Closed Bug 1481385 Opened 2 years ago Closed 2 years ago

Intermittent AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:166:28 in UpdateMaskBits

Categories

(Core :: Widget: Gtk, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed

People

(Reporter: noemi_erli, Assigned: stransky)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, regression)

Attachments

(1 file)

https://treeherder.mozilla.org/logviewer.html#?job_id=192453402&repo=autoland

[task 2018-08-07T06:54:40.797Z] 06:54:40     INFO - TEST-START | toolkit/content/tests/chrome/test_arrowpanel.xul
[task 2018-08-07T06:54:42.013Z] 06:54:42     INFO - GECKO(5406) | =================================================================
[task 2018-08-07T06:54:42.014Z] 06:54:42    ERROR - GECKO(5406) | ==5406==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61c00000b78d at pc 0x7f8bf703db06 bp 0x7f8bde819560 sp 0x7f8bde819558
[task 2018-08-07T06:54:42.014Z] 06:54:42     INFO - GECKO(5406) | READ of size 1 at 0x61c00000b78d thread T21 (Compositor)
[task 2018-08-07T06:54:42.964Z] 06:54:42     INFO - GECKO(5406) |     #0 0x7f8bf703db05 in UpdateMaskBits /builds/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:166:28
[task 2018-08-07T06:54:42.964Z] 06:54:42     INFO - GECKO(5406) |     #1 0x7f8bf703db05 in mozilla::widget::WindowSurfaceX11Image::ApplyTransparencyBitmap() /builds/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:216
[task 2018-08-07T06:54:42.964Z] 06:54:42     INFO - GECKO(5406) |     #2 0x7f8bf703e702 in mozilla::widget::WindowSurfaceX11Image::Commit(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) /builds/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:270:5
[task 2018-08-07T06:54:42.967Z] 06:54:42     INFO - GECKO(5406) |     #3 0x7f8bf196ca33 in mozilla::layers::BasicCompositor::TryToEndRemoteDrawing(bool) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:1057:14
[task 2018-08-07T06:54:42.968Z] 06:54:42     INFO - GECKO(5406) |     #4 0x7f8bf197b2ca in mozilla::layers::BasicCompositor::EndFrame() /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:1015:3
[task 2018-08-07T06:54:42.986Z] 06:54:42     INFO - GECKO(5406) |     #5 0x7f8bf1a9c979 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:995:18
[task 2018-08-07T06:54:42.986Z] 06:54:42     INFO - GECKO(5406) |     #6 0x7f8bf1a99939 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:534:3
[task 2018-08-07T06:54:42.986Z] 06:54:42     INFO - GECKO(5406) |     #7 0x7f8bf1a981d6 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:464:5
[task 2018-08-07T06:54:42.994Z] 06:54:42     INFO - GECKO(5406) |     #8 0x7f8bf1aebbbd in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1073:18
[task 2018-08-07T06:54:42.996Z] 06:54:42     INFO - GECKO(5406) |     #9 0x7f8bf1b02265 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:245:27
[task 2018-08-07T06:54:43.000Z] 06:54:42     INFO - GECKO(5406) |     #10 0x7f8bf1b3b6f0 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
[task 2018-08-07T06:54:43.001Z] 06:54:43     INFO - GECKO(5406) |     #11 0x7f8bf1b3b6f0 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
[task 2018-08-07T06:54:43.004Z] 06:54:43     INFO - GECKO(5406) |     #12 0x7f8bf1b3b6f0 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1219
[task 2018-08-07T06:54:43.014Z] 06:54:43     INFO - GECKO(5406) |     #13 0x7f8bf0119243 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:451:9
[task 2018-08-07T06:54:43.016Z] 06:54:43     INFO - GECKO(5406) |     #14 0x7f8bf0119243 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:459
[task 2018-08-07T06:54:43.017Z] 06:54:43     INFO - GECKO(5406) |     #15 0x7f8bf0119243 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:534
[task 2018-08-07T06:54:43.018Z] 06:54:43     INFO - GECKO(5406) |     #16 0x7f8bf011b389 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:38:31
[task 2018-08-07T06:54:43.018Z] 06:54:43     INFO - GECKO(5406) |     #17 0x7f8bf011684c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
[task 2018-08-07T06:54:43.018Z] 06:54:43     INFO - GECKO(5406) |     #18 0x7f8bf011684c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
[task 2018-08-07T06:54:43.019Z] 06:54:43     INFO - GECKO(5406) |     #19 0x7f8bf011684c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
[task 2018-08-07T06:54:43.026Z] 06:54:43     INFO - GECKO(5406) |     #20 0x7f8bf0132633 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
[task 2018-08-07T06:54:43.027Z] 06:54:43     INFO - GECKO(5406) |     #21 0x7f8bf0127849 in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:44:13
[task 2018-08-07T06:54:43.029Z] 06:54:43     INFO - GECKO(5406) |     #22 0x7f8c103e36b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
[task 2018-08-07T06:54:43.100Z] 06:54:43     INFO - GECKO(5406) |     #23 0x7f8c0f46c41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
[task 2018-08-07T06:54:43.100Z] 06:54:43     INFO - GECKO(5406) | 0x61c00000b78d is located 0 bytes to the right of 1805-byte region [0x61c00000b080,0x61c00000b78d)
[task 2018-08-07T06:54:43.100Z] 06:54:43     INFO - GECKO(5406) | allocated by thread T21 (Compositor) here:
[task 2018-08-07T06:54:43.118Z] 06:54:43     INFO - GECKO(5406) |     #0 0x4c1e53 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
[task 2018-08-07T06:54:43.118Z] 06:54:43     INFO - GECKO(5406) |     #1 0x4f319d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
[task 2018-08-07T06:54:43.119Z] 06:54:43     INFO - GECKO(5406) |     #2 0x7f8bf703d6c5 in operator new[] /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:148:12
[task 2018-08-07T06:54:43.120Z] 06:54:43     INFO - GECKO(5406) |     #3 0x7f8bf703d6c5 in ResizeTransparencyBitmap /builds/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:181
[task 2018-08-07T06:54:43.121Z] 06:54:43     INFO - GECKO(5406) |     #4 0x7f8bf703d6c5 in mozilla::widget::WindowSurfaceX11Image::ApplyTransparencyBitmap() /builds/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:206
[task 2018-08-07T06:54:43.123Z] 06:54:43     INFO - GECKO(5406) |     #5 0x7f8bf703e702 in mozilla::widget::WindowSurfaceX11Image::Commit(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) /builds/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:270:5
[task 2018-08-07T06:54:43.124Z] 06:54:43     INFO - GECKO(5406) |     #6 0x7f8bf196ca33 in mozilla::layers::BasicCompositor::TryToEndRemoteDrawing(bool) /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:1057:14
[task 2018-08-07T06:54:43.126Z] 06:54:43     INFO - GECKO(5406) |     #7 0x7f8bf197b2ca in mozilla::layers::BasicCompositor::EndFrame() /builds/worker/workspace/build/src/gfx/layers/basic/BasicCompositor.cpp:1015:3
[task 2018-08-07T06:54:43.128Z] 06:54:43     INFO - GECKO(5406) |     #8 0x7f8bf1a9c979 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:995:18
[task 2018-08-07T06:54:43.131Z] 06:54:43     INFO - GECKO(5406) |     #9 0x7f8bf1a99939 in mozilla::layers::LayerManagerComposite::UpdateAndRender() /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:534:3
[task 2018-08-07T06:54:43.133Z] 06:54:43     INFO - GECKO(5406) |     #10 0x7f8bf1a981d6 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:464:5
[task 2018-08-07T06:54:43.136Z] 06:54:43     INFO - GECKO(5406) |     #11 0x7f8bf1aebbbd in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1073:18
[task 2018-08-07T06:54:43.138Z] 06:54:43     INFO - GECKO(5406) |     #12 0x7f8bf1b02265 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:245:27
[task 2018-08-07T06:54:43.140Z] 06:54:43     INFO - GECKO(5406) |     #13 0x7f8bf1b3b6f0 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
[task 2018-08-07T06:54:43.144Z] 06:54:43     INFO - GECKO(5406) |     #14 0x7f8bf1b3b6f0 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
[task 2018-08-07T06:54:43.146Z] 06:54:43     INFO - GECKO(5406) |     #15 0x7f8bf1b3b6f0 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1219
[task 2018-08-07T06:54:43.148Z] 06:54:43     INFO - GECKO(5406) |     #16 0x7f8bf0119243 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:451:9
[task 2018-08-07T06:54:43.150Z] 06:54:43     INFO - GECKO(5406) |     #17 0x7f8bf0119243 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:459
[task 2018-08-07T06:54:43.152Z] 06:54:43     INFO - GECKO(5406) |     #18 0x7f8bf0119243 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:534
[task 2018-08-07T06:54:43.153Z] 06:54:43     INFO - GECKO(5406) |     #19 0x7f8bf011b389 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:38:31
[task 2018-08-07T06:54:43.157Z] 06:54:43     INFO - GECKO(5406) |     #20 0x7f8bf011684c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
[task 2018-08-07T06:54:43.158Z] 06:54:43     INFO - GECKO(5406) |     #21 0x7f8bf011684c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
[task 2018-08-07T06:54:43.160Z] 06:54:43     INFO - GECKO(5406) |     #22 0x7f8bf011684c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
[task 2018-08-07T06:54:43.161Z] 06:54:43     INFO - GECKO(5406) |     #23 0x7f8bf0132633 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
[task 2018-08-07T06:54:43.163Z] 06:54:43     INFO - GECKO(5406) |     #24 0x7f8bf0127849 in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:44:13
[task 2018-08-07T06:54:43.165Z] 06:54:43     INFO - GECKO(5406) |     #25 0x7f8c103e36b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
[task 2018-08-07T06:54:43.166Z] 06:54:43     INFO - GECKO(5406) | Thread T21 (Compositor) created by T0 here:
[task 2018-08-07T06:54:43.176Z] 06:54:43     INFO - GECKO(5406) |     #0 0x4aaedd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
[task 2018-08-07T06:54:43.177Z] 06:54:43     INFO - GECKO(5406) |     #1 0x7f8bf012530c in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:131:14
[task 2018-08-07T06:54:43.178Z] 06:54:43     INFO - GECKO(5406) |     #2 0x7f8bf012530c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:142
[task 2018-08-07T06:54:43.180Z] 06:54:43     INFO - GECKO(5406) |     #3 0x7f8bf0131fd3 in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
[task 2018-08-07T06:54:43.181Z] 06:54:43     INFO - GECKO(5406) |     #4 0x7f8bf1b00d2e in CreateCompositorThread /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:102:26
[task 2018-08-07T06:54:43.184Z] 06:54:43     INFO - GECKO(5406) |     #5 0x7f8bf1b00d2e in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:52
[task 2018-08-07T06:54:43.185Z] 06:54:43     INFO - GECKO(5406) |     #6 0x7f8bf1b00fe7 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:124:33
[task 2018-08-07T06:54:43.195Z] 06:54:43     INFO - GECKO(5406) |     #7 0x7f8bf1bcffa7 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1054:5
[task 2018-08-07T06:54:43.196Z] 06:54:43     INFO - GECKO(5406) |     #8 0x7f8bf1bcb12b in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:764:5
[task 2018-08-07T06:54:43.197Z] 06:54:43     INFO - GECKO(5406) |     #9 0x7f8bf1bc86bb in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:521:9
[task 2018-08-07T06:54:43.216Z] 06:54:43     INFO - GECKO(5406) |     #10 0x7f8bf6f6c83d in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1529:25
[task 2018-08-07T06:54:43.216Z] 06:54:43     INFO - GECKO(5406) |     #11 0x7f8bef2bac81 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
[task 2018-08-07T06:54:43.218Z] 06:54:43     INFO - GECKO(5406) |     #12 0x7f8bf0be41a6 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1673:12
[task 2018-08-07T06:54:43.219Z] 06:54:43     INFO - GECKO(5406) |     #13 0x7f8bf0be41a6 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1231
[task 2018-08-07T06:54:43.221Z] 06:54:43     INFO - GECKO(5406) |     #14 0x7f8bf0be41a6 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1198
[task 2018-08-07T06:54:43.222Z] 06:54:43     INFO - GECKO(5406) |     #15 0x7f8bf0bea884 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1542:17
[task 2018-08-07T06:54:43.224Z] 06:54:43     INFO - GECKO(5406) |     #16 0x7f8bf0bea884 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:931
[task 2018-08-07T06:54:43.238Z] 06:54:43     INFO - GECKO(5406) |     #17 0x7f8bfaec5f9e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:445:15
[task 2018-08-07T06:54:43.238Z] 06:54:43     INFO - GECKO(5406) |     #18 0x7f8bfaec5f9e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:533
[task 2018-08-07T06:54:43.239Z] 06:54:43     INFO - GECKO(5406) |     #19 0x7f8bfaec9955 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:584:12
[task 2018-08-07T06:54:43.240Z] 06:54:43     INFO - GECKO(5406) |     #20 0x7f8bfaec9955 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603
[task 2018-08-07T06:54:43.241Z] 06:54:43     INFO - GECKO(5406) |     #21 0x7f8bfaec9955 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:723
[task 2018-08-07T06:54:43.259Z] 06:54:43     INFO - GECKO(5406) |     #22 0x7f8bfbe59004 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2121:16
[task 2018-08-07T06:54:43.259Z] 06:54:43     INFO - GECKO(5406) |     #23 0x7f8bfbe59004 in GetExistingProperty<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2174
[task 2018-08-07T06:54:43.260Z] 06:54:43     INFO - GECKO(5406) |     #24 0x7f8bfbe59004 in NativeGetPropertyInline<js::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2387
[task 2018-08-07T06:54:43.260Z] 06:54:43     INFO - GECKO(5406) |     #25 0x7f8bfbe59004 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2423
[task 2018-08-07T06:54:43.278Z] 06:54:43     INFO - GECKO(5406) |     #26 0x7f8bfaeb1dd2 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1718:12
[task 2018-08-07T06:54:43.280Z] 06:54:43     INFO - GECKO(5406) |     #27 0x7f8bfaeb1dd2 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:526
[task 2018-08-07T06:54:43.281Z] 06:54:43     INFO - GECKO(5406) |     #28 0x7f8bfaeb1dd2 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:632
[task 2018-08-07T06:54:43.281Z] 06:54:43     INFO - GECKO(5406) |     #29 0x7f8bfaeb1dd2 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
[task 2018-08-07T06:54:43.282Z] 06:54:43     INFO - GECKO(5406) |     #30 0x7f8bfae96a8a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:12
[task 2018-08-07T06:54:43.283Z] 06:54:43     INFO - GECKO(5406) |     #31 0x7f8bfaec6874 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:557:15
[task 2018-08-07T06:54:43.284Z] 06:54:43     INFO - GECKO(5406) |     #32 0x7f8bfaec7e02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603:10
[task 2018-08-07T06:54:43.302Z] 06:54:43     INFO - GECKO(5406) |     #33 0x7f8bfb9c37fd in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2841:12
[task 2018-08-07T06:54:43.303Z] 06:54:43     INFO - GECKO(5406) |     #34 0x7f8bf0bcca5f in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1135:23
[task 2018-08-07T06:54:43.303Z] 06:54:43     INFO - GECKO(5406) |     #35 0x7f8bef2bc358 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
[task 2018-08-07T06:54:43.304Z] 06:54:43     INFO - GECKO(5406) |     #36 0x7f8bef2bb22a in SharedStub (/builds/worker/workspace/build/application/firefox/libxul.so+0x213122a)
[task 2018-08-07T06:54:43.311Z] 06:54:43     INFO - GECKO(5406) |     #37 0x7f8bef232215 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:775:19
[task 2018-08-07T06:54:43.313Z] 06:54:43     INFO - GECKO(5406) |     #38 0x7f8bfac0fd7f in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1002:11
[task 2018-08-07T06:54:43.319Z] 06:54:43     INFO - GECKO(5406) |     #39 0x7f8bfabec27d in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4592:16
[task 2018-08-07T06:54:43.320Z] 06:54:43     INFO - GECKO(5406) |     #40 0x7f8bfabefa13 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4909:8
[task 2018-08-07T06:54:43.323Z] 06:54:43     INFO - GECKO(5406) |     #41 0x7f8bfabf0ec8 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5001:21
[task 2018-08-07T06:54:43.325Z] 06:54:43     INFO - GECKO(5406) |     #42 0x4f20fc in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:233:22
[task 2018-08-07T06:54:43.326Z] 06:54:43     INFO - GECKO(5406) |     #43 0x4f20fc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:311
[task 2018-08-07T06:54:43.328Z] 06:54:43     INFO - GECKO(5406) |     #44 0x7f8c0f38582f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
[task 2018-08-07T06:54:43.332Z] 06:54:43     INFO - GECKO(5406) | SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/widget/gtk/WindowSurfaceX11Image.cpp:166:28 in UpdateMaskBits
[task 2018-08-07T06:54:43.334Z] 06:54:43     INFO - GECKO(5406) | Shadow bytes around the buggy address:
[task 2018-08-07T06:54:43.393Z] 06:54:43     INFO - GECKO(5406) | ==5406==ABORTING
[task 2018-08-07T06:54:43.631Z] 06:54:43     INFO - TEST-INFO | Main app process: exit 0
[task 2018-08-07T06:54:43.633Z] 06:54:43     INFO - runtests.py | Application ran for: 0:00:18.473840
Component: Graphics → Widget: Gtk
Keywords: csectype-uaf
Group: core-security → gfx-core-security
Lee, can you take a look at this, please?
Flags: needinfo?(lsalzman)
Martin, this looks like fallout from bug 1406533.
Flags: needinfo?(lsalzman) → needinfo?(stransky)
Martin, one guess at what might be causing this... In ResizeTransparencyBitmap, you have a check like so:

  if (mTransparencyBitmapWidth*mTransparencyBitmapHeight < aWidth*aHeight)

For example, if mTransparencyBitmapWidth == 8, and mTransparencyBitmapHeight == 1, their product is 8. Then suppose aWidth == 1 and aHeight == 8, their product is 8. So this check would never trigger...

However, 1x8 requires 8 bytes of space due to the rounding of width in GetBitmapStride, whereas 8x1 requires only 1 byte, so this could result in the old 1 byte storage being used, when 8 was required, for example.
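As an added illustration of the shape mismatch described in the comment above (constructed example code, not Gecko's code and not the landed patch): because GetBitmapStride rounds each row up to whole bytes, two bitmaps with equal pixel area can need different byte counts, so an area comparison can keep a buffer that is too small. The helper names follow the comment; ByteCheckReuses is an assumed byte-based fix used for contrast, not a claim about what the patch does.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>

// Constructed model of the 1-bit-per-pixel transparency bitmap discussed in
// the bug. Not Gecko code: GetBitmapStride and the area check are re-stated
// from the comment; ByteCheckReuses is an assumed fix, not the landed patch.

// Each row is rounded up to whole bytes, so a 1-pixel-wide row still costs
// one byte.
static std::size_t GetBitmapStride(int32_t aWidth) {
  return static_cast<std::size_t>((aWidth + 7) / 8);
}

// Bytes the bitmap actually occupies: stride * rows, not width * height / 8.
static std::size_t BitmapBytes(int32_t aWidth, int32_t aHeight) {
  return GetBitmapStride(aWidth) * static_cast<std::size_t>(aHeight);
}

// A policy decides whether the existing allocation is kept for the new size.
using ReusePolicy = bool (*)(int32_t oldW, int32_t oldH, int32_t newW, int32_t newH);

// The check quoted in the bug: compares pixel areas. Equal areas with
// different shapes (8x1 vs 1x8) pass, even though their byte needs differ.
static bool AreaCheckReuses(int32_t oldW, int32_t oldH, int32_t newW, int32_t newH) {
  return !(oldW * oldH < newW * newH);
}

// Byte-based check (assumed fix): keep the buffer only if it can hold
// stride(newW) * newH bytes.
static bool ByteCheckReuses(int32_t oldW, int32_t oldH, int32_t newW, int32_t newH) {
  return BitmapBytes(oldW, oldH) >= BitmapBytes(newW, newH);
}

// Simulates ResizeTransparencyBitmap followed by UpdateMaskBits walking the
// whole new bitmap. Returns how many bytes that walk would touch past the end
// of the allocation (0 means in bounds). ASan reported the faulting read at
// exactly 0 bytes to the right of the old region, i.e. the first byte of
// such an overrun.
static std::size_t OverflowBytes(int32_t oldW, int32_t oldH, int32_t newW, int32_t newH,
                                 ReusePolicy reuses) {
  std::size_t allocated = BitmapBytes(oldW, oldH);
  std::size_t needed = BitmapBytes(newW, newH);
  if (!reuses(oldW, oldH, newW, newH)) {
    allocated = needed;  // buffer is reallocated at the new size
  }
  return needed > allocated ? needed - allocated : 0;
}

// Exhaustively counts (old, new) size pairs up to maxDim that overrun under
// a policy; the byte-based check should yield zero.
static std::size_t CountOverflowingPairs(int32_t maxDim, ReusePolicy reuses) {
  std::size_t count = 0;
  for (int32_t oldW = 1; oldW <= maxDim; ++oldW)
    for (int32_t oldH = 1; oldH <= maxDim; ++oldH)
      for (int32_t newW = 1; newW <= maxDim; ++newW)
        for (int32_t newH = 1; newH <= maxDim; ++newH)
          if (OverflowBytes(oldW, oldH, newW, newH, reuses) > 0) ++count;
  return count;
}

int main() {
  // The comment's example: 8x1 (1 byte) resized to 1x8 (8 bytes).
  std::cout << "area check overrun: " << OverflowBytes(8, 1, 1, 8, AreaCheckReuses)
            << " bytes\n";  // 7
  std::cout << "byte check overrun: " << OverflowBytes(8, 1, 1, 8, ByteCheckReuses)
            << " bytes\n";  // 0
  std::cout << "overrunning pairs up to 16x16, area check: "
            << CountOverflowingPairs(16, AreaCheckReuses) << "\n";
  std::cout << "overrunning pairs up to 16x16, byte check: "
            << CountOverflowingPairs(16, ByteCheckReuses) << "\n";
  return 0;
}
```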
Thanks Lee, I'll look at it.
Flags: needinfo?(stransky)
Assignee: nobody → stransky
Attached patch: patch
Thanks Lee, here's the patch. I didn't find anything else there, so I guess you're right and that's the issue here.
Attachment #8998494 - Flags: review?(lsalzman)
Attachment #8998494 - Flags: review?(lsalzman) → review+
Asking to land as it's a regression from bug 1406533, which has shipped in Nightly only.
Keywords: checkin-needed
Duplicate of this bug: 1478853
https://hg.mozilla.org/mozilla-central/rev/f60a7c1ec1ef
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Group: core-security-release