Closed Bug 1500239 Opened 6 years ago Closed 6 years ago

Crash in libobjc.A.dylib@0x9d5c and schedule_class_load

Categories

(Core :: Widget: Cocoa, defect, P3)

Unspecified
macOS
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
thunderbird_esr52 --- wontfix
thunderbird_esr60 --- wontfix
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- wontfix

People

(Reporter: marcia, Unassigned)

References

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

This bug was filed from the Socorro interface and is report bp-43d8f59f-94b6-420f-a9b3-4840e0181018.
=============================================================
Seen while looking at Mac nightly crash stats: https://bit.ly/2PHEjnd. 3 crashes, but all appear to be possible UAFs based on the signature.

Top 10 frames of crashing thread:

0 libobjc.A.dylib libobjc.A.dylib@0x9d5c
1 SkyLight SkyLight@0x119ee6
2 SkyLight SkyLight@0x6a3a
3 SkyLight SkyLight@0x876fd
4 OpenGL OpenGL@0x6e3a
5 OpenGL OpenGL@0x8e3a
6 OpenGL OpenGL@0x8cce
7 AppKit AppKit@0x3e064e
8 XUL -[ChildView preRender:] widget/cocoa/nsChildView.mm:3470
9 XUL nsChildView::PreRender widget/cocoa/nsChildView.mm:2140
=============================================================
Adding 63 as affected.
This probably needs a better component than Webrender, but it appears as if the different individual crashes I looked at don't seem to have a consistent stack pattern. All the crashes with this signature continue to be 10.14 only.

Comments:
* Tried to type address in new private browsing window
* Stylish
Clear UAFs going back to at least Firefox 52 -> not webrender I think (also tbird). Looking at your 3, in one I see "wrQualified":{"status":"blocked"},"webrender":{"status":"blocked"}}} in metadata. Stacks are all over the place (other than we're deep in OS code, typically some type of rendering). We must be passing in a freed buffer, or freeing something we previously passed to the OS and it assumes will exist until <whatever>. (I think the second is more likely.)
Component: Graphics: WebRender → Graphics
We're missing mac symbols for this crash: https://crash-stats.mozilla.com/report/index/43d8f59f-94b6-420f-a9b3-4840e0181018 Can we fix that?
Flags: needinfo?(ted)
This looks like the Mojave release. Someone would need to manually run the symbol scraping scripts on a machine with it installed. spohl did this for one of the seeds in bug 1480101.
Flags: needinfo?(ted)
Depends on: 1480101
kats scraped symbols out of this build and I uploaded them, and I reprocessed the crash from comment 0. The new signature is [@ schedule_class_load ]. Unfortunately it looks like we're still missing symbols for a SkyLight framework.
Crash Signature: [@ libobjc.A.dylib@0x9d5c] → [@ libobjc.A.dylib@0x9d5c] [@ schedule_class_load ]
(In reply to Ted Mielczarek [:ted] [:ted.mielczarek] from comment #6)
> kats scraped symbols out of this build and I uploaded them, and I
> reprocessed the crash from comment 0. The new signature is [@
> schedule_class_load ]. Unfortunately it looks like we're still missing
> symbols for a SkyLight framework.

https://github.com/luser/breakpad-scrape-system-symbols/pull/8 should fix this problem.
This crash is happening in a variety of different places. I think Widget: Cocoa is probably a better place for it.
Component: Graphics → Widget: Cocoa
Summary: Crash in libobjc.A.dylib@0x9d5c → Crash in libobjc.A.dylib@0x9d5c and schedule_class_load
Adding Jessie (new graphics engineering manager) to all sec-crit and sec-high graphics bugs for triage / investigation.
Flags: needinfo?(spohl.mozilla.bugs)
We should add some of these stack frames to the skiplist. The top frames may be different on 10.14, but these crashes might turn out to be identical to crashes on lower versions of macOS once the top frames have been ignored. Bug 1471379 is an example where we added some frames to the skiplist.
Flags: needinfo?(spohl.mozilla.bugs)
(In reply to Stephen A Pohl [:spohl] from comment #11)
> We should add some of these stack frames to the skiplist. The top frames may
> be different on 10.14, but these crashes might turn out to be identical to
> crashes on lower versions of macOS once the top frames have been ignored.
> Bug 1471379 is an example where we added some frames to the skiplist.

If you let me know which ones, I can file a bug. Maybe would also help with Bug 1517012 which I just filed.
Flags: needinfo?(spohl.mozilla.bugs)
Group: gfx-core-security → layout-core-security

It looks like there are at least two signatures that could be ignored. At the moment, these two signatures cause different crashes to be placed in the same bucket:

1: libobjc.A.dylib schedule_class_load(objc_class*)
2: SkyLight SkyLight@0x119ee6

There may be others, but this should be a good start.

Flags: needinfo?(spohl.mozilla.bugs)
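As an added illustration of the skiplist idea discussed in comments 11 to 13 (this is not code from this bug or from Socorro's real signature generator), a simplified signature generator run over three stacks constructed from the frames quoted above: once skiplisted frames are dropped, crashes whose top frames differ land in one bucket. The catch-all pattern for unsymbolicated OS frames (module@offset) is my assumption, not something the bug proposes.

```python
import re

# Constructed sample stacks modelled on the frames quoted in this bug (not real reports).
STACK_A = ["libobjc.A.dylib@0x9d5c", "SkyLight@0x119ee6", "SkyLight@0x6a3a",
           "OpenGL@0x6e3a", "-[ChildView preRender:]", "nsChildView::PreRender"]
STACK_B = ["schedule_class_load(objc_class*)", "SkyLight@0x119ee6",
           "OpenGL@0x8e3a", "-[ChildView preRender:]", "nsChildView::PreRender"]
STACK_C = ["OpenGL@0x8cce", "-[ChildView preRender:]", "nsChildView::PreRender"]

# Skiplist: frames that say nothing about the bug and would split one bug across buckets.
# The first two entries are the signatures proposed in comment 13; the third is an
# assumed generalisation covering any unsymbolicated frame in these OS libraries.
SKIPLIST = [
    r"schedule_class_load\(objc_class\*\)",
    r"SkyLight@0x119ee6",
    r"(libobjc\.A\.dylib|SkyLight|OpenGL)@0x[0-9a-f]+",
]
_SKIP = re.compile("|".join(f"(?:{p})" for p in SKIPLIST))
NO_SKIP = re.compile(r"(?!)")  # matches nothing: disables the skiplist for comparison

def generate_signature(frames, skiplist=_SKIP):
    """Return the first frame not on the skiplist, formatted as '[@ frame ]'.
    If every frame is skipped, fall back to the top frame so no crash loses its signature."""
    for frame in frames:
        if not skiplist.fullmatch(frame):
            return f"[@ {frame} ]"
    return f"[@ {frames[0]} ]" if frames else "[@ EMPTY ]"

def bucket(crashes, skiplist=_SKIP):
    """Group crash stacks by generated signature; returns {signature: [crash ids]}."""
    buckets = {}
    for crash_id, frames in crashes.items():
        buckets.setdefault(generate_signature(frames, skiplist), []).append(crash_id)
    return buckets

if __name__ == "__main__":
    crashes = {"a": STACK_A, "b": STACK_B, "c": STACK_C}
    print("without skiplist:", bucket(crashes, NO_SKIP))  # three buckets
    print("with skiplist:   ", bucket(crashes))           # one bucket
```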
Priority: -- → P3
Group: layout-core-security → core-security-release
Flags: needinfo?(mozillamarcia.knous)

Filed Bug 1541588 for the skip list add. Also adding Will K-G the bug in case he needs to reference something from this bug.

Flags: needinfo?(mozillamarcia.knous)

(In reply to Marcia Knous [:marcia - needinfo? me] from comment #14)

> Filed Bug 1541588 for the skip list add. Also adding Will K-G the bug in case he needs to reference something from this bug.

It looks as if this was previously done in Bug 1520615 several months ago and the affected reports back then were reprocessed.

There don't seem to be any crashes anymore since the reports were reprocessed. Can we go ahead and close this?

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(mozillamarcia.knous)
Resolution: --- → FIXED
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → NEW

Resolving this one as WFM since it doesn't appear anything fixed it, and the signatures are no longer present. If the resolution should be "fixed," please feel free to correct it.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(mozillamarcia.knous)
Resolution: --- → WORKSFORME

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: core-security-release