Bug 1544532 - IPC: crash [@mozilla::layers::TextureReadLock::Deserialize]
Status: Closed, RESOLVED WORKSFORME (opened 5 years ago, closed 3 years ago)
Categories: Core :: Graphics: Layers, defect, P3
People: Reporter: posidron, Unassigned
References: Blocks 1 open bug
Keywords: crash, testcase
Attachments (1 file): 123 bytes, application/octet-stream
The following testcase crashes on mozilla-central revision 20190412-412447b6149e
See attachment.
Backtrace:
==1929==ERROR: AddressSanitizer: SEGV on unknown address 0x00009f3f8001 (pc 0x7fa399840bf5 bp 0x7ffdc0a2b070 sp 0x7ffdc0a2b040 T0)
==1929==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
#0 0x7fa399840bf4 in fetch_add clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/bits/atomic_base.h:514:16
#1 0x7fa399840bf4 in operator++ obj-firefox/dist/include/nsISupportsImpl.h:317
#2 0x7fa399840bf4 in AddRef gfx/layers/client/TextureClient.h:188
#3 0x7fa399840bf4 in AddRef gfx/layers/../../mfbt/RefPtr.h:45
#4 0x7fa399840bf4 in AddRef gfx/layers/../../mfbt/RefPtr.h:362
#5 0x7fa399840bf4 in RefPtr gfx/layers/../../mfbt/RefPtr.h:105
#6 0x7fa399840bf4 in mozilla::layers::TextureReadLock::Deserialize(mozilla::layers::ReadLockDescriptor const&, mozilla::layers::ISurfaceAllocator*) gfx/layers/client/TextureClient.cpp:1498
#7 0x7fa3998fd9f7 in DeserializeReadLock gfx/layers/composite/TextureHost.cpp:627:15
#8 0x7fa3998fd9f7 in mozilla::layers::TextureHost::Create(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::ISurfaceAllocator*, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, mozilla::Maybe<mozilla::wr::WrExternalImageId>&) gfx/layers/composite/TextureHost.cpp:230
#9 0x7fa3998fd282 in Init gfx/layers/composite/TextureHost.cpp:1164:18
#10 0x7fa3998fd282 in mozilla::layers::TextureHost::CreateIPDLActor(mozilla::layers::HostIPCAllocator*, mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, unsigned long, mozilla::Maybe<mozilla::wr::WrExternalImageId> const&) gfx/layers/composite/TextureHost.cpp:125
#11 0x7fa3999839d2 in mozilla::layers::ContentCompositorBridgeParent::AllocPTextureParent(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend const&, mozilla::layers::TextureFlags const&, mozilla::layers::LayersId const&, unsigned long const&, mozilla::Maybe<mozilla::wr::WrExternalImageId> const&) gfx/layers/ipc/ContentCompositorBridgeParent.cpp:603:10
#12 0x7fa3975e33ed in mozilla::layers::PCompositorBridgeParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PCompositorBridgeParent.cpp:1250:71
#13 0x7fa3976013e7 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:136:28
#14 0x7fa3a613a2ca in void mozilla::ipc::FuzzProtocol<mozilla::layers::CompositorManagerParent>(mozilla::layers::CompositorManagerParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:107:18
#15 0x7fa3a613999a in RunCompositorManagerParentIPCFuzzing(unsigned char const*, unsigned long) gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp:30:3
#16 0x557bb64d03ad in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
#17 0x557bb64cfc05 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
#18 0x557bb64d105d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
#19 0x557bb64d1935 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
#20 0x557bb64c94c6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
#21 0x7fa3a4efff19 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:61:10
#22 0x7fa3a4e0981d in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3740:35
#23 0x7fa3a4e2230a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4697:12
#24 0x7fa3a4e23f59 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4791:21
#25 0x557bb643064c in do_main browser/app/nsBrowserApp.cpp:212:22
#26 0x557bb643064c in main browser/app/nsBrowserApp.cpp:291
#27 0x7fa3bccc6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#28 0x557bb6355ebc in _start (/home/worker/firefox/firefox+0x2debc)
DEDUP_TOKEN: fetch_add
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/bits/atomic_base.h:514:16 in fetch_add
Command: /home/worker/firefox/firefox ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1
==1929==ABORTING
Comment 1 (Reporter, 5 years ago)
Updated (5 years ago): Blocks: libfuzzer-ipc
Updated (5 years ago): Group: core-security → gfx-core-security
Comment 2 (5 years ago)
I think this is a fuzzer bug: https://searchfox.org/mozilla-central/source/gfx/layers/client/TextureClient.cpp#1489-1498
Looks like within a process we can send a uintptr_t and just cast it to a real pointer, but that shouldn't be possible in a cross-process context.
The fuzzer runs in a same-process mode so it's able to do this; we should figure out how to make the fuzzer not able to reach this case.
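One way to encode the distinction the comment draws, as an added example that is not Firefox's code: hypothetical ReadLockDescriptor, SurfaceAllocator and ReadLock stand-ins, with a deserializer that honours the raw-pointer descriptor variant only when the sender shares the receiver's address space and refuses it (before any AddRef-style dereference) when the message came from another process. The handle table, the enum of outcomes and the sample inputs are all constructed for this illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <variant>

// Added illustration, not Firefox code. Every type name below is a hypothetical
// stand-in for the kinds of objects named in the bug's backtrace.

// An in-process lock object. Only code in the same address space can legitimately
// hold a raw pointer to it.
struct ReadLock {
    int refCount = 0;
};

// Descriptor variants a sender can put on the wire.
struct NullLockDescriptor {};                          // no lock attached
struct ShmemLockDescriptor { uint32_t handleId; };     // cross-process form: opaque handle
struct IntrusiveLockDescriptor { uintptr_t rawPtr; };  // same-process form: raw pointer bits
using ReadLockDescriptor =
    std::variant<NullLockDescriptor, ShmemLockDescriptor, IntrusiveLockDescriptor>;

// Minimal stand-in for the allocator handed to the deserializer: the receiver
// knows whether the sender lives in its own process.
struct SurfaceAllocator {
    bool sameProcess;
};

enum class DeserializeResult { Ok, NoLock, UnknownHandle, RejectedCrossProcessPointer };

// Registry of handle-addressed locks the receiver itself set up (a stand-in for a
// shared-memory table). Incoming handles are bounds-checked against it.
static constexpr uint32_t kSharedLockCount = 4;
static ReadLock gSharedLocks[kSharedLockCount];

// Checked deserializer: the raw-pointer variant is accepted only from a sender in
// this process. A remote sender cannot legitimately name an address in our heap,
// so its pointer bits are refused before anything dereferences them (the AddRef
// in the report is exactly such a dereference).
DeserializeResult DeserializeReadLock(const ReadLockDescriptor& desc,
                                      const SurfaceAllocator& alloc,
                                      ReadLock** out) {
    *out = nullptr;
    if (std::holds_alternative<NullLockDescriptor>(desc)) {
        return DeserializeResult::NoLock;
    }
    if (const auto* shm = std::get_if<ShmemLockDescriptor>(&desc)) {
        if (shm->handleId >= kSharedLockCount) {
            return DeserializeResult::UnknownHandle;
        }
        *out = &gSharedLocks[shm->handleId];
        (*out)->refCount++;
        return DeserializeResult::Ok;
    }
    const auto& intrusive = std::get<IntrusiveLockDescriptor>(desc);
    if (!alloc.sameProcess) {
        return DeserializeResult::RejectedCrossProcessPointer;
    }
    *out = reinterpret_cast<ReadLock*>(intrusive.rawPtr);
    (*out)->refCount++;  // safe only because the pointer originated in our own process
    return DeserializeResult::Ok;
}

int main() {
    // Constructed inputs: pointer bits arriving from another process (the address
    // from the report, never dereferenced here) and a genuine in-process lock.
    ReadLock local;
    SurfaceAllocator remote{false};
    SurfaceAllocator sameProc{true};
    ReadLock* lock = nullptr;

    DeserializeResult r1 =
        DeserializeReadLock(IntrusiveLockDescriptor{0x9f3f8001u}, remote, &lock);
    std::printf("remote raw pointer: %s\n",
                r1 == DeserializeResult::RejectedCrossProcessPointer ? "rejected" : "accepted");

    DeserializeResult r2 = DeserializeReadLock(
        IntrusiveLockDescriptor{reinterpret_cast<uintptr_t>(&local)}, sameProc, &lock);
    std::printf("in-process raw pointer: %s, refCount=%d\n",
                r2 == DeserializeResult::Ok ? "ok" : "error", local.refCount);
    return 0;
}
```

The point of the check is that the same-process flag is a property of the channel, not of the message: a fuzzing harness that drives the parent-side protocol in-process is, by construction, a same-process sender, which is why the comment suggests keeping the fuzzer away from this case rather than validating the pointer itself.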
Updated (5 years ago): Priority: -- → P3
Comment 4 (3 years ago)
There were no crashes with this signature in the last 6 months, closing it resolved:worksforme.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME