Bug 1593865 (Closed) - Opened 1 year ago, Closed 1 year ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:1099:16 in _$LT$servo_arc..RawOffsetArc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hf087ada73012f773

Categories: Core :: CSS Parsing and Computation, defect, P2
Status: VERIFIED FIXED
Target Milestone: mozilla72

Tracking Status:
firefox-esr68 --- unaffected
firefox70 --- wontfix
firefox71 --- verified
firefox72 --- verified

People: Reporter: jkratzer, Assigned: emilio
References: Blocks 2 open bugs, Regression
Details: 4 keywords, Whiteboard: [post-critsmash-triage][adv-main71+r]
Attachments: 4 files, 1 obsolete file

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 5647ec4ba6f2.

==11153==ERROR: AddressSanitizer: SEGV on unknown address 0x7f149e05b388 (pc 0x7f032dc80469 bp 0x7ffc0a2f0d70 sp 0x7ffc0a2f0d50 T0)
==11153==The signal is caused by a READ memory access.
    #0 0x7f032dc80468 in _$LT$servo_arc..RawOffsetArc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hf087ada73012f773 /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:1099:16
    #1 0x7f032dc80468 in core::ptr::real_drop_in_place::h4afa2fde0ebb96bc /rustc/625451e376bb2e5283fc4741caa0a3e8a2ca4d54/src/libcore/ptr/mod.rs:175
    #2 0x7f032dc80468 in style::gecko_bindings::sugar::ownership::HasArcFFI::release::h55d78793a3dbb6ba /builds/worker/workspace/build/src/servo/components/style/gecko_bindings/sugar/ownership.rs:113:88
    #3 0x7f032dc80468 in Servo_NamespaceRule_Release /builds/worker/workspace/build/src/servo/components/style/gecko/arc_types.rs:57:12
    #4 0x7f0326cb8d2a in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ServoArcTypeList.h:35:1
    #5 0x7f0326cb8d2a in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:373:36
    #6 0x7f0326cb8d2a in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79:7
    #7 0x7f0326cb8d2a in ~CSSNamespaceRule /builds/worker/workspace/build/src/layout/style/CSSNamespaceRule.cpp:15:40
    #8 0x7f0326cb8d2a in mozilla::dom::CSSNamespaceRule::~CSSNamespaceRule() /builds/worker/workspace/build/src/layout/style/CSSNamespaceRule.cpp:15:39
    #9 0x7f031d5c9811 in SuspectAfterShutdown(void*, nsCycleCollectionParticipant*, nsCycleCollectingAutoRefCnt*, bool*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3745:12
    #10 0x7f0326d4b122 in decr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsISupportsImpl.h:234:7
    #11 0x7f0326d4b122 in decr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsISupportsImpl.h:221:12
    #12 0x7f0326d4b122 in mozilla::css::Rule::Release() /builds/worker/workspace/build/src/layout/style/Rule.cpp:25:1
    #13 0x7f0326d4cd97 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:48:40
    #14 0x7f0326d4cd97 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:373:36
    #15 0x7f0326d4cd97 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79:7
    #16 0x7f0326d4cd97 in DropRule /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:122:1
    #17 0x7f0326d4cd97 in operator() /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:128:29
    #18 0x7f0326d4cd97 in EnumerateInstantiatedRules<(lambda at /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:128:7)> /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:114:7
    #19 0x7f0326d4cd97 in mozilla::ServoCSSRuleList::DropAllRules() /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:127:3
    #20 0x7f0326d4ff47 in ~ServoCSSRuleList /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:212:3
    #21 0x7f0326d4ff47 in mozilla::ServoCSSRuleList::~ServoCSSRuleList() /builds/worker/workspace/build/src/layout/style/ServoCSSRuleList.cpp:209:39
    #22 0x7f031d5c9811 in SuspectAfterShutdown(void*, nsCycleCollectionParticipant*, nsCycleCollectingAutoRefCnt*, bool*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3745:12
    #23 0x7f0326cb3612 in decr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsISupportsImpl.h:234:7
    #24 0x7f0326cb3612 in decr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsISupportsImpl.h:221:12
    #25 0x7f0326cb3612 in mozilla::dom::CSSRuleList::Release() /builds/worker/workspace/build/src/layout/style/CSSRuleList.cpp:22:1
    #26 0x7f0326d652a5 in mozilla::StyleSheet::Release() /builds/worker/workspace/build/src/layout/style/StyleSheet.cpp:183:1
    #27 0x7f0326da83bf in Release /builds/worker/workspace/build/src/layout/style/nsLayoutStylesheetCache.cpp:109:1
    #28 0x7f0326da83bf in AssignAssumingAddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPtr.h:167:15
    #29 0x7f0326da83bf in AssignWithAddref /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPtr.h:160:5
    #30 0x7f0326da83bf in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StaticPtr.h:120:5
    #31 0x7f0326da83bf in nsLayoutStylesheetCache::Shutdown() /builds/worker/workspace/build/src/layout/style/nsLayoutStylesheetCache.cpp:165:15
    #32 0x7f03279d481a in nsLayoutStatics::Shutdown() /builds/worker/workspace/build/src/layout/build/nsLayoutStatics.cpp:386:3
    #33 0x7f03279d4662 in Release /builds/worker/workspace/build/src/layout/build/nsLayoutStatics.h:44:31
    #34 0x7f03279d4662 in Shutdown /builds/worker/workspace/build/src/layout/build/nsLayoutModule.cpp:127:3
    #35 0x7f03279d4662 in nsLayoutModuleDtor() /builds/worker/workspace/build/src/layout/build/nsLayoutModule.cpp:256:3
    #36 0x7f031d7298a9 in nsComponentManagerImpl::Shutdown() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:941:3
    #37 0x7f031d7cd46a in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:724:55
    #38 0x7f032a92857c in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:223:3
    #39 0x7f031e9fb491 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:90:5
    #40 0x7f032a9291a4 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:773:16
    #41 0x55eada3d0cf0 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #42 0x55eada3d0cf0 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
    #43 0x7f03407dcb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:1099:16 in _$LT$servo_arc..RawOffsetArc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hf087ada73012f773
Flags: in-testsuite?

