shutdown crash near null in [@ _gtk_settings_get_style_cascade]
Categories
(Core :: Widget: Gtk, defect)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected
firefox89 | --- | unaffected
firefox90 | --- | unaffected
firefox91 | --- | verified
firefox92 | --- | verified
People
(Reporter: tsmith, Assigned: glandium)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed][tbird crash])
Crash Data
Attachments
(2 files)
138 bytes, text/html
48 bytes, text/x-phabricator-request (pascalc: approval-mozilla-beta+)
Found while fuzzing m-c 20210625-b9a82200b994 (--enable-address-sanitizer --enable-fuzzing)
Marking as fuzzblocker. This was first found just over a week ago and we already have over 10,000 reports.
==9314==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f0541336361 bp 0x000000000001 sp 0x7ffcc26d13e0 T0)
==9314==The signal is caused by a READ memory access.
==9314==Hint: address points to the zero page.
#0 0x7f0541336361 in _gtk_settings_get_style_cascade debian/build/deb/gtk/../../../../gtk/gtksettings.c:1836:23
#1 0x7f05411ef074 in gtk_css_node_get_style_provider_or_null debian/build/deb/gtk/../../../../gtk/gtkcssnode.c:121:10
#2 0x7f05411ef074 in gtk_css_node_reposition debian/build/deb/gtk/../../../../gtk/gtkcssnode.c:778:11
#3 0x7f05413ff435 in gtk_widget_unparent debian/build/deb/gtk/../../../../gtk/gtkwidget.c:4706:3
#4 0x7f054118a716 in gtk_box_remove debian/build/deb/gtk/../../../../gtk/gtkbox.c:2633:4
#5 0x7f054084cf02 in g_cclosure_marshal_VOID__OBJECTv ../../../gobject/gmarshal.c:1910:3
#6 0x7f0540849a55 in _g_closure_invoke_va ../../../gobject/gclosure.c:873:7
#7 0x7f0540868b47 in g_signal_emit_valist ../../../gobject/gsignal.c:3408:8
#8 0x7f05408690f2 in g_signal_emit ../../../gobject/gsignal.c:3555:3
#9 0x7f05411d50eb in gtk_container_remove debian/build/deb/gtk/../../../../gtk/gtkcontainer.c:1906:3
#10 0x7f05413f5797 in gtk_widget_dispose debian/build/deb/gtk/../../../../gtk/gtkwidget.c:12151:5
#11 0x7f05408504d0 in g_object_run_dispose ../../../gobject/gobject.c:1226:3
#12 0x7f054118a66f in gtk_box_forall debian/build/deb/gtk/../../../../gtk/gtkbox.c:2675:3
#13 0x7f05411d6bc9 in gtk_container_destroy debian/build/deb/gtk/../../../../gtk/gtkcontainer.c:1701:3
#14 0x7f0540849707 in g_closure_invoke ../../../gobject/gclosure.c:810:7
#15 0x7f054085db04 in signal_emit_unlocked_R ../../../gobject/gsignal.c:3859:7
#16 0x7f0540868bbd in g_signal_emit_valist ../../../gobject/gsignal.c:3499:5
#17 0x7f05408690f2 in g_signal_emit ../../../gobject/gsignal.c:3555:3
#18 0x7f05413f586f in gtk_widget_dispose debian/build/deb/gtk/../../../../gtk/gtkwidget.c:12162:7
#19 0x7f05408504d0 in g_object_run_dispose ../../../gobject/gobject.c:1226:3
#20 0x7f0541401ce8 in gtk_window_forall debian/build/deb/gtk/../../../../gtk/gtkwindow.c:8745:6
#21 0x7f05411d6bc9 in gtk_container_destroy debian/build/deb/gtk/../../../../gtk/gtkcontainer.c:1701:3
#22 0x7f0540849801 in g_closure_invoke ../../../gobject/gclosure.c:810:7
#23 0x7f054085db04 in signal_emit_unlocked_R ../../../gobject/gsignal.c:3859:7
#24 0x7f0540868bbd in g_signal_emit_valist ../../../gobject/gsignal.c:3499:5
#25 0x7f05408690f2 in g_signal_emit ../../../gobject/gsignal.c:3555:3
#26 0x7f05413f586f in gtk_widget_dispose debian/build/deb/gtk/../../../../gtk/gtkwidget.c:12162:7
#27 0x7f05414094eb in gtk_window_dispose debian/build/deb/gtk/../../../../gtk/gtkwindow.c:3167:3
#28 0x7f05408504d0 in g_object_run_dispose ../../../gobject/gobject.c:1226:3
#29 0x7f05413ace70 in gtk_tooltip_dispose debian/build/deb/gtk/../../../../gtk/gtktooltip.c:222:7
#30 0x7f054084ec92 ../../../gobject/gobject.c:3461:7
#31 0x7f054084ec92 in g_object_unref ../../../gobject/gobject.c:3391:1
#32 0x7f0540849801 in g_closure_invoke ../../../gobject/gclosure.c:810:7
#33 0x7f054085d813 in signal_emit_unlocked_R ../../../gobject/gsignal.c:3743:8
#34 0x7f0540868bbd in g_signal_emit_valist ../../../gobject/gsignal.c:3499:5
#35 0x7f05408690f2 in g_signal_emit ../../../gobject/gsignal.c:3555:3
#36 0x7f0540f8d039 in gdk_display_close ../../../../gdk/gdkdisplay.c:397:7
#37 0x7f05307d16f4 in XREMain::~XREMain() /gecko/toolkit/xre/nsAppRunner.cpp:3389:7
#38 0x7f05307d1398 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5519:1
#39 0x563dd48a215a in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
#40 0x563dd48a215a in main /gecko/browser/app/nsBrowserApp.cpp:378:16
#41 0x7f0545bab0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#42 0x563dd47f2a49 in _start (/home/worker/builds/m-c-20210629092640-fuzzing-asan-opt/firefox+0x5ba49)
Comment 1•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210708154614-ab46ef66acce.
The bug appears to have been introduced in the following build range:
Start: 531323de1a48ea8a49a329fb22f08373e46df620 (20210625093436)
End: b9a82200b994f1d8c24f4cc2881b01f245c82757 (20210625215152)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=531323de1a48ea8a49a329fb22f08373e46df620&tochange=b9a82200b994f1d8c24f4cc2881b01f245c82757
Comment 2•3 years ago
#38 0x7f05307d1398 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5519:1
This line has been modified by:
41d6f4cf3ec38a5f854279049009d6fd30671585 Mike Hommey — Bug 1718131 - Close GdkDisplay in XREMain destructor. r=stransky
Comment 4•3 years ago
Mike, do you have some insight on what happens here? Thanks.
Assignee
Comment 5•3 years ago
Return of bug 1626536 :(
Assignee
Comment 6•3 years ago
It turns out calling gdk_display_close gets us a rematch of bug 1626536,
so remove the call that was added in bug 1718131, and adjust valgrind
suppressions accordingly.
Assignee
Comment 8•3 years ago
Comment on attachment 9231469 [details]
Bug 1719237 - Revert bug 1718131.
Beta/Release Uplift Approval Request
- User impact if declined: Shutdown crash on some Linux systems
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It removes code that was added in bug 1718131
- String changes made/needed: N/A
Comment 9•3 years ago
bugherder
Comment 10•3 years ago
Comment on attachment 9231469 [details]
Bug 1719237 - Revert bug 1718131.
Linux crash fix, regression introduced in 91, approved for uplift in 91.0b5, thanks.
Comment 11•3 years ago
bugherder uplift
Comment 12•3 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210716214302-38aa248ef576.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.