Closed Bug 1696312 Opened 3 years ago Closed 3 years ago

heap-use-after-free in [@ webrender::compositor::sw_compositor::SwCompositeGraphNode::take_band]

Categories

(Core :: Graphics: WebRender, defect)

Tracking

RESOLVED FIXED
88 Branch
Tracking Status
thunderbird_esr78 --- unaffected
firefox-esr78 --- unaffected
firefox86 --- unaffected
firefox87 --- unaffected
firefox88 --- fixed

People

(Reporter: tsmith, Assigned: lsalzman)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [sec-survey][post-critsmash-triage])

Attachments

(1 file)

Only reported once by fuzzers so far with m-c 20210302-b2c9624b48f0.

I cannot reproduce with the reported test case.

==21863==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00037d09e at pc 0x7f9cb057fdfc bp 0x7f9c6f78a9d0 sp 0x7f9c6f78a9c8
WRITE of size 1 at 0x60d00037d09e thread T86 (SwComposite)
    #0 0x7f9cb057fdfb in core::sync::atomic::atomic_add::h20ea5ea9c11d9d9f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/sync/atomic.rs:2389:23
    #1 0x7f9cb057fdfb in core::sync::atomic::AtomicU8::fetch_add::hbb201debaf82ae1e /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/sync/atomic.rs:1722:30
    #2 0x7f9cb057fdfb in webrender::compositor::sw_compositor::SwCompositeGraphNode::take_band::h7840f9ea46220e69 /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:560:26
    #3 0x7f9cb057fdfb in webrender::compositor::sw_compositor::SwCompositeThread::try_take_job::h72963a36da1d7941 /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:751:33
    #4 0x7f9cb057fdfb in webrender::compositor::sw_compositor::SwCompositeThread::take_job::hf1bd257dbebee0f9 /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:770:36
    #5 0x7f9cb057f4aa in webrender::compositor::sw_compositor::SwCompositeThread::new::_$u7b$$u7b$closure$u7d$$u7d$::hc314024c265daa9d /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:652:47
    #6 0x7f9cb057f4aa in std::sys_common::backtrace::__rust_begin_short_backtrace::he4ef15832560245b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
    #7 0x7f9cb057f007 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h6b00b043309263e9 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:474:17
    #8 0x7f9cb057f007 in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h010f5050f4ea8917 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:322:9
    #9 0x7f9cb057f007 in std::panicking::try::do_call::ha40af360a51109bb /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:381:40
    #10 0x7f9cb057f007 in std::panicking::try::h30dae83f951d7014 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panicking.rs:345:19
    #11 0x7f9cb057f007 in std::panic::catch_unwind::hc1d3836dcb3358f2 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/panic.rs:396:14
    #12 0x7f9cb057f007 in std::thread::Builder::spawn_unchecked::_$u7b$$u7b$closure$u7d$$u7d$::h25e5203b49ce6cca /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/thread/mod.rs:473:30
    #13 0x7f9cb057f007 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::h7d34da4d4b626022 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
    #14 0x7f9cae9feef4 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h9e7afb7a0a438236 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #15 0x7f9cae9feef4 in _$LT$alloc..boxed..Box$LT$F$C$A$GT$$u20$as$u20$core..ops..function..FnOnce$LT$Args$GT$$GT$::call_once::h70c646c4271337a1 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/alloc/src/boxed.rs:1307:9
    #16 0x7f9cae9feef4 in std::sys::unix::thread::Thread::new::thread_start::h35d2b8d36f210d02 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/sys/unix/thread.rs:71:17
    #17 0x7f9cbf5cf608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #18 0x7f9cbf198292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60d00037d09e is located 142 bytes inside of 144-byte region [0x60d00037d010,0x60d00037d0a0)
freed by thread T51 (Renderer) here:
    #0 0x5566cf58efad in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7f9cb07d1453 in _$LT$alloc..sync..Arc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hc424df90c6a8d36d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/sync.rs:1471:13
    #2 0x7f9cb07d1453 in core::ptr::drop_in_place::hc63064f4cf7aec49 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #3 0x7f9cb07d1453 in core::ptr::drop_in_place::h30e6d34f257d1079 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #4 0x7f9cb07d1453 in core::ptr::drop_in_place::h818f47fcb24884bb /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
    #5 0x7f9cb07d1453 in _$LT$webrender..compositor..sw_compositor..SwCompositor$u20$as$u20$webrender..composite..Compositor$GT$::destroy_tile::h3eaacf260ab95e3c /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:1424:13
    #6 0x7f9cb06f64ef in webrender::renderer::Renderer::update_native_surfaces::h085b6ee1f6a38096 /gecko/gfx/wr/webrender/src/renderer/mod.rs:4278:29
    #7 0x7f9cb0715224 in webrender::renderer::Renderer::render_impl::haaab4f61b5bcc954 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2111:13
    #8 0x7f9cb0736e64 in webrender::renderer::Renderer::render::h845e2e42e61a5df0 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1886:30
    #9 0x7f9cb09a474e in wr_renderer_render /gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #10 0x7f9ca209a10e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #11 0x7f9ca2098852 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:482:31
    #12 0x7f9ca20979ee in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:337:3
    #13 0x7f9ca20afc16 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #14 0x7f9ca20afc16 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #15 0x7f9ca20afc16 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #16 0x7f9ca02d4c97 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #17 0x7f9ca02d59fe in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #18 0x7f9ca02d629b in MessageLoop::DoWork() /gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #19 0x7f9ca02d7596 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #20 0x7f9ca02d4841 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #21 0x7f9ca02d4841 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #22 0x7f9ca02d4841 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #23 0x7f9ca02f2b48 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #24 0x7f9ca02e673c in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #25 0x7f9cbf5cf608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T51 (Renderer) here:
    #0 0x5566cf58f22d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f9cb07d1a0b in alloc::alloc::alloc::ha5d8a14cce03bc63 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:84:14
    #2 0x7f9cb07d1a0b in alloc::alloc::Global::alloc_impl::h1db8143211b9bb91 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:164:73
    #3 0x7f9cb07d1a0b in _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..AllocRef$GT$::alloc::h982bde6b3a4ffa5c /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:224:9
    #4 0x7f9cb07d1a0b in alloc::alloc::exchange_malloc::h7da272848c4b14e1 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:314:11
    #5 0x7f9cb07d1a0b in alloc::sync::Arc$LT$T$GT$::new::hc6fe01f5e9e5f042 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/sync.rs:330:25
    #6 0x7f9cb07d1a0b in webrender::compositor::sw_compositor::SwCompositeGraphNodeRef::new::he4e1c278964a88ec /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:460:33
    #7 0x7f9cb07d1a0b in webrender::compositor::sw_compositor::SwCompositeGraphNode::new::h6484d7ec50910cf1 /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:520:9
    #8 0x7f9cb07d1a0b in webrender::compositor::sw_compositor::SwTile::new::h099466dd86a7fe62 /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:56:25
    #9 0x7f9cb07d1a0b in _$LT$webrender..compositor..sw_compositor..SwCompositor$u20$as$u20$webrender..composite..Compositor$GT$::create_tile::h12c68f85cb8f6b52 /gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:1364:28
    #10 0x7f9cb06f686a in webrender::renderer::Renderer::update_native_surfaces::h085b6ee1f6a38096 /gecko/gfx/wr/webrender/src/renderer/mod.rs:4275:29
    #11 0x7f9cb0715224 in webrender::renderer::Renderer::render_impl::haaab4f61b5bcc954 /gecko/gfx/wr/webrender/src/renderer/mod.rs:2111:13
    #12 0x7f9cb0736e64 in webrender::renderer::Renderer::render::h845e2e42e61a5df0 /gecko/gfx/wr/webrender/src/renderer/mod.rs:1886:30
    #13 0x7f9cb09a474e in wr_renderer_render /gecko/gfx/webrender_bindings/src/bindings.rs:637:11
    #14 0x7f9ca209a10e in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /gecko/gfx/webrender_bindings/RendererOGL.cpp:186:8
    #15 0x7f9ca2098852 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /gecko/gfx/webrender_bindings/RenderThread.cpp:482:31
    #16 0x7f9ca20979ee in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /gecko/gfx/webrender_bindings/RenderThread.cpp:337:3
    #17 0x7f9ca20afc16 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0, 1> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
    #18 0x7f9ca20afc16 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
    #19 0x7f9ca20afc16 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
    #20 0x7f9ca02d4c97 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /gecko/ipc/chromium/src/base/message_loop.cc:468:11
    #21 0x7f9ca02d59fe in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /gecko/ipc/chromium/src/base/message_loop.cc:477:5
    #22 0x7f9ca02d629b in MessageLoop::DoWork() /gecko/ipc/chromium/src/base/message_loop.cc:552:13
    #23 0x7f9ca02d7596 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
    #24 0x7f9ca02d4841 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #25 0x7f9ca02d4841 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #26 0x7f9ca02d4841 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #27 0x7f9ca02f2b48 in base::Thread::ThreadMain() /gecko/ipc/chromium/src/base/thread.cc:191:16
    #28 0x7f9ca02e673c in ThreadFunc(void*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #29 0x7f9cbf5cf608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8

Thread T86 (SwComposite) created by T51 (Renderer) here:
    #0 0x5566cf579c9a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f9cae9fec61 in std::sys::unix::thread::Thread::new::h22569b440084b552 /rustc/74f7e32f43b5fb0f83896d124566d8242eb786b1/library/std/src/sys/unix/thread.rs:50:19

Thread T51 (Renderer) created by T0 here:
    #0 0x5566cf579c9a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7f9ca02e0c2c in CreateThread /gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f9ca02e0c2c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f9ca02f236d in base::Thread::StartWithOptions(base::Thread::Options const&) /gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f9ca20945e1 in mozilla::wr::RenderThread::Start() /gecko/gfx/webrender_bindings/RenderThread.cpp:90:16
    #5 0x7f9ca1e085a9 in gfxPlatform::InitLayersIPC() /gecko/gfx/thebes/gfxPlatform.cpp:1321:7
    #6 0x7f9ca1e03fc1 in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:962:3
    #7 0x7f9ca1e0291b in gfxPlatform::GetPlatform() /gecko/gfx/thebes/gfxPlatform.cpp:483:5
    #8 0x7f9ca6b0b70c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /gecko/widget/GfxInfoBase.cpp:1766:25
    #9 0x7f9c9f1f0841 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #10 0x7f9ca118982a in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1623:10
    #11 0x7f9ca118982a in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1176:19
    #12 0x7f9ca118982a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1142:23
    #13 0x7f9ca118f1b5 in GetAttribute /gecko/js/xpconnect/src/xpcprivate.h:1468:12
    #14 0x7f9ca118f1b5 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
    #15 0x7f9caa86b0f6 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:435:13
    #16 0x7f9caa86b0f6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:520:12
    #17 0x7f9caa86ce8e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:10
    #18 0x7f9caa86d10b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:597:8
    #19 0x7f9caa86e668 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:721:10
    #20 0x7f9caad93937 in CallGetter /gecko/js/src/vm/NativeObject.cpp:2104:12
    #21 0x7f9caad93937 in GetExistingProperty<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2134:12
    #22 0x7f9caad93937 in NativeGetPropertyInline<js::CanGC> /gecko/js/src/vm/NativeObject.cpp:2278:14
    #23 0x7f9caad93937 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2308:10
    #24 0x7f9caa858b18 in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:116:10
    #25 0x7f9caa858b18 in GetObjectElementOperation /gecko/js/src/vm/Interpreter-inl.h:453:10
    #26 0x7f9caa858b18 in GetElementOperationWithStackIndex /gecko/js/src/vm/Interpreter-inl.h:560:10
    #27 0x7f9caa858b18 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3050:14
    #28 0x7f9caa839ee3 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:405:13
    #29 0x7f9caa86b226 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:552:13
    #30 0x7f9caa86ce8e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:10
    #31 0x7f9caa86d10b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:597:8
    #32 0x7f9cab0e6970 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2800:10
    #33 0x7f9ca117c621 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:970:17
    #34 0x7f9c9f1f2190 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #35 0x7f9c9f1f0f2a in SharedStub (/home/worker/builds/m-c-20210302134918-fuzzing-asan-opt/libxul.so+0x508df2a)
    #36 0x7f9c9f157eb8 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:689:19
    #37 0x7f9caa62e082 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:1004:11
    #38 0x7f9caa609b39 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5013:18
    #39 0x7f9caa60d0ee in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5471:8
    #40 0x7f9caa60dce3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5534:21
    #41 0x5566cf5c23e2 in do_main /gecko/browser/app/nsBrowserApp.cpp:220:22
    #42 0x5566cf5c23e2 in main /gecko/browser/app/nsBrowserApp.cpp:347:16
    #43 0x7f9cbf09d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Keywords: sec-high
Blocks: gfx-triage
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED
Blocks: sw-wr-stability
No longer blocks: gfx-triage

This only affects nightly and only when SW-WR is enabled.

Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch

As part of a security bug pattern analysis, we are requesting your help with a high-level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this Google form to reply.

Flags: needinfo?(lsalzman)
Whiteboard: [sec-survey]
Flags: needinfo?(lsalzman)
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][post-critsmash-triage]
Group: core-security-release