Closed Bug 1515793 Opened 1 year ago Closed 1 year ago

heap-use-after-free in [@ A8_RowProc_Blend]

Categories

(Core :: Graphics: WebRender, defect, P3, critical)

defect

Tracking


VERIFIED FIXED
mozilla66
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- disabled
firefox65 + fixed
firefox66 + verified

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 3 open bugs)

Details

(4 keywords, Whiteboard: [gfx-noted][post-critsmash-triage])

Attachments

(3 files, 1 obsolete file)

Attached file testcase.html (obsolete)
Requires "gfx.webrender.all=true"

==130299==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000495240 at pc 0x7fe439ea4f26 bp 0x7fe4084cb7c0 sp 0x7fe4084cb7b8
READ of size 4 at 0x611000495240 thread T106 (WRScene~derLP#1)
    #0 0x7fe439ea4f25 in Load4Alphas src/gfx/skia/skia/src/core/../opts/Sk4px_SSE2.h:85:9
    #1 0x7fe439ea4f25 in MapDstSrcAlpha<(lambda at src/gfx/skia/skia/src/core/SkBlitMask_D32.cpp:85:9)> src/gfx/skia/skia/src/core/Sk4px.h:209
    #2 0x7fe439ea4f25 in A8_RowProc_Blend(unsigned int*, void const*, unsigned int const*, int) src/gfx/skia/skia/src/core/SkBlitMask_D32.cpp:84
    #3 0x7fe439eba570 in SkARGB32_Shader_Blitter::blitMask(SkMask const&, SkIRect const&) src/gfx/skia/skia/src/core/SkBlitter_ARGB32.cpp:576:13
    #4 0x7fe439eaa55f in SkBlitter::blitMaskRegion(SkMask const&, SkRegion const&) src/gfx/skia/skia/src/core/SkBlitter.cpp:397:15
    #5 0x7fe43a53a56a in SkDraw::drawDevMask(SkMask const&, SkPaint const&) const src/gfx/skia/skia/src/core/SkDraw.cpp:866:14
    #6 0x7fe43a53c895 in SkDraw::drawBitmapAsMask(SkBitmap const&, SkPaint const&) const src/gfx/skia/skia/src/core/SkDraw.cpp:1135:15
    #7 0x7fe43a53e680 in SkDraw::drawBitmap(SkBitmap const&, SkMatrix const&, SkRect const*, SkPaint const&) const src/gfx/skia/skia/src/core/SkDraw.cpp:1268:14
    #8 0x7fe43a1f3684 in SkBitmapDevice::drawBitmap(SkBitmap const&, SkMatrix const&, SkRect const*, SkPaint const&) src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:440:5
    #9 0x7fe43a1f31f5 in SkBitmapDevice::drawBitmap(SkBitmap const&, float, float, SkPaint const&) src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:425:11
    #10 0x7fe43a52ca8c in SkBaseDevice::drawImage(SkImage const*, float, float, SkPaint const&) src/gfx/skia/skia/src/core/SkDevice.cpp:145:15
    #11 0x7fe43a1f7641 in SkBitmapDevice::drawSpecial(SkSpecialImage*, int, int, SkPaint const&, SkImage*, SkMatrix const&) src/gfx/skia/skia/src/core/SkBitmapDevice.cpp:738:11
    #12 0x7fe43a21b40d in SkCanvas::internalDrawDevice(SkBaseDevice*, int, int, SkPaint const*, SkImage*, SkMatrix const&) src/gfx/skia/skia/src/core/SkCanvas.cpp:1231:25
    #13 0x7fe43a216b45 in SkCanvas::internalRestore() src/gfx/skia/skia/src/core/SkCanvas.cpp:1119:19
    #14 0x7fe43a217879 in SkCanvas::restore() src/gfx/skia/skia/src/core/SkCanvas.cpp:804:19
    #15 0x7fe42ff16019 in mozilla::gfx::DrawTargetSkia::PopClip() src/gfx/2d/DrawTargetSkia.cpp:1979:12
    #16 0x7fe42ff4f101 in mozilla::gfx::RecordedPopClip::PlayEvent(mozilla::gfx::Translator*) const src/gfx/2d/RecordedEventImpl.h:2343:39
    #17 0x7fe42ff5f28f in operator() src/gfx/2d/InlineTranslator.cpp:80:31
    #18 0x7fe42ff5f28f in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0) src/gfx/2d/RecordedEventImpl.h:3483
    #19 0x7fe42ff55e08 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) src/gfx/2d/InlineTranslator.cpp:70:20
    #20 0x7fe430e45b3f in Moz2DRenderCallback src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:432:20
    #21 0x7fe430e45b3f in wr_moz2d_render_cb src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:474
    #22 0x7fe43e2e62b3 in webrender_bindings::moz2d_renderer::rasterize_blob::hb950e0dd43d99135 src/gfx/webrender_bindings/src/moz2d_renderer.rs:524:11
    #23 0x7fe43e2e591b in core::ops::function::FnMut::call_mut::hfa440ebd4bf7385a src/libcore/ops/function.rs:156:4
    #24 0x7fe43e2e591b in _$LT$core..iter..Map$LT$I$C$$u20$F$GT$$u20$as$u20$core..iter..iterator..Iterator$GT$::fold::_$u7b$$u7b$closure$u7d$$u7d$::h71fff928074acb4b src/libcore/iter/mod.rs:1345
    #25 0x7fe43e2e591b in core::iter::iterator::Iterator::fold::_$u7b$$u7b$closure$u7d$$u7d$::ha998175759c4440d src/libcore/iter/iterator.rs:1695
    #26 0x7fe43e2e591b in core::iter::iterator::Iterator::try_fold::h203d00dc35b06d2b src/libcore/iter/iterator.rs:1583
    #27 0x7fe43e2e591b in core::iter::iterator::Iterator::fold::hf6408517a879d2a1 src/libcore/iter/iterator.rs:1695
    #28 0x7fe43e2e591b in _$LT$core..iter..Map$LT$I$C$$u20$F$GT$$u20$as$u20$core..iter..iterator..Iterator$GT$::fold::h6608284e10e2be38 src/libcore/iter/mod.rs:1345
    #29 0x7fe43e2e591b in core::iter::iterator::Iterator::for_each::h4a0ab85fe64f80eb src/libcore/iter/iterator.rs:614
    #30 0x7fe43e2e591b in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$T$C$$u20$I$GT$$GT$::spec_extend::he0150649a7503808 src/liballoc/vec.rs:1831
    #31 0x7fe43e2e591b in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$T$C$$u20$I$GT$$GT$::from_iter::h25bd3333cd8cf4f3 src/liballoc/vec.rs:1814
    #32 0x7fe43e2e591b in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$core..iter..traits..FromIterator$LT$T$GT$$GT$::from_iter::haa3918204592c81b src/liballoc/vec.rs:1700
    #33 0x7fe43e2e591b in core::iter::iterator::Iterator::collect::hd0e1f098f2e427e4 src/libcore/iter/iterator.rs:1476
    #34 0x7fe43e2e591b in _$LT$webrender_bindings..moz2d_renderer..Moz2dBlobRasterizer$u20$as$u20$webrender_api..image..AsyncBlobImageRasterizer$GT$::rasterize::hf2130d5ea52bd14a src/gfx/webrender_bindings/src/moz2d_renderer.rs:505
    #35 0x7fe43e341de3 in webrender::scene_builder::Transaction::rasterize_blobs::h3d94d5d87e04a2eb src/gfx/wr/webrender/src/scene_builder.rs:90:39
    #36 0x7fe43e457761 in webrender::scene_builder::LowPrioritySceneBuilder::process_transaction::hee2035b37c54eb7c src/gfx/wr/webrender/src/scene_builder.rs:745:8
    #37 0x7fe43e457761 in webrender::scene_builder::LowPrioritySceneBuilder::run::h90c994385fdbdf0a src/gfx/wr/webrender/src/scene_builder.rs:720
    #38 0x7fe43e457761 in webrender::renderer::Renderer::new::_$u7b$$u7b$closure$u7d$$u7d$::h94b233d7409d3faf src/gfx/wr/webrender/src/renderer.rs:1918
    #39 0x7fe43e457761 in std::sys_common::backtrace::__rust_begin_short_backtrace::hbbd1a2418232cf29 src/libstd/sys_common/backtrace.rs:136
    #40 0x7fe43e4575a2 in std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h4f19c6aae9a43b81 src/libstd/thread/mod.rs:409:20
    #41 0x7fe43e4575a2 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::he1e46fbafb524b5c src/libstd/panic.rs:313
    #42 0x7fe43e4575a2 in std::panicking::try::do_call::h6fd644b79d437e65 src/libstd/panicking.rs:310
    #43 0x7fe43e4575a2 in __rust_maybe_catch_panic /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libpanic_abort/lib.rs:39
    #44 0x7fe43e4575a2 in std::panicking::try::h0a9b2d544b3af387 src/libstd/panicking.rs:289
    #45 0x7fe43e4575a2 in std::panic::catch_unwind::h56c67d375feb3cc0 src/libstd/panic.rs:392
    #46 0x7fe43e4575a2 in std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h0589762486411921 src/libstd/thread/mod.rs:408
    #47 0x7fe43e4575a2 in _$LT$F$u20$as$u20$alloc..boxed..FnBox$LT$A$GT$$GT$::call_box::h73b203d719a72997 src/liballoc/boxed.rs:672
    #48 0x7fe43e864134 in _$LT$alloc..boxed..Box$LT$$LP$dyn$u20$alloc..boxed..FnBox$LT$A$C$$u20$Output$u3d$R$GT$$u20$$u2b$$u20$$u27$a$RP$$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::he3acfc8f1203786f /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/liballoc/boxed.rs:682:8
    #49 0x7fe43e864134 in std::sys_common::thread::start_thread::h5213f803a61d7811 /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libstd/sys_common/thread.rs:24
    #50 0x7fe43e864134 in std::sys::unix::thread::Thread::new::thread_start::he89121f566d2a8c7 /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libstd/sys/unix/thread.rs:90
    #51 0x7fe4523e86b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #52 0x7fe45147141c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x611000495240 is located 0 bytes inside of 205-byte region [0x611000495240,0x61100049530d)
freed by thread T106 (WRScene~derLP#1) here:
    #0 0x562307deca12 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fe43a95c4a2 in ~SkMallocPixelRef src/gfx/skia/skia/src/core/SkMallocPixelRef.cpp:147:9
    #2 0x7fe43a95c4a2 in SkMallocPixelRef::~SkMallocPixelRef() src/gfx/skia/skia/src/core/SkMallocPixelRef.cpp:145
    #3 0x7fe43a1fcb17 in unref src/gfx/skia/skia/include/core/SkRefCnt.h:89:19
    #4 0x7fe43a1fcb17 in SkSafeUnref<SkPixelRef> src/gfx/skia/skia/include/core/SkRefCnt.h:162
    #5 0x7fe43a1fcb17 in ~sk_sp src/gfx/skia/skia/include/core/SkRefCnt.h:249
    #6 0x7fe43a1fcb17 in ~SkBitmap src/gfx/skia/skia/src/core/SkBitmap.cpp:61
    #7 0x7fe43a1fcb17 in SkBitmapDevice::~SkBitmapDevice() src/gfx/skia/skia/src/core/SkBitmapDevice.h:37
    #8 0x7fe43a1fcc9d in SkBitmapDevice::~SkBitmapDevice() src/gfx/skia/skia/src/core/SkBitmapDevice.h:37:7
    #9 0x7fe43a2170f9 in unref src/gfx/skia/skia/include/core/SkRefCnt.h:89:19
    #10 0x7fe43a2170f9 in SkSafeUnref<SkBaseDevice> src/gfx/skia/skia/include/core/SkRefCnt.h:162
    #11 0x7fe43a2170f9 in ~sk_sp src/gfx/skia/skia/include/core/SkRefCnt.h:249
    #12 0x7fe43a2170f9 in ~DeviceCM src/gfx/skia/skia/src/core/SkCanvas.cpp:185
    #13 0x7fe43a2170f9 in SkCanvas::internalRestore() src/gfx/skia/skia/src/core/SkCanvas.cpp:1129
    #14 0x7fe43a256394 in SkCanvas::~SkCanvas() src/gfx/skia/skia/src/core/SkCanvas.cpp:654:11
    #15 0x7fe43a2174ed in SkCanvas::~SkCanvas() src/gfx/skia/skia/src/core/SkCanvas.cpp:650:23
    #16 0x7fe43a4d40de in operator() src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/unique_ptr.h:76:2
    #17 0x7fe43a4d40de in ~unique_ptr src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/unique_ptr.h:236
    #18 0x7fe43a4d40de in ~SkSurface_Base src/gfx/skia/skia/src/image/SkSurface.cpp:73
    #19 0x7fe43a4d40de in ~SkSurface_Raster src/gfx/skia/skia/src/image/SkSurface_Raster.cpp:15
    #20 0x7fe43a4d40de in SkSurface_Raster::~SkSurface_Raster() src/gfx/skia/skia/src/image/SkSurface_Raster.cpp:15
    #21 0x7fe42ff9e08e in unref src/gfx/skia/skia/include/core/SkRefCnt.h:89:19
    #22 0x7fe42ff9e08e in SkSafeUnref<SkSurface> src/gfx/skia/skia/include/core/SkRefCnt.h:162
    #23 0x7fe42ff9e08e in ~sk_sp src/gfx/skia/skia/include/core/SkRefCnt.h:249
    #24 0x7fe42ff9e08e in mozilla::gfx::SourceSurfaceSkia::~SourceSurfaceSkia() src/gfx/2d/SourceSurfaceSkia.cpp:27
    #25 0x7fe42ff9e3f8 in mozilla::gfx::SourceSurfaceSkia::~SourceSurfaceSkia() src/gfx/2d/SourceSurfaceSkia.cpp:27:41
    #26 0x7fe42ff174ac in Release src/obj-firefox/dist/include/mozilla/RefCounted.h:201:7
    #27 0x7fe42ff174ac in Release src/obj-firefox/dist/include/mozilla/RefPtr.h:45
    #28 0x7fe42ff174ac in Release src/obj-firefox/dist/include/mozilla/RefPtr.h:363
    #29 0x7fe42ff174ac in ~RefPtr src/obj-firefox/dist/include/mozilla/RefPtr.h:76
    #30 0x7fe42ff174ac in ~PushedLayer src/gfx/2d/DrawTargetSkia.h:168
    #31 0x7fe42ff174ac in destroy<mozilla::gfx::DrawTargetSkia::PushedLayer> src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/ext/new_allocator.h:124
    #32 0x7fe42ff174ac in destroy<mozilla::gfx::DrawTargetSkia::PushedLayer> src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/alloc_traits.h:539
    #33 0x7fe42ff174ac in pop_back src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/stl_vector.h:952
    #34 0x7fe42ff174ac in mozilla::gfx::DrawTargetSkia::PopLayer() src/gfx/2d/DrawTargetSkia.cpp:2050
    #35 0x7fe42ffff705 in mozilla::gfx::DrawTargetOffset::PopLayer() src/gfx/2d/DrawTargetOffset.cpp:182:16
    #36 0x7fe42ff4f801 in mozilla::gfx::RecordedPopLayer::PlayEvent(mozilla::gfx::Translator*) const src/gfx/2d/RecordedEventImpl.h:2438:39
    #37 0x7fe42ff5ff45 in operator() src/gfx/2d/InlineTranslator.cpp:80:31
    #38 0x7fe42ff5ff45 in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0) src/gfx/2d/RecordedEventImpl.h:3483
    #39 0x7fe42ff55e08 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) src/gfx/2d/InlineTranslator.cpp:70:20
    #40 0x7fe430e45b3f in Moz2DRenderCallback src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:432:20
    #41 0x7fe430e45b3f in wr_moz2d_render_cb src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:474
    #42 0x7fe43e2e62b3 in webrender_bindings::moz2d_renderer::rasterize_blob::hb950e0dd43d99135 src/gfx/webrender_bindings/src/moz2d_renderer.rs:524:11

previously allocated by thread T106 (WRScene~derLP#1) here:
    #0 0x562307decf8a in calloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:155:3
    #1 0x7fe43a95bf36 in sk_calloc_canfail src/gfx/skia/skia/include/private/SkMalloc.h:74:12
    #2 0x7fe43a95bf36 in MakeUsing src/gfx/skia/skia/src/core/SkMallocPixelRef.cpp:76
    #3 0x7fe43a95bf36 in SkMallocPixelRef::MakeZeroed(SkImageInfo const&, unsigned long) src/gfx/skia/skia/src/core/SkMallocPixelRef.cpp:91
    #4 0x7fe43a4d338d in SkSurface::MakeRaster(SkImageInfo const&, unsigned long, SkSurfaceProps const*) src/gfx/skia/skia/src/image/SkSurface_Raster.cpp:208:28
    #5 0x7fe42ff11860 in mozilla::gfx::DrawTargetSkia::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) src/gfx/2d/DrawTargetSkia.cpp:1803:14
    #6 0x7fe42ff1093f in mozilla::gfx::DrawTargetSkia::CreateSimilarDrawTarget(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat) const src/gfx/2d/DrawTargetSkia.cpp:1612:16
    #7 0x7fe42ff48ff2 in mozilla::gfx::RecordedCreateSimilarDrawTarget::PlayEvent(mozilla::gfx::Translator*) const src/gfx/2d/RecordedEventImpl.h:1863:46
    #8 0x7fe42ff5c01c in operator() src/gfx/2d/InlineTranslator.cpp:80:31
    #9 0x7fe42ff5c01c in bool mozilla::gfx::RecordedEvent::DoWithEvent<mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0>(mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::MemReader&, mozilla::gfx::RecordedEvent::EventType, mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long)::$_0) src/gfx/2d/RecordedEventImpl.h:3483
    #10 0x7fe42ff55e08 in mozilla::gfx::InlineTranslator::TranslateRecording(char*, unsigned long) src/gfx/2d/InlineTranslator.cpp:70:20
    #11 0x7fe430e45b3f in Moz2DRenderCallback src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:432:20
    #12 0x7fe430e45b3f in wr_moz2d_render_cb src/gfx/webrender_bindings/Moz2DImageRenderer.cpp:474
    #13 0x7fe43e2e62b3 in webrender_bindings::moz2d_renderer::rasterize_blob::hb950e0dd43d99135 src/gfx/webrender_bindings/src/moz2d_renderer.rs:524:11

Thread T106 (WRScene~derLP#1) created by T91 (Renderer) here:
    #0 0x562307dd56ad in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7fe43e863e56 in std::sys::unix::thread::Thread::new::h685b56f1623eb4e3 /rustc/abe02cefd6cd1916df62ad7dc80161bea50b72e8/src/libstd/sys/unix/thread.rs:78:18

Thread T91 (Renderer) created by T0 here:
    #0 0x562307dd56ad in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7fe42e43eaf2 in CreateThread src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7fe42e43eaf2 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) src/ipc/chromium/src/base/platform_thread_posix.cc:134
    #3 0x7fe42e474f9f in base::Thread::StartWithOptions(base::Thread::Options const&) src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7fe430e4d816 in mozilla::wr::RenderThread::Start() src/gfx/webrender_bindings/RenderThread.cpp:65:16
    #5 0x7fe430ae98f6 in gfxPlatform::InitLayersIPC() src/gfx/thebes/gfxPlatform.cpp:1240:7
    #6 0x7fe430ae1942 in gfxPlatform::Init() src/gfx/thebes/gfxPlatform.cpp:962:3
    #7 0x7fe430adec13 in gfxPlatform::GetPlatform() src/gfx/thebes/gfxPlatform.cpp:497:5
    #8 0x7fe4375ca208 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) src/widget/GfxInfoBase.cpp:1469:25
    #9 0x7fe42d2e4181 in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #10 0x7fe42f6710d7 in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:1657:10
    #11 0x7fe42f6710d7 in Call src/js/xpconnect/src/XPCWrappedNative.cpp:1215
    #12 0x7fe42f6710d7 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1181
    #13 0x7fe42f679b1f in GetAttribute src/js/xpconnect/src/xpcprivate.h:1515:12
    #14 0x7fe42f679b1f in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:987
    #15 0x7fe43c38f93d in CallJSNative src/js/src/vm/Interpreter.cpp:443:13
    #16 0x7fe43c38f93d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:535
    #17 0x7fe43c394260 in InternalCall src/js/src/vm/Interpreter.cpp:590:10
    #18 0x7fe43c394260 in Call src/js/src/vm/Interpreter.cpp:606
    #19 0x7fe43c394260 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:730
    #20 0x7fe43c9984d9 in CallGetter src/js/src/vm/NativeObject.cpp:2246:12
    #21 0x7fe43c9984d9 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2298
    #22 0x7fe43c9984d9 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2547
    #23 0x7fe43c9984d9 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2584
    #24 0x7fe43c377cee in GetProperty src/js/src/vm/ObjectOperations-inl.h:117:10
    #25 0x7fe43c377cee in GetObjectElementOperation src/js/src/vm/Interpreter-inl.h:536
    #26 0x7fe43c377cee in GetElementOperation src/js/src/vm/Interpreter-inl.h:652
    #27 0x7fe43c377cee in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3142
    #28 0x7fe43c35bfe6 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
    #29 0x7fe43c3902e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
    #30 0x7fe43c391f62 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
    #31 0x7fe43cf7b9da in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2586:10
    #32 0x7fe42f652f39 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1125:17
    #33 0x7fe42d2e5888 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
    #34 0x7fe42d2e475a in SharedStub (libxul.so+0x49b175a)
    #35 0x7fe42d23089d in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) src/xpcom/components/nsCategoryManager.cpp:677:19
    #36 0x7fe43c0ce263 in nsXREDirProvider::DoStartup() src/toolkit/xre/nsXREDirProvider.cpp:1020:11
    #37 0x7fe43c0a2fa7 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4449:16
    #38 0x7fe43c0a6959 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4754:8
    #39 0x7fe43c0a8423 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4839:21
    #40 0x562307e1f67c in do_main src/browser/app/nsBrowserApp.cpp:214:22
    #41 0x562307e1f67c in main src/browser/app/nsBrowserApp.cpp:293
    #42 0x7fe45138a82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Component: Canvas: 2D → Graphics: WebRender
Priority: -- → P3
Whiteboard: [gfx-noted]
Blocks: wr-fuzz
I can't reproduce this stack at all. Despite trying, all I get is an unrelated crash stack in the GC that seems to have nothing to do with DrawTargetSkia at all:

#7  0x00007fc0670470b3 in nsRange::UnregisterCommonAncestor(nsINode*, bool) (this=0x7fc05a984450, aNode=0x0, aIsUnlinking=false) at /home/lee/central/dom/base/nsRange.cpp:422
#8  0x00007fc067049eb4 in nsRange::SetSelection(mozilla::dom::Selection*) (this=0x7fc05a984450, aSelection=0x0) at /home/lee/central/dom/base/nsRange.cpp:1023
#9  0x00007fc066e8e7fd in mozilla::dom::Selection::Clear(nsPresContext*) (this=0x7fc05a928d90, aPresContext=0x0) at /home/lee/central/dom/base/Selection.cpp:1165
#10 0x00007fc066e8be10 in mozilla::dom::Selection::RemoveAllRanges(mozilla::ErrorResult&) (this=0x7fc05a928d90, aRv=...) at /home/lee/central/dom/base/Selection.cpp:1917
#11 0x00007fc066e8bd4a in mozilla::dom::Selection::cycleCollection::Unlink(void*) (this=0x7fc06efc84c8 <mozilla::dom::Selection::_cycleCollectorGlobal>, p=0x7fc05a928d90)
    at /home/lee/central/dom/base/Selection.cpp:703
#12 0x00007fc064937128 in nsCycleCollector::CollectWhite() (this=0x7fc078689700) at /home/lee/central/xpcom/base/nsCycleCollector.cpp:3084
#13 0x00007fc06493858f in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) (this=0x7fc078689700, aCCType=SliceCC, aBudget=..., aManualListener=0x0, aPreferShorterSlices=false) at /home/lee/central/xpcom/base/nsCycleCollector.cpp:3430
#14 0x00007fc06493abee in nsCycleCollector_collectSlice(js::SliceBudget&, bool) (budget=..., aPreferShorterSlices=false) at /home/lee/central/xpcom/base/nsCycleCollector.cpp:3955
#15 0x00007fc066fca981 in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) (aDeadline=...) at /home/lee/central/dom/base/nsJSEnvironment.cpp:1468
#16 0x00007fc066fcadcd in ICCRunnerFired(mozilla::TimeStamp) (aDeadline=...) at /home/lee/central/dom/base/nsJSEnvironment.cpp:1519
#17 0x00007fc066344447 in std::_Function_handler<bool (mozilla::TimeStamp), bool (*)(mozilla::TimeStamp)>::_M_invoke(std::_Any_data const&, mozilla::TimeStamp&&) (__functor=..., __args=<unknown type in /home/lee/central/obj-dbg/dist/bin/libxul.so, CU 0x3a87d4f, DIE 0x3b1b49e>) at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:282
#18 0x00007fc064a3faa4 in std::function<bool (mozilla::TimeStamp)>::operator()(mozilla::TimeStamp) const (this=0x7fc05ad42b08, __args=...)
    at /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687
#19 0x00007fc064a3ed10 in mozilla::IdleTaskRunner::Run() (this=0x7fc05ad42ac0) at /home/lee/central/xpcom/threads/IdleTaskRunner.cpp:58
#20 0x00007fc064a7f304 in nsThread::ProcessNextEvent(bool, bool*) (this=0x7fc078657e80, aMayWait=false, aResult=0x7ffe6db23bf7) at /home/lee/central/xpcom/threads/nsThread.cpp:1157
#21 0x00007fc064a826e9 in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x7fc078657e80, aMayWait=false) at /home/lee/central/xpcom/threads/nsThreadUtils.cpp:468
#22 0x00007fc0655e2206 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x7fc07869d420, aDelegate=0x7ffe6db24138) at /home/lee/central/ipc/glue/MessagePump.cpp:88
#23 0x00007fc0655e2f09 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (this=0x7fc07869d420, aDelegate=0x7ffe6db24138)
    at /home/lee/central/ipc/glue/MessagePump.cpp:271
#24 0x00007fc06550677f in MessageLoop::RunInternal() (this=0x7ffe6db24138) at /home/lee/central/ipc/chromium/src/base/message_loop.cc:314
#25 0x00007fc0655066f5 in MessageLoop::RunHandler() (this=0x7ffe6db24138) at /home/lee/central/ipc/chromium/src/base/message_loop.cc:307
#26 0x00007fc0655066aa in MessageLoop::Run() (this=0x7ffe6db24138) at /home/lee/central/ipc/chromium/src/base/message_loop.cc:289
#27 0x00007fc069d2f093 in nsBaseAppShell::Run() (this=0x7fc05d3d9e40) at /home/lee/central/widget/nsBaseAppShell.cpp:137
#28 0x00007fc06ca644c4 in XRE_RunAppShell() () at /home/lee/central/toolkit/xre/nsEmbedFunctions.cpp:915
#29 0x00007fc0655e2d63 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (this=0x7fc07869d420, aDelegate=0x7ffe6db24138)
    at /home/lee/central/ipc/glue/MessagePump.cpp:238
#30 0x00007fc06550677f in MessageLoop::RunInternal() (this=0x7ffe6db24138) at /home/lee/central/ipc/chromium/src/base/message_loop.cc:314
#31 0x00007fc0655066f5 in MessageLoop::RunHandler() (this=0x7ffe6db24138) at /home/lee/central/ipc/chromium/src/base/message_loop.cc:307
#32 0x00007fc0655066aa in MessageLoop::Run() (this=0x7ffe6db24138) at /home/lee/central/ipc/chromium/src/base/message_loop.cc:289
#33 0x00007fc06ca63c9b in XRE_InitChildProcess(int, char**, XREChildData const*) (aArgc=15, aArgv=0x7ffe6db244d8, aChildData=0x7ffe6db24380)
    at /home/lee/central/toolkit/xre/nsEmbedFunctions.cpp:753
Flags: needinfo?(twsmith)
The attached testcase gives me the same results. Let me reduce another one, I will attach it shortly.
Attached file testcase.html
This one reproduces with m-c:

BuildID=20190102094850
SourceStamp=5826b2352ac08248205d3b0e29587ab8ad415bfe
Attachment #9032811 - Attachment is obsolete: true
Flags: needinfo?(twsmith)
The new testcase does not trigger for me either, regardless of what I do.
Attached file prefs-default-e10s.js
The attached testcase works for me on Linux x64 using the attached prefs and the latest m-c build.
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
In the 3D transform case, we were popping clips at the wrong scope. This adjusts the scope of the PopClip so we do it correctly.

[Security Approval Request]

How easily could an exploit be constructed based on the patch?: Not easily.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No

Which older supported branches are affected by this flaw?: 65

If not all supported branches, which bug introduced the flaw?: Bug 1388842

Do you have backports for the affected branches?: Yes

If not, how different, hard to create, and risky will they be?: 

How likely is this patch to cause regressions; how much testing does it need?: Unlikely. We have not let WebRender ride the trains to release, and this only affects WebRender. WebRender is also not turned on for the majority of the user population.
Attachment #9034258 - Flags: sec-approval?
Attachment #9034258 - Flags: review?(matt.woodrow)
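The scope mismatch described in the fix, as an added example that is not Gecko or Skia code: a constructed model (all names hypothetical) of a canvas save stack where clips and layers share one stack, as SkCanvas::save/saveLayer/restore do. It shows why the sequence PushLayer, PushClip, PopLayer, PopClip drops the layer's backing surface before the restore() that still has to read it, matching the order of the free and the read in the ASan report, and adds the static nesting check a recorder could run before playback.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

enum class Op { PushLayer, PushClip, PopLayer, PopClip };

// Backing store read while a layer is composited (in the report, the
// layer mask whose SkMallocPixelRef had already been freed).
struct Surface { std::vector<unsigned> pixels = std::vector<unsigned>(16, 0xFFu); };

struct SaveEntry {
    bool isLayer;
    std::weak_ptr<Surface> surface;  // weak: the strong ref lives in pushedLayers_
};

class Canvas {
public:
    std::string error;

    void pushLayer() {
        auto s = std::make_shared<Surface>();
        pushedLayers_.push_back(s);
        saveStack_.push_back({true, s});
    }
    void pushClip() { saveStack_.push_back({false, {}}); }

    // Like SkCanvas::restore(): pops whatever is on top. A layer entry is
    // composited by reading its surface; if the surface is already gone,
    // this is the heap-use-after-free the ASan report shows.
    bool restore() {
        if (saveStack_.empty()) { error = "restore() without matching save"; return false; }
        SaveEntry e = saveStack_.back();
        saveStack_.pop_back();
        if (e.isLayer) {
            std::shared_ptr<Surface> s = e.surface.lock();
            if (!s) { error = "restore() composited a freed layer surface"; return false; }
            volatile unsigned sink = s->pixels[0];  // the read ASan flagged
            (void)sink;
        }
        return true;
    }
    // Same order as the report: restore the canvas, then drop the owning
    // reference (pop_back -> ~PushedLayer -> free).
    bool popLayer() {
        bool ok = restore();
        if (!pushedLayers_.empty()) pushedLayers_.pop_back();
        return ok;
    }
    bool popClip() { return restore(); }

private:
    std::vector<SaveEntry> saveStack_;
    std::vector<std::shared_ptr<Surface>> pushedLayers_;
};

// Dynamic replay of a recorded event list (the role InlineTranslator plays
// for RecordedEvents); returns "" on success or the first failure.
std::string replay(const std::vector<Op>& ops) {
    Canvas c;
    for (Op op : ops) {
        bool ok = true;
        switch (op) {
            case Op::PushLayer: c.pushLayer(); break;
            case Op::PushClip:  c.pushClip();  break;
            case Op::PopLayer:  ok = c.popLayer(); break;
            case Op::PopClip:   ok = c.popClip();  break;
        }
        if (!ok) return c.error;
    }
    return c.error;
}

// Static nesting check a command builder could run in debug builds before
// emitting the recording: every pop must close the innermost open scope.
std::string nestingError(const std::vector<Op>& ops) {
    std::vector<bool> open;  // true = layer, false = clip
    for (size_t i = 0; i < ops.size(); ++i) {
        Op op = ops[i];
        if (op == Op::PushLayer || op == Op::PushClip) { open.push_back(op == Op::PushLayer); continue; }
        bool wantLayer = (op == Op::PopLayer);
        if (open.empty()) return "event " + std::to_string(i) + ": pop with no open scope";
        if (open.back() != wantLayer)
            return "event " + std::to_string(i) + (wantLayer ? ": PopLayer while a clip is still open"
                                                             : ": PopClip while a layer is still open");
        open.pop_back();
    }
    return open.empty() ? "" : "recording ends with open scopes";
}

int main() {
    std::vector<Op> buggy = {Op::PushLayer, Op::PushClip, Op::PopLayer, Op::PopClip};
    std::vector<Op> fixed = {Op::PushLayer, Op::PushClip, Op::PopClip, Op::PopLayer};
    std::printf("buggy: replay='%s' nesting='%s'\n", replay(buggy).c_str(), nestingError(buggy).c_str());
    std::printf("fixed: replay='%s' nesting='%s'\n", replay(fixed).c_str(), nestingError(fixed).c_str());
    return 0;
}
```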
Actually, it looks like bug 1447880 was where the bug originated, and not bug 1388842. So the regression is much more recent.
We should take this on Beta still for the benefit of the users opted into the studies currently running.
It should also be noted that merely enabling WR is not enough to cause this bug to occur with the attached test-case. There is some other pref required in the bunch of prefs supplied besides that I have not isolated and can't obviously see. So whether this even realistically affects WR users at this point is unknown.
Comment on attachment 9034258 [details] [diff] [review]
pop blob image transform clips

Review of attachment 9034258 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/layers/wr/WebRenderCommandBuilder.cpp
@@ +950,4 @@
>  
> +      if (currentClip.HasClip()) {
> +        aContext->Restore();
> +        aContext->GetDrawTarget()->FlushItem(aItemBounds);
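Review bot: the Restore() added here is guarded by currentClip.HasClip(), but the Save() it balances is outside the visible context, so confirm that Save() is under the same HasClip() condition; an unpaired save/restore is exactly the kind of scope error this bug fixes, and the ASan report shows a restore() compositing a layer whose surface was already released. Since the 3D transform path already calls FlushItem, the second FlushItem on the last added line may be redundant; a test that exercises a 3D transform with an active clip would pin the fix down.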

FlushItem might be unnecessary for the 3d case, since that already called it.
Attachment #9034258 - Flags: review?(matt.woodrow) → review+
Comment on attachment 9034258 [details] [diff] [review]
pop blob image transform clips

Sec-approval+ for trunk. Let's get this nominated for beta and in there as well.
Attachment #9034258 - Flags: sec-approval? → sec-approval+
Please request Beta approval on this when you get a chance. It grafts cleanly as-landed.
Group: gfx-core-security → core-security-release
Flags: needinfo?(lsalzman)
Comment on attachment 9034258 [details] [diff] [review]
pop blob image transform clips

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1447880

User impact if declined: Potential use-after-free

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Doesn't introduce new semantics. Just fixes buggy cleanup of draw target clips where it was needed.

String changes made/needed:
Flags: needinfo?(lsalzman)
Attachment #9034258 - Flags: approval-mozilla-beta?
Tyson, could you please figure out which pref aside from gfx.webrender.all is needed to actually make the testcase work? I am not sure we can add this testcase to the tree yet until we figure that out.
Flags: needinfo?(twsmith)

Required prefs:
"gfx.webrender.all=true"
"layout.css.individual-transform.enabled=true"

Tested with m-c:
BuildID=20190102094850
SourceStamp=5826b2352ac08248205d3b0e29587ab8ad415bfe

Flags: needinfo?(twsmith)

Comment on attachment 9034258 [details] [diff] [review]
pop blob image transform clips

[Triage Comment]
UAF fix for users with WebRender enabled. Approved for 65.0b9.

Attachment #9034258 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

(In reply to Tyson Smith [:tsmith] from comment #16)
> Required prefs:
> "gfx.webrender.all=true"
> "layout.css.individual-transform.enabled=true"
>
> Tested with m-c:
> BuildID=20190102094850
> SourceStamp=5826b2352ac08248205d3b0e29587ab8ad415bfe

Is there a way to make this testcase work without requiring layout.css.individual-transform.enabled so we could gauge whether that is required for the exploit to happen?

Comment on attachment 9034035 [details]
testcase.html

Swapping style="rotate: 1deg -1 0 0" with style="transform: rotate3d(-1,0,0,1deg)" should work.

Flags: qe-verify+
Whiteboard: [gfx-noted] → [gfx-noted][post-critsmash-triage]

I wasn't able to reproduce the initial issue on Ubuntu 16.04 x64, using the provided testcase, the information provided in comment 19 and one of the affected builds, 66.0a1 (2018-12-20).
:twsmith, can you please confirm that the fix is successfully applied?

Flags: needinfo?(twsmith)

Of course :)

Verified with m-c:
BuildID=20190121175139
SourceStamp=44369796f148630ff496be99f77a5eeea41c7d23

Status: RESOLVED → VERIFIED
Flags: needinfo?(twsmith)

Thank you :twsmith for your confirmation! I will modify the following flags, according to previous comments.

Flags: qe-verify+
Group: core-security-release