Closed Bug 1718912 Opened 4 years ago Closed 3 years ago

Crash in [@ objc_msgSend | _NSKeyValueRetainedObservationInfoForObject]

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Version:
78 Branch
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: wsmwk, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, sec-high, Whiteboard: [tbird crash])

Crash Data

top 20 crash for Mac, Thunderbird 78.11.0

Crash report: https://crash-stats.mozilla.org/report/index/a5c62170-6815-484e-8236-3923a0210701

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 libobjc.A.dylib objc_msgSend 
1 Foundation _NSKeyValueRetainedObservationInfoForObject 
2 Foundation NSKeyValueWillChangeWithPerThreadPendingNotifications 
3 Foundation NSKeyValuePropertyIsEqual 
4 libobjc.A.dylib cache_getImp 
5  @0xe748a389723d0072 
6 QuartzCore CA::Layer::begin_change 
7 QuartzCore CA::Transaction::get_value 
8 QuartzCore CA::Layer::remove_sublayer 
9 QuartzCore CA::Layer::remove_from_superlayer
Severity: -- → S2

This spiked the same date as bug 1719219 -- two weeks after the release. Did we have a delayed roll-out of WR on Mac or something?

Keywords: csectype-uaf, sec-high

We don't have Web Render on ESR-78 so that link seems unlikely, though that is the kind of thing that might have gotten turned on with a roll-out.

Another instance of this crash in CI, based on latest Nightly.

Group: mail-core-security → gfx-core-security
Component: General → Graphics: Layers
Product: Thunderbird → Core
Version: 78 → 78 Branch

This doesn't seem very actionable based on where the main thread is (processing events). Markus, any thoughts?

Flags: needinfo?(mstange.moz)

Not even sure this is wr related. But I'm sure it's not related to the old layers system, which we've largely stopped using on mac.

Component: Graphics: Layers → Graphics: WebRender

It's happening during destruction of the native widget hierarchy. Maybe there's a dead CALayer still attached to a view.
I'm not sure how to act on this, other than through code inspection.

Flags: needinfo?(mstange.moz)
Crash Signature: [@ objc_msgSend | _NSKeyValueRetainedObservationInfoForObject] → [@ objc_msgSend | _NSKeyValueRetainedObservationInfoForObject] [@ _NSKeyValueRetainedObservationInfoForObject + 0x41]
Crash Signature: [@ objc_msgSend | _NSKeyValueRetainedObservationInfoForObject] [@ _NSKeyValueRetainedObservationInfoForObject + 0x41] → [@ objc_msgSend | _NSKeyValueRetainedObservationInfoForObject] [@ _NSKeyValueRetainedObservationInfoForObject + 0x41]
Keywords: stalled

bp-c0f47989-0cff-4e75-ae29-5a7f80210928 TB 91.1.0

Whiteboard: [tbird crash]
See Also: → 1734962

Like the other Thunderbird Mac crashes, the crash rate dropped to zero - only one bp-ac8bdba8-d653-4bed-aa9e-d05550211022 91.2.0 and, no surprise, also ja-JP-macos OS X 10.15

See Also: → 1718911

From a Thunderbird POV I don't see us making progress.
Feel free to reopen if you think it will be useful.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.