Closed Bug 1560641 Opened 5 years ago Closed 5 years ago

Intermittent mozrunner-startup | <test-name> | application crashed [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const]

Categories

(Core Graveyard :: Widget: Android, defect, P2)

Product:
Core Graveyard
Component:
Widget: Android
Platform:
Unspecified
Android
Type:
defect

Tracking

(firefox-esr60 unaffected, firefox-esr68 unaffected, firefox68 wontfix, firefox69+ fixed, firefox70+ fixed)

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- wontfix
firefox69 + fixed
firefox70 + fixed

People

(Reporter: intermittent-bug-filer, Assigned: fluffyemily)

References

Details

(5 keywords, Whiteboard: [geckoview:p2][post-critsmashe-triage[adv-main69+])

Crash Data

Attachments

(1 file)

Bug 1560641: Add a lock around `mCapturePixelsResults`. @geckoview-reviewers
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review

Filed by: ncsoregi [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=252814290&repo=autoland
Full log: https://queue.taskcluster.net/v1/task/ITRNK4f1Rv6ORw7Sy0YEug/runs/0/artifacts/public/logs/live_backing.log

[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - PROCESS-CRASH | mozrunner-startup | application crashed [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const]
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - Crash dump filename: /tmp/tmphITeRC/488e865d-623b-d0f9-ced2-e30556f9af09.dmp
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - Operating system: Android
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - 0.0.0 Linux 3.10.0+ #1 PREEMPT Thu Jan 5 00:46:30 UTC 2017 x86_64
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - CPU: amd64
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - family 6 model 2 stepping 3
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - 1 CPU
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO -
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - GPU: UNKNOWN
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO -
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - Crash reason: SIGSEGV /0x00000080
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - Crash address: 0x0
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - Process uptime: not available
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO -
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - Thread 0 (crashed)
[task 2019-06-21T17:15:08.471Z] 17:15:08 INFO - 0 libxul.so!nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const [nsWindow.cpp:887a479a52ebcd3fb005df8f18c7fb7d4da49c63 : 870 + 0xf]
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rax = 0x0072f2f2f2f2f2f2 rdx = 0x0000000000008001
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rcx = 0xe5e5e5e5e5e5e5e5 rbx = 0x00007c9c470336a8
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rsi = 0x0000000000000001 rdi = 0x00007c9c470336a8
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rbp = 0x00007fff83979b20 rsp = 0x00007fff83979ab0
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - r8 = 0x0000000000001a42 r9 = 0x00007c9c76a1ab40
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - r10 = 0x00007c9c720e7f70 r11 = 0x0000000000000246
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - r12 = 0x00007fff83979ab0 r13 = 0x00007fff83979ac0
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - r14 = 0xe5e5e5e5e5e5e5e5 r15 = 0x00007fff83979b40
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rip = 0x00007c9c54108fed
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - Found by: given as instruction pointer in context
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - 1 libxul.so!mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run() [nsThreadUtils.h:887a479a52ebcd3fb005df8f18c7fb7d4da49c63 : 564 + 0x9]
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rbx = 0x00007c9c45c1f820 rbp = 0x00007fff83979b30
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rsp = 0x00007fff83979b30 r12 = 0x00007fff83979b50
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - r13 = 0xffffffffffffffff r14 = 0x00007fff83979b48
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - r15 = 0x00007fff83979b40 rip = 0x00007c9c54108f65
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - Found by: call frame info
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - 2 libxul.so!mozilla::RunAndroidUiTasks() [AndroidUiThread.cpp:887a479a52ebcd3fb005df8f18c7fb7d4da49c63 : 331 + 0x11]
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rbx = 0x00007c9c45c1f820 rbp = 0x00007fff83979ba0
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - rsp = 0x00007fff83979b40 r12 = 0x00007fff83979b50
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - r13 = 0xffffffffffffffff r14 = 0x00007fff83979b48
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - r15 = 0x00007fff83979b40 rip = 0x00007c9c540d95d8
[task 2019-06-21T17:15:08.472Z] 17:15:08 INFO - Found by: call frame info
