Crash in [@ core::ptr::drop_in_place<T> | style::stylist::GenericElementAndPseudoRules<T>::clear]
Categories
(Core :: CSS Parsing and Computation, defect)
Tracking
()
People
(Reporter: gsvelto, Unassigned)
Details
(Keywords: crash)
Crash Data
Crash report: https://crash-stats.mozilla.org/report/index/66f4f81f-84e5-431b-840d-536580210924
Reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Top 10 frames of crashing thread:
0 XUL core::ptr::drop_in_place<smallvec::SmallVec<[style::stylist::Rule; 1]>> library/core/src/ptr/mod.rs:192
1 XUL style::stylist::GenericElementAndPseudoRules<style::selector_map::SelectorMap<style::stylist::Rule>>::clear servo/components/style/stylist.rs:1882
2 XUL style::stylist::CascadeData::clear_cascade_data servo/components/style/stylist.rs:2644
3 XUL style::stylist::CascadeData::clear servo/components/style/stylist.rs:2664
4 XUL style::stylist::CascadeData::rebuild servo/components/style/stylist.rs:2045
5 XUL Servo_StyleSet_FlushStyleSheets servo/ports/geckolib/glue.rs:1938
6 XUL mozilla::ServoStyleSet::UpdateStylist layout/style/ServoStyleSet.cpp:1219
7 XUL mozilla::ServoStyleSet::ShellDetachedFromDocument layout/style/ServoStyleSet.cpp:156
8 XUL mozilla::dom::Document::DeletePresShell dom/base/Document.cpp:6914
9 XUL mozilla::PresShell::Destroy layout/base/PresShell.cpp:1383
Not sure what to make of this. At first sight it appears like it might be an issue caused by bad hardware as the crash addresses are not entirely consistent but there's a few things that worry me:
- Many crashes are hitting the poison pattern indicating a potential UAF
- Many other crashes are hitting an address that's close to 0 but always different, this could be an integer in an object that has been written inside one that was previously freed (and which we're still accessing via the dangling pointer)
Comments and URLs aren't very helpful unfortunately, nothing specific to pin this on. Given the potential nature of this bug and the relatively high volume I think it's worth investigating.
Updated•3 years ago
|
Comment 2•3 years ago
|
||
This seems a variant of bug 1406996, just with a different signature.
We did a fairly extensive investigation in the past and ended up concluding that these hashmaps (which are huge and super-common) are very prone to hit either corruptions from other parts of Gecko or bit flips due to bad hardware (we used to have very similar issues with the C++ hashmaps that the Rust code replaced). In particular, we mprotect-ed these and guarded all accesses etc, and we still were hitting crashes that bypassed our canary checks and guards.
See https://github.com/servo/servo/pull/18995 for all the diagnostics that we had that we ended up reverting.
Reporter | ||
Comment 3•3 years ago
|
||
Thanks Emilio! I think we should remove the security flag then and make the bug public so that it appears when looking at crashes and we know we don't care about these.
Comment 4•3 years ago
|
||
I don't have the relevant permission to remove the security flag. Do you know who does? I guess Tom Ritter / Dveditz?
Updated•3 years ago
|
Updated•2 years ago
|
Description
•