If you could have a pernosco session for this it'd be amazing, otherwise I can take a closer look tomorrow or some time this week.

Flags: needinfo?(emilio)

Smells like UAF to me...

Group: core-security

I couldn't reproduce locally on a fuzzing debug build with the following mozconfig:

MOZCONFIGS=/home/emilio/.mozconfigs
mk_add_options AUTOCLOBBER=1
ac_add_options --enable-address-sanitizer
ac_add_options --disable-jemalloc
ac_add_options --disable-crashreporter
ac_add_options --disable-elf-hack
 
export CFLAGS="-fsanitize=address -Dxmalloc=mymalloc -fPIC"
export CXXFLAGS="-fsanitize=address -Dxmalloc=mymalloc -fPIC"
export LDFLAGS="-fsanitize=address"
ac_add_options --enable-debug
ac_add_options --enable-fuzzing
ac_add_options --disable-optimize
if [ -z $ARTIFACT_BUILD ]; then
  if [ -z $ICECC ]; then
    export HOST_CC="/home/emilio/.mozbuild/clang/bin/clang"
    export HOST_CXX="/home/emilio/.mozbuild/clang/bin/clang++"
    export AS="/home/emilio/.mozbuild/clang/bin/clang"
    export CC="/home/emilio/.mozbuild/clang/bin/clang"
    export CXX="/home/emilio/.mozbuild/clang/bin/clang++"
    ac_add_options --with-ccache=sccache
  fi
fi
mk_add_options MOZ_OBJDIR=/home/emilio/src/moz/gecko-3/obj-asan-debug-fuzzing-noopt

And using ./mach run --setpref fuzzing.enabled=true testcase.html, multiple times, with various variations of FuzzingFunctions.cycleCollect() and FuzzingFunctions.garbageCollect() thrown in the mix.

