Crash in [@ objc_msgLookupSuper2]
Categories
(Core :: Widget: Cocoa, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | unaffected |
| firefox70 | --- | fixed |
People
(Reporter: marcia, Assigned: bugzilla)
References
Details
(5 keywords, Whiteboard: [post-critsmash-triage])
Crash Data
Attachments
(1 file)
Seen while looking at nightly crash triage. Both of these crash signatures are similar and have what looks to be potential UAF signatures. The crashes started in 20190724220024: https://bit.ly/2yeXn4M. Not sure where to bucket this one based on the stacks, some of which have image related stuff in them.
Possible regression range based on build id: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=69ac304560c98a733d44a0245fe9782dc6a465e2&tochange=1da5a37de0fd1695e96a9d5e7f59fbd84d8759b2
|
Reporter | |
Updated•5 years ago
|
|
||
Comment 1•5 years ago
|
||
Interesting that ignoring a couple random Fx52 crashes, this seems to have started in Fx67 AND ESR-60.7. Some security fix we uplifted? A build tool change?
@ _object_remove_assocations
60.7: bp-735d824f-e92f-459e-b976-c91b50190719
67: bp-f4a160dc-be01-4edd-acd9-932030190722
All these crashes seem to be on Mac 10.14 or 10.15
|
|
Reporter | |
Comment 2•5 years ago
|
||
Looks as if Matthew N hit one of the signatures in Bug 1569012. Timothy believes it is a regression from Bug 1521893. adding ni on Harry here as well because the spike in 70 seems to have started when he landed Bug 1521893. Would be interesting to know why we see crashes before that.
|
|
Reporter | |
Updated•5 years ago
|
|
Assignee | |
Comment 3•5 years ago
|
||
Looks like the crash signature is converging with bug 1569012. Marcia, would you say this bug's security flag makes it different enough to keep open? Otherwise it could probably be marked as a duplicate.
That said, I agree it's interesting that this crash affects Fx67 -- in bug 1569012, it seemed like this is a result of a patch I pushed to 70. The 67 crash complicates things a little.
|
|
Reporter | |
Comment 4•5 years ago
|
||
Harry - I think we should track all the signatures in this bug based on the large number of UAF signatures and the fact that it is rated a sec-high bug. Usually if it is a security issue we work in the security bug and not in a open one.
|
|
Reporter | |
Comment 5•5 years ago
|
||
The combination of these 4 signatures in 70 nightly is making this a topcrash. Adding the relevant keyword.
|
|
Assignee | |
Comment 7•5 years ago
|
||
Discussion in bug 1569012 is moving towards backing out https://hg.mozilla.org/mozilla-central/rev/4aead1eca8c65fab12771084a3be639564fc1b61 until this can be fixed. Who's the best person to needinfo about that? And is it best to do that here or over in bug 1569012?
|
|
Reporter | |
Comment 8•5 years ago
|
||
(In reply to Harry Twyford [:harry] from comment #7)
Discussion in bug 1569012 is moving towards backing out https://hg.mozilla.org/mozilla-central/rev/4aead1eca8c65fab12771084a3be639564fc1b61 until this can be fixed. Who's the best person to needinfo about that? And is it best to do that here or over in bug 1569012?
Sheriffs should be able to help us back that out - I can ping them in the IRC channel. I will add Matthew N and Timothy to this bug so that they are aware the signatures are UAFs.
|
|
Reporter | |
Comment 9•5 years ago
|
||
Adding Aryx - Can you work with Harry to help us back out the changeset in Comment 8?
|
||
Comment 10•5 years ago
|
||
Backed out part 2 of bug 1521893 to fix crashes (Bug 1568862):
https://hg.mozilla.org/integration/autoland/rev/4b23bb4e274c0c0d69b7be2d3cd6090a971a837e
|
||
Updated•5 years ago
|
|
|
Reporter | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 12•5 years ago
|
||
|
|
Assignee | |
Comment 13•5 years ago
|
||
The presence of nsMenuItemIconX::OnComplete in the crash signatures is very interesting. That method was only touched in the patch preceding the one that was backed out, and has been landed for two weeks longer: https://hg.mozilla.org/integration/autoland/rev/ab282375f89b
I took a look at it and realized there was some faulty logic in its error handling. I'm not entirely sure this will resolve the above issues, but it's a fix nonetheless!
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 14•5 years ago
|
||
Following the Security Approval Guide I'm trying to set the sec-approval flag but can't find it for the life of me. Maybe I'm missing a step? Marcia, can you please advise? The patch on Phabricator is approved and good-to-go.
|
|
Reporter | |
Comment 15•5 years ago
|
||
(In reply to Harry Twyford [:harry] from comment #14)
Following the Security Approval Guide I'm trying to set the
sec-approvalflag but can't find it for the life of me. Maybe I'm missing a step? Marcia, can you please advise? The patch on Phabricator is approved and good-to-go.
It's on the patch in the same spot as other approval flags. That being said, if it only affects Nightly, it doesn't need sec-approval.
|
|
||
Comment 16•5 years ago
|
||
|
|
Assignee | |
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Updated•4 years ago
|
Description
•