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 3 base.odex + 0x769046
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rbx = 0x0000000012c063f8 rbp = 0x0000000012c9c400
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979bb0 r12 = 0x00007c9c76514900
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - r13 = 0x0000000075d16cb0 r14 = 0x0000000012c6d920
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - r15 = 0x0000000070cb5668 rip = 0x00007c9c5b4fa046
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: call frame info
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 4 dalvik-LinearAlloc (deleted) + 0x6d88
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979bb8 rip = 0x00007c9c7650ed88
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 5 libart.so + 0x13fc2a
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979bc0 rip = 0x00007c9c71a4bc2a
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 6 system@framework@boot.art + 0x50f2c8
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979bc8 rip = 0x0000000070fbe2c8
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 7 dalvik-LinearAlloc (deleted) + 0xc068
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979bd8 rip = 0x00007c9c76514068
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 8 dalvik-main space (deleted) + 0x63f8
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979c20 rip = 0x0000000012c063f8
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 9 dalvik-main space (deleted) + 0x9c400
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979c28 rip = 0x0000000012c9c400
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 10 dalvik-LinearAlloc (deleted) + 0xc900
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979c30 rip = 0x00007c9c76514900
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 11 dalvik-zygote space (deleted) + 0xcb0
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - rsp = 0x00007fff83979c38 rip = 0x0000000075d16cb0
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.473Z] 17:15:08 INFO - 12 dalvik-main space (deleted) + 0x6d920
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - rsp = 0x00007fff83979c40 rip = 0x0000000012c6d920
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - 13 system@framework@boot.art + 0x206668
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - rsp = 0x00007fff83979c48 rip = 0x0000000070cb5668
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - 14 dalvik-jit-code-cache (deleted) + 0x4f67
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - rsp = 0x00007fff83979c50 rip = 0x00007c9c5d63df67
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - 15 dalvik-LinearAlloc (deleted) + 0xc900
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - rsp = 0x00007fff83979c58 rip = 0x00007c9c76514900
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - 16 libart.so + 0x609157
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - rsp = 0x00007fff83979c60 rip = 0x00007c9c71f15157
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - 17 system@framework@boot.art + 0x1fd518
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - rsp = 0x00007fff83979c70 rip = 0x0000000070cac518
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - 18 dalvik-main space (deleted) + 0x63f8
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - rsp = 0x00007fff83979c88 rip = 0x0000000012c063f8
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - 19 dalvik-main space (deleted) + 0x73d00
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - rsp = 0x00007fff83979c90 rip = 0x0000000012c73d00
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.474Z] 17:15:08 INFO - 20 dalvik-main space (deleted) + 0x73d00
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - rsp = 0x00007fff83979c98 rip = 0x0000000012c73d00
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - 21 system@framework@boot.art + 0x3412c8
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - rsp = 0x00007fff83979ca0 rip = 0x0000000070df02c8
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - 22 system@framework@boot.art + 0x1fd518
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - rsp = 0x00007fff83979ca8 rip = 0x0000000070cac518
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - 23 boot-framework.oat + 0x1657220
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - rsp = 0x00007fff83979cb0 rip = 0x00000000745aa220
[task 2019-06-21T17:15:08.475Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - 24 system@framework@boot-framework.art + 0x256538
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - rsp = 0x00007fff83979cb8 rip = 0x00000000714f6538
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - 25 dalvik-main space (deleted) + 0x63f8
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - rsp = 0x00007fff83979cd0 rip = 0x0000000012c063f8
