Closed Bug 1735852 (CVE-2021-4128) Opened 3 years ago Closed 3 years ago

Intermittent [tier2] dom/html/test/test_fullscreen-api-race.html | application crashed [@ nsCocoaWindow::DoMakeFullScreen(bool, bool)]

Categories

(Core :: Graphics, defect)

defect

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr91 --- unaffected
firefox93 --- unaffected
firefox94 --- wontfix
firefox95 --- fixed
firefox96 --- fixed

People

(Reporter: intermittent-bug-filer, Unassigned)

References

Details

(4 keywords, Whiteboard: [adv-main95+r])

Crash Data

Filed by: abutkovits [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=354790877&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/c-QOWpJGSve-mABLJfp9rw/runs/0/artifacts/public/logs/live_backing.log


[task 2021-10-14T16:01:32.132Z] 16:01:32     INFO - mozcrash Downloading symbols from: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/aOTiTtrfTxqINuQO_UGaYw/artifacts/public/build/target.crashreporter-symbols.zip
[task 2021-10-14T16:01:36.540Z] 16:01:36     INFO - mozcrash Copy/paste: /opt/worker/tasks/task_163422606348914/fetches/minidump_stackwalk/minidump_stackwalk /var/folders/db/3zrknqk954d_sn2t59z8ydsh000014/T/tmpqbxfdjr1.mozrunner/minidumps/9A84A0AB-EB47-447A-ABF4-356050F5767C.dmp /var/folders/db/3zrknqk954d_sn2t59z8ydsh000014/T/tmp0647css6
[task 2021-10-14T16:01:42.137Z] 16:01:42     INFO - mozcrash Saved minidump as /opt/worker/tasks/task_163422606348914/build/blobber_upload_dir/9A84A0AB-EB47-447A-ABF4-356050F5767C.dmp
[task 2021-10-14T16:01:42.137Z] 16:01:42     INFO - mozcrash Saved app info as /opt/worker/tasks/task_163422606348914/build/blobber_upload_dir/9A84A0AB-EB47-447A-ABF4-356050F5767C.extra
[task 2021-10-14T16:01:42.516Z] 16:01:42     INFO - PROCESS-CRASH | dom/html/test/test_fullscreen-api-race.html | application crashed [@ nsCocoaWindow::DoMakeFullScreen(bool, bool)]
[task 2021-10-14T16:01:42.516Z] 16:01:42     INFO - Crash dump filename: /var/folders/db/3zrknqk954d_sn2t59z8ydsh000014/T/tmpqbxfdjr1.mozrunner/minidumps/9A84A0AB-EB47-447A-ABF4-356050F5767C.dmp
[task 2021-10-14T16:01:42.516Z] 16:01:42     INFO - Operating system: Mac OS X
[task 2021-10-14T16:01:42.516Z] 16:01:42     INFO -                   10.15.7 19H524
[task 2021-10-14T16:01:42.516Z] 16:01:42     INFO - CPU: amd64
[task 2021-10-14T16:01:42.516Z] 16:01:42     INFO -      family 6 model 158 stepping 10
[task 2021-10-14T16:01:42.516Z] 16:01:42     INFO -      12 CPUs
[task 2021-10-14T16:01:42.516Z] 16:01:42     INFO - 
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO - GPU: UNKNOWN
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO - 
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO - Crash reason:  EXC_BAD_ACCESS / EXC_I386_GPFLT
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO - Crash address: 0x0
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO - Process uptime: 87 seconds
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO - 
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO - Thread 0 tid 775 (crashed) - GeckoMain 0  XUL!mozilla::layers::NativeLayerRootCA::SetWindowIsFullscreen(bool) [NativeLayerCA.mm:68f5bca6b432346740523a54babd677e6a08ae1a : 479 + 0x1c]
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rax = 0x000000012b8dddd0   rdx = 0x0000000117fcbca8
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rcx = 0x0000000000000001   rbx = 0xe5e5e5e5e5e5e5e5
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rsi = 0x00000000e5e5e5e5   rdi = 0x0000000120cb5520
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rbp = 0x00007ffee8561be0   rsp = 0x00007ffee8561bc0
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -      r8 = 0x0000000000000002    r9 = 0x0000000100000000
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     r10 = 0x0000000117fcbca8   r11 = 0x00000001145b8810
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     r12 = 0x0000000000000007   r13 = 0x000000010c30b600
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     r14 = 0x000000012a85fee0   r15 = 0x0000000000000004
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rip = 0x0000000112fa22e3
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     Found by: given as instruction pointer in context
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -  1  XUL!nsCocoaWindow::DoMakeFullScreen(bool, bool) [nsCocoaWindow.mm:68f5bca6b432346740523a54babd677e6a08ae1a : 1675 + 0x17]
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rbx = 0x0000000000000000   rbp = 0x00007ffee8561c10
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rsp = 0x00007ffee8561bf0   r12 = 0x0000000000000000
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     r13 = 0x000000010c30b600   r14 = 0x0000000000000000
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     r15 = 0x000000010c30b600   rip = 0x00000001145ed81b
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -  2  XUL!nsGlobalWindowOuter::SetWidgetFullscreen(FullscreenReason, bool, nsIWidget*, nsIScreen*) [nsGlobalWindowOuter.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 4654 + 0x6]
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rbx = 0x0000000107949bc0   rbp = 0x00007ffee8561c60
