Open Bug 1535187 Opened 5 years ago Updated 2 years ago

Investigate whether 1486521.html is still crashing Android verify build

Categories

(Core :: Layout, defect, P5)

People

(Reporter: TYLin, Unassigned)

Details

(Keywords: csectype-framepoisoning, sec-low)

The test added in bug 1486521 was annotated skip-if(verify&&Android) because it crashes for an unknown reason. Filed this bug to keep tracking it.

https://searchfox.org/mozilla-central/rev/aae527894a97ee3bbe0c2cfce9c67c59e8b8fcb9/layout/base/crashtests/crashtests.list#546

Group: core-security

I pushed a try, and this time it has a call stack like

[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -  Crash reason:  SIGSEGV /SEGV_MAPERR
[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -  Crash address: 0xf0dea8df
[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -  Process uptime: not available
[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -  Thread 12 (crashed)
[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -   0  libxul.so!nsIPresShell::ScrollFrameRectIntoView(nsIFrame*, nsRect const&, nsIPresShell::ScrollAxis, nsIPresShell::ScrollAxis, unsigned int) [PresShell.cpp:349c78cf67feabcd02797a910cf1348b63b1793f : 3540 + 0x6]
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r0 = 0xf0dea7ff    r1 = 0x6ac9decc    r2 = 0x52ffd788    r3 = 0x554a817d
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r4 = 0x53c54a89    r5 = 0x52ffd788    r6 = 0x554a817d    r7 = 0x52ffd7f0
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r8 = 0x6ac9decc    r9 = 0x6ac9de70   r10 = 0x000001e0   r12 = 0x531c3a1c
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       fp = 0x52ffd720    sp = 0x52ffd688    lr = 0x530b65af    pc = 0x553c95ac
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -      Found by: given as instruction pointer in context
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -   1  libxul.so!nsListControlFrame::ScrollToFrame(mozilla::dom::HTMLOptionElement&) [nsListControlFrame.cpp:349c78cf67feabcd02797a910cf1348b63b1793f : 1816 + 0xd]
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r4 = 0x6ac9e498    r5 = 0x52ffd814    r6 = 0x400721f4    r7 = 0x52ffd838
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r8 = 0x6ac62000    r9 = 0x00000001   r10 = 0x400721f4    fp = 0x00000001
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       sp = 0x52ffd7f8    lr = 0x554dac39    pc = 0x554dac39
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -      Found by: call frame info
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -   2  libxul.so!nsListControlFrame::ScrollToIndex(int) [nsListControlFrame.cpp:349c78cf67feabcd02797a910cf1348b63b1793f : 1807 + 0x5]
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r4 = 0x6ac9de70    r5 = 0x400721f4    r6 = 0x6ac9e004    r7 = 0x52ffd860
[task 2019-03-14T03:59:37.572Z] 03:59:37     INFO -       r8 = 0x00000001    r9 = 0x00000001   r10 = 0x400721f4    fp = 0x00000001
[task 2019-03-14T03:59:37.572Z] 03:59:37     INFO -       sp = 0x52ffd840    lr = 0x554d99e1    pc = 0x554d99e1
[task 2019-03-14T03:59:37.572Z] 03:59:37     INFO -      Found by: call frame info
[task 2019-03-14T03:59:37.572Z] 03:59:37     INFO -   3  libxul.so!non-virtual thunk to nsListControlFrame::OnOptionSelected(int, bool) [nsListControlFrame.cpp:349c78cf67feabcd02797a910cf1348b63b1793f : 964 + 0x3]
[task 2019-03-14T03:59:37.573Z] 03:59:37     INFO -       r4 = 0x68c77580    r5 = 0x00000001    r6 = 0x6ac9e004    r7 = 0x52ffd868
[task 2019-03-14T03:59:37.573Z] 03:59:37     INFO -       r8 = 0x00000001    r9 = 0x00000001   r10 = 0x400721f4    fp = 0x00000001
[task 2019-03-14T03:59:37.573Z] 03:59:37     INFO -       sp = 0x52ffd868    lr = 0x554da051    pc = 0x554da051
[task 2019-03-14T03:59:37.573Z] 03:59:37     INFO -      Found by: call frame info

https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=233798438&repo=try&lineNumber=1398

This is hitting our framepoisoning mitigation and should be unexploitable. But it still means something's wrong.

Group: core-security
Severity: normal → S3
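The comment above classifies the crash as a hit on the frame-poisoning mitigation by looking at the fault address. As an added example (not part of this bug or of mozilla-central), the Python script below makes that triage step repeatable: it parses Breakpad-style crash output such as the log quoted earlier, extracts the crash address and the frame-0 registers, and reports which register held a poison-pattern pointer and the field offset that was dereferenced. The poison page range 0xf0dea000 to 0xf0deafff is an assumption derived from the r0 value in this log rather than a value taken from mfbt, and the sample input is constructed to copy the shape of the lines above.

```python
import re

# Assumed 32-bit frame-poison page, derived from r0 = 0xf0dea7ff in the bug's log
# (assumption for this example, not a value taken from mozilla-central).
POISON_PAGE_BASE = 0xF0DEA000
PAGE_SIZE = 0x1000

CRASH_ADDR_RE = re.compile(r"Crash address:\s+0x([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"INFO -\s+(\d+)\s+\S+!")  # "INFO -   0  libxul.so!..."
REG_RE = re.compile(r"\b(r\d{1,2}|fp|sp|lr|pc)\s*=\s*0x([0-9a-fA-F]+)")

# Constructed sample that copies the shape of the Breakpad output quoted in the bug.
SAMPLE_LOG = """\
[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -  Crash reason:  SIGSEGV /SEGV_MAPERR
[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -  Crash address: 0xf0dea8df
[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -  Thread 12 (crashed)
[task 2019-03-14T03:59:37.570Z] 03:59:37     INFO -   0  libxul.so!nsIPresShell::ScrollFrameRectIntoView(...) [PresShell.cpp : 3540 + 0x6]
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r0 = 0xf0dea7ff    r1 = 0x6ac9decc    r2 = 0x52ffd788    r3 = 0x554a817d
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r4 = 0x53c54a89    r5 = 0x52ffd788    r6 = 0x554a817d    r7 = 0x52ffd7f0
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       fp = 0x52ffd720    sp = 0x52ffd688    lr = 0x530b65af    pc = 0x553c95ac
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -      Found by: given as instruction pointer in context
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -   1  libxul.so!nsListControlFrame::ScrollToFrame(...) [nsListControlFrame.cpp : 1816 + 0xd]
[task 2019-03-14T03:59:37.571Z] 03:59:37     INFO -       r4 = 0x6ac9e498    r5 = 0x52ffd814    r6 = 0x400721f4    r7 = 0x52ffd838
"""


def in_poison_page(addr):
    """True if addr lies inside the assumed (inaccessible) poison page."""
    return POISON_PAGE_BASE <= addr < POISON_PAGE_BASE + PAGE_SIZE


def parse_dump(lines):
    """Return (crash_address, registers of frame 0) from Breakpad-style log lines."""
    crash_addr = None
    regs = {}
    in_frame0 = False
    for line in lines:
        m = CRASH_ADDR_RE.search(line)
        if m:
            crash_addr = int(m.group(1), 16)
            continue
        fm = FRAME_RE.search(line)
        if fm:  # a frame header: only frame 0's registers describe the fault
            in_frame0 = fm.group(1) == "0"
            continue
        if in_frame0:
            for name, val in REG_RE.findall(line):
                regs[name] = int(val, 16)
    return crash_addr, regs


def classify(crash_addr, regs):
    """Describe the fault: poison hit (with the poisoned register and field offset),
    near-null dereference, or an unclassified address."""
    if crash_addr is None:
        return {"kind": "unknown"}
    if not in_poison_page(crash_addr):
        return {"kind": "near-null" if crash_addr < PAGE_SIZE else "other"}
    result = {"kind": "frame-poison"}
    # The poisoned pointer is the register at the smallest non-negative distance
    # below the fault address; the distance is the member offset that was read.
    best = None
    for name, val in regs.items():
        if in_poison_page(val) and val <= crash_addr:
            off = crash_addr - val
            if best is None or off < best[1]:
                best = (name, off)
    if best is not None:
        result["register"], result["offset"] = best
    return result


def triage(log_text):
    """Parse a whole log and classify its crash."""
    crash_addr, regs = parse_dump(log_text.splitlines())
    return classify(crash_addr, regs)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the constructed sample this reports a frame-poison hit through r0 at offset 0xe0, which is the picture the comment draws: a pointer to freed frame memory was dereferenced, and the read landed in the reserved poison page instead of reusable heap. A result of "other" would be the case to treat as potentially more serious, since it means the mitigation did not absorb the bad access.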