Closed
Bug 1452375
(CVE-2018-12362)
Opened 6 years ago
Closed 6 years ago
AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:202:16 in ssse3_fetch_horizontal
Categories
(Core :: Graphics, defect, P2)
Tracking
()
People
(Reporter: rs, Assigned: jrmuizel)
References
(Blocks 1 open bug)
Details
(5 keywords, Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage])
Crash Data
Attachments
(6 files, 3 obsolete files)
|
2.43 KB,
text/html
|
Details | |
|
9.10 KB,
text/plain
|
Details | |
|
5.80 KB,
patch
|
sotaro
:
review+
|
Details | Diff | Splinter Review |
|
2.04 KB,
patch
|
sotaro
:
review+
abillings
:
approval-mozilla-beta+
abillings
:
approval-mozilla-esr52+
abillings
:
approval-mozilla-esr60+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
4.82 KB,
patch
|
Details | Diff | Splinter Review | |
|
1.75 KB,
patch
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Steps to reproduce:
tested on Nightly 61.0a1 (2018-04-06) (64-bit) build. Not minimized sample
firefox --private-window -no-remote heapbuffer.html
Actual results:
==12958==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210023424fc at pc 0x7f365bba05bd bp 0x7f3606386790 sp 0x7f3606386788
READ of size 8 at 0x6210023424fc thread T30 (Compositor)
#0 0x7f365bba05bc in ssse3_fetch_horizontal /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:202:16
#1 0x7f365bba05bc in ssse3_fetch_bilinear_cover /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:325
#2 0x7f365bba05bc in ssse3_scale_data /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:556
#3 0x7f365c28eb28 in mozilla::layers::AttemptVideoScale(mozilla::layers::TextureSourceBasic*, mozilla::gfx::SourceSurface const*, float, mozilla::gfx::CompositionOp, mozilla::layers::TexturedEffect const*, mozilla::gfx::BaseMatrix<float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawTarget*, mozilla::gfx::DrawTarget const*) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:560:5
#4 0x7f365c25c690 in void mozilla::layers::BasicCompositor::DrawGeometry<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> >(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, bool) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:773:13
#5 0x7f365c25af0e in mozilla::layers::BasicCompositor::DrawQuad(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:644:3
#6 0x7f365bfb24be in mozilla::layers::Compositor::DrawGeometry(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/Compositor.cpp:227:5
#7 0x7f365c36ef95 in DrawGeometry /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/Compositor.h:304:5
#8 0x7f365c36ef95 in mozilla::layers::ImageHost::Composite(mozilla::layers::Compositor*, mozilla::layers::LayerComposite*, mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ImageHost.cpp:298
#9 0x7f365c3c4feb in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&)::$_0::operator()(mozilla::layers::EffectChain&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) const /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:106:17
#10 0x7f365c373a9e in RenderWithAllMasks<(lambda at /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:104:22)> /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.h:738:5
#11 0x7f365c373a9e in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:103
#12 0x7f365c35c3e6 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:443:22
#13 0x7f365c3595de in void mozilla::layers::RenderIntermediate<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, RefPtr<mozilla::layers::CompositingRenderTarget>) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:554:3
#14 0x7f365c328439 in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:273:9
#15 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#16 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#17 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#18 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#19 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#20 0x7f365c32b81e in void mozilla::layers::ContainerPrepare<mozilla::layers::RefLayerComposite>(mozilla::layers::RefLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#21 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#22 0x7f365c3854c0 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:944:18
#23 0x7f365c383244 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:533:3
#24 0x7f365c381b26 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:463:5
#25 0x7f365c3d4882 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1022:18
#26 0x7f365c3eae75 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27
#27 0x7f365c438e60 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
#28 0x7f365c438e60 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1170
#29 0x7f365c438e60 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1215
#30 0x7f365a99cb23 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
#31 0x7f365a99cb23 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
#32 0x7f365a99cb23 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
#33 0x7f365a99ea98 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
#34 0x7f365a99a139 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#35 0x7f365a99a139 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#36 0x7f365a99a139 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#37 0x7f365a9b830f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
#38 0x7f365a9aaf1c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
#39 0x7f367b88a7fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
#40 0x7f367a8b8b5e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x114b5e)
0x6210023424fc is located 4 bytes to the left of 4111-byte region [0x621002342500,0x62100234350f)
allocated by thread T30 (Compositor) here:
#0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7f365bd6bb26 in Realloc /builds/worker/workspace/build/src/gfx/2d/Tools.h:205:41
#2 0x7f365bd6bb26 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /builds/worker/workspace/build/src/gfx/2d/SourceSurfaceRawData.cpp:68
#3 0x7f365bbc94dc in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /builds/worker/workspace/build/src/gfx/2d/Factory.cpp:1077:16
