*, IRpcChannelBuffer*, IRpcStubBuffer*, unsigned long*) 	d:\rs1\onecore\com\combase\dcomrem\channelb.cxx:1891
11 	combase.dll 	ServerCall::ContextInvoke(tagRPCOLEMESSAGE*, IRpcStubBuffer*, CServerChannel*, tagIPIDEntry*, unsigned long*) 	d:\rs1\onecore\com\combase\dcomrem\ctxchnl.cxx:1541
12 	combase.dll 	AppInvoke(ServerCall*, CServerChannel*, IRpcStubBuffer*, void*, void*, tagIPIDEntry*, WireLocalThis*) 	d:\rs1\onecore\com\combase\dcomrem\channelb.cxx:1616
13 	combase.dll 	ComInvokeWithLockAndIPID(ServerCall*, tagIPIDEntry*, bool*) 	d:\rs1\onecore\com\combase\dcomrem\channelb.cxx:2722
14 	combase.dll 	ThreadInvoke(_RPC_MESSAGE*) 	d:\rs1\onecore\com\combase\dcomrem\channelb.cxx:7082
15 	rpcrt4.dll 	DispatchToStubInCNoAvrf 	
16 	rpcrt4.dll 	RPC_INTERFACE::DispatchToStubWorker(_RPC_MESSAGE*, unsigned int, int, long*) 	
17 	rpcrt4.dll 	RPC_INTERFACE::DispatchToStubWithObject(_RPC_MESSAGE*, RPC_UUID*, unsigned int, int, long*, RPCP_INTERFACE_GROUP*) 	
18 	rpcrt4.dll 	LRPC_SCALL::DispatchRequest(int*) 	
19 	rpcrt4.dll 	LRPC_SCALL::HandleRequest(_PORT_MESSAGE*, _PORT_MESSAGE*, void*, unsigned __int64, RPCP_ALPC_HANDLE_ATTR*) 	
20 	rpcrt4.dll 	LRPC_ADDRESS::HandleRequest(_PORT_MESSAGE*, RPCP_ALPC_MESSAGE_ATTRIBUTES*, _PORT_MESSAGE*, int) 	
21 	rpcrt4.dll 	LRPC_ADDRESS::ProcessIO(void*) 	
22 	rpcrt4.dll 	LrpcIoComplete(_TP_CALLBACK_INSTANCE*, void*, _TP_ALPC*, void*) 	
23 	ntdll.dll 	TppAlpcpExecuteCallback 	
24 	ntdll.dll 	TppWorkerThread 	
25 	kernel32.dll 	BaseThreadInitThunk 	
26 	ntdll.dll 	RtlUserThreadStart

this crash signature is jumping up during 57.0b - i'm unsure where to file it, but the correlations in regards to accessibility may indicate that perhaps it's related to the e10s-a11y work?

Correlations for Firefox Beta
(100.0% in signature vs 06.37% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(100.0% in signature vs 18.37% overall) accessibility = Active
(100.0% in signature vs 02.32% overall) platform_version = 10.0.14393
(61.70% in signature vs 00.60% overall) Module "uiautomationcore.dll" = true
(31.91% in signature vs 00.07% overall) Module "UIAutomationCore.DLL" = true
Flags: needinfo?(aklotz)
Component: Untriaged → Disability Access APIs
Flags: needinfo?(aklotz)
Whiteboard: aes+
Priority: P1 → P2
Wild-ptr (UAF??) READ crashes...
Group: core-security
Flags: needinfo?(dbolter)
Keywords: csectype-wildptr, sec-high
Group: core-security → layout-core-security
Accessibility is definitely causing this signature to spike, but it has been around for a while (with and without a11y active). Do we have any previously filed sec bugs about it?
Hi Alexander:

I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them.

Thanks!

Wennie
Assignee: nobody → surkov.alexander
Aaron would you mind to look at these COM stuff please?
Flags: needinfo?(aklotz)
We have discussed this but there isn't anything actionable from this, unfortunately.
Flags: needinfo?(aklotz)
happening more or less forever, the concern is that it's spiked pretty dramatically recently in 57beta, so something we did provoked it.  Not amenable to regression-range checking though unless the spike started in mid-beta (nightly has too low a rate to help with regression-range).

Stacks look less than useful, though maybe there's a good one somewhere there
status-firefox57: fix-optionalwontfix
status-firefox59: --- → affected
status-firefox-esr52: --- → affected
status-thunderbird_esr52: --- → affected
The correlations also mention a strong correlation with Windows 10 (96.88), which could be another driver begind the spike. Given, how people get new devices over the holidays (or find the tech-savvy relative to do the updates for them :)))
Crash rate is going down. Anyone got an idea why that might be the case?
I don't know exactly, but it here are two possibilities:
1. Bug 1434822, which means that we clean up remote references to our objects when the object dies rather than letting COM do it when all remote clients disconnect.
2. Bug 1433046, which provided several "correctness" fixes concerning handling of references.
Whiteboard: aes+ → aes+ a11y:crash-win
Aaron can you think of any diagnostics that would help us learn more from these crashes?
Alex are you out of ideas?
Flags: needinfo?(surkov.alexander)
Flags: needinfo?(aklotz)
(In reply to David Bolter [:davidb] (NeedInfo me for attention) from comment #10)
> Alex are you out of ideas?

The stack is not helpful, looks MSCOMish and too random with me to be helpful here. On the other side the crash ratio goes down over last months, so it's probably of lower priority now than it was used to be.
Flags: needinfo?(surkov.alexander)
Unfortunately without being able to debug a live machine, I doubt that there is much else we can do here.
Flags: needinfo?(aklotz)
low volume and stalled, wontif for our release in flight.
status-firefox62: fix-optionalwontfix
status-firefox63: fix-optionalwontfix
status-firefox64: --- → wontfix
See Also: → 1710212
Depends on: 1737193

The bug assignee didn't login in Bugzilla in the last months and this bug has priority 'P2'/severity 'critical'.
:Jamie, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: surkov.alexander → nobody
Flags: needinfo?(jteh)
Severity: critical → S2

While comment 6 suggests that not all crashes with this signature are related to e10s a11y (Firefox 57+), the spike discussed in this bug is. That should be fixed by Cache the World, which is enabled by default in Firefox 113.

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox113: --- → fixed
status-firefox114: --- → fixed
status-firefox115: --- → fixed
Flags: needinfo?(jteh)
Resolution: --- → FIXED

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled
Group: layout-core-security → core-security-release
status-firefox-esr102: --- → wontfix
Target Milestone: --- → 113 Branch
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.