Closed Bug 1565466 Opened 1 year ago Closed 5 months ago

Intermittent <test-name> | application crashed [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()]

Categories

(GeckoView :: General, defect, P1, critical)

Unspecified
All
defect

Tracking

(firefox-esr60 unaffected, firefox-esr68 unaffected, firefox68 unaffected, firefox69 wontfix, firefox70 fixed, firefox71 fixed)

RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- wontfix
firefox70 --- fixed
firefox71 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: fluffyemily)

References

(Depends on 2 open bugs, Blocks 1 open bug)

Details

(Keywords: crash, intermittent-failure, regression, Whiteboard: [geckoview:m1909])

Crash Data

Attachments

(1 file)

Filed by: rgurzau [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=256100975&repo=autoland
Full log: https://queue.taskcluster.net/v1/task/cBEjOXmqRS-Gbp39HetG8Q/runs/0/artifacts/public/logs/live_backing.log


[task 2019-07-12T03:47:50.948Z] 03:47:50 INFO - SUITE-END | took 134s
[task 2019-07-12T03:47:51.670Z] 03:47:51 INFO - mozcrash Downloading symbols from: https://queue.taskcluster.net/v1/task/d8nbFgnGQ7KYopF3eLVMZw/artifacts/public/build/target.crashreporter-symbols.zip
[task 2019-07-12T03:47:55.113Z] 03:47:55 INFO - mozcrash Copy/paste: /builds/worker/workspace/build/linux64-minidump_stackwalk /tmp/tmpybsaSk/6be80166-8999-523a-e97c-e345a059a10e.dmp /tmp/tmpsEqydW
[task 2019-07-12T03:47:59.317Z] 03:47:59 INFO - mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/6be80166-8999-523a-e97c-e345a059a10e.dmp
[task 2019-07-12T03:47:59.318Z] 03:47:59 INFO - mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/6be80166-8999-523a-e97c-e345a059a10e.extra
[task 2019-07-12T03:47:59.325Z] 03:47:59 WARNING - PROCESS-CRASH | org.mozilla.geckoview.test.SelectionActionDelegateTest.paste[#text] | application crashed [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()]
[task 2019-07-12T03:47:59.325Z] 03:47:59 INFO - Crash dump filename: /tmp/tmpybsaSk/6be80166-8999-523a-e97c-e345a059a10e.dmp
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - Operating system: Android
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - 0.0.0 Linux 3.10.0+ #260 SMP PREEMPT Fri May 19 12:48:14 PDT 2017 x86_64
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - CPU: amd64
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - family 6 model 6 stepping 3
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - 4 CPUs
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - GPU: UNKNOWN
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - Crash reason: SIGSEGV /0x00000080
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - Crash address: 0x0
[task 2019-07-12T03:47:59.326Z] 03:47:59 INFO - Process uptime: not available
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - Thread 0 (crashed)
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - 0 libxul.so!mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run() [nsThreadUtils.h:d7a0f54d4db28226aa2c457c4867603b74b920e5 : 564 + 0x29]
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - rax = 0x0072f2f2f2f2f2f2 rdx = 0x0000000000000002
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - rcx = 0xe5e5e5e5e5e5e5e5 rbx = 0xe5e5e5e5e5e5e5e5
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - rsi = 0x0000000000000000 rdi = 0x00007fc2fd577400
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - rbp = 0x00007fffd839a650 rsp = 0x00007fffd839a5c0
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - r8 = 0x0000000000000000 r9 = 0x0000000000000000
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - r10 = 0x00007fc3332e7f70 r11 = 0x0000000000000246
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - r12 = 0x00007fffd839a610 r13 = 0x00007fc2fd577400
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - r14 = 0x00000000132d9d00 r15 = 0x00007fffd839a5c8
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - rip = 0x00007fc3161fa91a
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - Found by: given as instruction pointer in context
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - 1 libxul.so!long mozilla::jni::NativeStub<mozilla::java::GeckoThread::RunUiThreadCallback_t, GeckoThreadSupport, mozilla::jni::Args<> >::Wrap<&GeckoThreadSupport::RunUiThreadCallback>(_JNIEnv*, _jclass*) [Natives.h:d7a0f54d4db28226aa2c457c4867603b74b920e5 : 695 + 0xac]
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - rbx = 0x00007fc310746580 rbp = 0x00007fffd839a6a0
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - rsp = 0x00007fffd839a660 r12 = 0x00007fc310746580
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - r13 = 0x00007fc2fd577400 r14 = 0x00000000132d9d00
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - r15 = 0x00007fffd839a668 rip = 0x00007fc3161ef012
[task 2019-07-12T03:47:59.332Z] 03:47:59 INFO - Found by: call frame info