#4 0x7f365c288685 in mozilla::layers::WrappingTextureSourceYCbCrBasic::GetSurface(mozilla::gfx::DrawTarget*) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:124:18
#5 0x7f365c25c61b in void mozilla::layers::BasicCompositor::DrawGeometry<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> >(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, bool) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:770:29
#6 0x7f365c25af0e in mozilla::layers::BasicCompositor::DrawQuad(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:644:3
#7 0x7f365bfb24be in mozilla::layers::Compositor::DrawGeometry(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/Compositor.cpp:227:5
#8 0x7f365c36ef95 in DrawGeometry /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/Compositor.h:304:5
#9 0x7f365c36ef95 in mozilla::layers::ImageHost::Composite(mozilla::layers::Compositor*, mozilla::layers::LayerComposite*, mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ImageHost.cpp:298
#10 0x7f365c3c4feb in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&)::$_0::operator()(mozilla::layers::EffectChain&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) const /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:106:17
#11 0x7f365c373a9e in RenderWithAllMasks<(lambda at /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:104:22)> /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.h:738:5
#12 0x7f365c373a9e in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:103
#13 0x7f365c35c3e6 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:443:22
#14 0x7f365c3595de in void mozilla::layers::RenderIntermediate<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, RefPtr<mozilla::layers::CompositingRenderTarget>) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:554:3
#15 0x7f365c328439 in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:273:9
#16 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#17 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#18 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#19 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#20 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#21 0x7f365c32b81e in void mozilla::layers::ContainerPrepare<mozilla::layers::RefLayerComposite>(mozilla::layers::RefLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#22 0x7f365c3276ce in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20
#23 0x7f365c3854c0 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:944:18
#24 0x7f365c383244 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:533:3
#25 0x7f365c381b26 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:463:5
#26 0x7f365c3d4882 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1022:18
#27 0x7f365c3eae75 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27
#28 0x7f365c438e60 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
#29 0x7f365c438e60 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1170
#30 0x7f365c438e60 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1215
#31 0x7f365a99cb23 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
#32 0x7f365a99cb23 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
#33 0x7f365a99cb23 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
#34 0x7f365a99ea98 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
#35 0x7f365a99a139 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#36 0x7f365a99a139 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#37 0x7f365a99a139 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#38 0x7f365a9b830f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
Thread T30 (Compositor) created by T0 here:
#0 0x4ae80d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
#1 0x7f365a9a887f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
#2 0x7f365a9a887f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
#3 0x7f365a9b7caf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
#4 0x7f365c3e994a in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:102:26
#5 0x7f365c3e994a in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:52
#6 0x7f365c3e9c03 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:124:33
#7 0x7f365c4b9322 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1038:5
#8 0x7f365c4b5037 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:774:5
#9 0x7f365c4b242b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:533:9
#10 0x7f3661c0b54e in CreateVsyncRefreshTimer /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1023:5
#11 0x7f3661c0b54e in nsRefreshDriver::ChooseTimer() const /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1139
#12 0x7f3661c0e631 in nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1375:34
#13 0x7f3661e02536 in ObserveStyleFlushes /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:654:7
#14 0x7f3661e02536 in EnsureStyleFlush /builds/worker/workspace/build/src/layout/base/nsIPresShellInlines.h:50
#15 0x7f3661e02536 in nsPresContext::MediaFeatureValuesChanged(mozilla::MediaFeatureChange const&) /builds/worker/workspace/build/src/layout/base/nsPresContext.h:297
#16 0x7f3661d5f576 in SetVisibleArea /builds/worker/workspace/build/src/layout/base/nsPresContext.h:473:9
#17 0x7f3661d5f576 in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:721
#18 0x7f3661d5e950 in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:944:10
#19 0x7f3661d5da27 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:664:10
#20 0x7f3664f1557f in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9096:7
#21 0x7f3664f13eeb in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6903:17
#22 0x7f3664f22546 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7784:14
#23 0x7f3664fa494f in nsWebShellWindow::Initialize(nsIXULWindow*, nsIXULWindow*, nsIURI*, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWidgetInitData&) /builds/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:237:21
#24 0x7f3664f9f1c1 in nsAppShellService::JustCreateTopWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWebShellWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:736:25
#25 0x7f3664fa0a3a in nsAppShellService::CreateTopLevelWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, nsITabParent*, mozIDOMWindowProxy*, nsIXULWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:200:8
#26 0x7f366577d6af in nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:680:15
#27 0x7f36658ee907 in nsWindowWatcher::CreateChromeWindow(nsTSubstring<char> const&, nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:469:21
#28 0x7f36658ec3db in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:939:14
#29 0x7f36658e6b8f in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:328:10
#30 0x7f3659b87701 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#31 0x7f365b48c90e in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1951:12
#32 0x7f365b48c90e in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267
#33 0x7f365b48c90e in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234
#34 0x7f365b4935a8 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:911:12
#35 0x7f3665c74757 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
#36 0x7f3665c74757 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#37 0x7f3665c5f211 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#38 0x7f3665c5f211 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#39 0x7f3665c4565a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#40 0x7f3665c77bf4 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:700:15
#41 0x7f3665d161af in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:460:12
#42 0x7f3665d16e4f in js::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::AutoVector<JSObject*>&) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:546:12
#43 0x7f3665d16a53 in js::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:504:12
#44 0x7f365b36ee37 in mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:925:25
#45 0x7f365b36c362 in mozJSComponentLoader::LoadModule(mozilla::FileLocation&) /builds/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:442:10
#46 0x7f3659b09e29 in Load /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:717:24
#47 0x7f3659b09e29 in nsFactoryEntry::GetFactory() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1748
#48 0x7f3659b0aaba in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1046:41
#49 0x7f3659b020cd in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1409:10
#50 0x7f3659b10b15 in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:67:43
#51 0x7f3659b10b15 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:292
#52 0x7f36599cc69a in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:106:7
#53 0x7f3665993e98 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:1036:5
#54 0x7f3665993e98 in nsAppStartupNotifier::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/toolkit/xre/nsAppStartupNotifier.cpp:59
#55 0x7f3665985e88 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4664:22
#56 0x7f366598970d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4979:8
#57 0x7f366598abd4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5071:21
#58 0x4f4ef5 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
#59 0x4f4ef5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
#60 0x7f367a7c51c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:202:16 in ssse3_fetch_horizontal
Shadow bytes around the buggy address:
0x0c4280460440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
0x0c4280460450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280460460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280460470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280460480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4280460490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c42804604a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42804604b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42804604c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42804604d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c42804604e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12958==ABORTING
|
Reporter | |
Comment 1•6 years ago
|
||
Just a note, I'm using DOMFuzz Helper.
|
|
Reporter | |
Comment 2•6 years ago
|
||
Ok, I don't think so is related to DOMFuzz Helper, I can't reproduce on a Desktop but I do on my server. There is a Crash annotation not pasted that happens before, here it is: Crash Annotation GraphicsCriticalError: |[0][GFX1-]: [OPENGL] Failed to init compositor with reason: FEATURE_FAILURE_OPENGL_CREATE_CONTEXT (t=0.756706) [GFX1-]: [OPENGL] Failed to init compositor with reason: FEATURE_FAILURE_OPENGL_CREATE_CONTEXT
|
||
Updated•6 years ago
|
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Product: Firefox → Core
|
||
Updated•6 years ago
|
Group: core-security → gfx-core-security
|
|
||
Comment 3•6 years ago
|
||
|
|
||
Updated•6 years ago
|
Status: UNCONFIRMED → NEW
Crash Signature: [@ ssse3_fetch_horizontal]
Ever confirmed: true
Flags: in-testsuite?
|
|
||
Updated•6 years ago
|
status-firefox59:
--- → affected
status-firefox60:
--- → affected
status-firefox61:
--- → affected
status-firefox-esr52:
--- → affected
|
|
Reporter | |
Comment 4•6 years ago
|
||
Is it planned for the next release?
|
||
Updated•6 years ago
|
Flags: sec-bounty?
|
|
Reporter | |
Updated•6 years ago
|
Flags: needinfo?(twsmith)
|
|
||
Comment 5•6 years ago
|
||
(In reply to Francisco A. from comment #4) > Is it planned for the next release? If you mean 60 coming out next week, no. These bugs take a while to figure out and we don't check in security fixes just before a release if we don't have to. We're already getting ready to build release candidates. Jeff, can you say who in graphics can look at this?
Flags: needinfo?(jmuizelaar)
|
|
||
Updated•6 years ago
|
Flags: needinfo?(twsmith)
|
Assignee | |
Comment 6•6 years ago
|
||
I can look at this next week.
|
|
Reporter | |
Comment 7•6 years ago
|
||
(In reply to Jeff Muizelaar [:jrmuizel] from comment #6) > I can look at this next week. Let me know if I can help with something to have this fixed soon.
|
||
Updated•6 years ago
|
Priority: -- → P2
|
|
Assignee | |
Comment 8•6 years ago
|
||
I'm going to try to look at this nowish, but if I end up on leave before I can get to it, it can be assigned to Sotaro.