Jason any way I can repro this?

Flags: needinfo?(emilio) → needinfo?(jkratzer)

Emilio, sorry for the delay. Here's a link to the pernosco session:

https://pernos.co/debug/db66fJXXff75pxrjgS4VBw/index.html

Flags: needinfo?(jkratzer)

It seems there's no C++ debuginfo in the trace? I cannot see C++ source or symbols, which makes inspecting the state of the program quite a pain.

Flags: needinfo?(jkratzer)
Priority: -- → P2
Attached file prefs.js
Flags: needinfo?(jkratzer)

This is stale pointers to shared memory. Can only happen on shutdown, but it seems scary anyway.

Regressed by: 1533569
Assignee: nobody → emilio

This turned out not to be the culprit, but it doesn't seem unreasonable for
DropAllRules -> DropRules -> cycle-collection-stuff that ends up reentering in
the parent rule list.

It seems safer to first remove from the array / move the array to the stack,
then free the pointer, than to leave dangling pointers while we iterate through
the array.

The existing code wasn't sound, as CSSOM objects also needed to go away before
the shared memory goes away (as they keep references to them).

This is sound assuming no presence of reference cycles introduced by CSSOM.

We may want to live with this and rely on chrome code not writing cycles like
this with UA stylesheet DOM objects.

We could explicitly drop all potentially-static objects... That seems pretty
error prone though.

Or we could also just leak the shared memory buffer, is there any reason why we
may not want to do that?

Seems less gnarly than the alternatives, and we'd only free it until shutdown so
not much worse, actually.

Can I have a security rating for this? This is the cycle-collector poking at unmapped shared memory after shutdown, so I don't think it is extremely dangerous. Also, content can't have references to the stylesheets that can trigger the bug, only chrome code (like InspectorUtils in the test-case can).

Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)
Group: core-security → layout-core-security

Will move the first patch somewhere else as it's not particularly related to this bug.

Comment on attachment 9106606 [details]
Bug 1593865 - More safely remove rules in ServoCSSRuleList.

Revision D51869 was moved to bug 1594471. Setting attachment 9106606 [details] to obsolete.

Attachment #9106606 - Attachment is obsolete: true

Landed as
https://hg.mozilla.org/integration/autoland/rev/6fd25e6c3d1a58782e34e8d7f53e995e03683036
https://hg.mozilla.org/integration/autoland/rev/40de560a7cadb4f2c5cb388aac0afebdab650827

Backed out for multiple failures on asan_malloc_linux.cc:
https://hg.mozilla.org/integration/autoland/rev/4dfacb8bd61a3c8eaedd93df7e2e7770db0cbfa2

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&resultStatus=pending%2Crunning%2Csuccess%2Csuperseded%2Cusercancel%2Cretry%2Ctestfailed%2Cbusted%2Cexception&searchStr=linux%2Casan&revision=40de560a7cadb4f2c5cb388aac0afebdab650827&selectedJob=274874439
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=274874439&repo=autoland

[task 2019-11-06T17:35:24.104Z] 17:35:24 INFO - REFTEST TEST-START | file:///builds/worker/workspace/build/tests/reftest/tests/dom/media/test/crashtests/convolver-memory-report-1.html
[task 2019-11-06T17:35:24.106Z] 17:35:24 INFO - REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/dom/media/test/crashtests/convolver-memory-report-1.html | 641 / 3732 (17%)
[task 2019-11-06T17:35:24.307Z] 17:35:24 INFO - =================================================================
[task 2019-11-06T17:35:24.310Z] 17:35:24 ERROR - ==1223==ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x7f51d58c9088
[task 2019-11-06T17:35:24.487Z] 17:35:24 INFO - #0 0x55982f92e68d in malloc_usable_size /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:198:3
[task 2019-11-06T17:35:24.490Z] 17:35:24 INFO - #1 0x55982f8b839d in Unwind /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h:115:5
[task 2019-11-06T17:35:24.492Z] 17:35:24 INFO - #2 0x55982f8b839d in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_allocator.cc:969:5
[task 2019-11-06T17:35:24.914Z] 17:35:24 INFO - #3 0x7f93ed17a6a4 in malloc_size_of::MallocSizeOfOps::malloc_size_of::h6e3f7ea9515de366 /builds/worker/workspace/build/src/servo/components/malloc_size_of/lib.rs:150:12
[task 2019-11-06T17:35:24.915Z] 17:35:24 INFO - #4 0x7f93ed17a6a4 in _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$malloc_size_of..MallocShallowSizeOf$GT$::shallow_size_of::h2330fce08dbb0044 /builds/worker/workspace/build/src/servo/components/malloc_size_of/lib.rs:379:17
[task 2019-11-06T17:35:24.915Z] 17:35:24 INFO - #5 0x7f93ed17a6a4 in style::stylesheets::rule_list::CssRules::size_of::h907edb8055059d4e /builds/worker/workspace/build/src/servo/components/style/stylesheets/rule_list.rs:50:20
[task 2019-11-06T17:35:25.044Z] 17:35:25 INFO - #6 0x7f93ed012a7e in style::stylesheets::stylesheet::StylesheetContents::size_of::he38cd2b8716e8121 /builds/worker/workspace/build/src/servo/components/style/stylesheets/stylesheet.rs:149:12
[task 2019-11-06T17:35:25.045Z] 17:35:25 INFO - #7 0x7f93ed012a7e in Servo_StyleSheet_SizeOfIncludingThis /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:1980:4
[task 2019-11-06T17:35:25.061Z] 17:35:25 INFO - #8 0x7f93e6dc5a98 in SizeOfIncludingThis /builds/worker/workspace/build/src/layout/style/StyleSheet.cpp:330:8
[task 2019-11-06T17:35:25.061Z] 17:35:25 INFO - #9 0x7f93e6dc5a98 in mozilla::StyleSheet::SizeOfIncludingThis(unsigned long (*)(void const*)) const /builds/worker/workspace/build/src/layout/style/StyleSheet.cpp:779:23
[task 2019-11-06T17:35:25.069Z] 17:35:25 INFO - #10 0x7f93e6e02af3 in nsLayoutStylesheetCache::SizeOfIncludingThis(unsigned long (*)(void const*)) const /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UserAgentStyleSheetList.h:23:1
[task 2019-11-06T17:35:25.069Z] 17:35:25 INFO - #11 0x7f93e6e0265b in nsLayoutStylesheetCache::CollectReports(nsIHandleReportCallback*, nsISupports*, bool) /builds/worker/workspace/build/src/layout/style/nsLayoutStylesheetCache.cpp:184:3
[task 2019-11-06T17:35:25.069Z] 17:35:25 INFO - #12 0x7f93e6e02f5e in non-virtual thunk to nsLayoutStylesheetCache::CollectReports(nsIHandleReportCallback*, nsISupports*, bool) /builds/worker/workspace/build/src/layout/style/nsLayoutStylesheetCache.cpp
[task 2019-11-06T17:35:25.077Z] 17:35:25 INFO - #13 0x7f93de46a79d in operator() /builds/worker/workspace/build/src/xpcom/base/nsMemoryReporterManager.cpp:1864:19
[task 2019-11-06T17:35:25.077Z] 17:35:25 INFO - #14 0x7f93de46a79d in mozilla::detail::RunnableFunction<nsMemoryReporterManager::DispatchReporter(nsIMemoryReporter*, bool, nsIHandleReportCallback*, nsISupports*, bool)::$_0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:564:5
[task 2019-11-06T17:35:25.093Z] 17:35:25 INFO - #15 0x7f93de5d7ab3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
[task 2019-11-06T17:35:25.093Z] 17:35:25 INFO - #16 0x7f93de5de611 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
[task 2019-11-06T17:35:25.094Z] 17:35:25 INFO - #17 0x7f93df70102c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
[task 2019-11-06T17:35:25.102Z] 17:35:25 INFO - #18 0x7f93df625242 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
[task 2019-11-06T17:35:25.103Z] 17:35:25 INFO - #19 0x7f93df625242 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
[task 2019-11-06T17:35:25.103Z] 17:35:25 INFO - #20 0x7f93df625242 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
[task 2019-11-06T17:35:25.107Z] 17:35:25 INFO - #21 0x7f93e690b448 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
[task 2019-11-06T17:35:25.107Z] 17:35:25 INFO - #22 0x7f93ea7bbb06 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
[task 2019-11-06T17:35:25.108Z] 17:35:25 INFO - #23 0x7f93df625242 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
[task 2019-11-06T17:35:25.109Z] 17:35:25 INFO - #24 0x7f93df625242 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
[task 2019-11-06T17:35:25.109Z] 17:35:25 INFO - #25 0x7f93df625242 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
[task 2019-11-06T17:35:25.110Z] 17:35:25 INFO - #26 0x7f93ea7bb3ba in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
[task 2019-11-06T17:35:25.110Z] 17:35:25 INFO - #27 0x55982f960882 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
[task 2019-11-06T17:35:25.110Z] 17:35:25 INFO - #28 0x55982f960882 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
[task 2019-11-06T17:35:25.189Z] 17:35:25 INFO - #29 0x7f93fedd982f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
[task 2019-11-06T17:35:25.190Z] 17:35:25 INFO - #30 0x55982f8b5d98 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x46d98)
[task 2019-11-06T17:35:25.190Z] 17:35:25 INFO - Address 0x7f51d58c9088 is a wild pointer.
[task 2019-11-06T17:35:25.190Z] 17:35:25 INFO - SUMMARY: AddressSanitizer: bad-malloc_usable_size /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:198:3 in malloc_usable_size

