Closed Bug 1446108 Opened 6 years ago Closed 6 years ago

IPC: thread panicked at 'Unexpected unit for angle' [@Servo_AnimationValue_Transform]

Categories

Core :: Graphics: Layers
Type: defect
Priority: Not set
Severity: critical
Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla61
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: posidron, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [gfx-noted])

Attachments

(2 files)

Attached file session.txt
INFO: This is an IPC crash found by the fuzzer faulty; there is no test case available that leads to an immediate crash for reproduction.

The attached session.txt contains a trace of IPC messages that were sent and received during a session visiting https://html5test.com

*** Possible reproduction scenario:

pip install git+https://github.com/mozillasecurity/fuzzfetch
fuzzfetch -a --fuzzing -n firefox -o /tmp

export FAULTY_PROBABILITY=50000
export FAULTY_LARGE_VALUES=1
export FAULTY_PARENT=1
export FAULTY_ENABLE_LOGGING=1
export FAULTY_PICKLE=1
export MOZ_IPC_MESSAGE_LOG=1



thread '<unnamed>' panicked at 'Unexpected unit for angle', servo/components/style/gecko/conversions.rs:144:18
stack backtrace:
   0:     0x7f1db60c6563 - std::sys::unix::backtrace::tracing::imp::unwind_backtrace::hb98fbe643b37b8bb
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x7f1db60c0f0c - std::panicking::default_hook::{{closure}}::h83c090f00cd2917d
                               at /checkout/src/libstd/sys_common/backtrace.rs:68
   2:     0x7f1db60c089d - std::panicking::default_hook::hf9722061a353cd29
                               at /checkout/src/libstd/panicking.rs:397
   3:     0x7f1db60c0422 - std::panicking::rust_panic_with_hook::h574be4fada9826dc
                               at /checkout/src/libstd/panicking.rs:577
   4:     0x7f1db5d1f068 - std::panicking::begin_panic::h4c361f27e8181557
                               at /checkout/src/libstd/panicking.rs:538
   5:     0x7f1db5db93ee - style::gecko_properties::clone_single_transform_function::hb89d031a41b65695
                               at /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-d82e4ba5182f4769/out/gecko_properties.rs:0
   6:     0x7f1db5db51b7 - style::gecko_properties::clone_transform_from_list::h005a7915a8a9e767
                               at /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-d82e4ba5182f4769/out/gecko_properties.rs:3547
                               at /checkout/src/libcore/iter/mod.rs:1497
                               at /checkout/src/liballoc/vec.rs:1801
                               at /checkout/src/liballoc/vec.rs:1713
                               at /checkout/src/libcore/iter/iterator.rs:1298
                               at /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-d82e4ba5182f4769/out/gecko_properties.rs:3541
   7:     0x7f1db5c57dd8 - Servo_AnimationValue_Transform
                               at servo/ports/geckolib/glue.rs:784
   8:     0x7f1daf889d19 - _ZN7mozilla14AnimationValue9TransformENS_16StyleBackendTypeER20nsCSSValueSharedList
                               at /builds/worker/workspace/build/src/layout/style/StyleAnimationValue.cpp:5606
   9:     0x7f1da9c4c5d1 - _ZN7mozilla6layersL16ToAnimationValueERKNS0_10AnimatableE
                               at /builds/worker/workspace/build/src/gfx/layers/AnimationHelper.cpp:498
  10:     0x7f1da9c4a4b8 - _ZN7mozilla6layers15AnimationHelper13SetAnimationsER8nsTArrayINS0_9AnimationEERS2_INS0_8AnimDataEERNS_14AnimationValueE
                               at /builds/worker/workspace/build/src/gfx/layers/AnimationHelper.cpp:545
  11:     0x7f1da9bbf074 - _ZN7mozilla6layers5Layer23SetCompositorAnimationsERKNS0_20CompositorAnimationsE
                               at /builds/worker/workspace/build/src/gfx/layers/Layers.cpp:210
  12:     0x7f1da9fd82bf - _ZN7mozilla6layers22LayerTransactionParent18SetLayerAttributesERKNS0_20OpSetLayerAttributesE
                               at /builds/worker/workspace/build/src/gfx/layers/ipc/LayerTransactionParent.cpp:541
  13:     0x7f1da9fd5d2c - _ZN7mozilla6layers22LayerTransactionParent10RecvUpdateERKNS0_15TransactionInfoE
                               at /builds/worker/workspace/build/src/gfx/layers/ipc/LayerTransactionParent.cpp:456
  14:     0x7f1da89e1ffb - _ZN7mozilla6layers23PLayerTransactionParent17OnMessageReceivedERKN3IPC7MessageE
                               at /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PLayerTransactionParent.cpp:136
  15:     0x7f1da8e8e595 - _ZN7mozilla6layers24PCompositorManagerParent17OnMessageReceivedERKN3IPC7MessageE
                               at /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:121
  16:     0x7f1da871314e - _ZN7mozilla3ipc14MessageChannel20DispatchAsyncMessageERKN3IPC7MessageE
                               at /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135
  17:     0x7f1da87100d1 - _ZN7mozilla3ipc14MessageChannel15DispatchMessageEON3IPC7MessageE
                               at /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065
  18:     0x7f1da87118cc - _ZN7mozilla3ipc14MessageChannel10RunMessageERNS1_11MessageTaskE
                               at /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911
  19:     0x7f1da8711f28 - _ZN7mozilla3ipc14MessageChannel11MessageTask3RunEv
                               at /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944
  20:     0x7f1da866bf23 - _ZN11MessageLoop6DoWorkEv
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
  21:     0x7f1da866de98 - _ZN4base18MessagePumpDefault3RunEPNS_11MessagePump8DelegateE
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36
  22:     0x7f1da8669539 - _ZN11MessageLoop3RunEv
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
  23:     0x7f1da868885f - _ZN4base6Thread10ThreadMainEv
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181
  24:     0x7f1da867a31c - _ZL10ThreadFuncPv
                               at /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38
  25:     0x7f1dc80aa6b9 - start_thread
  26:     0x7f1dc713341c - clone
  27:                0x0 - <unknown>
Hmm, I wonder if this explains the other so-far non-reproducible crashes with a similar signature...
Flags: needinfo?(emilio)
Discussed this a bit on irc; it looks like the issue is that this IPC path can create malformed stylo structures which eventually leads to a panic. Fixing this would involve making the relevant paths explicitly fallible to thread the error up properly. Since this is a deterministic panic (safe) and seems to require some kind of RCE in the content process to mess with the IPC, fixing this probably shouldn't be a priority.
Whiteboard: [gfx-noted]
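An added example (not Servo or Gecko code) of the approach described in the comment above: make the conversion from an untrusted (unit, value) pair fallible so that a malformed unit is threaded up as an error to the IPC handler instead of panicking in the receiving process. All type and function names below (CssUnit, CssValue, TransformOp, convert_transform_list, and so on) are assumptions made for this example; the real conversion is in servo/components/style/gecko/conversions.rs and is reached from Servo_AnimationValue_Transform via the LayerTransactionParent path in the backtrace.

```rust
// Added illustrative example, not code from Servo or Gecko; all names below
// (CssUnit, CssValue, TransformOp, convert_transform_list, ...) are assumptions.

/// Units a transform argument may carry on the wire (a reduced, hypothetical
/// subset of what a real nsCSSValue can hold).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CssUnit { Degree, Radian, Gradian, Turn, Pixel, Percent }

/// A (unit, value) pair as deserialized from an IPC message sent by the
/// less-trusted content process; nothing about it has been checked yet.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct CssValue { pub unit: CssUnit, pub value: f32 }

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Angle { pub degrees: f32 }

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Length { pub px: f32 }

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ConversionError {
    UnexpectedUnitForAngle(CssUnit),
    UnexpectedUnitForLength(CssUnit),
    NonFiniteValue,
}

/// The shape of the bug: a conversion that assumes the unit was validated
/// upstream and panics when it was not. Fed from IPC, that panic takes down
/// the whole receiving process (the side that handles layer transactions).
#[allow(dead_code)]
pub fn angle_from_css_value_panicking(v: CssValue) -> Angle {
    match v.unit {
        CssUnit::Degree => Angle { degrees: v.value },
        CssUnit::Radian => Angle { degrees: v.value.to_degrees() },
        CssUnit::Gradian => Angle { degrees: v.value * 0.9 },
        CssUnit::Turn => Angle { degrees: v.value * 360.0 },
        _ => panic!("Unexpected unit for angle"),
    }
}

/// Fallible version: a wrong unit (or a NaN/inf) becomes an Err that the
/// caller threads up, so the IPC layer rejects the message instead of crashing.
pub fn angle_from_css_value(v: CssValue) -> Result<Angle, ConversionError> {
    if !v.value.is_finite() {
        return Err(ConversionError::NonFiniteValue);
    }
    let degrees = match v.unit {
        CssUnit::Degree => v.value,
        CssUnit::Radian => v.value.to_degrees(),
        CssUnit::Gradian => v.value * 0.9,
        CssUnit::Turn => v.value * 360.0,
        other => return Err(ConversionError::UnexpectedUnitForAngle(other)),
    };
    Ok(Angle { degrees })
}

/// Same treatment for lengths: Pixel is valid here but not for an angle.
pub fn length_from_css_value(v: CssValue) -> Result<Length, ConversionError> {
    match v.unit {
        CssUnit::Pixel if v.value.is_finite() => Ok(Length { px: v.value }),
        CssUnit::Pixel => Err(ConversionError::NonFiniteValue),
        other => Err(ConversionError::UnexpectedUnitForLength(other)),
    }
}

/// One transform function as received on the wire, and after conversion.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum TransformOp { Rotate(CssValue), TranslateX(CssValue) }
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum ConvertedOp { Rotate(Angle), TranslateX(Length) }

/// Convert a whole animation transform list before any of it is used. The
/// first malformed entry aborts the conversion and the error propagates to
/// the IPC handler, which drops the transaction; nothing half-converted is
/// ever stored on a layer.
pub fn convert_transform_list(ops: &[TransformOp]) -> Result<Vec<ConvertedOp>, ConversionError> {
    ops.iter()
        .map(|op| match *op {
            TransformOp::Rotate(v) => angle_from_css_value(v).map(ConvertedOp::Rotate),
            TransformOp::TranslateX(v) => length_from_css_value(v).map(ConvertedOp::TranslateX),
        })
        .collect()
}

fn main() {
    // Constructed sample input: a well-formed list, and one where a fuzzed
    // message put a pixel length where rotate() expects an angle.
    let good = [
        TransformOp::Rotate(CssValue { unit: CssUnit::Turn, value: 0.5 }),
        TransformOp::TranslateX(CssValue { unit: CssUnit::Pixel, value: 10.0 }),
    ];
    let fuzzed = [TransformOp::Rotate(CssValue { unit: CssUnit::Pixel, value: 10.0 })];
    println!("good:   {:?}", convert_transform_list(&good));
    println!("fuzzed: {:?}", convert_transform_list(&fuzzed));
}
```

The design point is where the check sits: the (unit, value) pair crosses a trust boundary when it leaves the content process, so the receiving side validates the whole list and rejects the transaction as a unit, rather than letting a later consumer assume the invariant and abort. As the comment notes, the panic is a safe abort and not memory corruption, but it is a deterministic crash of the process handling layer transactions that any sender of a malformed message can trigger, and it blocks the fuzzer from reaching anything behind it.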
This is sort of a fuzzblocker so fixing this would be of high benefit to uncover other bugs.
Ok, I think I understand how this happens, I'll write a patch.
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Comment on attachment 8961592 [details]
Bug 1446108: Don't create bogus angles in layers animation code. r=kats

Dunno if you're into Phabricator mail yet :P
Attachment #8961592 - Flags: review?(bugmail)
Comment on attachment 8961592 [details]
Bug 1446108: Don't create bogus angles in layers animation code. r=kats

Kartikaya Gupta (email:kats@mozilla.com) has approved the revision.

https://phabricator.services.mozilla.com/D794
Attachment #8961592 - Flags: review+
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7977451e9641
Don't create bogus angles in layers animation code. r=kats
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/08814c30af6d
followup: Make a destructor public to workaround bug 1448384 and reopen the CLOSED TREE. r=me
Depends on: 1448387
Backed out for build bustages on build\src\obj-firefox\dist\include\mozilla/Alignment.h(29)

URL of the backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/d09816697ea8b6d972a88bf12f4330704518850e 

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=7977451e964108fe145d7747afac0442d77a7675&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=success&filter-resultStatus=pending&filter-resultStatus=running

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=169899622&repo=mozilla-inbound&lineNumber=16276

16:02:50     INFO -  cl : Command line warning D9025 : overriding '/O1' with '/O2'
16:02:50     INFO -  mozmake.EXE[4]: Leaving directory 'z:/build/build/src/obj-firefox/gfx/skia'
16:02:50     INFO -  mozmake.EXE[4]: Entering directory 'z:/build/build/src/obj-firefox/gfx/skia'
16:02:50     INFO -  mozmake.EXE[4]: Leaving directory 'z:/build/build/src/obj-firefox/gfx/skia'
16:02:51     INFO -  mozmake.EXE[4]: Entering directory 'z:/build/build/src/obj-firefox/gfx/layers'
16:02:51     INFO -  z:/build/build/src/sccache2/sccache.exe z:/build/build/src/vs2017_15.6.0/VC/bin/Hostx64/x86/cl.exe -FoUnified_cpp_gfx_layers0.obj -c -Iz:/build/build/src/obj-firefox/dist/stl_wrappers -DNDEBUG=1 -DTRIMMED=1 -DGOOGLE_PROTOBUF_NO_RTTI -DGOOGLE_PROTOBUF_NO_STATIC_INITIALIZER -DWIN32_LEAN_AND_MEAN -D_WIN32 -DWIN32 -D_CRT_RAND_S -DCERT_CHAIN_PARA_HAS_EXTRA_FIELDS -DOS_WIN=1 -D_UNICODE -DCHROMIUM_BUILD -DU_STATIC_IMPLEMENTATION -DUNICODE -D_WINDOWS -D_SECURE_ATL -DCOMPILER_MSVC -DMOZ_ENABLE_D3D10_LAYER -DSTATIC_EXPORTABLE_JS_API -DMOZ_HAS_MOZGLUE -DMOZILLA_INTERNAL_API -DIMPL_LIBXUL -Iz:/build/build/src/gfx/layers -Iz:/build/build/src/obj-firefox/gfx/layers -Iz:/build/build/src/obj-firefox/ipc/ipdl/_ipdlheaders -Iz:/build/build/src/ipc/chromium/src -Iz:/build/build/src/ipc/glue -Iz:/build/build/src/docshell/base -Iz:/build/build/src/layout/base -Iz:/build/build/src/layout/generic -Iz:/build/build/src/media/libyuv/libyuv/include -Iz:/build/build/src/gfx/skia -Iz:/build/build/src/gfx/skia/skia/include/config -Iz:/build/build/src/gfx/skia/skia/include/core -Iz:/build/build/src/gfx/skia/skia/include/gpu -Iz:/build/build/src/gfx/skia/skia/include/utils -Iz:/build/build/src/obj-firefox/dist/include -Iz:/build/build/src/obj-firefox/dist/include/nspr -Iz:/build/build/src/obj-firefox/dist/include/nss -MD -FI z:/build/build/src/obj-firefox/mozilla-config.h -DMOZILLA_CLIENT -utf-8 -TP -nologo -w15038 -wd5026 -wd5027 -Zc:sizedDealloc- -wd4091 -wd4577 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -Gw -wd4251 -wd4244 -wd4267 -wd4800 -wd4595 -we4553 -D_SILENCE_TR1_NAMESPACE_DEPRECATION_WARNING -GR- -Z7 -O1 -Oi -Oy- -WX -Iz:/build/build/src/obj-firefox/dist/include/cairo  -deps.deps/Unified_cpp_gfx_layers0.obj.pp    z:/build/build/src/obj-firefox/gfx/layers/Unified_cpp_gfx_layers0.cpp
16:02:51     INFO -  Unified_cpp_gfx_layers0.cpp
16:02:51     INFO -  z:\build\build\src\obj-firefox\dist\include\mozilla/Alignment.h(29): error C2220: warning treated as error - no 'object' file generated
16:02:51     INFO -  z:\build\build\src\obj-firefox\dist\include\mozilla/Alignment.h(32): note: see reference to class template instantiation 'mozilla::AlignmentFinder<T>::Aligner' being compiled
Flags: needinfo?(emilio)
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3252f6b9d8c6
Don't create bogus angles in layers animation code. r=kats
Flags: needinfo?(emilio)
Attachment #8961592 - Flags: review?(bugmail)
https://hg.mozilla.org/mozilla-central/rev/3252f6b9d8c6
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Would this be beneficial to uplift to Beta?
Flags: needinfo?(emilio)
This is mostly a fuzz-blocker, and can only be hit from bogus IPC messages, so unless we want to fuzz beta / release this it's probably not a high priority.
Flags: needinfo?(emilio)
Christoph, is there any fuzzing impact here beyond trunk?
Flags: needinfo?(cdiehl)
No, not really.
Flags: needinfo?(cdiehl)