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Updated•6 years ago
|
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 9•6 years ago
|
||
Is it possible to reproduce this on Linux? I haven't been able to.
Flags: needinfo?(rs)
|
|
Reporter | |
Comment 10•6 years ago
|
||
This was tested on Linux a month ago. There is no crash in today's build so something has changed since I reported it. Also Tyson reproduced the issue, minimized the sample and triaged the affected versions.
Flags: needinfo?(rs) → needinfo?(twsmith)
|
|
||
Comment 11•6 years ago
|
||
I can still repro on Ubuntu 16.04 with the latest nightly ASan build BuildID=20180510164324 SourceStamp=17db33b6a124422d43a9f518bea1bc62a698126b
Flags: needinfo?(twsmith)
|
|
||
Comment 12•6 years ago
|
||
FWIW I used the reduced testcase
|
|
Reporter | |
Comment 13•6 years ago
|
||
(In reply to Tyson Smith [:tsmith] from comment #12) > FWIW I used the reduced testcase Ok I see, copy pasted the reduced (download it, dont do a c&p), but using mine still working in today's build. Thanks Tyson. ================================================================= ==2269==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621001f7acfc at pc 0x7fe1104e48ed bp 0x7fe0fc9357f0 sp 0x7fe0fc9357e8 READ of size 8 at 0x621001f7acfc thread T25 (Compositor) #0 0x7fe1104e48ec in ssse3_fetch_horizontal /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:202:16 #1 0x7fe1104e48ec in ssse3_fetch_bilinear_cover /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:325 #2 0x7fe1104e48ec in ssse3_scale_data /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:556 #3 0x7fe110be8e58 in mozilla::layers::AttemptVideoScale(mozilla::layers::TextureSourceBasic*, mozilla::gfx::SourceSurface const*, float, mozilla::gfx::CompositionOp, mozilla::layers::TexturedEffect const*, mozilla::gfx::BaseMatrix<float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawTarget*, mozilla::gfx::DrawTarget const*) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:560:5 #4 0x7fe110bb5a90 in void mozilla::layers::BasicCompositor::DrawGeometry<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> >(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, bool) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:773:13 #5 0x7fe110bb430e in mozilla::layers::BasicCompositor::DrawQuad(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:644:3 #6 0x7fe1108f78db in mozilla::layers::Compositor::DrawGeometry(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/Compositor.cpp:227:5 #7 0x7fe110cc8f5d in DrawGeometry /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/Compositor.h:340:5 #8 0x7fe110cc8f5d in mozilla::layers::ImageHost::Composite(mozilla::layers::Compositor*, mozilla::layers::LayerComposite*, mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ImageHost.cpp:298 #9 0x7fe110d12be6 in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&)::$_0::operator()(mozilla::layers::EffectChain&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) const /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:106:17 #10 0x7fe110ccd41e in RenderWithAllMasks<(lambda at /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:104:22)> /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.h:739:5 #11 0x7fe110ccd41e in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:103 #12 0x7fe110cb6116 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:443:22 #13 0x7fe110cb331a in void mozilla::layers::RenderIntermediate<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, RefPtr<mozilla::layers::CompositingRenderTarget>) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:554:3 #14 0x7fe110c80c49 in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:273:9 #15 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #16 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #17 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #18 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #19 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #20 0x7fe110c8402e in void mozilla::layers::ContainerPrepare<mozilla::layers::RefLayerComposite>(mozilla::layers::RefLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #21 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #22 0x7fe110cde0dc in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:946:18 #23 0x7fe110cdbe14 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:534:3 #24 0x7fe110cda6f6 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:464:5 #25 0x7fe110d2c0cf in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1056:18 #26 0x7fe110d42735 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27 #27 0x7fe110d79bf0 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1165:12 #28 0x7fe110d79bf0 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1171 #29 0x7fe110d79bf0 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1216 #30 0x7fe10f310973 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9 #31 0x7fe10f310973 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460 #32 0x7fe10f310973 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535 #33 0x7fe10f312928 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31 #34 0x7fe10f30df89 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #35 0x7fe10f30df89 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #36 0x7fe10f30df89 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #37 0x7fe10f32c22f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16 #38 0x7fe10f31ee3c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13 #39 0x7fe12ff787fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb) #40 0x7fe12efa6b5e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x114b5e) 0x621001f7acfc is located 4 bytes to the left of 4111-byte region [0x621001f7ad00,0x621001f7bd0f) allocated by thread T25 (Compositor) here: #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 #1 0x7fe1106b1cc6 in Realloc /builds/worker/workspace/build/src/gfx/2d/Tools.h:205:41 #2 0x7fe1106b1cc6 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /builds/worker/workspace/build/src/gfx/2d/SourceSurfaceRawData.cpp:68 #3 0x7fe11050e0dc in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /builds/worker/workspace/build/src/gfx/2d/Factory.cpp:1101:16 #4 0x7fe110be2105 in mozilla::layers::WrappingTextureSourceYCbCrBasic::GetSurface(mozilla::gfx::DrawTarget*) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:124:18 #5 0x7fe110bb5a1b in void mozilla::layers::BasicCompositor::DrawGeometry<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> >(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, bool) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:770:29 #6 0x7fe110bb430e in mozilla::layers::BasicCompositor::DrawQuad(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:644:3 #7 0x7fe1108f78db in mozilla::layers::Compositor::DrawGeometry(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/Compositor.cpp:227:5 #8 0x7fe110cc8f5d in DrawGeometry /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/Compositor.h:340:5 #9 0x7fe110cc8f5d in mozilla::layers::ImageHost::Composite(mozilla::layers::Compositor*, mozilla::layers::LayerComposite*, mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ImageHost.cpp:298 #10 0x7fe110d12be6 in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&)::$_0::operator()(mozilla::layers::EffectChain&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) const /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:106:17 #11 0x7fe110ccd41e in RenderWithAllMasks<(lambda at /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:104:22)> /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.h:739:5 #12 0x7fe110ccd41e in mozilla::layers::ImageLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ImageLayerComposite.cpp:103 #13 0x7fe110cb6116 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:443:22 #14 0x7fe110cb331a in void mozilla::layers::RenderIntermediate<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, RefPtr<mozilla::layers::CompositingRenderTarget>) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:554:3 #15 0x7fe110c80c49 in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:273:9 #16 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #17 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #18 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #19 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #20 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #21 0x7fe110c8402e in void mozilla::layers::ContainerPrepare<mozilla::layers::RefLayerComposite>(mozilla::layers::RefLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #22 0x7fe110c7fede in void mozilla::layers::ContainerPrepare<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:238:20 #23 0x7fe110cde0dc in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:946:18 #24 0x7fe110cdbe14 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:534:3 #25 0x7fe110cda6f6 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:464:5 #26 0x7fe110d2c0cf in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1056:18 #27 0x7fe110d42735 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27 #28 0x7fe110d79bf0 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1165:12 #29 0x7fe110d79bf0 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1171 #30 0x7fe110d79bf0 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1216 #31 0x7fe10f310973 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9 #32 0x7fe10f310973 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460 #33 0x7fe10f310973 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535 #34 0x7fe10f312928 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31 #35 0x7fe10f30df89 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10 #36 0x7fe10f30df89 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319 #37 0x7fe10f30df89 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299 #38 0x7fe10f32c22f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16 Thread T25 (Compositor) created by T0 here: #0 0x4ae80d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3 #1 0x7fe10f31c86f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14 #2 0x7fe10f31c86f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146 #3 0x7fe10f32bbcf in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8 #4 0x7fe110d4120a in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:102:26 #5 0x7fe110d4120a in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:52 #6 0x7fe110d414c3 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:124:33 #7 0x7fe110e05628 in InitLayersIPC /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1034:5 #8 0x7fe110e05628 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:772 #9 0x7fe110e0297b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:532:9 #10 0x7fe115ee030b in nsWindow::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::LayoutDevicePixel> const&, nsWidgetInitData*) /builds/worker/workspace/build/src/widget/gtk/nsWindow.cpp:3680:19 #11 0x7fe115e17d71 in nsIWidget::Create(nsIWidget*, void*, mozilla::gfx::IntRectTyped<mozilla::DesktopPixel> const&, nsWidgetInitData*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIWidget.h:458:16 #12 0x7fe11970a87b in nsWebShellWindow::Initialize(nsIXULWindow*, nsIXULWindow*, nsIURI*, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWidgetInitData&) /builds/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:177:17 #13 0x7fe119705a21 in nsAppShellService::JustCreateTopWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWebShellWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:736:25 #14 0x7fe11970729a in nsAppShellService::CreateTopLevelWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, nsITabParent*, mozIDOMWindowProxy*, nsIXULWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:200:8 #15 0x7fe119edd5ff in nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:680:15 #16 0x7fe11a050c57 in nsWindowWatcher::CreateChromeWindow(nsTSubstring<char> const&, nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:469:21 #17 0x7fe11a04e722 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:939:14 #18 0x7fe11a048eff in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:328:10 #19 0x7fe10e4ed491 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106 #20 0x7fe10fe31b4f in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1962:12 #21 0x7fe10fe31b4f in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1268 #22 0x7fe10fe31b4f in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1235 #23 0x7fe10fe38510 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:911:12 #24 0x7fe11a3d37b7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15 #25 0x7fe11a3d37b7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467 #26 0x7fe11a3bdfb0 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #27 0x7fe11a3bdfb0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086 #28 0x7fe11a3a4773 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #29 0x7fe11a3d6c54 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:700:15 #30 0x7fe11a471f4f in ExecuteInExtensibleLexicalEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:460:12 #31 0x7fe11a472bef in js::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::AutoVector<JSObject*>&) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:546:12 #32 0x7fe11a4727f3 in js::ExecuteInJSMEnvironment(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:504:12 #33 0x7fe10fd16887 in mozJSComponentLoader::ObjectForLocation(ComponentLoaderInfo&, nsIFile*, JS::MutableHandle<JSObject*>, JS::MutableHandle<JSScript*>, char**, bool, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:925:25 #34 0x7fe10fd13e0b in mozJSComponentLoader::LoadModule(mozilla::FileLocation&) /builds/worker/workspace/build/src/js/xpconnect/loader/mozJSComponentLoader.cpp:442:10 #35 0x7fe10e471299 in Load /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:717:24 #36 0x7fe10e471299 in nsFactoryEntry::GetFactory() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1748 #37 0x7fe10e471f2a in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1046:41 #38 0x7fe10e46953d in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1409:10 #39 0x7fe10e477f85 in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:67:43 #40 0x7fe10e477f85 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:292 #41 0x7fe10e33558a in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:106:7 #42 0x7fe11a0eeac8 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:1036:5 #43 0x7fe11a0eeac8 in nsAppStartupNotifier::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/toolkit/xre/nsAppStartupNotifier.cpp:59 #44 0x7fe11a0e0628 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4459:22 #45 0x7fe11a0e3eac in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4774:8 #46 0x7fe11a0e5374 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4866:21 #47 0x4f4ef5 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:233:22 #48 0x4f4ef5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:306 #49 0x7fe12eeb31c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0) SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/gfx/2d/ssse3-scaler.c:202:16 in ssse3_fetch_horizontal Shadow bytes around the buggy address: 0x0c42803e7540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 0x0c42803e7550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c42803e7560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c42803e7570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c42803e7580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c42803e7590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x0c42803e75a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c42803e75b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c42803e75c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c42803e75d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c42803e75e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==2269==ABORTING
|
|
Reporter | |
Comment 14•6 years ago
|
||
This issue is marked as sec-high and still not assigned/fixed or have any patch proposal after a month.
|
|
Assignee | |
Comment 15•6 years ago
|
||
I've been able to reproduce this and will hopefully have a solution soon.
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 16•6 years ago
|
||
So it looks like we're probably running into some integer overflow situations in the ssse3 code.
|
|
Assignee | |
Comment 17•6 years ago
|
||
Assignee: nobody → jmuizelaar
Attachment #8976299 -
Flags: review?(sotaro.ikeda.g)
|
|
Assignee | |
Comment 18•6 years ago
|
||
Attachment #8976300 -
Flags: review?(sotaro.ikeda.g)
|
|
||
Comment 19•6 years ago
|
||
Here is the output from UBSan (without the patch applied). I tried to verify with the patches but they seem to be broken. The new 'if' statement is missing a '}' and PIXMAN_FIXED_* are not defined. Also 'void' was removed from the function ssse3_scale_data... seems like a typo.
|
|
||
Updated•6 years ago
|
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 20•6 years ago
|
||
Attachment #8976299 -
Attachment is obsolete: true
Attachment #8976299 -
Flags: review?(sotaro.ikeda.g)
Flags: needinfo?(jmuizelaar)
Attachment #8976361 -
Flags: review?(sotaro.ikeda.g)
|
|
Assignee | |
Comment 21•6 years ago
|
||
Attachment #8976300 -
Attachment is obsolete: true
Attachment #8976300 -
Flags: review?(sotaro.ikeda.g)
Attachment #8976362 -
Flags: review?(sotaro.ikeda.g)
|
|
Assignee | |
Comment 22•6 years ago
|
||
I ended up uploading old versions of the patches. These ones should work better.
|
|
||
Comment 23•6 years ago
|
||
Still getting "undeclared identifier" for the PIXMAN_FIXED_* constants. In fact I can't even find them in m-c using DRX or SearchFox.
