Closed
Bug 1730445
Opened 3 years ago
Closed 7 months ago
Intermittent Assertion failure: page.mBaseAddr == aPtr, at /builds/worker/checkouts/gecko/memory/replace/phc/PHC.cpp:779
Categories
(Core :: Widget: Cocoa, defect, P3)
Core
Widget: Cocoa
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: intermittent-bug-filer, Unassigned)
References
(Depends on 1 open bug)
Details
(Keywords: assertion, intermittent-failure, sec-high, Whiteboard: [needs 1741905 fixed to make progress])
Crash Data
Attachments
(1 obsolete file)
Filed by: ctuns [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=351344919&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/QW7SKBGgTjSEPS_91wx7lg/runs/0/artifacts/public/logs/live_backing.log
[task 2021-09-13T05:50:05.196Z] 05:50:05 INFO - TEST-START | toolkit/content/tests/chrome/test_menuchecks.xhtml
[task 2021-09-13T05:50:05.198Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005 (NS_ERROR_FAILURE): file /builds/worker/checkouts/gecko/chrome/nsChromeRegistry.cpp:180
[task 2021-09-13T05:50:05.199Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005 (NS_ERROR_FAILURE): file /builds/worker/checkouts/gecko/dom/security/nsCSPService.cpp:191
[task 2021-09-13T05:50:05.259Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005 (NS_ERROR_FAILURE): file /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4002
[task 2021-09-13T05:50:05.294Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:05.308Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:05.456Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:05.625Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:05.644Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:05.728Z] 05:50:05 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:06.030Z] 05:50:06 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:06.100Z] 05:50:06 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:06.224Z] 05:50:06 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:06.242Z] 05:50:06 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:06.479Z] 05:50:06 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:06.671Z] 05:50:06 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:06.692Z] 05:50:06 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:06.891Z] 05:50:06 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:07.121Z] 05:50:07 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:07.145Z] 05:50:07 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:07.338Z] 05:50:07 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:07.579Z] 05:50:07 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:07.590Z] 05:50:07 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:07.955Z] 05:50:07 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:08.012Z] 05:50:08 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:08.039Z] 05:50:08 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:08.227Z] 05:50:08 INFO - GECKO(12618) | [Parent 12618, Main Thread] WARNING: Must complete empty transaction when compositing!: file /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6246
[task 2021-09-13T05:50:08.228Z] 05:50:08 INFO - GECKO(12618) | Assertion failure: page.mBaseAddr == aPtr, at /builds/worker/checkouts/gecko/memory/replace/phc/PHC.cpp:779
[task 2021-09-13T05:50:08.259Z] 05:50:08 INFO - GECKO(12618) | #01: replace_malloc_usable_size(void const*) [memory/replace/phc/PHC.cpp:1356]
[task 2021-09-13T05:50:08.261Z] 05:50:08 INFO - GECKO(12618) | #02: malloc_size [/usr/lib/system/libsystem_malloc.dylib + 0x7fc2]
[task 2021-09-13T05:50:08.275Z] 05:50:08 INFO - GECKO(12618) | #03: -[CIImage initWithCGImage:options:] [/System/Library/Frameworks/CoreImage.framework/Versions/A/CoreImage + 0x210e]
<...>
[task 2021-09-13T05:50:08.382Z] 05:50:08 INFO - GECKO(12618) | [Child 12777, IPC I/O Child] WARNING: [22B5F87BE9CF4946.27CA08B87375253E]: Ignoring message 'EVENT_MESSAGE' to peer 1.1 due to a missing broker: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:297
[task 2021-09-13T05:50:08.382Z] 05:50:08 INFO - GECKO(12618) | Exiting due to channel error.
[task 2021-09-13T05:50:08.383Z] 05:50:08 INFO - TEST-INFO | Main app process: exit 1
[task 2021-09-13T05:50:08.383Z] 05:50:08 INFO - Buffered messages logged at 05:50:05
[task 2021-09-13T05:50:08.384Z] 05:50:08 INFO - TEST-PASS | toolkit/content/tests/chrome/test_menuchecks.xhtml | initial
|
||
Comment 1•3 years ago
|
||
Sounds like a macOS system library is either doing a double-free, or something else wrong. Presumably, this should be visible as crashes in the wild.