[task 2021-10-14T16:01:42.517Z] 16:01:42     INFO -     rsp = 0x00007ffee8561c20   r12 = 0x0000000000000002
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r13 = 0x000000010c30b600   r14 = 0x0000000000000000
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r15 = 0x0000000000000000   rip = 0x00000001130d2e6c
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -  3  XUL!MakeWidgetFullscreen(nsGlobalWindowOuter*, FullscreenReason, bool) [nsGlobalWindowOuter.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 4509 + 0x15]
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     rbx = 0x0000000107949bc0   rbp = 0x00007ffee8561d10
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     rsp = 0x00007ffee8561c70   r12 = 0x0000000000000002
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r13 = 0x0000000107949be0   r14 = 0x000000010c30b600
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r15 = 0x0000000000000000   rip = 0x00000001130d35ee
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -  4  XUL!nsGlobalWindowOuter::SetFullscreenInternal(FullscreenReason, bool) [nsGlobalWindowOuter.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 4601 + 0xd]
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     rbx = 0x0000000000000000   rbp = 0x00007ffee8561d80
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     rsp = 0x00007ffee8561d20   r12 = 0x0000000000000000
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r13 = 0x0000000107949be0   r14 = 0x0000000107949bc0
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r15 = 0x0000000000000002   rip = 0x00000001130d289a
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -  5  XUL!mozilla::dom::ExitFullscreenScriptRunnable::Run() [Document.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 14134 + 0x10]
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     rbx = 0x00000001618deb50   rbp = 0x00007ffee8561db0
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     rsp = 0x00007ffee8561d90   r12 = 0x00007ffee8561e68
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r13 = 0x00007ffee8561e78   r14 = 0x00000001618deb50
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r15 = 0x00000001618deb50   rip = 0x0000000113149cd7
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -  6  XUL!nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) [nsContentUtils.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 5757 + 0x9]
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     rbx = 0x0000000121414000   rbp = 0x00007ffee8561e40
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     rsp = 0x00007ffee8561dc0   r12 = 0x00007ffee8561e68
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r13 = 0x00007ffee8561e78   r14 = 0x00000001618deb50
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     r15 = 0x00000001618deb50   rip = 0x0000000110f15e9b
[task 2021-10-14T16:01:42.518Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -  7  XUL!mozilla::dom::Document::ExitFullscreenInDocTree(mozilla::dom::Document*) [Document.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 14188 + 0x8]
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     rbx = 0x0000000121414000   rbp = 0x00007ffee8561eb0
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     rsp = 0x00007ffee8561e50   r12 = 0x00007ffee8561e68
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     r13 = 0x00007ffee8561e78   r14 = 0x0000000121414000
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     r15 = 0x00000001618deb50   rip = 0x0000000113127659
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -  8  XUL!mozilla::dom::Document::OnPageHide(bool, mozilla::dom::EventTarget*, bool) [Document.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 11731 + 0x8]
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     rbx = 0x0000000000000000   rbp = 0x00007ffee8561f30
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     rsp = 0x00007ffee8561ec0   r12 = 0x00007ffee8561ee0
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     r13 = 0x0000000121414000   r14 = 0x0000000001040200
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     r15 = 0x00007ffee8561ef0   rip = 0x0000000110f96cb9
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -  9  XUL!nsDocumentViewer::PageHide(bool) [nsDocumentViewer.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 1389 + 0x15]
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     rbx = 0x000022d7708992e0   rbp = 0x00007ffee8562020
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     rsp = 0x00007ffee8561f40   r12 = 0x0000000000000000
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     r13 = 0x0000000000000001   r14 = 0x0000000000000001
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     r15 = 0x000000010ea2e640   rip = 0x0000000111556671
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO - 10  XUL!nsDocShell::FirePageHideNotificationInternal(bool, bool) [nsDocShell.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 1119 + 0x10]
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     rbx = 0x0000000000000000   rbp = 0x00007ffee85620e0