Flags: needinfo?(jmuizelaar)
|
|
Assignee | |
Comment 24•6 years ago
|
||
The PIXMAN_FIXED_* constants are defined in '2/2 ssse3-scaler: make sure iter->x/y is representable' https://bug1452375.bmoattachments.org/attachment.cgi?id=8976362
Flags: needinfo?(jmuizelaar)
|
|
||
Comment 25•6 years ago
|
||
bah! I used the old patch :P On the plus side the patch works. Thanks Jeff!
|
||
Updated•6 years ago
|
Attachment #8976362 -
Flags: review?(sotaro.ikeda.g) → review+
|
|
||
Comment 26•6 years ago
|
||
Comment on attachment 8976361 [details] [diff] [review] 1/2 ssse3-scaler: handle init failure Good!
Attachment #8976361 -
Flags: review?(sotaro.ikeda.g) → review+
|
|
Assignee | |
Comment 27•6 years ago
|
||
Comment on attachment 8976362 [details] [diff] [review] 2/2 ssse3-scaler: make sure iter->x/y is representable. [Security approval request comment] How easily could an exploit be constructed based on the patch? It doesn't seem too hard. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The patch suggests that there could be an integer overflow problem. Which older supported branches are affected by this flaw? All of them. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? This code hasn't changed so it will be easy to backport. How likely is this patch to cause regressions; how much testing does it need? It's quite unlikely to cause regressions. It just forces a fallback.
Attachment #8976362 -
Flags: sec-approval?
|
|
Reporter | |
Comment 28•6 years ago
|
||
Comment on attachment 8965958 [details]
heapbuffer.html.gz
Use minimized testcase
Attachment #8965958 -
Attachment is obsolete: true
|
||
Comment 29•6 years ago
|
||
This is an out-of-bounds read, but it's reading a number that's then interpreted as graphics values. https://searchfox.org/mozilla-central/source/gfx/2d/ssse3-scaler.c#202,253 Do these values affect the location of a write somewhere later (that could be out of bounds)? I didn't see any but I'm not familiar with this code. Unless there is we're not talking about memory corruption here. It leaks bits of memory into an image that could maybe be scraped out of a canvas later. This should probably be downgraded to sec-moderate unless we can demonstrate recovering those bits.
Flags: needinfo?(jmuizelaar)
|
|
Reporter | |
Comment 30•6 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #29) This should probably be downgraded to sec-moderate unless we can > demonstrate recovering those bits. If I am going to analize the bug after two months of having been reported to be able to have an adequate rating (which I consider to be the minimum is sec-high due nature and componente) without knowing all this codebase. I find it unreasonable to continue reporting bugs.
|
|
Assignee | |
Comment 31•6 years ago
|
||
The out-of-bounds read is happening in the chrome process. I don't think it's possible for the values to make there way back to the content process. I don't think, but am not sure, if there's any way for the out of bounds read to impact control flow or control a memory write.
Flags: needinfo?(jmuizelaar)
|
|
||
Comment 32•6 years ago
|
||
RE: sec-bounty... I'd like to note that Francisco's help here helped us (fuzzing team) spot a defect in our automated fuzzing system.
|
|
||
Comment 33•6 years ago
|
||
(In reply to Francisco A. from comment #30) > If I am going to analize the bug after two months of having been reported to > be able to have an adequate rating (which I consider to be the minimum is > sec-high due nature and componente) without knowing all this codebase. I > find it unreasonable to continue reporting bugs. Ratings are based on the definitions at https://wiki.mozilla.org/Security_Severity_Ratings and if you want to make an argument based on the definitions there, we are open to discussion. Jeff, sec-approval+ for trunk. We'll want a patch for Beta, ESR52, and ESR60 branches nominated as well, to land after this is on mozilla-central.
status-firefox62:
--- → affected
tracking-firefox61:
--- → +
tracking-firefox62:
--- → +
tracking-firefox-esr52:
--- → 61+
tracking-firefox-esr60:
--- → 61+
|
|
||
Updated•6 years ago
|
Attachment #8976362 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 34•6 years ago
|
||
I'm now on parental leave. Sotaro or someone else should be able to do the needed rebases.
Flags: needinfo?(dbolter)
|
||
Updated•6 years ago
|
status-firefox-esr60:
--- → affected
|
||
Comment 35•6 years ago
|
||
Sotaro can you handle the rebases?
