Closed Bug 1418790 Opened 7 years ago Closed 1 year ago

Crash in mozilla::ActiveScrolledRoot::Release

Categories

(Core :: Web Painting, defect, P3)

Product:
Core
Component:
Web Painting
Version:
58 Branch
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- wontfix
firefox57 --- unaffected
firefox58 + wontfix
firefox59 + wontfix
firefox60 + wontfix
firefox61 - wontfix
firefox62 - wontfix
firefox63 - wontfix
firefox64 + wontfix
firefox65 --- wontfix

People

(Reporter: philipp, Unassigned)

References

Details

(4 keywords)

Crash Data

This bug was filed from the Socorro interface and is report bp-22e718a9-f56d-4bab-912c-427ee0171119. ============================================================= Top 10 frames of crashing thread: 0 xul.dll mozilla::ActiveScrolledRoot::Release layout/painting/nsDisplayList.h:296 1 xul.dll mozilla::ActiveScrolledRoot::~ActiveScrolledRoot layout/painting/nsDisplayList.h:309 2 xul.dll mozilla::ActiveScrolledRoot::Release layout/painting/nsDisplayList.h:296 3 xul.dll nsTArray_Impl<RefPtr<mozilla::ActiveScrolledRoot>, nsTArrayInfallibleAllocator>::RemoveElementsAt xpcom/ds/nsTArray.h:2079 4 xul.dll nsDisplayListBuilder::EndFrame layout/painting/nsDisplayList.cpp:998 5 xul.dll nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:4034 6 xul.dll nsContainerFrame::GetChildLists layout/generic/nsContainerFrame.cpp:338 7 xul.dll mozilla::PresShell::Paint layout/base/PresShell.cpp:6468 8 xul.dll nsViewManager::ProcessPendingUpdatesPaint view/nsViewManager.cpp:480 9 xul.dll nsViewManager::ProcessPendingUpdatesForView view/nsViewManager.cpp:412 ============================================================= crash reports with this signature are newly showing up in firefox 58
retained display lists are riding the trains in 58, but are preffed off for non-nightly. updating flags to reflect that.
status-firefox58: affecteddisabled
status-firefox59: ?affected
Priority: -- → P1
Marking 58 affected per the report dates.
status-firefox58: disabledaffected
Some reports are showing as high exploitability in crash-stats, so I'm marking this security-sensitive.
Group: gfx-core-security
tracking-firefox58: --- → +
tracking-firefox59: --- → +
Reads and writes to random real addresses
Keywords: csectype-wildptr, sec-high
Assignee: nobody → matt.woodrow
Had a look at the dump for https://crash-stats.mozilla.com/report/index/c5af1b66-958f-4f86-bec2-7514f0180115 This looks to be a duplicate of bug 1406727, with a new signature. The callstack is the same (nsDisplayItem::Destroy), and the display item contains corrupted memory, but now the mActiveScrolledRoot member is refcounted, and we crash trying to dereference this corrupt pointer to decrement the ref count. mActiveScrolledRoot is 0x1e01b5e0.
Looks pretty unlikely we're going to get a fix here in time for Fx59, but I'll leave this as fix-optional in case something low-risk materializes in before the RC in just over a week.
status-firefox58: fix-optionalwontfix
status-firefox59: affectedfix-optional
status-firefox60: --- → affected
tracking-firefox60: --- → +
(In reply to Matt Woodrow (:mattwoodrow) from comment #5) > This looks to be a duplicate of bug 1406727, with a new signature. Do you want to close this bug and add the signature to bug 1406727? Either way, both of those bugs doesn't seem to be moving. What's next?
Flags: needinfo?(matt.woodrow)
(In reply to Frederik Braun [:freddyb] from comment #7) > (In reply to Matt Woodrow (:mattwoodrow) from comment #5) > > This looks to be a duplicate of bug 1406727, with a new signature. > > Do you want to close this bug and add the signature to bug 1406727? > Either way, both of those bugs doesn't seem to be moving. What's next? That would be fine with me. I'm really unsure about what's next. It's a bizarre corruption crash that seems to happen at random places that build or operate on display lists. I haven't been able to find any pattern to when it happens that might identify the code causing it. I've tried running ASAN builds on Windows (with Direct2D disabled, to try match the Windows 7 config where this is most common), and spoken with the fuzzing team. As of yet, we have no way to reproduce this, and I'm struggling for ideas on how to narrow it down further.
Flags: needinfo?(matt.woodrow)
Group: gfx-core-security → layout-core-security
No sign of this on 61 so far. Is is possible the signature changed?
status-firefox60: affectedwontfix
status-firefox-esr60: --- → affected
No longer blocks: RDLbugs
Multiple crashes in 61
Dropping tracking status since this bug seems pretty inactionable as it is. I'd definitely consider taking a patch for 61 still if one should materialize, though.
status-firefox61: affectedfix-optional
status-firefox62: --- → affected
tracking-firefox61: +-
tracking-firefox62: --- → +
tracking-firefox-esr60: --- → ?
Blocks: 1467514
No longer blocks: 1467514
Low volume, still present in 62 beta, and one crash in 63, but as Ryan mentioned, we don't have any new information here to work with. I'm dropping tracking for 62, but would still happily take a fix.
status-firefox63: --- → affected
tracking-firefox62: +-
Tracking for 63 because of the potential exploitability
tracking-firefox63: --- → +
Keywords: stalled
Marking as fix-optional and untracking for 63 given that the bug is stalled.
status-firefox63: affectedfix-optional
status-firefox64: --- → affected
tracking-firefox63: +-
tracking-firefox64: --- → +
Group: layout-core-security → gfx-core-security
Assignee: matt.woodrow → nobody

Seems very low volume now.

Severity: critical → S3
Priority: P1 → P3

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:tnikkel, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(tnikkel)

There's only one crash report newer than 91 and its crash address is null. Doesn't seem sec-high anymore?

Flags: needinfo?(tnikkel)

There aren't many crashes, but if you expand the search window there still are some that aren't null or near-null

bp-500c4b2b-2c40-4a50-9f4b-3163d0221111      2022-11-11    Firefox 102.3.0esr
bp-49d37f38-c96d-4b69-8389-57e450221027     2022-10-27   Firefox 102.3.0esr
bp-ad29ed20-62b6-418a-aba6-576280220822   2022-08-22  Firefox 103.0

Keywords: sec-highsec-moderate

The volume is low. There are non-null crashes, but nothing on poison values. I don't think having this bug open is serving any purpose. There was some investigation 5 years ago and then it has just sat around.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled

FWIW, it looks like the signature for this is now [@ nsAutoRefCnt::operator-- ] bp-dc1dcc21-02fa-4baf-ad05-b3d7e0230806

Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.