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     rsp = 0x00007ffee8562030   r12 = 0x0000000000000001
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     r13 = 0x0000000000000001   r14 = 0x000000010ea2e640
[task 2021-10-14T16:01:42.519Z] 16:01:42     INFO -     r15 = 0x000000012ae7f800   rip = 0x00000001117e5d00
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO - 11  XUL!nsDocShell::Destroy() [nsDocShell.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 4409 + 0xf]
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     rbx = 0x0000000123946c00   rbp = 0x00007ffee8562130
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     rsp = 0x00007ffee85620f0   r12 = 0x00007ffee85620f8
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     r13 = 0x000000012ae7f800   r14 = 0x000000010b2c9b40
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     r15 = 0x000000012ae7f990   rip = 0x00000001117e1cc0
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO - 12  XUL!mozilla::AppWindow::Destroy() [AppWindow.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 632 + 0xa]
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     rbx = 0x0000000123946c00   rbp = 0x00007ffee8562190
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     rsp = 0x00007ffee8562140   r12 = 0x000000010e129700
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     r13 = 0x0000000000000003   r14 = 0x000000010e129710
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     r15 = 0x0000000121799470   rip = 0x0000000111804390
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO - 13  XUL!{virtual override thunk({offset(-8)}, nsChromeTreeOwner::Destroy())} + 0x12
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     rbx = 0x000000010b27f308   rbp = 0x00007ffee85621a0
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     rsp = 0x00007ffee85621a0   r12 = 0x00000001209cdc00
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     r13 = 0x0000000000000003   r14 = 0x0000000107949bc0
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     r15 = 0x000000011800da50   rip = 0x0000000115160212
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO - 14  XUL!nsGlobalWindowOuter::ReallyCloseWindow() [nsGlobalWindowOuter.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 6356 + 0x9]
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     rbx = 0x000000010b27f308   rbp = 0x00007ffee85621c0
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     rsp = 0x00007ffee85621b0   r12 = 0x00000001209cdc00
[task 2021-10-14T16:01:42.520Z] 16:01:42     INFO -     r13 = 0x0000000000000003   r14 = 0x0000000107949bc0
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     r15 = 0x000000011800da50   rip = 0x00000001130d88eb
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO - 15  XUL!nsCloseEvent::Run() [nsGlobalWindowOuter.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 6157 + 0x5]
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     rbx = 0x000000000000000c   rbp = 0x00007ffee85621d0
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     rsp = 0x00007ffee85621d0   r12 = 0x00000001209cdc00
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     r13 = 0x0000000000000003   r14 = 0x000000012a044040
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     r15 = 0x000000011800da50   rip = 0x00000001130da78b
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO - 16  XUL!mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [TaskController.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 770 + 0x263]
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     rbx = 0x000000000000000c   rbp = 0x00007ffee85627f0
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     rsp = 0x00007ffee85621e0   r12 = 0x00000001209cdc00
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     r13 = 0x0000000000000003   r14 = 0x000000012a044040
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     r15 = 0x000000011800da50   rip = 0x000000011087cb76
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO - 17  XUL!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 1151 + 0x3f]
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     rbx = 0x00007ffee85629f0   rbp = 0x00007ffee8562a70
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     rsp = 0x00007ffee8562800   r12 = 0x0000000107955900
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     r13 = 0x000000010b259040   r14 = 0x000000010b27adf0
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     r15 = 0x000000010b259040   rip = 0x000000011088bfb8
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.521Z] 16:01:42     INFO - 18  XUL!NS_ProcessPendingEvents(nsIThread*, unsigned int) [nsThreadUtils.cpp:68f5bca6b432346740523a54babd677e6a08ae1a : 432 + 0x1e]
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     rbx = 0x0000000000000000   rbp = 0x00007ffee8562ac0
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     rsp = 0x00007ffee8562a80   r12 = 0x00007ffee8562a8f
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     r13 = 0x000000010b259040   r14 = 0x000000011088b8f0
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     r15 = 0x00000000001302ed   rip = 0x000000011088939b