Flags: needinfo?(dbolter) → needinfo?(sotaro.ikeda.g)
|
|
||
Comment 37•6 years ago
|
||
(In reply to Al Billings [:abillings] from comment #33) > > Ratings are based on the definitions at > https://wiki.mozilla.org/Security_Severity_Ratings and if you want to make > an argument based on the definitions there, we are open to discussion. > > Jeff, sec-approval+ for trunk. We'll want a patch for Beta, ESR52, and ESR60 > branches nominated as well, to land after this is on mozilla-central. We need a rebased patch only for ESR52. Current patch could be applied to Beta and ESR60.
|
|
||
Comment 38•6 years ago
|
||
|
|
||
Comment 39•6 years ago
|
||
|
|
||
Updated•6 years ago
|
Keywords: checkin-needed
|
|
||
Updated•6 years ago
|
Keywords: checkin-needed
|
|
||
Comment 41•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=89b829485b29fb58c62e69eec9a5ea6c80a93e93
|
|
||
Comment 42•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b0fcf6190c8c8e6be6e8f5c7184a1acf88a3ad86 https://hg.mozilla.org/integration/mozilla-inbound/rev/4d7efa2ca9e2aae089754cd85558a048c9121512
|
||
Comment 43•6 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b0fcf6190c8c https://hg.mozilla.org/mozilla-central/rev/4d7efa2ca9e2
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
|
|
||
Comment 44•6 years ago
|
||
Thanks for getting this landed, Sotaro! Please request Beta/ESR60/ESR52 approval on the appropriate patches when you get a chance.
Flags: needinfo?(sotaro.ikeda.g)
|
|
||
Comment 45•6 years ago
|
||
Comment on attachment 8976362 [details] [diff] [review] 2/2 ssse3-scaler: make sure iter->x/y is representable. [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: Fix Landed on Version: Risk to taking this patch (and alternatives if risky): String or UUID changes made by this patch: See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info. [Approval Request Comment] If this is not a sec:{high,crit} bug, please state case for ESR consideration: User impact if declined: Fix Landed on Version: Risk to taking this patch (and alternatives if risky): String or UUID changes made by this patch: See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info. Approval Request Comment [Feature/Bug causing the regression]: Bug 1266491 [User impact if declined]: Could cause a crash in chrome process or gpu process. [Is this code covered by automated tests?]: Yes. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: No [List of other uplifts needed for the feature/fix]: attachment 8976361 [details] [diff] [review] (this patch) attachment 8976362 [details] [diff] [review] (patch in this bug) [Is the change risky?]: Low risk. [Why is the change risky/not risky?]: It's unlikely to cause regressions. It just forces a fallback. [String changes made/needed]: None
Flags: needinfo?(sotaro.ikeda.g)
Attachment #8976362 -
Flags: approval-mozilla-release?
Attachment #8976362 -
Flags: approval-mozilla-esr60?
Attachment #8976362 -
Flags: approval-mozilla-esr52?
Attachment #8976362 -
Flags: approval-mozilla-beta?
|
|
||
Updated•6 years ago
|
Attachment #8976362 -
Flags: approval-mozilla-esr60?
Attachment #8976362 -
Flags: approval-mozilla-esr60+
Attachment #8976362 -
Flags: approval-mozilla-esr52?
Attachment #8976362 -
Flags: approval-mozilla-esr52+
Attachment #8976362 -
Flags: approval-mozilla-beta?
Attachment #8976362 -
Flags: approval-mozilla-beta+
|
|
||
Updated•6 years ago
|
Attachment #8976362 -
Flags: approval-mozilla-release?
|
|
||
Comment 46•6 years ago
|
||
"approval-mozilla-release?" was added by accident. I cleared it.
|
|
||
Updated•6 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Comment 47•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/295b7c0fbe99 https://hg.mozilla.org/releases/mozilla-beta/rev/56b432712357
|
|
||
Comment 48•6 years ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr60/rev/cbf5d1ea2f9a https://hg.mozilla.org/releases/mozilla-esr60/rev/e205f08f30a7 https://hg.mozilla.org/releases/mozilla-esr52/rev/f1a745f8c42d https://hg.mozilla.org/releases/mozilla-esr52/rev/1f9a430881cc
|
|
||
Updated•6 years ago
|
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+]
|
||
Updated•6 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+] → [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage]
|
|
||
Updated•6 years ago
|
Alias: CVE-2018-12362
|
|
||
Updated•5 years ago
|
Group: core-security-release
|
||
Updated•4 years ago
|
Blocks: asan-maintenance
|
||
Updated•1 month ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•