Closed Bug 1424126 Opened 7 years ago Closed 4 years ago

Crash: MEH: malicious process?

Categories

(Core :: Graphics: WebRender, defect, P3)

Product:
Core
Component:
Graphics: WebRender
Platform:
x86_64
All
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox57 --- unaffected
firefox58 --- unaffected
firefox59 --- disabled
firefox60 --- disabled
firefox61 --- disabled
firefox62 --- disabled
firefox63 --- disabled
firefox64 --- affected

People

(Reporter: jan, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, nightly-community)

Crash Data

Seen on Socorro.

bp-2c05a2aa-d84c-4a2d-aab3-9c75f0171204 Build 20171204100103 (2017-12-04) @ macOS
> MEH: malicious process?: Custom("invalid value: integer `3857049061`, expected variant index 0 <= i < 19")

> 0 	libmozglue.dylib 	mozalloc_abort(char const*) 	memory/mozalloc/mozalloc_abort.cpp:33
> 1 	libmozglue.dylib 	abort 	memory/mozalloc/mozalloc_abort.cpp:80
> 2 	XUL 	std::panicking::rust_panic 	src/libpanic_abort/lib.rs:59
> 3 	XUL 	std::panicking::rust_panic_with_hook 	src/libstd/panicking.rs:593
> 4 	XUL 	std::panicking::begin_panic<alloc::string::String> 	src/libstd/panicking.rs:538
> 5 	XUL 	std::panicking::begin_panic_fmt 	src/libstd/panicking.rs:522
> 6 	XUL 	core::panicking::panic_fmt 	src/libstd/panicking.rs:498
> 7 	XUL 	core::result::unwrap_failed<alloc::boxed::Box<bincode::internal::ErrorKind>> 	src/libcore/macros.rs:23
> 8 	XUL 	webrender_api::display_list::{{impl}}::next 	src/libcore/result.rs:799
> 9 	XUL 	webrender::frame::{{impl}}::flatten_root 	gfx/webrender/src/frame.rs:150
> 10 	XUL 	webrender::frame::{{impl}}::flatten_item 	gfx/webrender/src/frame.rs:368
> 11 	XUL 	webrender::frame::{{impl}}::flatten_item 	gfx/webrender/src/frame.rs:159
> 12 	XUL 	webrender::frame::{{impl}}::flatten_root 	gfx/webrender/src/frame.rs:159
> 13 	XUL 	webrender::render_backend::{{impl}}::build_scene 	gfx/webrender/src/frame.rs:1151
> 14 	XUL 	webrender::render_backend::{{impl}}::process_document 	gfx/webrender/src/render_backend.rs:292
> 15 	XUL 	webrender::render_backend::{{impl}}::run 	gfx/webrender/src/render_backend.rs:491
> 16 	XUL 	std::sys_common::backtrace::__rust_begin_short_backtrace<closure, ()> 	gfx/webrender/src/renderer.rs:1975
> 17 	XUL 	alloc::boxed::{{impl}}::call_box<(), closure> 	src/libstd/thread/mod.rs:400
> 18 	XUL 	std::sys::imp::thread::{{impl}}::new::thread_start 	src/liballoc/boxed.rs:736
> 19 	libsystem_pthread.dylib 	_pthread_body 	
> 20 	libsystem_pthread.dylib 	_pthread_start 	
> 21 	libsystem_pthread.dylib 	thread_start 	
> 22 	XUL 	XUL@0x444917f
Well, at least we're catching the corruption properly in the backend (;>.>)

Hard to say what this could be without a test page.
Whiteboard: [wr-mvp] [triage]
There's only the one crash of this kind (there's two reports in crash-stats but they appear to be identical).

However, the value `3857049061` is 0xE5E5E5E5 which is jemalloc fills in for freed memory. so this is really a use-after-free instance which is bad news. Hopefully it doesn't come back.
(In reply to Kartikaya Gupta (email:kats@mozilla.com) from comment #2)
> Hopefully it doesn't come back.

It came back.

https://crash-stats.mozilla.com/search/?moz_crash_reason=~MEH%3A%20malicious%20process%3F&date=%3E%3D2018-01-20T19%3A38%3A43.000Z&date=%3C2018-04-20T20%3A38%3A43.000Z&_sort=-date&_facets=signature&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform#crash-reports

The last one so far:

bp-12909d01-6105-4d64-a5fd-877270180222 build 2018-02-21_102240 Win10
> MEH: malicious process?: Custom("invalid value: integer `128`, expected variant index 0 <= i < 20")
Crash Signature: [@ mozalloc_abort | abort | core::result::unwrap_failed<T> | webrender_api::display_list::{{impl}}::next ] → [@ mozalloc_abort | abort | core::result::unwrap_failed<T> | webrender_api::display_list::{{impl}}::next ] [@ core::result::unwrap_failed<T> | webrender_api::display_list::BuiltDisplayListIter::next ]
status-firefox60: --- → disabled
status-firefox61: --- → disabled
status-firefox-esr60: --- → unaffected
OS: Mac OS X → All
Summary: Crash in mozalloc_abort | abort | core::result::unwrap_failed<T> | webrender_api::display_list::{{impl}}::next → Crash: MEH: malicious process?
Whiteboard: [wr-mvp] [triage]
bp-4d8c8659-95cd-46b4-a6fc-ba60b0180522 build 2018-05-21_220045 MacOS
Crash Signature: [@ mozalloc_abort | abort | core::result::unwrap_failed<T> | webrender_api::display_list::{{impl}}::next ] [@ core::result::unwrap_failed<T> | webrender_api::display_list::BuiltDisplayListIter::next ] → [@ mozalloc_abort | abort | core::result::unwrap_failed<T> | webrender_api::display_list::{{impl}}::next ] [@ core::result::unwrap_failed<T> | webrender_api::display_list::BuiltDisplayListIter::next ] [@ mozalloc_abort | abort | core::result::unwrap_fai…
status-firefox62: --- → disabled
Rare enough not to block release.
Blocks: stage-wr-next
No longer blocks: stage-wr-trains
bp-b46bd5de-f54a-4362-bc59-977c70180917, Nvidia, GP106 [GeForce GTX 1060 6GB]
> MEH: malicious process?: Custom("invalid value: integer `150994944`, expected variant index 0 <= i < 3")
Crash Signature: core::result::unwrap_failed::h28729ab984c8d4f9 ] → core::result::unwrap_failed::h28729ab984c8d4f9 ] [@ core::result::unwrap_failed<T> | webrender_api::display_list::BuiltDisplayListIter::next_raw ]
status-firefox63: --- → disabled
status-firefox64: --- → affected

One recent crash in the nightly 4-10 build. Should we just close this one out based on the low crash volume?

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.