Closed Bug 1452744 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:309:26 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)

Categories

(Core :: Layout, defect, P2)

59 Branch
defect

Tracking

RESOLVED DUPLICATE of bug 1470260

People

(Reporter: jkratzer, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Attachments

(3 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 30d72755b174.

Testcase must be served via a local webserver and run using xvfb in order to reproduce.
Flags: in-testsuite?
Component: Canvas: WebGL → Layout
Summary: SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:309:26 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) → AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:309:26 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)
Group: core-security → layout-core-security
==21307==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000b0ab0 at pc 0x7f01d0110a22 bp 0x7ffd4d24e810 sp 0x7ffd4d24e808
READ of size 1 at 0x6080000b0ab0 thread T0 (file:// Content)
    #0 0x7f01d0110a21 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:309:26
    #1 0x7f01d01101e6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:329:5
    #2 0x7f01d0112f5e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #3 0x7f01d0112f5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
    #4 0x7f01d0112b5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:584:9
    #5 0x7f01d09cf26f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #6 0x7f01c9538719 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #7 0x7f01c940ebea in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #8 0x7f01c8f3f8ee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #9 0x7f01c8f3c871 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #10 0x7f01c8f3e06c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #11 0x7f01c8f3e6c8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #12 0x7f01c8056f18 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #13 0x7f01c8073350 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #14 0x7f01c8f4745a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #15 0x7f01c8e97229 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7f01c8e97229 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7f01c8e97229 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7f01cfbb8eba in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #19 0x7f01d3e7aedb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #20 0x7f01c8e97229 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #21 0x7f01c8e97229 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #22 0x7f01c8e97229 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #23 0x7f01d3e7a8a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #24 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #25 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #26 0x7f01e7f3882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #27 0x42476c in _start (/home/forb1dden/builds/mc-asan/firefox+0x42476c)

0x6080000b0ab0 is located 16 bytes inside of 88-byte region [0x6080000b0aa0,0x6080000b0af8)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f01d010d724 in Shutdown /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1053:3
    #2 0x7f01d010d724 in nsRefreshDriver::Disconnect() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2440
    #3 0x7f01d02e72d0 in nsPresContext::DetachShell() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:1039:21
    #4 0x7f01d014d7d4 in mozilla::PresShell::Destroy() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1389:19
    #5 0x7f01d025ac02 in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4602:15
    #6 0x7f01d0247e03 in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1772:5
    #7 0x7f01d339dea5 in nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5514:21
    #8 0x7f01d39420e9 in nsWebBrowser::SetDocShell(nsIDocShell*) /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:1712:23
    #9 0x7f01d394150d in nsWebBrowser::InternalDestroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:95:3
    #10 0x7f01d3950462 in nsWebBrowser::Destroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:1306:3
    #11 0x7f01d39506cc in non-virtual thunk to nsWebBrowser::Destroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp
    #12 0x7f01cf46a4d6 in mozilla::dom::TabChild::DestroyWindow() /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1074:21
    #13 0x7f01cf47fa68 in mozilla::dom::TabChild::RecvDestroy() /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:2515:3
    #14 0x7f01c96ae554 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4406:20
    #15 0x7f01c909ab13 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5132:28
    #16 0x7f01c8f3f8ee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #17 0x7f01c8f3c871 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #18 0x7f01c8f3e06c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #19 0x7f01c8f3e6c8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #20 0x7f01c80375c1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #21 0x7f01c8056f18 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #22 0x7f01c8073350 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #23 0x7f01c805db42 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:565:36)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #24 0x7f01c805db42 in SpinEventLoopUntilInternal /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:565
    #25 0x7f01c805db42 in nsThreadManager::SpinEventLoopUntilOrShutdown(nsINestedEventLoopCondition*) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:548
    #26 0x7f01c80832a1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #27 0x7f01c998911e in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1951:12
    #28 0x7f01c998911e in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267
    #29 0x7f01c998911e in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234
    #30 0x7f01c998fdb8 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:911:12
    #31 0x7f01d415f927 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #32 0x7f01d415f927 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #33 0x7f01d414a3e1 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #34 0x7f01d414a3e1 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #35 0x7f01d413082a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #36 0x7f01d415f6a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f01d00f9e66 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f01d00f9e66 in PVsyncActorCreated /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2307
    #4 0x7f01d00f9e66 in CreateContentVsyncRefreshTimer /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1003
    #5 0x7f01d00f9e66 in CreateVsyncRefreshTimer /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1030
    #6 0x7f01d00f9e66 in nsRefreshDriver::ChooseTimer() const /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1138
    #7 0x7f01d00fcde1 in nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1374:34
    #8 0x7f01d017734f in DoObserveStyleFlushes /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9253:36
    #9 0x7f01d017734f in ObserveStyleFlushes /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:654
    #10 0x7f01d017734f in nsIPresShell::EnsureStyleFlush() /builds/worker/workspace/build/src/layout/base/nsIPresShellInlines.h:50
    #11 0x7f01d015ada8 in MediaFeatureValuesChanged /builds/worker/workspace/build/src/layout/base/nsPresContext.h:297:15
    #12 0x7f01d015ada8 in SetVisibleArea /builds/worker/workspace/build/src/layout/base/nsPresContext.h:473
    #13 0x7f01d015ada8 in mozilla::PresShell::ResizeReflowIgnoreOverride(int, int, int, int, nsIPresShell::ResizeReflowOptions) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1938
    #14 0x7f01cfb22fd4 in DoSetWindowDimensions /builds/worker/workspace/build/src/view/nsViewManager.cpp:191:19
    #15 0x7f01cfb22fd4 in nsViewManager::SetWindowDimensions(int, int, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:227
    #16 0x7f01d025c67b in nsDocumentViewer::SetBoundsWithFlags(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2057:19
    #17 0x7f01d33f24ca in SetPositionAndSize /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5654:27
    #18 0x7f01d33f24ca in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, unsigned int) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #19 0x7f01d3952fd3 in SetPositionAndSize /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:1402:5
    #20 0x7f01d3952fd3 in non-virtual thunk to nsWebBrowser::SetPositionAndSize(int, int, int, int, unsigned int) /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp
    #21 0x7f01cf46ffd7 in mozilla::dom::TabChild::RecvUpdateDimensions(mozilla::dom::DimensionInfo const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1314:14
    #22 0x7f01c96afc52 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3023:20
    #23 0x7f01c909ab13 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5132:28
    #24 0x7f01c8f3f8ee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #25 0x7f01c8f3c871 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #26 0x7f01c8f3e06c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #27 0x7f01c8f3e6c8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #28 0x7f01c80375c1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #29 0x7f01c8056f18 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #30 0x7f01c8073350 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #31 0x7f01c8f4745a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #32 0x7f01c8e97229 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #33 0x7f01c8e97229 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #34 0x7f01c8e97229 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #35 0x7f01cfbb8eba in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #36 0x7f01d3e7aedb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #37 0x7f01c8e97229 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #38 0x7f01c8e97229 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #39 0x7f01c8e97229 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #40 0x7f01d3e7a8a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #41 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #42 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #43 0x7f01e7f3882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:309:26 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)
Shadow bytes around the buggy address:
  0x0c108000e100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c108000e110: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c108000e120: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108000e130: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108000e140: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c108000e150: fa fa fa fa fd fd[fd]fd fd fd fd fd fd fd fd fa
  0x0c108000e160: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108000e170: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108000e180: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108000e190: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108000e1a0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 02 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21307==ABORTING
Stack traces are missing the interesting bits here, but this smells like a missing strong reference on the stack.
yes.
Assignee: nobody → bugs
Ah, not a refcounted object, so a tad more difficult to fix.
Attached patch wipSplinter Review
Jason, want to test this?
The idea is that the Timer is refcounted so that RefreshDriverVsyncObserver can effectively have a kungfuDeathGrip when calling RunRefreshDrivers.
RefreshDriverVsyncObserver itself still has a raw pointer to mVsyncRefreshDriverTimer, but that is explicitly cleared when the mVsyncRefreshDriverTimer object is about to be deleted.
Attachment #8967514 - Flags: feedback?(jkratzer)
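The lifetime pattern described in the comment above, as an added illustration rather than the patch's or Firefox's code: VsyncTimer, VsyncObserver, RunScenario, gLiveTimers and the cut-down RefPtr are simplified stand-ins for RefreshDriverTimer, RefreshDriverVsyncObserver and mozilla::RefPtr, with the refresh drivers modelled as callbacks, one of which drops the owning reference mid-tick the way Disconnect() -> Shutdown() does in the free stack.

```cpp
#include <functional>
#include <utility>
#include <vector>

// Minimal stand-in for mozilla::RefPtr (hypothetical; just enough for this example).
template <class T> class RefPtr {
 public:
  RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& aOther) : RefPtr(aOther.mPtr) {}
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* aPtr) { RefPtr tmp(aPtr); std::swap(mPtr, tmp.mPtr); return *this; }
  RefPtr& operator=(const RefPtr& aOther) { return *this = aOther.mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr = nullptr;
};

static int gLiveTimers = 0;  // number of VsyncTimer objects currently alive
class VsyncObserver;

// Stand-in for RefreshDriverTimer after the "wip" idea: refcounted, and it
// nulls the observer's raw back-pointer when it is about to be deleted.
class VsyncTimer {
 public:
  explicit VsyncTimer(VsyncObserver* aObserver);
  ~VsyncTimer();
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  void AddDriver(std::function<void()> aDriver) { mDrivers.push_back(std::move(aDriver)); }
  // Models TickRefreshDrivers(): every driver runs, and a driver may drop the owning
  // reference to this timer while we are still iterating `mDrivers`. Without a grip
  // held by the caller, the loop would read freed memory (the "READ of size 1" above).
  int TickRefreshDrivers() {
    int ticked = 0;
    for (const auto& driver : mDrivers) { driver(); ++ticked; }
    return ticked;
  }
 private:
  int mRefCnt = 0;
  VsyncObserver* mObserver;
  std::vector<std::function<void()>> mDrivers;
};

// Stand-in for RefreshDriverVsyncObserver: it only ever holds a raw pointer.
class VsyncObserver {
 public:
  VsyncTimer* mTimer = nullptr;  // raw; cleared by ~VsyncTimer
  // Returns the number of drivers ticked, or -1 if the timer is already gone.
  int NotifyVsync() {
    if (!mTimer) return -1;
    RefPtr<VsyncTimer> kungFuDeathGrip(mTimer);  // keeps the timer alive for the whole tick
    return kungFuDeathGrip->TickRefreshDrivers();
  }  // grip released here; if it was the last reference, the timer is deleted now
};

VsyncTimer::VsyncTimer(VsyncObserver* aObserver) : mObserver(aObserver) { ++gLiveTimers; mObserver->mTimer = this; }
VsyncTimer::~VsyncTimer() { --gLiveTimers; mObserver->mTimer = nullptr; }  // the explicit clearing

struct Outcome { int firstTick; int secondTick; bool pointerCleared; int liveTimers; };

// Constructed scenario: a driver disconnects (dropping the only owning reference)
// from inside the tick; afterwards another vsync notification arrives.
Outcome RunScenario() {
  VsyncObserver observer;
  RefPtr<VsyncTimer> owner(new VsyncTimer(&observer));  // the nsRefreshDriver's reference
  owner->AddDriver([] {});                              // a well-behaved driver
  owner->AddDriver([&owner] { owner = nullptr; });      // Disconnect() -> Shutdown() mid-tick
  owner->AddDriver([] {});                              // still runs: the grip kept `this` alive
  Outcome o{};
  o.firstTick = observer.NotifyVsync();                 // 3 drivers ticked, no use-after-free
  o.pointerCleared = (observer.mTimer == nullptr);      // true: ~VsyncTimer nulled it
  o.secondTick = observer.NotifyVsync();                // -1: safely ignored, no dangling deref
  o.liveTimers = gLiveTimers;                           // 0
  return o;
}
```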
(In reply to Olli Pettay [:smaug] (vacation Apr 15-20) from comment #5)
> Created attachment 8967514 [details] [diff] [review]
> wip
> 
> Jason, want to test this?
> The idea is that the Timer is refcounted so that RefreshDriverVsyncObserver
> can effectively have a kungfuDeathGrip when calling RunRefreshDrivers.
> RefreshDriverVsyncObserver itself has still raw pointer to the
> mVsyncRefreshDriverTimer, but that is explicitly cleared when
> mVsyncRefreshDriverTimer object is about to be deleted.

I just tested this and can confirm that the testcase no longer reproduces using this patch.
Comment on attachment 8967514 [details] [diff] [review]
wip

Review of attachment 8967514 [details] [diff] [review]:
-----------------------------------------------------------------

Tested and confirmed that the issue no longer reproduces.
Attachment #8967514 - Flags: feedback?(jkratzer) → feedback-
It looks like I may have spoken too soon.  It took a few tries but the testcase still reproduces the same issue described in comment #1.
Assignee: bugs → nobody
Given this is repeatable locally, it should be possible to try it under 'rr' and see if it'll repro there - modulo I'm not sure you can run rr+ASAN.

Jason: how hard is this to reproduce for you?  Are you setup to test it under rr? 

Smaug: Thoughts on next steps here?  Have you tried reproducing it?

Thanks
Flags: needinfo?(jkratzer)
Flags: needinfo?(bugs)
Priority: -- → P2
No, I haven't reproduced it. Someone who can should take a look.
Flags: needinfo?(bugs)
(In reply to Maire Reavy [:mreavy] Plz needinfo? from comment #9)
> Given this is repeatable locally, it should be possible to try it under 'rr'
> and see if it'll repro there - modulo I'm not sure you can run rr+ASAN.
> 
> Jason: how hard is this to reproduce for you?  Are you setup to test it
> under rr? 
> 
> Smaug: Thoughts on next steps here?  Have you tried reproducing it?
> 
> Thanks

I'm unable to reproduce this on the latest m-c.  A quick bisection reveals that this was likely fixed sometime during the range below:

[2018-05-08 13:52:17] > Start: ccfd7b716a91241ddbc084cb7116ec561e56d5d1 (20180426141152)
[2018-05-08 13:52:17] > End: 975e9b7613aaeea40c9d4cdf6ada1c6fa07e6d84 (20180426213853)
[2018-05-08 13:52:17] > Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ccfd7b716a91241ddbc084cb7116ec561e56d5d1&tochange=975e9b7613aaeea40c9d4cdf6ada1c6fa07e6d84
Flags: needinfo?(jkratzer)
I'm betting the fix was in that inbound merge. Can you perhaps bisect within that so we can confirm the fix? Would be good to know if there's something we need to be considering for backport here still.
Flags: needinfo?(jkratzer)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
> I'm betting the fix was in that inbound merge. Can you perhaps bisect within
> that so we can confirm the fix? Would be good to know if there's something
> we need to be considering for backport here still.

Bisection on inbound reduces the build range to:
[2018-06-01 11:31:50] > Start: 442c41eb3ab1be47e960e344305b9421ac944f75 (20180426213100)
[2018-06-01 11:31:50] > End: f679e7f1a758cd0f36adb333ebe0e5dc25f07b78 (20180426214608)
[2018-06-01 11:31:50] > Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=442c41eb3ab1be47e960e344305b9421ac944f75&tochange=f679e7f1a758cd0f36adb333ebe0e5dc25f07b78

Possibly this? https://hg.mozilla.org/integration/mozilla-inbound/rev/1ce48405e58a
Flags: needinfo?(jkratzer)
(In reply to Jason Kratzer [:jkratzer] from comment #13)
> (In reply to Ryan VanderMeulen [:RyanVM] from comment #12)
> > I'm betting the fix was in that inbound merge. Can you perhaps bisect within
> > that so we can confirm the fix? Would be good to know if there's something
> > we need to be considering for backport here still.
> 
> Bisection on inbound reduces the build range to:
> [2018-06-01 11:31:50] > Start: 442c41eb3ab1be47e960e344305b9421ac944f75
> (20180426213100)
> [2018-06-01 11:31:50] > End: f679e7f1a758cd0f36adb333ebe0e5dc25f07b78
> (20180426214608)
> [2018-06-01 11:31:50] > Pushlog:
> https://hg.mozilla.org/integration/mozilla-inbound/
> pushloghtml?fromchange=442c41eb3ab1be47e960e344305b9421ac944f75&tochange=f679
> e7f1a758cd0f36adb333ebe0e5dc25f07b78
> 
> Possibly this?
> https://hg.mozilla.org/integration/mozilla-inbound/rev/1ce48405e58a

Bad paste on the last link. Possibly this?
https://hg.mozilla.org/integration/mozilla-inbound/rev/c2f10e92f864
Emilio, does that sound plausible?
Flags: needinfo?(emilio)
To some extent, yes (not super-obvious to me how)... But that would mean I'd think that the bug is still present, just the conditions in the test-case that triggered it are no longer doing so.
Flags: needinfo?(emilio)
As far as I see, the patch I provided shows an issue around this code.
Attached file Testcase #2
I can crash a Linux ASAN build using this testcase (where "1452744-iframe.html" is the "trigger.html" file above).  STR: load this testcase in a few tabs, reload a few of them and then close a few tabs; then quit Firefox normally using File->Quit.

On shutdown a content process crashes in RefreshDriverVsyncObserver::TickRefreshDriver using a deleted RefreshDriverVsyncObserver.  This is the "part 1" crash of bug 1470260.  Part 2 is the issue Olli fixes in the "wip" in this bug, for which I came up with almost exactly the same fix in bug 1470260.  So these bugs are almost certainly the same underlying issues, just triggered slightly differently.

I'm working on a fix in bug 1470260.
Assignee: nobody → mats
The underlying issues have been fixed in bug 1470260.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security → core-security-release

Removing employee no longer with company from CC list of private bugs.

Group: core-security-release