Closed Bug 1719237 Opened 3 years ago Closed 3 years ago

shutdown crash near null in [@ _gtk_settings_get_style_cascade]

Categories

(Core :: Widget: Gtk, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
92 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox89 --- unaffected
firefox90 --- unaffected
firefox91 --- verified
firefox92 --- verified

People

(Reporter: tsmith, Assigned: glandium)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker][bugmon:bisected,confirmed][tbird crash])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing m-c 20210625-b9a82200b994 (--enable-address-sanitizer --enable-fuzzing)

Marking as fuzzblocker. This was first found just over a week ago and we already have over 10,000 reports.

==9314==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7f0541336361 bp 0x000000000001 sp 0x7ffcc26d13e0 T0)
==9314==The signal is caused by a READ memory access.
==9314==Hint: address points to the zero page.
    #0 0x7f0541336361 in _gtk_settings_get_style_cascade debian/build/deb/gtk/../../../../gtk/gtksettings.c:1836:23
    #1 0x7f05411ef074 in gtk_css_node_get_style_provider_or_null debian/build/deb/gtk/../../../../gtk/gtkcssnode.c:121:10
    #2 0x7f05411ef074 in gtk_css_node_reposition debian/build/deb/gtk/../../../../gtk/gtkcssnode.c:778:11
    #3 0x7f05413ff435 in gtk_widget_unparent debian/build/deb/gtk/../../../../gtk/gtkwidget.c:4706:3
    #4 0x7f054118a716 in gtk_box_remove debian/build/deb/gtk/../../../../gtk/gtkbox.c:2633:4
    #5 0x7f054084cf02 in g_cclosure_marshal_VOID__OBJECTv ../../../gobject/gmarshal.c:1910:3
    #6 0x7f0540849a55 in _g_closure_invoke_va ../../../gobject/gclosure.c:873:7
    #7 0x7f0540868b47 in g_signal_emit_valist ../../../gobject/gsignal.c:3408:8
    #8 0x7f05408690f2 in g_signal_emit ../../../gobject/gsignal.c:3555:3
    #9 0x7f05411d50eb in gtk_container_remove debian/build/deb/gtk/../../../../gtk/gtkcontainer.c:1906:3
    #10 0x7f05413f5797 in gtk_widget_dispose debian/build/deb/gtk/../../../../gtk/gtkwidget.c:12151:5
    #11 0x7f05408504d0 in g_object_run_dispose ../../../gobject/gobject.c:1226:3
    #12 0x7f054118a66f in gtk_box_forall debian/build/deb/gtk/../../../../gtk/gtkbox.c:2675:3
    #13 0x7f05411d6bc9 in gtk_container_destroy debian/build/deb/gtk/../../../../gtk/gtkcontainer.c:1701:3
    #14 0x7f0540849707 in g_closure_invoke ../../../gobject/gclosure.c:810:7
    #15 0x7f054085db04 in signal_emit_unlocked_R ../../../gobject/gsignal.c:3859:7
    #16 0x7f0540868bbd in g_signal_emit_valist ../../../gobject/gsignal.c:3499:5
    #17 0x7f05408690f2 in g_signal_emit ../../../gobject/gsignal.c:3555:3
    #18 0x7f05413f586f in gtk_widget_dispose debian/build/deb/gtk/../../../../gtk/gtkwidget.c:12162:7
    #19 0x7f05408504d0 in g_object_run_dispose ../../../gobject/gobject.c:1226:3
    #20 0x7f0541401ce8 in gtk_window_forall debian/build/deb/gtk/../../../../gtk/gtkwindow.c:8745:6
    #21 0x7f05411d6bc9 in gtk_container_destroy debian/build/deb/gtk/../../../../gtk/gtkcontainer.c:1701:3
    #22 0x7f0540849801 in g_closure_invoke ../../../gobject/gclosure.c:810:7
    #23 0x7f054085db04 in signal_emit_unlocked_R ../../../gobject/gsignal.c:3859:7
    #24 0x7f0540868bbd in g_signal_emit_valist ../../../gobject/gsignal.c:3499:5
    #25 0x7f05408690f2 in g_signal_emit ../../../gobject/gsignal.c:3555:3
    #26 0x7f05413f586f in gtk_widget_dispose debian/build/deb/gtk/../../../../gtk/gtkwidget.c:12162:7
    #27 0x7f05414094eb in gtk_window_dispose debian/build/deb/gtk/../../../../gtk/gtkwindow.c:3167:3
    #28 0x7f05408504d0 in g_object_run_dispose ../../../gobject/gobject.c:1226:3
    #29 0x7f05413ace70 in gtk_tooltip_dispose debian/build/deb/gtk/../../../../gtk/gtktooltip.c:222:7
    #30 0x7f054084ec92  ../../../gobject/gobject.c:3461:7
    #31 0x7f054084ec92 in g_object_unref ../../../gobject/gobject.c:3391:1
    #32 0x7f0540849801 in g_closure_invoke ../../../gobject/gclosure.c:810:7
    #33 0x7f054085d813 in signal_emit_unlocked_R ../../../gobject/gsignal.c:3743:8
    #34 0x7f0540868bbd in g_signal_emit_valist ../../../gobject/gsignal.c:3499:5
    #35 0x7f05408690f2 in g_signal_emit ../../../gobject/gsignal.c:3555:3
    #36 0x7f0540f8d039 in gdk_display_close ../../../../gdk/gdkdisplay.c:397:7
    #37 0x7f05307d16f4 in XREMain::~XREMain() /gecko/toolkit/xre/nsAppRunner.cpp:3389:7
    #38 0x7f05307d1398 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5519:1
    #39 0x563dd48a215a in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
    #40 0x563dd48a215a in main /gecko/browser/app/nsBrowserApp.cpp:378:16
    #41 0x7f0545bab0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #42 0x563dd47f2a49 in _start (/home/worker/builds/m-c-20210629092640-fuzzing-asan-opt/firefox+0x5ba49)
Severity: -- → S2
Flags: in-testsuite?
Blocks: domino
No longer blocks: grizzly

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210708154614-ab46ef66acce.
The bug appears to have been introduced in the following build range:

Start: 531323de1a48ea8a49a329fb22f08373e46df620 (20210625093436)
End: b9a82200b994f1d8c24f4cc2881b01f245c82757 (20210625215152)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=531323de1a48ea8a49a329fb22f08373e46df620&tochange=b9a82200b994f1d8c24f4cc2881b01f245c82757

Whiteboard: [fuzzblocker] → [fuzzblocker][bugmon:bisected,confirmed]

#38 0x7f05307d1398 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5519:1

This line has been modified by:

41d6f4cf3ec38a5f854279049009d6fd30671585 Mike Hommey — Bug 1718131 - Close GdkDisplay in XREMain destructor. r=stransky

Crash Signature: [@ _gtk_settings_get_style_cascade]
Keywords: regression
OS: Unspecified → Linux
Regressed by: 1718131
Hardware: Unspecified → x86_64
Has Regression Range: --- → yes
Whiteboard: [fuzzblocker][bugmon:bisected,confirmed] → [fuzzblocker][bugmon:bisected,confirmed][bugzilla
Whiteboard: [fuzzblocker][bugmon:bisected,confirmed][bugzilla → [fuzzblocker][bugmon:bisected,confirmed][tbird crash]

Mike, do you have some insight on what happens here? Thanks.

Flags: needinfo?(mh+mozilla)

Return of bug 1626536 :(

Assignee: nobody → mh+mozilla
Flags: needinfo?(mh+mozilla)

It turns out calling gdk_display_close gets us a rematch of bug 1626536,
so remove the call that was added in bug 1718131, and adjust valgrind
suppressions accordingly.

Comment on attachment 9231469 [details]
Bug 1719237 - Revert bug 1718131.

Beta/Release Uplift Approval Request

  • User impact if declined: Shutdown crash on some Linux systems
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It removes code that was added in bug 1718131
  • String changes made/needed: N/A
Attachment #9231469 - Flags: approval-mozilla-beta?
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 92 Branch

Comment on attachment 9231469 [details]
Bug 1719237 - Revert bug 1718131.

Linux crash fix, regression introduced in 91, approved for uplift in 91.0b5, thanks.

Attachment #9231469 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210716214302-38aa248ef576.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Crash Signature: [@ _gtk_settings_get_style_cascade] → [@ _gtk_settings_get_style_cascade] [@ wl_map_insert_at]