Open
Bug 1535187
Opened 6 years ago
Updated 2 years ago
Investigate whether 1486521.html is still crashing Android verify build
Categories: Core :: Layout, defect, P5
Tracking: NEW
People: Reporter: TYLin, Unassigned
Keywords: csectype-framepoisoning, sec-low
The test added in bug 1486521 was annotated skip-if(verify&&Android)
because it crashes for an unknown reason. Filed this bug to keep tracking it.
Updated•6 years ago (Reporter)
Group: core-security
Comment 1•6 years ago (Reporter)
I pushed a try, and this time it has a call stack like
[task 2019-03-14T03:59:37.570Z] 03:59:37 INFO - Crash reason: SIGSEGV /SEGV_MAPERR
[task 2019-03-14T03:59:37.570Z] 03:59:37 INFO - Crash address: 0xf0dea8df
[task 2019-03-14T03:59:37.570Z] 03:59:37 INFO - Process uptime: not available
[task 2019-03-14T03:59:37.570Z] 03:59:37 INFO - Thread 12 (crashed)
[task 2019-03-14T03:59:37.570Z] 03:59:37 INFO - 0 libxul.so!nsIPresShell::ScrollFrameRectIntoView(nsIFrame*, nsRect const&, nsIPresShell::ScrollAxis, nsIPresShell::ScrollAxis, unsigned int) [PresShell.cpp:349c78cf67feabcd02797a910cf1348b63b1793f : 3540 + 0x6]
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - r0 = 0xf0dea7ff r1 = 0x6ac9decc r2 = 0x52ffd788 r3 = 0x554a817d
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - r4 = 0x53c54a89 r5 = 0x52ffd788 r6 = 0x554a817d r7 = 0x52ffd7f0
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - r8 = 0x6ac9decc r9 = 0x6ac9de70 r10 = 0x000001e0 r12 = 0x531c3a1c
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - fp = 0x52ffd720 sp = 0x52ffd688 lr = 0x530b65af pc = 0x553c95ac
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - Found by: given as instruction pointer in context
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - 1 libxul.so!nsListControlFrame::ScrollToFrame(mozilla::dom::HTMLOptionElement&) [nsListControlFrame.cpp:349c78cf67feabcd02797a910cf1348b63b1793f : 1816 + 0xd]
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - r4 = 0x6ac9e498 r5 = 0x52ffd814 r6 = 0x400721f4 r7 = 0x52ffd838
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - r8 = 0x6ac62000 r9 = 0x00000001 r10 = 0x400721f4 fp = 0x00000001
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - sp = 0x52ffd7f8 lr = 0x554dac39 pc = 0x554dac39
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - Found by: call frame info
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - 2 libxul.so!nsListControlFrame::ScrollToIndex(int) [nsListControlFrame.cpp:349c78cf67feabcd02797a910cf1348b63b1793f : 1807 + 0x5]
[task 2019-03-14T03:59:37.571Z] 03:59:37 INFO - r4 = 0x6ac9de70 r5 = 0x400721f4 r6 = 0x6ac9e004 r7 = 0x52ffd860
[task 2019-03-14T03:59:37.572Z] 03:59:37 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x400721f4 fp = 0x00000001
[task 2019-03-14T03:59:37.572Z] 03:59:37 INFO - sp = 0x52ffd840 lr = 0x554d99e1 pc = 0x554d99e1
[task 2019-03-14T03:59:37.572Z] 03:59:37 INFO - Found by: call frame info
[task 2019-03-14T03:59:37.572Z] 03:59:37 INFO - 3 libxul.so!non-virtual thunk to nsListControlFrame::OnOptionSelected(int, bool) [nsListControlFrame.cpp:349c78cf67feabcd02797a910cf1348b63b1793f : 964 + 0x3]
[task 2019-03-14T03:59:37.573Z] 03:59:37 INFO - r4 = 0x68c77580 r5 = 0x00000001 r6 = 0x6ac9e004 r7 = 0x52ffd868
[task 2019-03-14T03:59:37.573Z] 03:59:37 INFO - r8 = 0x00000001 r9 = 0x00000001 r10 = 0x400721f4 fp = 0x00000001
[task 2019-03-14T03:59:37.573Z] 03:59:37 INFO - sp = 0x52ffd868 lr = 0x554da051 pc = 0x554da051
[task 2019-03-14T03:59:37.573Z] 03:59:37 INFO - Found by: call frame info
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=233798438&repo=try&lineNumber=1398
Comment 2•6 years ago
This is hitting our framepoisoning mitigation and should be unexploitable. But still means something's wrong.
Group: core-security
Keywords: csectype-framepoisoning, sec-low
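How a crash like the one in comment 1 can be recognised as a frame-poison hit during triage, as an added example that is not part of the bug or of Mozilla's code. It assumes a 4 KiB poison region containing the r0 value from the log (POISON_BASE and POISON_SIZE are assumptions), and the sample log is constructed from trimmed lines of comment 1.

```python
import re

# Assumption: a 4 KiB poison region that contains the r0 value from comment 1.
POISON_BASE, POISON_SIZE = 0xF0DEA000, 0x1000

# Constructed sample: lines from comment 1, with timestamps and signatures trimmed.
SAMPLE_LOG = """\
INFO - Crash reason: SIGSEGV /SEGV_MAPERR
INFO - Crash address: 0xf0dea8df
INFO - Thread 12 (crashed)
INFO - 0 libxul.so!nsIPresShell::ScrollFrameRectIntoView(...) [PresShell.cpp : 3540 + 0x6]
INFO - r0 = 0xf0dea7ff r1 = 0x6ac9decc r2 = 0x52ffd788 r3 = 0x554a817d
INFO - fp = 0x52ffd720 sp = 0x52ffd688 lr = 0x530b65af pc = 0x553c95ac
INFO - 1 libxul.so!nsListControlFrame::ScrollToFrame(...) [nsListControlFrame.cpp : 1816 + 0xd]
INFO - r4 = 0x6ac9e498 r5 = 0x52ffd814 r6 = 0x400721f4 r7 = 0x52ffd838
"""

CRASH_ADDR = re.compile(r"Crash address:\s*(0x[0-9a-fA-F]+)")
FRAME_HDR = re.compile(r"INFO -\s+(\d+)\s+\S+!")  # "<n> libxul.so!symbol"
REGISTER = re.compile(r"\b([a-z]{1,2}\d{0,2})\s*=\s*(0x[0-9a-fA-F]+)")


def in_poison_region(addr):
    return POISON_BASE <= addr < POISON_BASE + POISON_SIZE


def triage(log):
    """Report whether the fault address, and any frame-0 register, is poison."""
    crash_addr, frame, regs = None, None, {}
    for line in log.splitlines():
        if (m := CRASH_ADDR.search(line)):
            crash_addr = int(m.group(1), 16)
        elif (m := FRAME_HDR.search(line)):
            frame = int(m.group(1))
        elif frame == 0:
            # Only the crashing frame's registers describe the faulting access.
            regs.update((n, int(v, 16)) for n, v in REGISTER.findall(line))
    hit = crash_addr is not None and in_poison_region(crash_addr)
    # Offset of the fault from each poisoned register: a small offset is
    # consistent with a member access through a pointer read from poisoned memory.
    bases = {n: crash_addr - v for n, v in regs.items()
             if hit and in_poison_region(v)}
    return {"crash_address": crash_addr, "poison_hit": hit, "base_registers": bases}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(hex(result["crash_address"]), result["poison_hit"],
          {n: hex(o) for n, o in result["base_registers"].items()})
```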
Updated•2 years ago
Severity: normal → S3