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - 26 dalvik-main space (deleted) + 0x88ae0
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - rsp = 0x00007fff83979cd8 rip = 0x0000000012c88ae0
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.476Z] 17:15:08 INFO - 27 boot-framework.oat + 0x1657296
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - rsp = 0x00007fff83979ce0 rip = 0x00000000745aa296
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - 28 system@framework@boot-framework.art + 0x256570
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - rsp = 0x00007fff83979ce8 rip = 0x00000000714f6570
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - 29 dalvik-main space (deleted) + 0x95d8
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - rsp = 0x00007fff83979cf8 rip = 0x0000000012c095d8
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - 30 dalvik-main space (deleted) + 0x4bde0
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - rsp = 0x00007fff83979d00 rip = 0x0000000012c4bde0
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - 31 dalvik-main space (deleted) + 0x73d00
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - rsp = 0x00007fff83979d10 rip = 0x0000000012c73d00
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - 32 dalvik-main space (deleted) + 0x4bde0
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - rsp = 0x00007fff83979d18 rip = 0x0000000012c4bde0
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - 33 boot-framework.oat + 0x1e12c44
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - rsp = 0x00007fff83979d20 rip = 0x0000000074d65c44
[task 2019-06-21T17:15:08.477Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - 34 system@framework@boot-framework.art + 0x32c2f0
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - rsp = 0x00007fff83979d28 rip = 0x00000000715cc2f0
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - 35 dalvik-main space (deleted) + 0x95d8
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - rsp = 0x00007fff83979d30 rip = 0x0000000012c095d8
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - 36 system@framework@boot.art + 0x3405c8
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - rsp = 0x00007fff83979d58 rip = 0x0000000070def5c8
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - 37 dalvik-main space (deleted) + 0x88ae0
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - rsp = 0x00007fff83979d70 rip = 0x0000000012c88ae0
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - 38 dalvik-main space (deleted) + 0x73d00
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - rsp = 0x00007fff83979d80 rip = 0x0000000012c73d00
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - 39 system@framework@boot-framework.art + 0x419fd8
[task 2019-06-21T17:15:08.478Z] 17:15:08 INFO - rsp = 0x00007fff83979da0 rip = 0x00000000716b9fd8
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 40 boot-framework.oat + 0x165ee53
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979db0 rip = 0x00000000745b1e53
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 41 system@framework@boot-framework.art + 0x419fd8
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979db8 rip = 0x00000000716b9fd8
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 42 dalvik-main space (deleted) + 0x4fe60
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979dc0 rip = 0x0000000012c4fe60
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 43 dalvik-main space (deleted) + 0x138b0
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979dc8 rip = 0x0000000012c138b0
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 44 dalvik-main space (deleted) + 0x4fe30
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979dd0 rip = 0x0000000012c4fe30
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 45 system@framework@boot-framework.art + 0x41c0b0
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979dd8 rip = 0x00000000716bc0b0
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 46 boot-framework.oat + 0x165e9dc
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979de0 rip = 0x00000000745b19dc
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 47 system@framework@boot-framework.art + 0x419fa0
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979de8 rip = 0x00000000716b9fa0
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 48 system@framework@boot-framework.art + 0x41ac50
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979e00 rip = 0x00000000716bac50
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 49 dalvik-main space (deleted) + 0x4be20
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979e08 rip = 0x0000000012c4be20
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - 50 dalvik-main space (deleted) + 0x4fd60
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - rsp = 0x00007fff83979e10 rip = 0x0000000012c4fd60
[task 2019-06-21T17:15:08.479Z] 17:15:08 INFO - Found by: stack scanning

