Closed
Bug 1469486
Opened 6 years ago
Closed 6 years ago
Intermittent: AddressSanitizer: heap-use-after-free z:\build\build\src\gfx\cairo\cairo\src\cairo-region.c:377 in _moz_cairo_region_destroy
Categories
(Core :: Graphics, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla64
People
(Reporter: RaulG, Assigned: rhunt)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf, intermittent-failure, sec-high, Whiteboard: [post-critsmash-triage][adv-main63+][adv-esr60.3+])
Attachments
(1 file)
46 bytes, text/x-phabricator-request
pascalc: approval-mozilla-release+
RyanVM: approval-mozilla-esr60+
https://treeherder.mozilla.org/logviewer.html#?job_id=183705434&repo=mozilla-central&lineNumber=2615
23:11:07 INFO - GECKO(2104) | MEMORY STAT | vsize 17303946MB | vsizeMaxContiguous 114169929MB | residentFast 1426MB
23:11:07 INFO - 777 INFO TEST-OK | browser/base/content/test/urlbar/browser_page_action_menu.js | took 21323ms
23:11:07 INFO - 778 INFO checking window state
23:11:07 INFO - 779 INFO TEST-START | browser/base/content/test/urlbar/browser_page_action_menu_add_search_engine.js
23:11:08 INFO - GECKO(2104) | JavaScript error: resource:///modules/PageStyleHandler.jsm, line 55: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDocShell.tabChild]
23:11:12 INFO - GECKO(2104) | JavaScript error: resource:///modules/PageStyleHandler.jsm, line 55: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDocShell.tabChild]
23:11:19 INFO - GECKO(2104) | =================================================================
23:11:19 ERROR - GECKO(2104) | ==2104==ERROR: AddressSanitizer: heap-use-after-free on address 0x129bc078f570 at pc 0x7ff985b16b08 bp 0x00ca939f8db0 sp 0x00ca939f8df8
Comment 1•6 years ago
Can't help but think that this is tied to bug 1467363.
Group: core-security → gfx-core-security
See Also: → 1467363
Comment 2•6 years ago
Yeah, the stack also has widget stuff in it.
Updated•6 years ago
Keywords: csectype-uaf, sec-high
Comment 4•6 years ago
This issue is still active in automation. Seen on autoland: https://treeherder.mozilla.org/logviewer.html#?job_id=183705434&repo=mozilla-central&lineNumber=2615
Comment 6•6 years ago
Sorry for spam, meant that for Lee.
Flags: needinfo?(rhunt) → needinfo?(lsalzman)
Comment 8•6 years ago (Assignee)
It looks like we have a race on the cairo surface owned by WinCompositorWidget for transparent windows. The transparent surface creation and destruction is protected by mTransparentSurfaceLock, but it's also handed out in a draw target to the compositor by StartRemoteDrawing [1]. The compositor itself doesn't hold the transparent surface lock, so it's able to be reacquired by the main thread which can then also access the transparent surface [2].

This issue only affects the in process compositor case. When we are using remote compositing, the transparency updates from the main thread are proxied to the compositor thread in the GPU process. The updates will then be on the same thread eliminating this race.

I think the easiest solution here is to use the present lock (which is held while compositing) in these transparency update messages when we have an in process compositor.

[1] https://searchfox.org/mozilla-central/rev/6d1ab84b4b39fbfb9505d4399857239bc15202ef/widget/windows/WinCompositorWidget.cpp#88
[2] https://searchfox.org/mozilla-central/rev/6d1ab84b4b39fbfb9505d4399857239bc15202ef/widget/windows/WinCompositorWidget.h#88
Flags: needinfo?(lsalzman)
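The lock-coverage problem comment 8 describes (and the "existing lock over a vulnerable function call" fix in the uplift requests below) can be shown with a small model. The following is an added example written for this page, not Firefox code: ModelLock, FakeSurface, WidgetModel and RunInterleaving are invented stand-ins for the real mutexes, the cairo surface and WinCompositorWidget. It scripts, on one thread, the interleaving where the compositor has already been handed the surface and the main thread's transparency update then destroys it; with `aUpdatesTakePresentLock` set, the update has to wait for the present lock and the compositor's target stays valid.

```cpp
// Added illustration, not Firefox code: a single-threaded model of the race
// described in comment 8 and of the fix. All names are invented stand-ins.
#include <cstdio>
#include <memory>

// A lock that can be queried from one thread so an interleaving can be scripted
// deterministically. TryAcquire() returning false stands for "would block".
struct ModelLock {
  bool held = false;
  bool TryAcquire() {
    if (held) return false;
    held = true;
    return true;
  }
  void Release() { held = false; }
};

// Stand-in for the cairo surface: instead of freeing memory we clear a flag, so
// a use after "destroy" is detectable rather than undefined behaviour.
struct FakeSurface {
  explicit FakeSurface(int aId) : id(aId) {}
  int id;
  bool alive = true;
};

class WidgetModel {
 public:
  // aUpdatesTakePresentLock=false models the bug, true models the fix.
  explicit WidgetModel(bool aUpdatesTakePresentLock)
      : mUpdatesTakePresentLock(aUpdatesTakePresentLock) {}

  // Main thread: a transparency update destroys and recreates the surface under
  // mTransparentSurfaceLock. Returns false when the update had to wait because
  // the compositor holds the present lock (only possible in the fixed variant).
  bool TryUpdateTransparency(int aNewId) {
    if (mUpdatesTakePresentLock && !mPresentLock.TryAcquire()) {
      return false;  // compositing in progress: update is deferred
    }
    mTransparentSurfaceLock.TryAcquire();   // uncontended in this script
    if (mSurface) mSurface->alive = false;  // stand-in for destroying the surface
    mSurface = std::make_shared<FakeSurface>(aNewId);
    mTransparentSurfaceLock.Release();
    if (mUpdatesTakePresentLock) mPresentLock.Release();
    return true;
  }

  // Compositor thread: StartRemoteDrawing() takes the present lock and hands out
  // the surface. Only the hand-out itself is covered by mTransparentSurfaceLock;
  // the compositor then uses the surface without holding that lock.
  std::shared_ptr<FakeSurface> StartRemoteDrawing() {
    mPresentLock.TryAcquire();
    mTransparentSurfaceLock.TryAcquire();
    std::shared_ptr<FakeSurface> target = mSurface;
    mTransparentSurfaceLock.Release();
    return target;
  }
  void EndRemoteDrawing() { mPresentLock.Release(); }

 private:
  const bool mUpdatesTakePresentLock;
  ModelLock mPresentLock;
  ModelLock mTransparentSurfaceLock;
  std::shared_ptr<FakeSurface> mSurface;
};

struct InterleavingResult {
  bool updateRanDuringDraw;  // true: main thread got in mid-composite (the bug)
  bool surfaceAliveAtDraw;   // false: compositor drew into a destroyed surface
};

// Scripts the interleaving from the report: compositor starts drawing, the main
// thread runs a transparency update, then the compositor touches its target.
InterleavingResult RunInterleaving(bool aUpdatesTakePresentLock) {
  WidgetModel widget(aUpdatesTakePresentLock);
  widget.TryUpdateTransparency(1);                 // initial transparent surface
  std::shared_ptr<FakeSurface> target = widget.StartRemoteDrawing();
  bool updated = widget.TryUpdateTransparency(2);  // races with the draw
  bool alive = target->alive;                      // the compositor's "draw"
  widget.EndRemoteDrawing();
  if (!updated) widget.TryUpdateTransparency(2);   // deferred update now runs
  return InterleavingResult{updated, alive};
}

int main() {
  InterleavingResult bug = RunInterleaving(false);
  InterleavingResult fix = RunInterleaving(true);
  std::printf("without present lock: update mid-draw=%d, surface alive=%d\n",
              bug.updateRanDuringDraw, bug.surfaceAliveAtDraw);
  std::printf("with present lock:    update mid-draw=%d, surface alive=%d\n",
              fix.updateRanDuringDraw, fix.surfaceAliveAtDraw);
  return fix.surfaceAliveAtDraw ? 0 : 1;
}
```

The point the model makes is that a lock guarding only creation and destruction of an object does nothing for a caller that was handed the object and keeps using it after the lock is dropped; the critical section has to be extended to cover the use, which here means taking the lock the compositor already holds for the whole composite. Both lock acquisitions happen in the same order (present lock, then surface lock) in the fixed variant, so the extension does not introduce a lock-order inversion.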
Assignee
Comment 9•6 years ago
Assignee
Updated•6 years ago
Assignee: nobody → rhunt
Comment 10•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/777ef3d920f01a85b677dea8914fc38df9135814
https://hg.mozilla.org/mozilla-central/rev/777ef3d920f0
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Comment 11•6 years ago
This was called a sec-high (which would necessitate sec-approval before landing), but we previously called bug 1467363 a sec-moderate. Dan, do you think the high rating is still appropriate given the analysis in comment 8?
status-firefox62: --- → wontfix
status-firefox63: --- → affected
status-firefox-esr60: --- → affected
tracking-firefox63: --- → ?
tracking-firefox-esr60: --- → ?
Flags: needinfo?(dveditz)
Assignee
Comment 12•6 years ago
Oh, I had forgotten this was a security bug when landing things and it needed approval. Apologies! For what it's worth, I consider this bug to come from the same root cause as bug 1467363, the patch there just didn't cover all the cases.
Updated•6 years ago
Comment 13•6 years ago
Should that patch be uplifted to beta now that it has landed on mozilla-central?
Assignee
Comment 14•6 years ago
Comment on attachment 9012886 [details]
Bug 1469486 - Protect main thread in-process access to WinCompositorWidget transparent surface. r?bas

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1469486
User impact if declined: Intermittent UAF
Is this code covered by automated tests?: No
Has the fix been verified in Nightly?: No
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): This change has been in nightly and hasn't caused any regressions. The change acquires an existing lock over a vulnerable function call. The absolute worst case is that it's ineffective at solving the crash.
String changes made/needed:

Attachment #9012886 - Flags: approval-mozilla-beta?
Assignee
Comment 15•6 years ago
Comment on attachment 9012886 [details]
Bug 1469486 - Protect main thread in-process access to WinCompositorWidget transparent surface. r?bas

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Potential intermittent UAF
Fix Landed on Version: 64
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): This change has been in nightly and hasn't caused any regressions. The change acquires an existing lock over a vulnerable function call. The absolute worst case is that it's ineffective at solving the crash.
String or UUID changes made by this patch:

Attachment #9012886 - Flags: approval-mozilla-esr60?
Comment 16•6 years ago
Comment on attachment 9012886 [details]
Bug 1469486 - Protect main thread in-process access to WinCompositorWidget transparent surface. r?bas

Crash & sec fix, on nightly for 3 days without reported regressions, small patch, approved for 63rc1, thanks.

Attachment #9012886 - Flags: approval-mozilla-beta? → approval-mozilla-release+
Comment 17•6 years ago
uplift
https://hg.mozilla.org/releases/mozilla-release/rev/615a51e2b5e2565258f188188aaef5a24039c7dc
https://hg.mozilla.org/releases/mozilla-beta/rev/6641ad209d525686077ef92932d171021e8d99a4 (FIREFOX_63b_RELBRANCH)
Comment 18•6 years ago
Comment on attachment 9012886 [details]
Bug 1469486 - Protect main thread in-process access to WinCompositorWidget transparent surface. r?bas

Approved for 60.3esr as well.

Attachment #9012886 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Comment 19•6 years ago
uplift
https://hg.mozilla.org/releases/mozilla-esr60/rev/7d99a574e21b
Flags: needinfo?(dveditz)
Updated•6 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main63+][adv-esr60.3+]
Updated•5 years ago
Group: core-security-release
Updated•4 years ago
Blocks: asan-maintenance