Closed Bug 1693765 Opened 4 years ago Closed 3 years ago

Crash in [@ core::ptr::drop_in_place<T> | core::ptr::drop_in_place<T> | webrender_bindings::bindings::wr_api_delete] [@ wr_api_delete]

Categories

(Core :: Graphics: WebRender, defect, P2)

Tracking

RESOLVED DUPLICATE of bug 1704227
Tracking Status
firefox88 --- fixed
firefox89 --- fixed
firefox90 --- fixed

People

(Reporter: aryx, Unassigned)

Details

(Keywords: csectype-uaf, intermittent-failure, sec-high)

Observed during a central-as-early-beta simulation.

Failure log: https://treeherder.mozilla.org/logviewer?job_id=330502194&repo=try

[task 2021-02-19T11:36:57.599Z] 11:36:57     INFO -  TEST-START | dom/html/test/test_iframe_sandbox_popups_inheritance.html
[task 2021-02-19T11:37:17.904Z] 11:37:17     INFO -  wait for org.mozilla.geckoview.test complete; top activity=com.android.launcher3
[task 2021-02-19T11:37:17.904Z] 11:37:17     INFO -  runtestsremote.py | Application ran for: 0:01:24.959056
[task 2021-02-19T11:37:18.047Z] 11:37:18     INFO -  mozcrash Downloading symbols from: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/JmumlToQTmCRS2ZSAznRDQ/artifacts/public/build/en-US/target.crashreporter-symbols.zip
[task 2021-02-19T11:37:22.485Z] 11:37:22     INFO -  mozcrash Copy/paste: /builds/worker/fetches/minidump_stackwalk/minidump_stackwalk /tmp/tmpSkFJkc/04330c11-fd75-0a96-a2d9-6b15d9f8b16b.dmp /tmp/tmppL0ydR
[task 2021-02-19T11:37:26.612Z] 11:37:26     INFO -  mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/04330c11-fd75-0a96-a2d9-6b15d9f8b16b.dmp
[task 2021-02-19T11:37:26.613Z] 11:37:26     INFO -  mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/04330c11-fd75-0a96-a2d9-6b15d9f8b16b.extra
[task 2021-02-19T11:37:26.626Z] 11:37:26  WARNING -  PROCESS-CRASH | dom/html/test/test_iframe_sandbox_popups_inheritance.html | application crashed [@ wr_api_delete]
[task 2021-02-19T11:37:26.626Z] 11:37:26     INFO -  Crash dump filename: /tmp/tmpSkFJkc/04330c11-fd75-0a96-a2d9-6b15d9f8b16b.dmp
[task 2021-02-19T11:37:26.626Z] 11:37:26     INFO -  Operating system: Android
[task 2021-02-19T11:37:26.627Z] 11:37:26     INFO -                    0.0.0 Linux 3.10.0+ #260 SMP PREEMPT Fri May 19 12:48:14 PDT 2017 x86_64
[task 2021-02-19T11:37:26.627Z] 11:37:26     INFO -  CPU: amd64
[task 2021-02-19T11:37:26.627Z] 11:37:26     INFO -       family 6 model 6 stepping 3
[task 2021-02-19T11:37:26.627Z] 11:37:26     INFO -       4 CPUs
[task 2021-02-19T11:37:26.627Z] 11:37:26     INFO -  GPU: UNKNOWN
[task 2021-02-19T11:37:26.627Z] 11:37:26     INFO -  Crash reason:  SIGSEGV /0x00000080
[task 2021-02-19T11:37:26.627Z] 11:37:26     INFO -  Crash address: 0x0
[task 2021-02-19T11:37:26.627Z] 11:37:26     INFO -  Process uptime: not available
[task 2021-02-19T11:37:26.628Z] 11:37:26     INFO -  Thread 50 (crashed)
[task 2021-02-19T11:37:26.628Z] 11:37:26     INFO -   0  libxul.so!wr_api_delete [bindings.rs:8cdb00c1f8f9632ec6100800770692b5814283c0 : 1717 + 0xd8]
[task 2021-02-19T11:37:26.628Z] 11:37:26     INFO -      rax = 0xe5e5e5e5e5e5e5e5   rdx = 0x0000000000000000
[task 2021-02-19T11:37:26.628Z] 11:37:26     INFO -      rcx = 0x000076dd1f384bf0   rbx = 0x000076dcece6e200
[task 2021-02-19T11:37:26.628Z] 11:37:26     INFO -      rsi = 0x0000000000000081   rdi = 0x000076dd1cc00018
[task 2021-02-19T11:37:26.628Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349aab0
[task 2021-02-19T11:37:26.628Z] 11:37:26     INFO -       r8 = 0x0000000000000000    r9 = 0x0000000000000000
[task 2021-02-19T11:37:26.629Z] 11:37:26     INFO -      r10 = 0x0000000000000000   r11 = 0x0000000000000246
[task 2021-02-19T11:37:26.629Z] 11:37:26     INFO -      r12 = 0x000076dcef3bff20   r13 = 0xe5e5e5e5e5e5e5e5
[task 2021-02-19T11:37:26.629Z] 11:37:26     INFO -      r14 = 0x000076dcece6e230   r15 = 0x000076dcece6e238
[task 2021-02-19T11:37:26.629Z] 11:37:26     INFO -      rip = 0x000076dd007a6fec
[task 2021-02-19T11:37:26.629Z] 11:37:26     INFO -      Found by: given as instruction pointer in context
[task 2021-02-19T11:37:26.629Z] 11:37:26     INFO -   1  libmozglue.so!Allocator<MozJemallocBase>::malloc(unsigned long) [malloc_decls.h:8cdb00c1f8f9632ec6100800770692b5814283c0 : 51 + 0x23]
[task 2021-02-19T11:37:26.629Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ab50
[task 2021-02-19T11:37:26.630Z] 11:37:26     INFO -      rip = 0x000076dd043576db
[task 2021-02-19T11:37:26.630Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.630Z] 11:37:26     INFO -   2  libmozglue.so!mozilla::detail::MutexImpl::unlock() [Mutex_posix.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 121 + 0x5]
[task 2021-02-19T11:37:26.630Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349aba0
[task 2021-02-19T11:37:26.630Z] 11:37:26     INFO -      rip = 0x000076dd043baf0a
[task 2021-02-19T11:37:26.630Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.630Z] 11:37:26     INFO -   3  libxul.so!mozilla::wr::WebRenderAPI::~WebRenderAPI() [WebRenderAPI.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 444 + 0x9]
[task 2021-02-19T11:37:26.631Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349abe0
[task 2021-02-19T11:37:26.631Z] 11:37:26     INFO -      rip = 0x000076dcfd7214b5
[task 2021-02-19T11:37:26.631Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.631Z] 11:37:26     INFO -   4  libxul.so!mozilla::layers::WebRenderBridgeParent::ClearAnimationResources() [WebRenderBridgeParent.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 2471 + 0x2e]
[task 2021-02-19T11:37:26.631Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ac00
[task 2021-02-19T11:37:26.631Z] 11:37:26     INFO -      rip = 0x000076dcfd5e1ead
[task 2021-02-19T11:37:26.631Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.632Z] 11:37:26     INFO -   5  libxul.so!mozilla::wr::WebRenderAPI::Release() [WebRenderAPI.h:8cdb00c1f8f9632ec6100800770692b5814283c0 : 230 + 0x1e]
[task 2021-02-19T11:37:26.632Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ac40
[task 2021-02-19T11:37:26.632Z] 11:37:26     INFO -      rip = 0x000076dcfd5ed710
[task 2021-02-19T11:37:26.632Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.633Z] 11:37:26     INFO -   6  libxul.so!mozilla::layers::WebRenderBridgeParent::ClearResources() [WebRenderBridgeParent.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 2462 + 0xa]
[task 2021-02-19T11:37:26.633Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ac50
[task 2021-02-19T11:37:26.633Z] 11:37:26     INFO -      rip = 0x000076dcfd5de5aa
[task 2021-02-19T11:37:26.633Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.633Z] 11:37:26     INFO -   7  libc.so + 0x28db5
[task 2021-02-19T11:37:26.633Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ac60
[task 2021-02-19T11:37:26.633Z] 11:37:26     INFO -      rip = 0x000076dd1f322db5
[task 2021-02-19T11:37:26.633Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.634Z] 11:37:26     INFO -   8  libxul.so!mp4parse::read_sinf [lib.rs:8cdb00c1f8f9632ec6100800770692b5814283c0 : 3868 + 0x31a]
[task 2021-02-19T11:37:26.634Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ac80
[task 2021-02-19T11:37:26.634Z] 11:37:26     INFO -      rip = 0x000076dd00000009
[task 2021-02-19T11:37:26.634Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.634Z] 11:37:26     INFO -   9  libxul.so!mozilla::layers::WebRenderBridgeParent::HandleShutdown() [WebRenderBridgeParent.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 420 + 0x5]
[task 2021-02-19T11:37:26.634Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349acc0
[task 2021-02-19T11:37:26.634Z] 11:37:26     INFO -      rip = 0x000076dcfd5de2ef
[task 2021-02-19T11:37:26.634Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.635Z] 11:37:26     INFO -  10  libxul.so!mozilla::layers::PWebRenderBridgeParent::OnMessageReceived(IPC::Message const&) [PWebRenderBridgeParent.cpp: : 891 + 0xc]
[task 2021-02-19T11:37:26.635Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ace0
[task 2021-02-19T11:37:26.635Z] 11:37:26     INFO -      rip = 0x000076dcfd344322
[task 2021-02-19T11:37:26.635Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.635Z] 11:37:26     INFO -  11  libmozglue.so!RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::LeanLeft(RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::TreeNode) [rb.h:8cdb00c1f8f9632ec6100800770692b5814283c0 : 572 + 0x5]
[task 2021-02-19T11:37:26.635Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ad00
[task 2021-02-19T11:37:26.635Z] 11:37:26     INFO -      rip = 0x000076dd043575ee
[task 2021-02-19T11:37:26.635Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.636Z] 11:37:26     INFO -  12  libmozglue.so!RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::Insert(RedBlackTree<arena_chunk_map_t, ArenaRunTreeTrait>::TreeNode) [rb.h:8cdb00c1f8f9632ec6100800770692b5814283c0 : 377 + 0xa]
[task 2021-02-19T11:37:26.636Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ad30
[task 2021-02-19T11:37:26.636Z] 11:37:26     INFO -      rip = 0x000076dd04357449
[task 2021-02-19T11:37:26.636Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.636Z] 11:37:26     INFO -  13  libmozglue.so!arena_t::DallocSmall(arena_chunk_t*, void*, arena_chunk_map_t*) [mozjemalloc.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 3336 + 0xc]
[task 2021-02-19T11:37:26.636Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349adb0
[task 2021-02-19T11:37:26.636Z] 11:37:26     INFO -      rip = 0x000076dd043571a7
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -  14  libc.so + 0x8ac26
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ade0
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -      rip = 0x000076dd1f384c26
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -  15  libc.so + 0x8abf0
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349adf0
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -      rip = 0x000076dd1f384bf0
[task 2021-02-19T11:37:26.637Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.638Z] 11:37:26     INFO -  16  libmozglue.so!Allocator<MozJemallocBase>::free(void*) [malloc_decls.h:8cdb00c1f8f9632ec6100800770692b5814283c0 : 54 + 0x23]
[task 2021-02-19T11:37:26.638Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ae20
[task 2021-02-19T11:37:26.638Z] 11:37:26     INFO -      rip = 0x000076dd04357799
[task 2021-02-19T11:37:26.638Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.638Z] 11:37:26     INFO -  17  libxul.so!PLDHashTable::Search(void const*) const [PLDHashTable.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 496 + 0x3d]
[task 2021-02-19T11:37:26.638Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ae30
[task 2021-02-19T11:37:26.638Z] 11:37:26     INFO -      rip = 0x000076dcfcda3538
[task 2021-02-19T11:37:26.638Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -  18  libxul.so!mozilla::ipc::SharedMemory::Release() [SharedMemory.h:8cdb00c1f8f9632ec6100800770692b5814283c0 : 83 + 0x1c]
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ae40
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -      rip = 0x000076dcfd194dfc
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -  19  libxul.so + 0xe1b4c2
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349ae48
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -      rip = 0x000076dcfd1a44c2
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -  20  libxul.so!mozilla::layers::PCompositorManagerParent::OnMessageReceived(IPC::Message const&) [PCompositorManagerParent.cpp: : 205 + 0x10]
[task 2021-02-19T11:37:26.639Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349aeb0
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -      rip = 0x000076dcfd202669
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -  21  libc.so + 0x29175
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349aed0
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -      rip = 0x000076dd1f323175
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -  22  libxul.so!mozilla::ipc::MessageChannel::AddProfilerMarker(IPC::Message const&, mozilla::ipc::MessageDirection) [MessageChannel.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 2792 + 0xa]
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349af00
[task 2021-02-19T11:37:26.640Z] 11:37:26     INFO -      rip = 0x000076dcfd19c54a
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -  23  libmozglue.so!RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::LeanLeft(RedBlackTree<arena_chunk_map_t, ArenaAvailTreeTrait>::TreeNode) [rb.h:8cdb00c1f8f9632ec6100800770692b5814283c0 : 572 + 0x5]
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349af10
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -      rip = 0x000076dd0435a902
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -  24  libnss3.so!PR_GetCurrentThread [ptthread.c:8cdb00c1f8f9632ec6100800770692b5814283c0 : 640 + 0xb]
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349af20
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -      rip = 0x000076dd03fb46a5
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.641Z] 11:37:26     INFO -  25  libnss3.so!PR_GetCurrentThread [ptthread.c:8cdb00c1f8f9632ec6100800770692b5814283c0 : 640 + 0xb]
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349af30
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -      rip = 0x000076dd03fb46a5
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -  26  libxul.so!mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) [MessageChannel.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 2153 + 0xd]
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349af70
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -      rip = 0x000076dcfd19f377
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -  27  libxul.so!mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) [MessageChannel.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 2077 + 0x5]
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349afb0
[task 2021-02-19T11:37:26.642Z] 11:37:26     INFO -      rip = 0x000076dcfd19e937
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -  28  libxul.so!NS_TableDrivenQI(void*, nsID const&, void**, QITableEntry const*) [nsISupportsImpl.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 21 + 0x8]
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b030
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -      rip = 0x000076dcfcd8a21f
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -  29  libnss3.so!PR_GetCurrentThread [ptthread.c:8cdb00c1f8f9632ec6100800770692b5814283c0 : 640 + 0xb]
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b040
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -      rip = 0x000076dd03fb46a5
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.643Z] 11:37:26     INFO -  30  libxul.so!mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) [MessageChannel.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 1925 + 0xb]
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b080
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      rip = 0x000076dcfd19ed5d
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -  31  libxul.so!mozilla::ipc::MessageChannel::MessageTask::Run() [MessageChannel.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 1956 + 0xc]
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b0b0
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      rip = 0x000076dcfd19ef3f
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -  32  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 1148 + 0x12]
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b0d0
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      rip = 0x000076dcfcdee9f9
[task 2021-02-19T11:37:26.644Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -  33  libxul.so!mp4parse::read_sinf [lib.rs:8cdb00c1f8f9632ec6100800770692b5814283c0 : 3868 + 0x310]
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b0f0
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -      rip = 0x000076dcffffffff
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -  34  libxul.so!mp4parse::read_sinf [lib.rs:8cdb00c1f8f9632ec6100800770692b5814283c0 : 3868 + 0x311]
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b100
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -      rip = 0x000076dd00000000
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -  35  libxul.so!nsTimerImpl::Callback::~Callback() [nsTimerImpl.h:8cdb00c1f8f9632ec6100800770692b5814283c0 : 108 + 0x9]
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b140
[task 2021-02-19T11:37:26.645Z] 11:37:26     INFO -      rip = 0x000076dcfcdf3607
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -  36  libxul.so!nsTimerImpl::CancelImpl(bool) [nsTimerImpl.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 419 + 0x17]
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b150
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -      rip = 0x000076dcfcdf32c5
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -  37  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 548 + 0x11]
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b1a0
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -      rip = 0x000076dcfcdf0b21
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.646Z] 11:37:26     INFO -  38  libxul.so!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) [MessagePump.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 302 + 0xa]
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b1c0
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      rip = 0x000076dcfd1a0e84
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -  39  libnss3.so!pt_recvfrom_cont [ptio.c:8cdb00c1f8f9632ec6100800770692b5814283c0 : 987 + 0x2f]
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b1e0
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      rip = 0x000076dd03fb84c5
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -  40  libxul.so!MessageLoop::Run() [message_loop.cc:8cdb00c1f8f9632ec6100800770692b5814283c0 : 310 + 0xc]
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b200
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      rip = 0x000076dcfd171911
[task 2021-02-19T11:37:26.647Z] 11:37:26     INFO -      Found by: stack scanning
[task 2021-02-19T11:37:26.648Z] 11:37:26     INFO -  41  libxul.so!nsThread::ThreadFunc(void*) [nsThread.cpp:8cdb00c1f8f9632ec6100800770692b5814283c0 : 391 + 0x8]
[task 2021-02-19T11:37:26.648Z] 11:37:26     INFO -      rbp = 0xcbcbcbcbcbcbcbcb   rsp = 0x000076dcf349b230
[task 2021-02-19T11:37:26.648Z] 11:37:26     INFO -      rip = 0x000076dcfcded5c5
[task 2021-02-19T11:37:26.648Z] 11:37:26     INFO -      Found by: stack scanning

This doesn't look actionable, but it is a UAF.

Group: layout-core-security → gfx-core-security
Keywords: stalled

We are also seeing these for 88 betas on Windows 7, e.g. bp-8fb734b1-48ed-49e9-b4cd-776d60210330.

Crash Signature: [@ wr_api_delete] → [@ core::ptr::drop_in_place<T> | core::ptr::drop_in_place<T> | webrender_bindings::bindings::wr_api_delete] [@ wr_api_delete]
Keywords: stalled
Summary: Intermittent dom/html/test/test_iframe_sandbox_popups_inheritance.html | application crashed [@ wr_api_delete] → Crash in [@ core::ptr::drop_in_place<T> | core::ptr::drop_in_place<T> | webrender_bindings::bindings::wr_api_delete] [@ wr_api_delete]
Crash Signature: [@ core::ptr::drop_in_place<T> | core::ptr::drop_in_place<T> | webrender_bindings::bindings::wr_api_delete] [@ wr_api_delete] → [@ core::ptr::drop_in_place<T> | core::ptr::drop_in_place<T> | webrender_bindings::bindings::wr_api_delete] [@ core::ptr::drop_in_place<T> | webrender_bindings::bindings::wr_api_delete] [@ wr_api_delete]

Hey Jim, with the new info from Sebastian, is this no longer stalled?

Flags: needinfo?(jmathies)
Blocks: gfx-triage
Flags: needinfo?(jmathies)
No longer blocks: gfx-triage
Flags: needinfo?(aosmond)
Priority: -- → P2

Reviewing the crash report in comment 2, I believe this is a duplicate of bug 1704227. We'll see if it stops reproducing in nightly/beta in the wild now that it has landed.

My rationale:

WRSceneBuilder is the crashing thread, issuing a wr_finished_scene_build callback, where we try to get the CompositorBridgeParent for the window ID on said thread. In bug 1704227 I determined this was not thread safe, because without holding the mutex, we could destroy the WebRenderAPI reference when we close a window.

If we look at what the main and Compositor threads are doing, we see that we are recreating the widget, deallocating WebRenderBridgeParent (and WebRenderAPI), which will behave very similarly to closing a window for the purposes of bug 1704227.

Flags: needinfo?(aosmond)
Blocks: gfx-triage
No longer blocks: gfx-triage
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
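
The lifetime rule behind the rationale above, as an added C++ example that is not Gecko code and not the patch from bug 1704227: a thread that looks an object up by window ID must take its strong reference while the registry mutex is held, so a concurrent window close cannot free it mid-callback. `WindowRegistry`, `Api`, `lookup_raw`, `lookup` and `callback_during_close` are hypothetical names, and the two-thread interleaving is written out sequentially so the result is deterministic.

```cpp
// Added illustration; all names are hypothetical, none are Gecko identifiers.
#include <atomic>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <mutex>

// Stands in for a per-window renderer handle shared between threads.
struct Api {
    static std::atomic<int> live;  // how many Api objects currently exist
    uint64_t window_id;
    explicit Api(uint64_t id) : window_id(id) { ++live; }
    ~Api() { --live; }
};
std::atomic<int> Api::live{0};

class WindowRegistry {
    std::mutex mu_;
    std::map<uint64_t, std::shared_ptr<Api>> by_window_;

public:
    void add(uint64_t id) {
        std::lock_guard<std::mutex> guard(mu_);
        by_window_[id] = std::make_shared<Api>(id);
    }

    // Window close: drops the registry's reference to the handle.
    void remove(uint64_t id) {
        std::lock_guard<std::mutex> guard(mu_);
        by_window_.erase(id);
    }

    // Racy shape (shown for contrast, never called here): the raw pointer
    // outlives the lock, so a concurrent remove() can free the object
    // before the caller dereferences it.
    Api* lookup_raw(uint64_t id) {
        std::lock_guard<std::mutex> guard(mu_);
        auto it = by_window_.find(id);
        return it == by_window_.end() ? nullptr : it->second.get();
    }

    // Hardened shape: the strong reference is copied while the lock is
    // held, so the object stays alive until the caller lets go of it.
    std::shared_ptr<Api> lookup(uint64_t id) {
        std::lock_guard<std::mutex> guard(mu_);
        auto it = by_window_.find(id);
        if (it == by_window_.end()) return nullptr;
        return it->second;
    }
};

// A callback for window `id` that overlaps with that window being closed.
// Returns the id read through the handle after the close, or 0 if the
// window was already gone when the callback looked it up.
uint64_t callback_during_close(WindowRegistry& reg, uint64_t id) {
    std::shared_ptr<Api> api = reg.lookup(id);  // callback thread's step
    if (!api) return 0;
    reg.remove(id);                             // other thread closes window
    return api->window_id;                      // valid: we hold a reference
}

int main() {
    WindowRegistry reg;
    reg.add(7);
    std::printf("read id %llu\n",
                (unsigned long long)callback_during_close(reg, 7));
    std::printf("live handles after callback: %d\n", Api::live.load());
    return 0;
}
```

With `lookup_raw` in place of `lookup`, the read after `remove` would touch freed memory, which under a poisoning allocator shows up as fill patterns like the `0xe5e5e5e5e5e5e5e5` register values in the log above.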

We haven't seen a crash since bug 1704227 landed; the rationale in comment 4 explains why.

Group: gfx-core-security