  • last test: /html/browsers/the-window-object/apis-for-creating-and-navigating-browsing-contexts-by-name/open-features-tokenization-noreferrer.html *

Hi Emily,
I saw you are the last person change nsWindow::LayerViewSupport::OnDetach relative code, could you please take a look? Thank you.

Flags: needinfo?(etoop)
Blocks: 1553135

This bug has helped me resolve an issue I've been trying to track down for an age, so thanks. This seems to be a race condition caused if detach is called while a screen shot is being taken. The solution to this is twofold:

  1. Lock the list of waiting screenshot GeckoResults such that we can't try and use the same one to both notify for detach and notify for a completed screenshot.
  2. Check to ensure that mLayerViewSupport is not null before trying to return a screenshot.
Flags: needinfo?(etoop)

Adding [geckoview] whiteboard tag to send this bug to GV triage.

status-firefox69: --- → affected
OS: Unspecified → Android
Whiteboard: [geckoview]?
Assignee: nobody → etoop

This is to ensure that multiple completions cannot be attempted on the same GeckoResult, resulting in crashes.

Depends on D36928

Priority: -- → P2

Emily is this patch still waiting to land?

status-firefox70: --- → affected
Flags: needinfo?(etoop)

Yes. It's in review but we're still trying to find the right fix for it.

Flags: needinfo?(etoop)
Summary: Intermittent mozrunner-startup | application crashed [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const] → Intermittent mozrunner-startup | <test-name> | application crashed [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const]
Crash Signature: [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const] → [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const] [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()]

Emily says she's working on this test crash.

Crash Signature: [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const] [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()] → [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const] [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()]
status-firefox68: --- → wontfix
Whiteboard: [geckoview]? → [geckoview:p2]
See Also: → 1565466
Pushed by etoop@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e07c631eca62
Add a lock around `mCapturePixelsResults`. @geckoview-reviewers r=geckoview-reviewers,snorp

https://hg.mozilla.org/mozilla-central/rev/e07c631eca62

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox70: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Is this something we should consider uplifting to Beta for GV69 or can this ride the 70 train?

status-firefox-esr60: --- → unaffected
status-firefox-esr68: --- → unaffected
Flags: needinfo?(etoop)
Component: DOM: Core & HTML → Widget: Android

(In reply to Ryan VanderMeulen [:RyanVM] from comment #22)

Is this something we should consider uplifting to Beta for GV69 or can this ride the 70 train?

This is a use-after-free so it should be uplifted.

I'm not sure how exploitable this is in practice, but it is a frequent intermittent failure with use after free poison values in registers, so I'm going to mark it sec-high to be conservative.

Group: gfx-core-security
Keywords: csectype-race, sec-high
Comment 24 is private: false
Group: gfx-core-security → core-security-release

We should consider this for GV 69

Flags: needinfo?(etoop)

Comment on attachment 9075989 [details]
Bug 1560641: Add a lock around mCapturePixelsResults. @geckoview-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: In rare cases Fenix will crash rather than closing down cleanly.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce:
  • List of other uplifts needed: Bug 1553135
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This crash would occur only when the app is being backgrounded and so was not visible to the user.
  • String changes made/needed:
Attachment #9075989 - Flags: approval-mozilla-beta?

Comment on attachment 9075989 [details]
Bug 1560641: Add a lock around mCapturePixelsResults. @geckoview-reviewers

Fixes a security-sensitive GeckoView crash. Approved for GV69.

Attachment #9075989 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Hi!
I tested this, as suggested in Comment 27, on Firefox Preview Nightly 190725 (Build #12061813), Release 68.0 with

  • Prestigio Grace X5 (Android 4.4.2);
  • Lenovo Yoga Tablet 2 (Android 4.4.2; x86);
  • Sony Xperia Z5 Premium (Android 7.1.1);
  • OnePlus 5T (Android 9).

and I could not reproduce the crash.
I see this is a Treeherder bug, are there any other informations about reproducing this bug? Thank you!

Flags: qe-verify-
Whiteboard: [geckoview:p2] → [geckoview:p2][post-critsmashe-triage]

is this the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1565466 ? because in that case it's still happening in the trunk

ni for Comment 31

Flags: needinfo?(continuation)

(In reply to :Agi | ⏰ PST | he/him from comment #31)

is this the same as https://bugzilla.mozilla.org/show_bug.cgi?id=1565466 ? because in that case it's still happening in the trunk

It certainly looks very similar. In one crash, I saw 0x0072f2f2f2f2f2f2 in a register like the crash in comment 0, which looks like JS_FRESH_NURSERY_PATTERN, and in another I saw 0xe5e5e5e5 in a register, which is from a use-after-free. Maybe there's another lock missing somewhere?

Flags: needinfo?(continuation) → needinfo?(etoop)
Flags: needinfo?(etoop) → needinfo?(agi)
Whiteboard: [geckoview:p2][post-critsmashe-triage] → [geckoview:p2][post-critsmashe-triage[adv-main69+]

resolved by bug 1565466

Flags: needinfo?(agi)
Group: core-security-release
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: