Closed Bug 1713973 Opened 1 year ago Closed 11 months ago

[Win32k lockdown] NS_GetComplexLineBreaks crash in [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | ThaiBreak]

Categories

(Core :: Layout: Text and Fonts, defect)

Unspecified
Windows 10
defect

Tracking

()

RESOLVED FIXED
95 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- disabled
firefox88 --- disabled
firefox89 --- disabled
firefox90 --- disabled
firefox91 --- disabled
firefox92 --- disabled
firefox93 --- disabled
firefox94 --- disabled
firefox95 --- fixed

People

(Reporter: cpeterson, Assigned: bobowen)

References

(Blocks 1 open bug)

Details

(Keywords: crash, Whiteboard: [not-a-fission-bug])

Crash Data

Attachments

(4 files, 3 obsolete files)

This crash seems to be Fission related. There had been only about one crash report per release cycle until Beta 90.0b started today. Just today we have already received 13 reports from 5 different installations and they all had Fission enabled.

All of the crashes are on Windows 10.

Crash report: https://crash-stats.mozilla.org/report/index/dcbfef71-4201-430e-b6f4-f62370210601

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0 ntdll.dll RtlpWaitOnCriticalSection 
1 ntdll.dll RtlpEnterCriticalSectionContended 
2 ntdll.dll RtlEnterCriticalSection 
3 gdi32full.dll long ThaiBreak 
4 gdi32full.dll ScriptBreak 
5 xul.dll NS_GetComplexLineBreaks intl/lwbrk/nsUniscribeBreaker.cpp:69
6 xul.dll mozilla::intl::LineBreaker::GetJISx4051Breaks intl/lwbrk/LineBreaker.cpp:1113
7 xul.dll nsLineBreaker::FlushCurrentWord dom/base/nsLineBreaker.cpp:83
8 xul.dll nsLineBreaker::Reset dom/base/nsLineBreaker.cpp:501
9 xul.dll BuildTextRunsScanner::FlushLineBreaks layout/generic/nsTextFrame.cpp:1679

Here is a similar NS_GetComplexLineBreaks crash:

Crash report: https://crash-stats.mozilla.org/report/index/a32d53ce-5df3-4a16-986c-fba590210601

Reason: EXCEPTION_ACCESS_VIOLATION_WRITE

Top 10 frames of crashing thread:

0 ntdll.dll RtlpWaitOnCriticalSection 
1 ntdll.dll RtlpEnterCriticalSectionContended 
2 ntdll.dll RtlEnterCriticalSection 
3 gdi32full.dll int UspInitMemory 
4 gdi32full.dll CUspShapingClient::AllocMem 
5 textshaping.dll textshaping.dll@0x999f 
6 textshaping.dll textshaping.dll@0x15888 
7 gdi32full.dll XLATEOBJ_piVector 
8 ntdll.dll LdrResolveDelayLoadedAPI 
9 textshaping.dll textshaping.dll@0x8919 
10 gdi32full.dll XLATEOBJ_piVector
11 gdi32full.dll ScriptBreak 
12 xul.dll NS_GetComplexLineBreaks intl/lwbrk/nsUniscribeBreaker.cpp:69
13 xul.dll mozilla::intl::LineBreaker::GetJISx4051Breaks intl/lwbrk/LineBreaker.cpp:1113
14 xul.dll nsLineBreaker::FlushCurrentWord dom/base/nsLineBreaker.cpp:83
15 xul.dll nsLineBreaker::Reset dom/base/nsLineBreaker.cpp:501
16 xul.dll BuildTextRunsScanner::FlushLineBreaks layout/generic/nsTextFrame.cpp:1679
Severity: -- → S2

Bob, is this related to win32k lockdown? I see "contentWin32kLockdownState":1 in the crash annotations...

nsUniscribeBreaker.cpp has code here to fall back to a non-Uniscribe code path, but that's Nightly-only.

Flags: needinfo?(bobowencode)

(In reply to Jonathan Kew (:jfkthame) from comment #1)

Bob, is this related to win32k lockdown? I see "contentWin32kLockdownState":1 in the crash annotations...

Sounds like this is a win32k sandboxing issue, not Fission.

Fission Milestone: ? → ---
Summary: Fission? NS_GetComplexLineBreaks crash in [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | ThaiBreak] → NS_GetComplexLineBreaks crash in [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | ThaiBreak]

(In reply to Jonathan Kew (:jfkthame) from comment #1)

Bob, is this related to win32k lockdown? I see "contentWin32kLockdownState":1 in the crash annotations...

nsUniscribeBreaker.cpp has code here to fall back to a non-Uniscribe code path, but that's Nightly-only.

Yes, it looks like people must have flipped the content win32k lockdown pref.
The pref has been there for a while, so it's possible that people have tried it before and crashed elsewhere, but now it works to a greater extent, but crashes if they hit this.

Flags: needinfo?(bobowencode)
Whiteboard: [not-a-fission-bug]
See Also: → 1707767

I had a problem and it does look like it is related to win32k lockdown. All is working fine now. Everything seemed to, sort of, work until I tried to open a tab in a container, bit it didn't always. Where the latest ones have one thing in common where I where the tab crashed every single time
I tried to access accounts.google.com.

I had enabled security.sandbox.content.win32k-disable. Seen this bug report, remembered I enabled it. Disabled and all is now working. Hope he crash reports are of use to whoever will be looking into this.

I'm on FF 90.0b9.

Related (multiple) crash reports:

bp-cd4f294c-8909-4ee3-857f-de4580210618 	18/06/2021, 12:32 	
bp-9efff08f-1a7c-49cd-a20c-1a8270210618 	18/06/2021, 12:32 	
bp-56ef3d01-c14f-4e76-ba69-545310210618 	18/06/2021, 12:29 	
bp-18bf83c5-26eb-4daf-84f5-6b9d90210618 	18/06/2021, 12:29 	
bp-37a26b19-e0e3-4666-9d93-cd6420210618 	18/06/2021, 12:21 	
bp-d028e681-a3d5-4289-b777-28e630210618 	18/06/2021, 12:19 	
bp-4a3f1d8c-5091-46cd-a4dc-d83420210618 	18/06/2021, 12:19 	
bp-8879d4f2-c0c4-434b-8391-649fd0210618 	18/06/2021, 12:18 	
bp-590f8647-102a-48d3-80fc-7a06d0210618 	18/06/2021, 12:17 	
bp-9f919eae-4e63-4bcf-97d9-b3b7e0210618 	18/06/2021, 12:17 	
bp-31ceba46-c859-464e-83bb-4a4730210617 	17/06/2021, 17:51 	
bp-49a4b65d-1442-4723-8a9d-45e880210617 	17/06/2021, 17:51 	
bp-215c71c8-a945-4b6b-8ed8-9f66c0210617 	17/06/2021, 17:51 	
bp-95dd0bba-3463-4285-99c0-fa1a40210617 	17/06/2021, 17:51 	
bp-96998fed-6c01-42ba-b6d9-2fa590210617 	17/06/2021, 17:51 	
bp-dbbfad14-1370-4f45-b220-ce0870210617 	17/06/2021, 17:51 	
bp-86aecfc0-cea3-411c-9bdf-ddd830210617 	17/06/2021, 17:51 	
bp-b27baac7-01a8-4fe2-a71b-c3db80210617 	17/06/2021, 17:51 	
bp-a99c232f-45ac-49d9-a9fc-d5a5c0210617 	17/06/2021, 17:51 	
bp-5f938042-9799-4b32-9b3a-9a5fb0210617 	17/06/2021, 17:51 	
bp-bce9623c-e8b9-4ec4-8aea-4c3600210617 	17/06/2021, 17:51 	
bp-5730703c-4750-465b-ba68-8f0720210617 	17/06/2021, 17:51 	
bp-7d5cdee9-712a-4318-9512-ff2fd0210617 	17/06/2021, 17:51 	
bp-dc431137-e6e0-4ce4-af16-5fd380210617 	17/06/2021, 17:51 	
bp-8c3533d8-dbc4-4a88-a4f9-7ecde0210617 	17/06/2021, 17:51 	
bp-ff32e4c0-0523-43ab-b3bd-a346d0210617 	17/06/2021, 17:51 	
bp-ed0f07ea-17a8-4584-acc7-618820210617 	17/06/2021, 17:51 	
bp-a13e818c-4275-486c-985e-71cae0210617 	17/06/2021, 17:51 	
bp-ac868e9a-1168-4122-8899-317260210617 	17/06/2021, 17:50 	
bp-6dc31c73-2e7b-4e3c-99cf-5264c0210617 	17/06/2021, 17:50 	
bp-5c1a8c73-33e2-415d-a217-65c570210617 	17/06/2021, 17:50 	
bp-fec59fdb-7954-4dc9-b2b5-e52100210617 	17/06/2021, 17:50 	
bp-ed874129-2246-45ff-a6f5-f7efb0210617 	17/06/2021, 17:50 	
bp-d1849b45-2c30-4626-a815-9484d0210617 	17/06/2021, 17:49 	
bp-00fbe052-732f-40c4-b801-0c7ec0210617 	17/06/2021, 17:48 	
bp-374e1ba1-dde5-40d0-b0ff-3687d0210617 	17/06/2021, 17:48 	
bp-de338bf0-bbeb-442e-8792-8a53f0210617 	17/06/2021, 17:48 	
bp-3552e5d9-e1ec-4d63-aea7-a3a0c0210617 	17/06/2021, 17:47 	
bp-9089670f-32ad-445d-9437-2d1c90210616 	16/06/2021, 17:40 	
bp-362d8f1c-d596-492a-a634-b226a0210616 	16/06/2021, 17:39 	

It was not Fission. Same crashes were occurring when I turned off Fission.

(In reply to Bob Owen (:bobowen) from comment #3)

Yes, it looks like people must have flipped the content win32k lockdown pref.

So to clarify, this crash doesn't affect the regular user population, right? This only affects folks who have manually toggled this about:config pref?

(Also, does that mean this belongs in a different component, or is it classified correctly?)

Flags: needinfo?(bobowencode)
Blocks: 1383524
Summary: NS_GetComplexLineBreaks crash in [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | ThaiBreak] → [Win32k lockdown] NS_GetComplexLineBreaks crash in [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | ThaiBreak]

(In reply to Daniel Holbert [:dholbert] from comment #6)

(In reply to Bob Owen (:bobowen) from comment #3)

Yes, it looks like people must have flipped the content win32k lockdown pref.

So to clarify, this crash doesn't affect the regular user population, right? This only affects folks who have manually toggled this about:config pref?

(Also, does that mean this belongs in a different component, or is it classified correctly?)

Yes this is with a pref flip, I guess it could be people using a profile from Nightly where they had used the Nightly Experiments to flip the pref. I'm not sure how easy that is to do any more.

Over the classification, because sandboxing tends to be cross-cutting this is a bit of a grey area.
It would be nice to get to a position where the sandboxing component is only used for bugs in the actual sandboxing code, as opposed to the effects of it. However it does often get used for bugs caused by code that then fails in components elsewhere.
This becomes even more murky when it is something we are working at turning on. :-)
Maybe we should think of having a separate sandboxing components for the code and its effects or a keyword adding, I'll raise at our meeting.

Flags: needinfo?(bobowencode)
Duplicate of this bug: 1721322
Duplicate of this bug: 1707767
Crash Signature: [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | ThaiBreak] [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | UspInitMemory] → [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | ThaiBreak] [@ RtlpWaitOnCriticalSection | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | UspInitMemory] [@ RtlpWaitOnCriticalSection | XLATEOBJ_p…

on nightly 92, scholar.google.com isn't affected with win32k lockdown, on 90 stable it did. It will crash even restored. See the crash report related to this bug

No longer blocks: 1383524

There are 20 crash reports from 2 installs of Firefox 92.0. They all have Fission enabled, "ContentSandboxWin32kState: Win32k Lockdown enabled", and locale ja.

Crash Signature: XLATEOBJ_piVector ] → XLATEOBJ_piVector ] [@ RtlpWaitOnCriticalSection | <unknown in gdi32full.dll> | RtlpEnterCriticalSectionContended | RtlEnterCriticalSection | UspInitMemory] [@ RtlpWaitOnCriticalSection | <unknown in gdi32full.dll> | RtlpEnterCriticalSectionContended |…
Crash Signature: | _tailMerge_d3dcompiler_47.dll | RtlEnterCriticalSection | UspInitMemory] → | _tailMerge_d3dcompiler_47.dll | RtlEnterCriticalSection | UspInitMemory] [@ RtlpWaitOnCriticalSection | <unknown in gdi32full.dll> | ScriptTokenize]
Assignee: nobody → bobowencode
Attachment #9243258 - Attachment is obsolete: true
Attached patch revised-chunking.patch (obsolete) — Splinter Review

Revised heuristic for chunk-overlap that has less risk of making errors near the boundary.

Depends on: 1736393
Duplicate of this bug: 1735276
Attachment #9243258 - Attachment is obsolete: false
Attachment #9243258 - Attachment description: WIP: Bug 1713973: WIP Line Breaking via chromium-sandbox IPC. → Bug 1713973 p2: Add Uniscribe Line Breaking via chromium-sandbox IPC. r=tkikuchi!,jfkthame!
Attachment #9246408 - Attachment is obsolete: true
Attachment #9246409 - Attachment is obsolete: true
Attachment #9246429 - Attachment is obsolete: true
Attachment #9247053 - Attachment description: Bug 1713973 p3: Use brokered complex line breaking when win32k lockdown is enabled. r=jfkthame! → Bug 1713973 p3: Use brokered complex line breaking when win32k lockdown is enabled. r=tkikuchi!,jfkthame!
Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/2f4ebffa454c
p1: Add caching for calls to NS_GetComplexLineBreaks. r=jfkthame
https://hg.mozilla.org/integration/autoland/rev/d37fc64caa47
p2: Add Uniscribe Line Breaking via chromium-sandbox IPC. r=tkikuchi,jfkthame
https://hg.mozilla.org/integration/autoland/rev/45862297ac71
p3: Use brokered complex line breaking when win32k lockdown is enabled. r=jfkthame,tkikuchi
https://hg.mozilla.org/integration/autoland/rev/5d9a715cee85
p4: Test brokered complex breaker against Uniscribe in content. r=jfkthame
Regressions: 1737914

Is it fixed in the latest Firefox Developer Edition ?
I still get an exception with gpu.sandbox set.

Can you confirm that you've got version 95.0b1?

Flags: needinfo?(nn1436401)

Yes.
The issue reproduces with the following settings:
security.sandbox.content.level 20
security.sandbox.gpu.level 1

Navigate to https://addons.mozilla.org/

Flags: needinfo?(nn1436401)
Flags: needinfo?(bobowencode)

(In reply to NN from comment #25)

Yes.
The issue reproduces with the following settings:
security.sandbox.content.level 20
security.sandbox.gpu.level 1

Navigate to https://addons.mozilla.org/

It's possible that you are still hitting a related problem, but this one was specifically to do with win32k lockdown.
It's great that you are testing these other settings though, please would you file a new bug (I'm guessing that https://addons.mozilla.org/ might trigger something for you because of your locale, for the steps to reproduce, it would be best if you used a page that doesn't depend on locale to trigger the issue, to make it easier to test).
Also any crash report links would be very useful.

Flags: needinfo?(bobowencode)
Depends on: 1740362
See Also: → 1739831
You need to log in before you can comment on or make changes to this bug.