Closed Bug 1633112 Opened 4 years ago Closed 4 years ago

Crash in [@ GMut::EnsureInUse] through [@ mozilla::layers::WebRenderBridgeParent::AddPendingScrollPayload] with use-after-free

Categories

(Core :: Panning and Zooming, defect)

Unspecified
Windows 10
defect

Tracking


RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- unaffected
firefox75 --- fixed
firefox76 --- fixed

People

(Reporter: decoder, Assigned: sefeng)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

This bug is for crash report bp-98669b45-687a-4f10-b1f6-239970200306.

Top 10 frames of crashing thread:

0 mozglue.dll GMut::EnsureInUse memory/replace/phc/PHC.cpp:683
1 mozglue.dll replace_realloc memory/replace/phc/PHC.cpp:1117
2 mozglue.dll moz_xrealloc memory/mozalloc/mozalloc.cpp:72
3 xul.dll nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator> xpcom/ds/nsTArray-inl.h:191
4 xul.dll mozilla::layers::WebRenderBridgeParent::AddPendingScrollPayload gfx/layers/wr/WebRenderBridgeParent.cpp:1055
5 xul.dll mozilla::layers::APZCTreeManager::SampleForWebRender gfx/layers/apz/src/APZCTreeManager.cpp:722
6 xul.dll mozilla::layers::APZSampler::SampleForWebRender gfx/layers/apz/src/APZSampler.cpp:99
7 xul.dll static mozilla::layers::APZSampler::SampleForWebRender gfx/layers/apz/src/APZSampler.cpp:74
8 xul.dll apz_sample_transforms gfx/layers/apz/src/APZSampler.cpp:276
9 xul.dll webrender_bindings::bindings::{{impl}}::sample gfx/webrender_bindings/src/bindings.rs:975

PHC Free/Alloc Stacks:

Free stack:

#0    PLDHashTable::RemoveEntry(PLDHashEntryHdr*) (xul.pdb)
#1    mozilla::layers::WebRenderBridgeParent::RemovePendingScrollPayload(std::pair<mozilla::wr::PipelineId,mozilla::wr::Epoch> const&) (xul.pdb)
#2    mozilla::layers::CompositorBridgeParent::NotifyPipelineRendered(mozilla::wr::PipelineId const&, mozilla::wr::Epoch const&, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp&, mozilla::TimeStamp&, mozilla::TimeStamp&, mozilla::wr::RendererStats*) (xul.pdb)
#3    mozilla::wr::NotifyDidRender(mozilla::layers::CompositorBridgeParent*, RefPtr<const mozilla::wr::WebRenderPipelineInfo>, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, mozilla::TimeStamp, mozilla::TimeStamp, bool, mozilla::wr::RendererStats) (xul.pdb)
#4    RunnableFunction<void (*)(mozilla::layers::CompositorBridgeParent *, RefPtr<const mozilla::wr::WebRenderPipelineInfo>, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, mozilla::TimeStamp, mozilla::TimeStamp, bool, mozilla::wr::RendererStats),mozilla::Tuple<mozilla::layers::CompositorBridgeParent *,RefPtr<const mozilla::wr::WebRenderPipelineInfo>,mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>,mozilla::TimeStamp,mozilla::TimeStamp,mozilla::TimeStamp,bool,mozilla::wr::RendererStats> >::Run() (xul.pdb)
#5    MessageLoop::DoWork() (xul.pdb)
#6    base::MessagePumpForUI::DoRunLoop() (xul.pdb)
#7    base::MessagePumpWin::Run(base::MessagePump::Delegate*) (xul.pdb)
#8    MessageLoop::RunHandler() (xul.pdb)
#9    MessageLoop::Run() (xul.pdb)
#10    base::Thread::ThreadMain() (xul.pdb)
#11    `anonymous namespace'::ThreadFunc(void*) (xul.pdb)
#12    BaseThreadInitThunk (kernel32.pdb)
#13    patched_BaseThreadInitThunk(int, void*, void*) (mozglue.pdb)
#14    RtlUserThreadStart (ntdll.pdb)

Alloc stack:

#0    nsTArray_base<nsTArrayInfallibleAllocator,nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long long, unsigned long long) (xul.pdb)
#1    mozilla::layers::WebRenderBridgeParent::AddPendingScrollPayload(mozilla::layers::CompositionPayload&, std::pair<mozilla::wr::PipelineId,mozilla::wr::Epoch> const&) (xul.pdb)
#2    mozilla::layers::APZCTreeManager::SampleForWebRender(mozilla::wr::TransactionWrapper&, mozilla::TimeStamp const&, mozilla::wr::RenderRoot, nsTArray<mozilla::wr::WrPipelineIdAndEpoch> const*) (xul.pdb)
#3    mozilla::layers::APZSampler::SampleForWebRender(mozilla::wr::TransactionWrapper&, mozilla::wr::RenderRoot, nsTArray<mozilla::wr::WrPipelineIdAndEpoch> const*) (xul.pdb)
#4    static mozilla::layers::APZSampler::SampleForWebRender(mozilla::wr::WrWindowId const&, mozilla::wr::Transaction*, mozilla::wr::DocumentId const&, nsTArray<mozilla::wr::WrPipelineIdAndEpoch> const*) (xul.pdb)
#5    apz_sample_transforms(mozilla::wr::WrWindowId, mozilla::wr::Transaction*, mozilla::wr::DocumentId, nsTArray<mozilla::wr::WrPipelineIdAndEpoch> const*) (xul.pdb)
#6    webrender_bindings::bindings::{{impl}}::sample(webrender_bindings::bindings::SamplerCallback*, webrender_api::api::DocumentId, std::collections::hash::map::HashMap<webrender_api::api::PipelineId, webrender_api::api::Epoch, core::hash::BuildHasherDefault<fxhash::FxHasher>>*) (xul.pdb)
#7    webrender::render_backend::RenderBackend::update_document(webrender_api::api::DocumentId, alloc::vec::Vec<webrender_api::api::ResourceUpdate>, core::option::Option<webrender::scene_builder_thread::InternerUpdates>, alloc::vec::Vec<webrender_api::api::FrameMsg>, alloc::vec::Vec<webrender_api::api::NotificationRequest>, bool, bool, unsigned int*, webrender::profiler::BackendProfileCounters*, bool) (xul.pdb)
#8    webrender::render_backend::RenderBackend::run(webrender::profiler::BackendProfileCounters) (xul.pdb)
#9    std::sys_common::backtrace::__rust_begin_short_backtrace<closure-4,()>(webrender::renderer::{{impl}}::new::closure-4) (xul.pdb)
#10    core::ops::function::FnOnce::call_once<closure-0,()>(std::thread::{{impl}}::spawn_unchecked::closure-0*) (xul.pdb)
#11    alloc::boxed::{{impl}}::call_once<(),FnOnce<()>>() (xul.pdb)
#12    std::sys::windows::thread::{{impl}}::new::thread_start() (xul.pdb)
#13    BaseThreadInitThunk (kernel32.pdb)
#14    patched_BaseThreadInitThunk(int, void*, void*) (mozglue.pdb)
#15    RtlUserThreadStart (ntdll.pdb)

This is an older report from March that I only saw now but it might still be valid. If necessary, we can symbolize the alloc/free traces locally to get line numbers.

Flags: needinfo?(botond)
Blocks: PHC
Group: core-security → gfx-core-security

I don't think we need to worry about this.

There was a bug in https://phabricator.services.mozilla.com/D60046 where two threads accessed mPendingScrollPayloads at the same time, one adding and one removing for the same key, and since it wasn't thread safe, it caused this use-after-free.

The patch got landed (Feb 21), backed out (Feb 24), and we fixed and relanded it (March 12). This crash's build was 20200223214228, so it used the older version of the patch. And based on the graph, there are no further crashes. I think we are good here.

Fixed by the backout/reland in bug 1600793.

Thanks for double-checking!

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(botond)
Resolution: --- → FIXED
Assignee: nobody → sefeng
Target Milestone: --- → mozilla75
Group: gfx-core-security → core-security-release
Group: core-security-release
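The race described in the comments (one thread appending to the payload array stored in a mPendingScrollPayloads entry while another thread removes and frees that entry) is the classic shape of a use-after-free on a shared table. The following is an added example, not Gecko code and not the actual fix from bug 1600793: it models the table with a std::map guarded by a std::mutex and drives one adder and one remover on the same key, the way the alloc and free stacks above show the APZ sampler and compositor threads interacting. The type names CompositionPayload and PayloadKey and the functions Add, Remove, PendingCount and RunConcurrentAddRemove are stand-ins chosen for this example, not the real Gecko definitions.

```cpp
// Added example (not Gecko code): a minimal model of a pending-scroll-payload
// table shared between a sampler thread (adds) and a compositor thread
// (removes). Names are stand-ins for the Gecko types in the crash stack.
#include <cstdint>
#include <cstdio>
#include <map>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

struct CompositionPayload { uint32_t sequence; };

// Key shape follows the std::pair<PipelineId, Epoch> seen in the crash stack;
// plain integers stand in for the two Gecko id types.
using PayloadKey = std::pair<uint64_t, uint32_t>;

class PendingScrollPayloads {
 public:
  // Append under the lock. The vector may reallocate here (the realloc that
  // crashed in the report), so the table entry must not be freed concurrently.
  void Add(const CompositionPayload& aPayload, const PayloadKey& aKey) {
    std::lock_guard<std::mutex> lock(mMutex);
    mTable[aKey].push_back(aPayload);
  }

  // Remove the entry and hand the payloads back by value. Moving them out
  // under the lock means no caller ever holds a reference into storage that
  // another thread could free.
  std::vector<CompositionPayload> Remove(const PayloadKey& aKey) {
    std::lock_guard<std::mutex> lock(mMutex);
    auto it = mTable.find(aKey);
    if (it == mTable.end()) return {};
    std::vector<CompositionPayload> out = std::move(it->second);
    mTable.erase(it);
    return out;
  }

  size_t PendingCount(const PayloadKey& aKey) {
    std::lock_guard<std::mutex> lock(mMutex);
    auto it = mTable.find(aKey);
    return it == mTable.end() ? 0 : it->second.size();
  }

 private:
  std::mutex mMutex;
  std::map<PayloadKey, std::vector<CompositionPayload>> mTable;
};

// Drive one adder and one remover on the same key, as in the reported race.
// Returns the number of payloads accounted for (removed + still pending);
// with correct locking this always equals aNumAdds and nothing is lost.
size_t RunConcurrentAddRemove(uint32_t aNumAdds) {
  PendingScrollPayloads table;
  const PayloadKey key{/*PipelineId*/ 7, /*Epoch*/ 3};  // constructed key
  size_t removed = 0;  // written only by the remover, then by the drain below

  std::thread adder([&] {
    for (uint32_t i = 0; i < aNumAdds; ++i) {
      table.Add(CompositionPayload{i}, key);
    }
  });
  std::thread remover([&] {
    for (uint32_t i = 0; i < aNumAdds; ++i) {
      removed += table.Remove(key).size();
    }
  });
  adder.join();
  remover.join();
  // Drain whatever the remover did not catch after the adder finished.
  removed += table.Remove(key).size();
  return removed + table.PendingCount(key);
}

int main() {
  size_t seen = RunConcurrentAddRemove(10000);
  std::printf("payloads accounted for: %zu\n", seen);
  return seen == 10000 ? 0 : 1;
}
```

Without the mutex, the same two loops reproduce the pattern in the PHC stacks: the remover's erase frees the entry (PLDHashTable::RemoveEntry in the free stack) while the adder's push_back grows the array inside it (nsTArray EnsureCapacity in the alloc stack), and the realloc lands on freed memory. The design point beyond the lock itself is that Remove returns the payloads by value rather than a reference into the table, so the lock scope fully covers every access to the entry's storage.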