Flags: needinfo?(kwright)
|
|
||
Comment 2•3 years ago
|
||
|
||
Updated•3 years ago
|
Group: gfx-core-security
|
|
||
Updated•3 years ago
|
Component: Memory Allocator → Widget: Cocoa
|
||
Comment 3•3 years ago
|
||
This looks like we might be drawing a menu icon on a menu that has already been freed? I'm not familiar enough with the coca widget to know for sure. Here's the stack from the log, since the bug filing bot seems to have missed it:
INFO - GECKO(12618) | Assertion failure: page.mBaseAddr == aPtr, at /builds/worker/checkouts/gecko/memory/replace/phc/PHC.cpp:779
[task 2021-09-13T05:50:08.259Z] 05:50:08 INFO - GECKO(12618) | #01: replace_malloc_usable_size(void const*) [memory/replace/phc/PHC.cpp:1356]
[task 2021-09-13T05:50:08.261Z] 05:50:08 INFO - GECKO(12618) | #02: malloc_size [/usr/lib/system/libsystem_malloc.dylib + 0x7fc2]
[task 2021-09-13T05:50:08.275Z] 05:50:08 INFO - GECKO(12618) | #03: -[CIImage initWithCGImage:options:] [/System/Library/Frameworks/CoreImage.framework/Versions/A/CoreImage + 0x210e]
[task 2021-09-13T05:50:08.275Z] 05:50:08 INFO - GECKO(12618) | #04: +[CIImage imageWithCGImage:options:] [/System/Library/Frameworks/CoreImage.framework/Versions/A/CoreImage + 0x38d38]
[task 2021-09-13T05:50:08.282Z] 05:50:08 INFO - GECKO(12618) | #05: CUIRenderer::CreateImageByApplyingEffectsToImage(CUIDescriptor const*, long, __CFArray const*, CGImage*, double, unsigned char, unsigned char, CGBlendMode&, bool) const [/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI + 0x1c0bd]
[task 2021-09-13T05:50:08.283Z] 05:50:08 INFO - GECKO(12618) | #06: CUIRenderer::CreateImage(CGRect, long, CUIDescriptor const*, unsigned char, CGImage**, long long*, unsigned char*, CGBlendMode*) const [/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI + 0x1a923]
[task 2021-09-13T05:50:08.284Z] 05:50:08 INFO - GECKO(12618) | #07: CUIRenderer::DrawImage(CGRect, long, CUIDescriptor const*) const [/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI + 0x19085]
[task 2021-09-13T05:50:08.284Z] 05:50:08 INFO - GECKO(12618) | #08: CUICoreThemeRenderer::Draw(CUIDescriptor const*, CGAffineTransform, CUIReturnInfo&) [/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI + 0x181f6]
[task 2021-09-13T05:50:08.285Z] 05:50:08 INFO - GECKO(12618) | #09: CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, __CFDictionary const**) [/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI + 0x1790d]
[task 2021-09-13T05:50:08.286Z] 05:50:08 INFO - GECKO(12618) | #10: CUIDraw [/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI + 0x171ec]
[task 2021-09-13T05:50:08.286Z] 05:50:08 INFO - GECKO(12618) | #11: __44-[NSAppearance _drawInRect:context:options:]_block_invoke [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x1c1461]
[task 2021-09-13T05:50:08.287Z] 05:50:08 INFO - GECKO(12618) | #12: -[NSCompositeAppearance _callCoreUIWithBlock:options:requireBezelTintColor:] [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x4c013]
[task 2021-09-13T05:50:08.287Z] 05:50:08 INFO - GECKO(12618) | #13: -[NSAppearance _drawInRect:context:options:] [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x1c142c]
[task 2021-09-13T05:50:08.288Z] 05:50:08 INFO - GECKO(12618) | #14: nsNativeThemeCocoa::DrawMenuIcon(CGContext*, CGRect const&, nsNativeThemeCocoa::MenuIconParams const&) [widget/cocoa/nsNativeThemeCocoa.mm:1111]
[task 2021-09-13T05:50:08.289Z] 05:50:08 INFO - GECKO(12618) | #15: nsNativeThemeCocoa::RenderWidget(nsNativeThemeCocoa::WidgetInfo const&, mozilla::LookAndFeel::ColorScheme, mozilla::gfx::DrawTarget&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, float) [widget/cocoa/nsNativeThemeCocoa.mm:2713]