Type: -- → defect

Emily is working on a similar test crash in bug 1560641.

Assignee: nobody → etoop
Priority: -- → P1
See Also: → 1560641
Whiteboard: [geckoview:fenix:m7]
Duplicate of this bug: 1568715
Assignee: etoop → nobody
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
See Also: → 1569416

This still happening.

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: Intermittent org.mozilla.geckoview.test.SelectionActionDelegateTest.paste[#text] | application crashed [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()] → Intermittent <test-name> | application crashed [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()]
Duplicate of this bug: 1569346
Duplicate of this bug: 1569416
Duplicate of this bug: 1569555
Duplicate of this bug: 1569671
Duplicate of this bug: 1572402
Crash Signature: [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()] → [@ mozilla::detail::RunnableFunction<nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}>::Run()] [@ nsWindow::LayerViewSupport::OnDetach(already_AddRefed<mozilla::Runnable>)::{lambda()#1}::operator()() const ]

69 and 70=affected because the fix didn't fix the crash.

See Also: → 1574004

Emily, can you take another look at this test crash or help find an owner for it? Thanks!

Flags: needinfo?(etoop)

I've got some time to take a look at this again.

Assignee: nobody → etoop
Flags: needinfo?(etoop)

Adding this bug to GV's September sprint.

Whiteboard: [geckoview:fenix:m7] → [geckoview:m1909]

...the last patch.

Remove deadlock opportunity

Attachment #9090652 - Attachment description: Bug 1565466 - Move lock of window inside thread in `LayerViewSupport::OnDetach` and pop the `GeckoResult` from list of waiting results while we still have the initial lock in `LayerViewSupport::RecvScreenPixels`. This passes try, but then so did... → Bug 1565466 - Lock Window in `LayerViewSupport::OnDetach`
Pushed by etoop@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fdf8bd81fe14
Lock Window in `LayerViewSupport::OnDetach` r=snorp
Status: REOPENED → RESOLVED
Closed: 1 year ago5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

Emily, do you think your OnDetach fix could prevent real users crashes or just test crashes? It sounds worthwhile to uplift either way.

Flags: needinfo?(etoop)

(In reply to Intermittent Failures Robot from comment #25)

3 failures in 4408 pushes (0.001 failures/push) were associated with this bug in the last 7 days.
...
For more details, see:
https://treeherder.mozilla.org/intermittent-failures.html#/bugdetails?bug=1565466&startday=2019-09-02&endday=2019-09-08&tree=all

We can ignore those three test failures because they happened on 2019-09-03 and 2019-09-04, before Emily's fix landed on mozilla-central on 2019-09-06.

I think it is worth an uplift as it is a use after free, which is bad.

Flags: needinfo?(etoop)

Comment on attachment 9090652 [details]
Bug 1565466 - Lock Window in LayerViewSupport::OnDetach

Beta/Release Uplift Approval Request

  • User impact if declined: This is not causing any known crashes in the live environment, but this is a use after free situation which would cause an application crash if it occured.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is not causing any known crashes in the live environment
  • String changes made/needed:
Attachment #9090652 - Flags: approval-mozilla-beta?

Comment on attachment 9090652 [details]
Bug 1565466 - Lock Window in LayerViewSupport::OnDetach

Fixes a possible Android UAF. Approved for GV70.

Attachment #9090652 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
See Also: → 1584675
Depends on: 1584675
See Also: 1584675
Depends on: 1585538
You need to log in before you can comment on or make changes to this bug.