Closed Bug 1544532 Opened 5 years ago Closed 3 years ago

IPC: crash [@mozilla::layers::TextureReadLock::Deserialize]

Categories

(Core :: Graphics: Layers, defect, P3)

x86_64
Linux
defect

RESOLVED WORKSFORME

People

(Reporter: posidron, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

123 bytes, application/octet-stream
The following testcase crashes on mozilla-central revision 20190412-412447b6149e

See attachment.

Backtrace:

==1929==ERROR: AddressSanitizer: SEGV on unknown address 0x00009f3f8001 (pc 0x7fa399840bf5 bp 0x7ffdc0a2b070 sp 0x7ffdc0a2b040 T0)
==1929==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7fa399840bf4 in fetch_add clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/bits/atomic_base.h:514:16
    #1 0x7fa399840bf4 in operator++ obj-firefox/dist/include/nsISupportsImpl.h:317
    #2 0x7fa399840bf4 in AddRef gfx/layers/client/TextureClient.h:188
    #3 0x7fa399840bf4 in AddRef gfx/layers/../../mfbt/RefPtr.h:45
    #4 0x7fa399840bf4 in AddRef gfx/layers/../../mfbt/RefPtr.h:362
    #5 0x7fa399840bf4 in RefPtr gfx/layers/../../mfbt/RefPtr.h:105
    #6 0x7fa399840bf4 in mozilla::layers::TextureReadLock::Deserialize(mozilla::layers::ReadLockDescriptor const&, mozilla::layers::ISurfaceAllocator*) gfx/layers/client/TextureClient.cpp:1498
    #7 0x7fa3998fd9f7 in DeserializeReadLock gfx/layers/composite/TextureHost.cpp:627:15
    #8 0x7fa3998fd9f7 in mozilla::layers::TextureHost::Create(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::ISurfaceAllocator*, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, mozilla::Maybe<mozilla::wr::WrExternalImageId>&) gfx/layers/composite/TextureHost.cpp:230
    #9 0x7fa3998fd282 in Init gfx/layers/composite/TextureHost.cpp:1164:18
    #10 0x7fa3998fd282 in mozilla::layers::TextureHost::CreateIPDLActor(mozilla::layers::HostIPCAllocator*, mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend, mozilla::layers::TextureFlags, unsigned long, mozilla::Maybe<mozilla::wr::WrExternalImageId> const&) gfx/layers/composite/TextureHost.cpp:125
    #11 0x7fa3999839d2 in mozilla::layers::ContentCompositorBridgeParent::AllocPTextureParent(mozilla::layers::SurfaceDescriptor const&, mozilla::layers::ReadLockDescriptor const&, mozilla::layers::LayersBackend const&, mozilla::layers::TextureFlags const&, mozilla::layers::LayersId const&, unsigned long const&, mozilla::Maybe<mozilla::wr::WrExternalImageId> const&) gfx/layers/ipc/ContentCompositorBridgeParent.cpp:603:10
    #12 0x7fa3975e33ed in mozilla::layers::PCompositorBridgeParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PCompositorBridgeParent.cpp:1250:71
    #13 0x7fa3976013e7 in mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) obj-firefox/ipc/ipdl/PCompositorManagerParent.cpp:136:28
    #14 0x7fa3a613a2ca in void mozilla::ipc::FuzzProtocol<mozilla::layers::CompositorManagerParent>(mozilla::layers::CompositorManagerParent*, unsigned char const*, unsigned long, nsTArray<nsTString<char> > const&) obj-firefox/dist/include/ProtocolFuzzer.h:107:18
    #15 0x7fa3a613999a in RunCompositorManagerParentIPCFuzzing(unsigned char const*, unsigned long) gfx/layers/ipc/fuzztest/compositor_manager_parent_ipc_libfuzz.cpp:30:3
    #16 0x557bb64d03ad in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:517:13
    #17 0x557bb64cfc05 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:442:3
    #18 0x557bb64d105d in fuzzer::Fuzzer::MutateAndTestOne() tools/fuzzing/libfuzzer/FuzzerLoop.cpp:650:19
    #19 0x557bb64d1935 in fuzzer::Fuzzer::Loop(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, fuzzer::fuzzer_allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) tools/fuzzing/libfuzzer/FuzzerLoop.cpp:773:5
    #20 0x557bb64c94c6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) tools/fuzzing/libfuzzer/FuzzerDriver.cpp:754:6
    #21 0x7fa3a4efff19 in mozilla::FuzzerRunner::Run(int*, char***) tools/fuzzing/interface/harness/FuzzerRunner.cpp:61:10
    #22 0x7fa3a4e0981d in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3740:35
    #23 0x7fa3a4e2230a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4697:12
    #24 0x7fa3a4e23f59 in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4791:21
    #25 0x557bb643064c in do_main browser/app/nsBrowserApp.cpp:212:22
    #26 0x557bb643064c in main browser/app/nsBrowserApp.cpp:291
    #27 0x7fa3bccc6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #28 0x557bb6355ebc in _start (/home/worker/firefox/firefox+0x2debc)

DEDUP_TOKEN: fetch_add
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/bits/atomic_base.h:514:16 in fetch_add

Command: /home/worker/firefox/firefox ./corpora/ -handle_segv=0 -handle_bus=0 -handle_abrt=0 -handle_ill=0 -handle_fpe=0 -print_pcs=1

==1929==ABORTING
Attached file Testcase
Group: core-security → gfx-core-security

I think this is a fuzzer bug: https://searchfox.org/mozilla-central/source/gfx/layers/client/TextureClient.cpp#1489-1498

Looks like within a process we can send a uintptr_t and just cast it to a real pointer, but that shouldn't be possible in a cross-process context.

The fuzzer runs in a same-process mode so it's able to do this; we should figure out how to make the fuzzer not able to reach this case.

Not s-s since it's a bug in the fuzzer.

Group: gfx-core-security
Priority: -- → P3
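As an added illustration of the point made in the comment above (this is not mozilla-central code and not a patch for this bug), the hardened deserializer below models the two descriptor variants: a raw uintptr_t may only be turned back into a pointer when the allocator says the peer really shares the address space, and a shared-memory offset still has to be bounds-checked against the region the host owns. All names here (ReadLock, ReadLockDescriptor, Allocator, DeserializeChecked, Classify) are simplified stand-ins for the real TextureReadLock / ReadLockDescriptor / ISurfaceAllocator types, and the sample address 0x9f3f8001 is just the faulting address from the ASan report reused as constructed input.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not mozilla-central code. Names mirror the page's
// TextureReadLock / ReadLockDescriptor / ISurfaceAllocator but are
// simplified, hypothetical stand-ins.

struct ReadLock {  // stand-in for TextureReadLock
  int refcount = 1;
};

enum class DescriptorKind { Null, ShmemSection, Intptr };

// Stand-in for the IPDL union: either "no lock", an offset into shared
// memory, or (same-process only) the raw address of a ReadLock.
struct ReadLockDescriptor {
  DescriptorKind kind;
  size_t shmemOffset;    // meaningful for ShmemSection
  uintptr_t rawPointer;  // meaningful for Intptr

  static ReadLockDescriptor Null() { return {DescriptorKind::Null, 0, 0}; }
  static ReadLockDescriptor Shmem(size_t off) { return {DescriptorKind::ShmemSection, off, 0}; }
  static ReadLockDescriptor Intptr(uintptr_t p) { return {DescriptorKind::Intptr, 0, p}; }
};

// Stand-in for ISurfaceAllocator: knows whether the peer is in-process and
// owns the shared-memory region that lock data lives in.
struct Allocator {
  bool sameProcess;
  std::vector<ReadLock> sharedLocks;  // constructed sample shmem contents
};

enum class Status { Ok, NoLock, RejectedRemotePointer, RejectedBadOffset };

struct Result {
  Status status;
  ReadLock* lock;  // non-null only when status == Ok
};

// Hardened deserialize: every field of the descriptor is peer-controlled,
// so both variants are validated before any pointer is formed.
Result DeserializeChecked(const ReadLockDescriptor& d, Allocator& a) {
  switch (d.kind) {
    case DescriptorKind::Null:
      return {Status::NoLock, nullptr};
    case DescriptorKind::ShmemSection:
      // The offset is untrusted: keep it inside the region we own.
      if (d.shmemOffset >= a.sharedLocks.size()) {
        return {Status::RejectedBadOffset, nullptr};
      }
      return {Status::Ok, &a.sharedLocks[d.shmemOffset]};
    case DescriptorKind::Intptr:
      // A peer-supplied integer is only a valid address when the peer shares
      // our address space; from another process it is a wild read like the
      // one in the ASan report above.
      if (!a.sameProcess) {
        return {Status::RejectedRemotePointer, nullptr};
      }
      return {Status::Ok, reinterpret_cast<ReadLock*>(d.rawPointer)};
  }
  return {Status::NoLock, nullptr};
}

// Deserialize one descriptor against a constructed allocator that holds two
// locks in "shared memory", returning only the decision.
Status Classify(bool sameProcess, const ReadLockDescriptor& d) {
  Allocator a{sameProcess, std::vector<ReadLock>(2)};
  return DeserializeChecked(d, a).status;
}

// Same-process round trip: the pointer we get back must be the one we sent.
bool InProcessRoundTrip() {
  ReadLock lock;
  Allocator a{true, {}};
  Result r = DeserializeChecked(
      ReadLockDescriptor::Intptr(reinterpret_cast<uintptr_t>(&lock)), a);
  return r.status == Status::Ok && r.lock == &lock;
}

static const char* StatusName(Status s) {
  switch (s) {
    case Status::Ok: return "Ok";
    case Status::NoLock: return "NoLock";
    case Status::RejectedRemotePointer: return "RejectedRemotePointer";
    case Status::RejectedBadOffset: return "RejectedBadOffset";
  }
  return "?";
}

int main() {
  // Cross-process peer sending the faulting address from the report.
  std::printf("remote intptr  : %s\n",
              StatusName(Classify(false, ReadLockDescriptor::Intptr(0x9f3f8001ULL))));
  std::printf("remote shmem 5 : %s\n", StatusName(Classify(false, ReadLockDescriptor::Shmem(5))));
  std::printf("remote shmem 1 : %s\n", StatusName(Classify(false, ReadLockDescriptor::Shmem(1))));
  std::printf("in-process ptr : %s\n", InProcessRoundTrip() ? "Ok" : "broken");
  return 0;
}
```

The same-process branch is exactly what a single-process fuzzing harness can reach, which is why the comment treats the crash as a harness artifact rather than a host-side bug: the check only has teeth when the allocator reports a real cross-process peer.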

There were no crashes with this signature in the last 6 months, closing it resolved:worksforme.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME