Closed
Bug 1404791
Opened 7 years ago
Closed 3 years ago
stylo: Crash in geckoservo::glue::Servo_ComputedValues_EqualCustomProperties
Categories
(Core :: CSS Parsing and Computation, defect, P3)
Core
CSS Parsing and Computation
Tracking
()
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | wontfix |
firefox55 | --- | unaffected |
firefox56 | --- | unaffected |
firefox57 | --- | wontfix |
firefox58 | --- | wontfix |
firefox59 | --- | wontfix |
firefox60 | --- | wontfix |
firefox61 | --- | wontfix |
firefox62 | --- | wontfix |
firefox63 | --- | wontfix |
firefox64 | --- | wontfix |
firefox65 | --- | wontfix |
People
(Reporter: cpeterson, Unassigned)
References
(Depends on 1 open bug)
Details
(5 keywords, Whiteboard: [sec-triage-backlog])
Crash Data
Attachments
(1 file)
18.05 KB,
text/plain
|
Details |
This bug was filed from the Socorro interface and is report bp-9c36234d-3cbb-46d9-a932-316c90171002. ============================================================= 135 crash reports from 62 installations. Among Stylo-specific crash signatures, this is Stylo top crash #4.
Reporter | ||
Updated•7 years ago
|
Summary: stylo: Crash in memcmp | geckoservo::glue::Servo_ComputedValues_EqualCustomProperties → stylo: Crash in geckoservo::glue::Servo_ComputedValues_EqualCustomProperties
Comment 1•7 years ago
|
||
All URLs from crash reports are YouTube videos.
Comment 2•7 years ago
|
||
So, we're crashing when performing deep-equality on the CustomPropertiesMap hashtables. dmajor and I dug into some of the minidumps. We're crashing when trying to extract nsIAtom::mHash from garbage memory (0xe5d5..., 0x0, or similar). This happens in HashMap::eq(), which looks like this: self.iter().all(|(key, value)| other.get(key).map_or(false, |v| *value == *v)) So we iterate the first map, which gives us a bunch of key/value pairs, where the nsIAtom* is the key. And at least one of those pointers is garbage. This strongly suggests that the storage of at least one (k,v) pair returned from iterating the first map is uninitialized memory. This makes sense, since upon table allocation, only the hash storage is zeroed, and the (k,v) storage is left uninitialized as an optimization. This also suggests that the crashes in bug 1385925 are indeed due to an std::HashMap bug, rather than external corruption. This also explains why bug 1403397 hasn't found any strong evidence of external memory corruption. I could further confirm this theory by poisoning the rest of the table buffer with a unique value. It's a bit tricky that these particular crashes only happen on 57 beta (where we don't want to run diagnostic code if we can avoid it), but we may be able to see it on the other HashMap crashes we still have on Nightly. In the mean time, Gankro is doing some HashMap auditing/fuzzing, looking for ways this might happen. Marking this as s-s, since a memory hazard in std::HashMap would be a big deal.
Group: core-security
See Also: → 1385925
Updated•7 years ago
|
Assignee: nobody → bobbyholley
Comment 3•7 years ago
|
||
So I captured a 1.5G log of all the custom property insertions (and associated precomputed hashes) on youtube: https://www.dropbox.com/s/15wbkopvj3893tw/youtube%20custom%20property%20log.bz2?dl=0 The plan was for Gankro to feed that into a fuzzer. But I just realized that, up until 4 days ago [1], the custom properties map used the default hasher, with randomized state. So we won't be able to reliably reproduce the hashes. That said, we can at least try with the default hasher on those atoms, by just feeding the precomputed hash back into a RandomState hasher [2]. The crashes are consistent enough across installations that they can't be entirely dependent on a single random seed. Interestingly, these crashes are _almost_ exclusively on beta (with one exception on 58a and one exception on 57a) over the past 14 days. On the other hand, the switch to PrecomputedHash on nightly only happened 4 days ago. Still, I think it's worth getting [1] uplifted (which we were going to do anyway in bug 1385971) to see if that has any impact on the crashes. NI Manish to request uplift on [1] (and the rest of bug bug 1385971), and NI Gankro to try fuzzing with DefaultHasher re-hashing the hashvalues in the log. [1] https://github.com/servo/servo/pull/18679 [2] http://searchfox.org/mozilla-central/rev/e62604a97286f49993eb29c493672c17c7398da9/servo/components/style/gecko_string_cache/mod.rs#283
Flags: needinfo?(manishearth)
Flags: needinfo?(a.beingessner)
Comment 4•7 years ago
|
||
Oh! I didn't realize these were going through the random hasher. Will change. I'm new to reading aggregate crash logs, do we have any sense on if this is in any way platform-specific? I'm wondering if this might be hashmap getting miscompiled. Also: y'all were seeing this long before you forked HashMap, right?
Flags: needinfo?(a.beingessner)
Comment 5•7 years ago
|
||
This is the result of feeding the log through `awk '!a[$0]++'`, which the internet tells me deduplicates lines.
Comment 6•7 years ago
|
||
(In reply to Alexis Beingessner [:Gankro] from comment #4) > Oh! I didn't realize these were going through the random hasher. Will change. > > I'm new to reading aggregate crash logs, do we have any sense on if this is > in any way platform-specific? They're almost all on windows (there is exactly one crash on mac). But that's not at all unusual, given how skewed our population is. > I'm wondering if this might be hashmap getting miscompiled. It's possible, but IMO unlikely. If there are any theories about specific ways it might be getting miscompiled it's straightforward to verify them. > Also: y'all were seeing this long before you forked HashMap, > right? Correct.
Comment 7•7 years ago
|
||
If we stop seeing this crash after the elimination of RandomState I wonder if it's because SipHash13 has some bad initialization values (that get hit when the random state starts at a particular value) or something. Though that shouldn't cause unsafety since Hash and Eq are safe APIs (and thus should be totally safe to mis-write) and collisions should not cause anything other than correctness problems. (Though that's worth checking, do we ever assume that hashes do not collide?)
Flags: needinfo?(manishearth)
Comment 8•7 years ago
|
||
HashMap should be perfectly capable of handling hash collisions -- although this is probably an incredibly untested path considering it's ~1/2^63 for the builtin hasher.
Updated•7 years ago
|
Group: core-security → layout-core-security
Updated•7 years ago
|
Updated•7 years ago
|
Depends on: stylo-hashmap-crashes
Updated•7 years ago
|
Keywords: regression
Reporter | ||
Comment 10•7 years ago
|
||
status-firefox57=wontfix unless someone thinks this bug should block 57
Comment 11•6 years ago
|
||
(In reply to Alexis Beingessner [:Gankro] from comment #8) > HashMap should be perfectly capable of handling hash collisions -- although > this is probably an incredibly untested path considering it's ~1/2^63 for > the builtin hasher. What is the the hash function used in HashMap? Assuming it's not collision resistant (which functions for hash storage usually aren't), an attacker can blow this low probability out of proportion. Does that change anything?
Comment 12•6 years ago
|
||
Still crashing in 59b14 with UAF. https://crash-stats.mozilla.com/report/index/1b433967-a57b-4a45-a203-a93570180126
status-firefox59:
--- → affected
status-firefox60:
--- → ?
Comment 13•6 years ago
|
||
How can that be even possible? Gecko_CalcStyleDifference always passes aIgnoreVariables = true: https://searchfox.org/mozilla-central/rev/14d933246211b02f5be21d2e730a57cf087c6606/layout/style/ServoBindings.cpp#378 Which means that unless it got miscompiled or what not, that function should never be called: https://searchfox.org/mozilla-central/rev/14d933246211b02f5be21d2e730a57cf087c6606/layout/style/nsStyleContext.cpp#165
Updated•6 years ago
|
Updated•6 years ago
|
Whiteboard: [sec-triage-backlog]
Updated•6 years ago
|
status-firefox61:
--- → fix-optional
status-firefox62:
--- → affected
status-firefox-esr60:
--- → affected
Updated•6 years ago
|
Comment 14•6 years ago
|
||
As part of layout security bug scrub, marking bugs being tracked in the Rust HashMap investigation (bug 1406996) as stalled for now.
Keywords: stalled
Updated•6 years ago
|
Assignee: bobbyholley → nobody
Comment 15•6 years ago
|
||
Wontfix for 62/63.
status-firefox64:
--- → affected
status-firefox65:
--- → affected
Updated•5 years ago
|
Comment 16•3 years ago
|
||
Looks like the crash volume has been at zero here for a while. Calling this WORKSFORME.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
Comment 17•3 years ago
|
||
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.
Keywords: stalled
Updated•3 years ago
|
Group: layout-core-security → core-security-release
Updated•10 months ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•