[task 2021-09-13T05:50:08.290Z] 05:50:08 INFO - GECKO(12618) | #16: nsNativeThemeCocoa::DrawWidgetBackground(gfxContext*, nsIFrame*, mozilla::StyleAppearance, nsRect const&, nsRect const&, nsITheme::DrawOverflow) [widget/cocoa/nsNativeThemeCocoa.mm:2608]
[task 2021-09-13T05:50:08.291Z] 05:50:08 INFO - GECKO(12618) | #17: {virtual override thunk({offset(-224)}, nsNativeThemeCocoa::DrawWidgetBackground(gfxContext*, nsIFrame*, mozilla::StyleAppearance, nsRect const&, nsRect const&, nsITheme::DrawOverflow))} [/opt/worker/tasks/task_163149170587405/build/application/Firefox NightlyDebug.app/Contents/MacOS/XUL + 0x4203814]
[task 2021-09-13T05:50:08.291Z] 05:50:08 INFO - GECKO(12618) | #18: mozilla::nsDisplayThemedBackground::PaintInternal(mozilla::nsDisplayListBuilder*, gfxContext*, nsRect const&, nsRect*) [layout/painting/nsDisplayList.cpp:3915]
[task 2021-09-13T05:50:08.292Z] 05:50:08 INFO - GECKO(12618) | #19: mozilla::nsDisplayThemedBackground::Paint(mozilla::nsDisplayListBuilder*, gfxContext*) [layout/painting/nsDisplayList.cpp:3899]
[task 2021-09-13T05:50:08.293Z] 05:50:08 INFO - GECKO(12618) | #20: mozilla::nsDisplayList::Paint(mozilla::nsDisplayListBuilder*, gfxContext*, int) [layout/painting/nsDisplayList.cpp:2296]
[task 2021-09-13T05:50:08.293Z] 05:50:08 INFO - GECKO(12618) | #21: mozilla::FallbackRenderer::EndTransactionWithList(mozilla::nsDisplayListBuilder*, mozilla::nsDisplayList*, int, mozilla::WindowRenderer::EndTransactionFlags) [layout/painting/WindowRenderer.cpp:214]
[task 2021-09-13T05:50:08.294Z] 05:50:08 INFO - GECKO(12618) | #22: mozilla::nsDisplayList::PaintRoot(mozilla::nsDisplayListBuilder*, gfxContext*, unsigned int, mozilla::Maybe<double>) [layout/painting/nsDisplayList.cpp:2438]
[task 2021-09-13T05:50:08.295Z] 05:50:08 INFO - GECKO(12618) | #23: nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, mozilla::nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) [layout/base/nsLayoutUtils.cpp:3446]
[task 2021-09-13T05:50:08.295Z] 05:50:08 INFO - GECKO(12618) | #24: mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaintFlags) [layout/base/PresShell.cpp:6268]
[task 2021-09-13T05:50:08.296Z] 05:50:08 INFO - GECKO(12618) | #25: nsViewManager::Refresh(nsView*, mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) [view/nsViewManager.cpp:343]
[task 2021-09-13T05:50:08.296Z] 05:50:08 INFO - GECKO(12618) | #26: nsViewManager::PaintWindow(nsIWidget*, mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) [view/nsViewManager.cpp:656]
[task 2021-09-13T05:50:08.297Z] 05:50:08 INFO - GECKO(12618) | #27: nsView::PaintWindow(nsIWidget*, mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel>) [view/nsView.cpp:1058]
[task 2021-09-13T05:50:08.297Z] 05:50:08 INFO - GECKO(12618) | #28: nsChildView::PaintWindow(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel>) [widget/cocoa/nsChildView.mm:1322]
[task 2021-09-13T05:50:08.298Z] 05:50:08 INFO - GECKO(12618) | #29: nsChildView::PaintWindowInDrawTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) [widget/cocoa/nsChildView.mm:1353]
[task 2021-09-13T05:50:08.299Z] 05:50:08 INFO - GECKO(12618) | #30: nsChildView::PaintWindowInContentLayer() [widget/cocoa/nsChildView.mm:1393]
[task 2021-09-13T05:50:08.299Z] 05:50:08 INFO - GECKO(12618) | #31: nsChildView::HandleMainThreadCATransaction() [widget/cocoa/nsChildView.mm:1419]
[task 2021-09-13T05:50:08.300Z] 05:50:08 INFO - GECKO(12618) | #32: -[ChildView updateRootCALayer] [widget/cocoa/nsChildView.mm:2505]
[task 2021-09-13T05:50:08.300Z] 05:50:08 INFO - GECKO(12618) | #33: _NSViewUpdateLayer [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x12c7a7]
[task 2021-09-13T05:50:08.301Z] 05:50:08 INFO - GECKO(12618) | #34: -[_NSViewBackingLayer display] [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x12c05c]
[task 2021-09-13T05:50:08.303Z] 05:50:08 INFO - GECKO(12618) | #35: CA::Layer::display_if_needed(CA::Transaction*) [/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore + 0x25e09]
[task 2021-09-13T05:50:08.304Z] 05:50:08 INFO - GECKO(12618) | #36: CA::Context::commit_transaction(CA::Transaction*, double) [/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore + 0x4106]
[task 2021-09-13T05:50:08.304Z] 05:50:08 INFO - GECKO(12618) | #37: CA::Transaction::commit() [/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore + 0x2cf0]
[task 2021-09-13T05:50:08.305Z] 05:50:08 INFO - GECKO(12618) | #38: CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) [/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore + 0x3f151]
[task 2021-09-13T05:50:08.306Z] 05:50:08 INFO - GECKO(12618) | #39: __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ [/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation + 0x83335]
[task 2021-09-13T05:50:08.307Z] 05:50:08 INFO - GECKO(12618) | #40: __CFRunLoopDoObservers [/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation + 0x83267]
[task 2021-09-13T05:50:08.307Z] 05:50:08 INFO - GECKO(12618) | #41: CFRunLoopRunSpecific [/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation + 0x81e79]
[task 2021-09-13T05:50:08.308Z] 05:50:08 INFO - GECKO(12618) | #42: RunCurrentEventLoopInMode [/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox + 0x2fabd]
[task 2021-09-13T05:50:08.308Z] 05:50:08 INFO - GECKO(12618) | #43: ReceiveNextEventCommon [/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox + 0x2f7d5]
[task 2021-09-13T05:50:08.309Z] 05:50:08 INFO - GECKO(12618) | #44: _BlockUntilNextEventMatchingListInModeWithFilter [/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox + 0x2f579]
[task 2021-09-13T05:50:08.309Z] 05:50:08 INFO - GECKO(12618) | #45: _DPSNextEvent [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x41039]
[task 2021-09-13T05:50:08.310Z] 05:50:08 INFO - GECKO(12618) | #46: -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x3f880]
[task 2021-09-13T05:50:08.310Z] 05:50:08 INFO - GECKO(12618) | #47: -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] [widget/cocoa/nsAppShell.mm:173]
[task 2021-09-13T05:50:08.311Z] 05:50:08 INFO - GECKO(12618) | #48: -[NSApplication run] [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x3158e]
[task 2021-09-13T05:50:08.311Z] 05:50:08 INFO - GECKO(12618) | #49: nsAppShell::Run() [widget/cocoa/nsAppShell.mm:751]
[task 2021-09-13T05:50:08.312Z] 05:50:08 INFO - GECKO(12618) | #50: nsAppStartup::Run() [toolkit/components/startup/nsAppStartup.cpp:290]
[task 2021-09-13T05:50:08.312Z] 05:50:08 INFO - GECKO(12618) | #51: XREMain::XRE_mainRun() [toolkit/xre/nsAppRunner.cpp:5291]
[task 2021-09-13T05:50:08.313Z] 05:50:08 INFO - GECKO(12618) | #52: XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) [toolkit/xre/nsAppRunner.cpp:5476]
[task 2021-09-13T05:50:08.313Z] 05:50:08 INFO - GECKO(12618) | #53: XRE_main(int, char**, mozilla::BootstrapConfig const&) [toolkit/xre/nsAppRunner.cpp:5535]
[task 2021-09-13T05:50:08.314Z] 05:50:08 INFO - GECKO(12618) | #54: main [browser/app/nsBrowserApp.cpp:386]
Stephen, would you be able to look at this?
Flags: needinfo?(kwright) → needinfo?(spohl.mozilla.bugs)
|
||
Comment 4•3 years ago
|
||
Markus, do you have any immediate thoughts here?
Flags: needinfo?(spohl.mozilla.bugs) → needinfo?(mstange.moz)
|
|
||
Comment 5•3 years ago
|
||
I thought I'd seen some UAF-ish crashes before with DrawMenuIcon in the stack, but I couldn't find any such open bugs in Bugzilla when I searched.
|
||
Comment 6•3 years ago
|
||
No immediate thoughts. Where can I read more on what exactly I'm looking at here? What does it mean if the crash stack is inside malloc? Was this issue only caught due to PHC? This document says that PHC records the allocation stack - where can I see that stack?
Flags: needinfo?(mstange.moz)
|
|
||
Comment 7•3 years ago
|
||
Unfortunately, that a PHC assert rather than a PHC crash. It might be worth turning it into a PHC crash... Kris, do you want to take that?
Flags: needinfo?(kwright)
|
|
||
Comment 8•3 years ago
|
||
The assertion here is that a pointer is being passed into malloc_size that is not a pointer to the start of the block. I tried poking around to see if somehow malloc_size had a looser requirement than free on OSX or something but I didn't turn up anything.
We've had similar errors before that were detected by ASan. "AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned" For instance, bug 1625734. https://bugzilla.mozilla.org/buglist.cgi?short_desc_type=allwordssubstr&query_format=advanced&list_id=15838531&classification=Client%20Software&classification=Developer%20Infrastructure&classification=Components&classification=Server%20Software&classification=Other&short_desc=AddressSanitizer%20attempting%20to%20call%20malloc_usable_size
|
|
||
Comment 9•3 years ago
|
||
it's probably a malloc_size() on a pointer that's already freed.
|
||
Comment 10•3 years ago
|
||
The stacks under this signatures are identical to comment 3.
Crash Signature: [@ replace_malloc_usable_size]
|
|
||
Comment 11•3 years ago
|
||
(In reply to Mike Hommey [:glandium] from comment #7)
Unfortunately, that a PHC assert rather than a PHC crash. It might be worth turning it into a PHC crash... Kris, do you want to take that?
It probably should be a crash, yes. I will put up a fix for this.
Assignee: nobody → kwright
Flags: needinfo?(kwright)
|
|
||
Comment 12•3 years ago
|
||
(In reply to Kris Wright :KrisWright from comment #3)
INFO - GECKO(12618) | Assertion failure: page.mBaseAddr == aPtr, at /builds/worker/checkouts/gecko/memory/replace/phc/PHC.cpp:779 [task 2021-09-13T05:50:08.259Z] 05:50:08 INFO - GECKO(12618) | #01: replace_malloc_usable_size(void const*) [memory/replace/phc/PHC.cpp:1356] [task 2021-09-13T05:50:08.261Z] 05:50:08 INFO - GECKO(12618) | #02: malloc_size [/usr/lib/system/libsystem_malloc.dylib + 0x7fc2] [task 2021-09-13T05:50:08.275Z] 05:50:08 INFO - GECKO(12618) | #03: -[CIImage initWithCGImage:options:] [/System/Library/Frameworks/CoreImage.framework/Versions/A/CoreImage + 0x210e] [task 2021-09-13T05:50:08.275Z] 05:50:08 INFO - GECKO(12618) | #04: +[CIImage imageWithCGImage:options:] [/System/Library/Frameworks/CoreImage.framework/Versions/A/CoreImage + 0x38d38] [task 2021-09-13T05:50:08.282Z] 05:50:08 INFO - GECKO(12618) | #05: CUIRenderer::CreateImageByApplyingEffectsToImage(CUIDescriptor const*, long, __CFArray const*, CGImage*, double, unsigned char, unsigned char, CGBlendMode&, bool) const [/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/CoreUI + 0x1c0bd] [...] [task 2021-09-13T05:50:08.287Z] 05:50:08 INFO - GECKO(12618) | #12: -[NSCompositeAppearance _callCoreUIWithBlock:options:requireBezelTintColor:] [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x4c013] [task 2021-09-13T05:50:08.287Z] 05:50:08 INFO - GECKO(12618) | #13: -[NSAppearance _drawInRect:context:options:] [/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit + 0x1c142c] [task 2021-09-13T05:50:08.288Z] 05:50:08 INFO - GECKO(12618) | #14: nsNativeThemeCocoa::DrawMenuIcon(CGContext*, CGRect const&, nsNativeThemeCocoa::MenuIconParams const&) [widget/cocoa/nsNativeThemeCocoa.mm:1111]
I was thinking that it might have to do with the fact that we're calling the undocumented API -[NSAppearance _drawInRect:context:options:] for drawing icons in non-native menus. But then Steven showed me bug 1732942 which is basically the same issue but for native menus, with fully supported APIs.
|
|
||
Comment 13•3 years ago
|
||
This should turn the assertion failures in try to full crashes. There are a few other places where I thought a crash might help make the tests a bit noisier (like arena checks) but I figure I should probably address those in their own bug.
|
|
||
Comment 16•3 years ago
|
||
I took a look at our crash reports and it looks like the number of reports has suddenly fallen off a cliff. There don't seem to be any reports for versions after 95.0a1. It could be that we landed a patch at some point that either fixed this crash or changed the signature to make it no longer appear under the same signature.
|
|
||
Comment 17•3 years ago
|
||
This is a signature change, I've added the new signature which we also encountered in automation apparently (bug 1738025).
Crash Signature: [@ replace_malloc_usable_size] → [@ replace_malloc_usable_size]
[@ zone_size]
|
||
Comment 18•3 years ago
|
||
Comment on attachment 9243750 [details]
Bug 1730445 - Crash when a pointer doesn't match its base address.
Revision D127132 was moved to bug 1741905. Setting attachment 9243750 [details] to obsolete.
Attachment #9243750 -
Attachment is obsolete: true
|
|
||
Updated•3 years ago
|
Assignee: kwright → nobody
|
||
Comment 19•3 years ago
|
||
Stephen, with PHC now crashing instead of asserting, are we able to make progress on this one?
Assignee: nobody → spohl.mozilla.bugs
Severity: S4 → S2
Priority: P5 → P1
|
|
||
Comment 20•3 years ago
|
||
Going back to comment 6, do we now have an allocation stack that wasn't available to us before?
Flags: needinfo?(mh+mozilla)
|
|
||
Comment 22•3 years ago
|
||
(In reply to Gian-Carlo Pascutto [:gcp] from comment #19)
Stephen, with PHC now crashing instead of asserting, are we able to make progress on this one?
:gcp, I assumed that work must have occurred outside of bug 1741905 to turn asserts into crashes, but were you referring to bug 1741905? If so, I believe we are still stuck here.
Assignee: spohl.mozilla.bugs → nobody
Flags: needinfo?(gpascutto)
|
||
Updated•3 years ago
|
Group: gfx-core-security → dom-core-security
|
|
||
Comment 23•3 years ago
|
||
Lowering priority for now to remove this bug from the tracking alert emails.
Priority: P1 → P2
|
|
||
Comment 24•3 years ago
|
||
I thought bug 1741905 had landed, but it seems to have stalled.
Flags: needinfo?(gpascutto)
|
||
Updated•3 years ago
|
Crash Signature: [@ replace_malloc_usable_size]
[@ zone_size] → [@ replace_malloc_usable_size]
[@ zone_size]
[@ replace_malloc_usable_size(void const*)]
|
|
||
Updated•3 years ago
|
Crash Signature: [@ replace_malloc_usable_size]
[@ zone_size]
[@ replace_malloc_usable_size(void const*)] → [@ replace_malloc_usable_size]
[@ zone_size]
[@ replace_malloc_usable_size(void const*)]
|
|
||
Comment 27•2 years ago
|
||
Blocked by bug 1741905, which currently does not have a priority or severity set.
Severity: S2 → S4
Priority: P2 → P3
|
|
||
Comment 28•2 years ago
|
||
The severity field for this bug is set to S4. However, the bug is flagged with the sec-high keyword.
:spohl, could you consider increasing the severity of this security bug?
For more information, please visit auto_nag documentation.
Flags: needinfo?(spohl.mozilla.bugs)
|
|
||
Updated•2 years ago
|
Flags: needinfo?(spohl.mozilla.bugs)
|
||
Updated•2 years ago
|
Crash Signature: [@ replace_malloc_usable_size]
[@ zone_size]
[@ replace_malloc_usable_size(void const*)] → [@ replace_malloc_usable_size]
[@ zone_size]
[@ replace_malloc_usable_size]
|
|
||
Comment 30•11 months ago
|
||
There's currently only two crashes with this signature. Looks like the same person on Firefox 99.0b2 on macOS 10.12.0 16A323, with the crashes about two weeks apart in Jan 2024. It's not useful to have this hanging around as a sec-high
|
|
||
Comment 31•7 months ago
|
||
This hasn't shown up in a few years in automation, so let's just close this.
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → WORKSFORME
|
||
Comment 32•7 months ago
|
||
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.
Keywords: stalled
|
|
||
Updated•6 months ago
|
Group: dom-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•