Flags: needinfo?(emilio)
Attachment #9106607 - Attachment description: Bug 1593865 - Simplify code for keeping alive shared memory until all sheets go away. → Bug 1593865 - Simplify code for keeping alive shared memory until all sheets go away. r=jwatt
Attachment #9106608 - Attachment description: Bug 1593865 - Leak shared memory for the lifetime of the process. → Bug 1593865 - Leak shared memory for the lifetime of the process. r=heycam
Flags: needinfo?(emilio)
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]

Does this need a Beta uplift request?

Flags: needinfo?(emilio)

Comment on attachment 9106607 [details]
Bug 1593865 - Simplify code for keeping alive shared memory until all sheets go away. r=jwatt

Beta/Release Uplift Approval Request

  • User impact if declined: Shutdown crashes
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Cleanup + leak shared memory to avoid using them too late after shutdown.
  • String changes made/needed: none
Flags: needinfo?(emilio)
Attachment #9106607 - Flags: approval-mozilla-beta?
Attachment #9106608 - Flags: approval-mozilla-beta?
QA Whiteboard: [qa-triaged]

Comment on attachment 9106607 [details]
Bug 1593865 - Simplify code for keeping alive shared memory until all sheets go away. r=jwatt

Fixes a shutdown crash, approved for 71.0b12.

Attachment #9106607 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9106608 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Hello!
Reproduced the issue using Bof asan build mozilla-central rev 5647ec4ba6f2 (Firefox 72.0a1, buildID 20191104214406) on Ubuntu 18.04 using the prefs.js and the test case provided.
The issue is verified fixed with asan Bof Firefox 72.0a1 (20191120234543) and asan Bof Firefox 71.0b12 (20191120205119) from comment 20 on Ubuntu 18.04.
Thanks Emilio for the provided STR and your time.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main71+r]
Group: core-security-release