Closed Bug 1732667 Opened 3 years ago Closed 3 years ago

Crash in [@ core::ptr::drop_in_place<T> | style::stylist::GenericElementAndPseudoRules<T>::clear]

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Platform:
Unspecified
All
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1406996

People

(Reporter: gsvelto, Unassigned)

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/66f4f81f-84e5-431b-840d-536580210924

Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS

Top 10 frames of crashing thread:

0 XUL core::ptr::drop_in_place<smallvec::SmallVec<[style::stylist::Rule; 1]>> library/core/src/ptr/mod.rs:192
1 XUL style::stylist::GenericElementAndPseudoRules<style::selector_map::SelectorMap<style::stylist::Rule>>::clear servo/components/style/stylist.rs:1882
2 XUL style::stylist::CascadeData::clear_cascade_data servo/components/style/stylist.rs:2644
3 XUL style::stylist::CascadeData::clear servo/components/style/stylist.rs:2664
4 XUL style::stylist::CascadeData::rebuild servo/components/style/stylist.rs:2045
5 XUL Servo_StyleSet_FlushStyleSheets servo/ports/geckolib/glue.rs:1938
6 XUL mozilla::ServoStyleSet::UpdateStylist layout/style/ServoStyleSet.cpp:1219
7 XUL mozilla::ServoStyleSet::ShellDetachedFromDocument layout/style/ServoStyleSet.cpp:156
8 XUL mozilla::dom::Document::DeletePresShell dom/base/Document.cpp:6914
9 XUL mozilla::PresShell::Destroy layout/base/PresShell.cpp:1383

Not sure what to make of this. At first sight it appears like it might be an issue caused by bad hardware as the crash addresses are not entirely consistent but there's a few things that worry me:

  • Many crashes are hitting the poison pattern indicating a potential UAF
  • Many other crashes are hitting an address that's close to 0 but always different, this could be an integer in an object that has been written inside one that was previously freed (and which we're still accessing via the dangling pointer)

Comments and URLs aren't very helpful unfortunately, nothing specific to pin this on. Given the potential nature of this bug and the relatively high volume I think it's worth investigating.

Group: gfx-core-security → layout-core-security
Component: Graphics: WebRender → CSS Parsing and Computation

emilio, maybe you could take a look?

Flags: needinfo?(emilio)

This seems a variant of bug 1406996, just with a different signature.

We did a fairly extensive investigation in the past and ended up concluding that these hashmaps (which are huge and super-common) are very prone to hit either corruptions from other parts of Gecko or bit flips due to bad hardware (we used to have very similar issues with the C++ hashmaps that the Rust code replaced). In particular, we mprotect-ed these and guarded all accesses etc, and we still were hitting crashes that bypassed our canary checks and guards.

See https://github.com/servo/servo/pull/18995 for all the diagnostics that we had that we ended up reverting.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(emilio)
Resolution: --- → DUPLICATE

Thanks Emilio! I think we should remove the security flag then and make the bug public so that it appears when looking at crashes and we know we don't care about these.

I don't have the relevant permission to remove the security flag. Do you know who does? I guess Tom Ritter / Dveditz?

Group: layout-core-security
Severity: S2 → S3
You need to log in before you can comment on or make changes to this bug.