Closed Bug 1676343 Opened 4 years ago Closed 2 years ago

Hard to explain macOS-specific use-after-free crashes on macOS 10.15 and older

Categories

(Core :: Memory Allocator, defect)

x86_64
macOS
defect

Tracking

RESOLVED FIXED

People

(Reporter: gsvelto, Unassigned)

References

Details

(Keywords: csectype-race, sec-moderate)

+++ This bug was initially created as a clone of Bug #1665411 +++

Follow-up to bug 1665411. It seems that my change there largely mitigated the problem on older versions of macOS but did not fix it. Filing this to fix the remaining issues.

The severity field is not set for this bug.
:glandium, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mh+mozilla)

On the one hand this is S1-kind-of-bad, but on the other hand the volume isn't huge, so maybe S2?

Depends on: 1681017

Repeating my last comment from bug 1654335 for public consumption:

I spent some time poring over these crashes again and there's something that suddenly jumped out: there are no crashes happening on macOS 11 under any of the signatures in the linked bugs. The only crash report I could find for macOS 11 has a different stack and isn't a UAF, so it's unrelated.

So this is very, very likely to be a bug in macOS 10.15 and older. Either in the POSIX thread library where mutexes are implemented or in the kernel-level mutexes. Given that the memory allocator is involved - because we're allocating/deallocating objects on the spot where we crash - it might be worth mentioning that the locks we use there pass different options to the macOS kernel compared to the pthread mutexes; so it might as well be a bug in how those two types of kernel-level mutexes interact.

Summary: Hard to explain macOS-specific use-after-free crashes on macOS 10.15+ → Hard to explain macOS-specific use-after-free crashes on macOS 10.15 and lower
Summary: Hard to explain macOS-specific use-after-free crashes on macOS 10.15 and lower → Hard to explain macOS-specific use-after-free crashes on macOS 10.15 and older
Depends on: 1688587
Depends on: 1689981
Severity: -- → S2
Flags: needinfo?(mh+mozilla)

Moving to Memory Allocator.

Component: mozglue → Memory Allocator

I'm going over the remaining crashes and it seems that indeed bug 1784018 fixed them. The last few UAF-like crashes we have on file happened on versions prior to landing that patch, after that there are no more. Once we close bug 1689981 (which is sec so requires a bit of extra work) we can close this as fixed.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled