Closed Bug 1467568 Opened 7 years ago Closed 7 years ago

[10.13.4+] Crash in objc_release | CGSWindowInvalidateCache

Categories

(Core :: Widget: Cocoa, defect, P2)

61 Branch
Unspecified
macOS
defect

Tracking


RESOLVED DUPLICATE of bug 1452763
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- wontfix
firefox63 --- wontfix

People

(Reporter: philipp, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-moderate)

Crash Data

This bug was filed from the Socorro interface and is report bp-47cf5465-dcf4-422c-be9f-4739b0180607.
=============================================================

Top 10 frames of crashing thread:

0 libobjc.A.dylib objc_release
1 SkyLight CGSWindowInvalidateCache
2 SkyLight CGSWindowGetShapeBounds
3 SkyLight CGSWindowGetSize
4 SkyLight SLSGetWindowSize
5 AppKit -[_NSCGSWindow size]
6 AppKit -[_NSCGSWindow setDragShape:]
7 AppKit _NSClearDragRectsInWindow
8 AppKit -[NSNextStepFrame _resetDragMargins]
9 AppKit -[NSNextStepFrame setFrameSize:]

=============================================================

the macos signature [@ objc_release] covers multiple different issues. i'm filing this report for crashes similar to the stack above - this crash-stats query should cover them:
https://crash-stats.mozilla.com/search/?signature=%3Dobjc_release&proto_signature=~objc_release%20%7C%20CGSWindowInvalidateCache&date=%3E%3D2018-01-01&_facets=signature&_facets=version&_facets=user_comments&_facets=adapter_vendor_id&_facets=build_id&_facets=useragent_locale&_facets=release_channel&_facets=address&_facets=proto_signature&_facets=platform_version#facet-version

the reports started appearing on/after macos 10.13.4 and all of them show a crashing address indicating a uaf situation.
Group: core-security → layout-core-security
Summary: Crash in objc_release | CGSWindowInvalidateCache → [10.13.4+] Crash in objc_release | CGSWindowInvalidateCache
bug 1469056 improved the crash signature for this case
Crash Signature: [@ objc_release] → [@ objc_release | CGSWindowInvalidateCache]
Adding 63 as affected.
One recent comment: "I clicked the Last Pass button on the toolbar to look up a password while I was on an Outlook 365 page composing an email."
Priority: -- → P2
The deallocation (objc_release) here seems to be for some internal object in some CGS related cache. This looks like an OSX bug to me. We should report it to Apple.
Flags: needinfo?(mstange)
I'm pretty sure this is the same underlying issue as bug 1452763.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(mstange)
Resolution: --- → DUPLICATE
Group: layout-core-security → core-security-release
Group: core-security-release