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO - 19  XUL!nsAppShell::ProcessGeckoEvents(void*) [nsAppShell.mm:68f5bca6b432346740523a54babd677e6a08ae1a : 500 + 0x50]
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     rbx = 0x0000000000000000   rbp = 0x00007ffee8562b20
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     rsp = 0x00007ffee8562ad0   r12 = 0x0000000000000001
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     r13 = 0x000000010b2c1920   r14 = 0x000000010b259040
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     r15 = 0x0000000600002e00   rip = 0x000000011147189a
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO - 20  CoreFoundation!__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 0x11
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     rbx = 0x0000000111471790   rbp = 0x00007ffee8562b30
[task 2021-10-14T16:01:42.522Z] 16:01:42     INFO -     rsp = 0x00007ffee8562b30   r12 = 0x0000000000000001
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     r13 = 0x0000000000002c01   r14 = 0x000000010b2c1920
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     r15 = 0x0000000600002e88   rip = 0x00007fff340fdd52
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO - 21  CoreFoundation!__CFRunLoopDoSource0 + 0x67
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     rbp = 0x00007ffee8562b60   rsp = 0x00007ffee8562b40
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     rip = 0x00007fff340fdcf1
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     Found by: previous frame's frame pointer
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO - 22  CoreFoundation!__CFRunLoopDoSources0 + 0xd1
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     rbp = 0x00007ffee8562bd0   rsp = 0x00007ffee8562b70
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     rip = 0x00007fff340fdb0b
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     Found by: previous frame's frame pointer
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO - 23  CoreFoundation!__CFRunLoopRun + 0x39f
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     rbp = 0x00007ffee85638e0   rsp = 0x00007ffee8562be0
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     rip = 0x00007fff340fc83a
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     Found by: previous frame's frame pointer
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO - 24  CoreFoundation!CFRunLoopRunSpecific + 0x1ce
[task 2021-10-14T16:01:42.523Z] 16:01:42     INFO -     rbp = 0x00007ffee8563970   rsp = 0x00007ffee85638f0
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     rip = 0x00007fff340fbe3e
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     Found by: previous frame's frame pointer
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO - 25  HIToolbox!RunCurrentEventLoopInMode + 0x124
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     rbp = 0x00007ffee85639c0   rsp = 0x00007ffee8563980
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     rip = 0x00007fff32d28abd
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     Found by: previous frame's frame pointer
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO - 26  HIToolbox!ReceiveNextEventCommon + 0x248
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     rbx = 0x0000000000000001   rbp = 0x00007ffee8563a40
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     rsp = 0x00007ffee85639d0   r12 = 0x0000000000000000
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     r13 = 0x0000000000000000   r14 = 0x0000000000000000
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     r15 = 0x00000000ffffd96d   rip = 0x00007fff32d287d5
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO - 27  HIToolbox!_BlockUntilNextEventMatchingListInModeWithFilter + 0x40
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     rbx = 0xffffffffffffffff   rbp = 0x00007ffee8563a60
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     rsp = 0x00007ffee8563a50   r12 = 0x0000000000000001
[task 2021-10-14T16:01:42.524Z] 16:01:42     INFO -     r13 = 0x0000000000000000   r14 = 0x00007fff948ad4c0
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     r15 = 0x00007fff8b9b0b00   rip = 0x00007fff32d28579
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO - 28  AppKit!_DPSNextEvent + 0x373
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     rbx = 0xffffffffffffffff   rbp = 0x00007ffee8563e60
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     rsp = 0x00007ffee8563a70   r12 = 0x0000000000000001
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     r13 = 0x0000000000000000   r14 = 0x00007fff948ad4c0
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     r15 = 0x00007fff8b9b0b00   rip = 0x00007fff3136e039
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO - 29  AppKit!-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 0x548
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     rbp = 0x00007ffee85640c0   rsp = 0x00007ffee8563e70
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     rip = 0x00007fff3136c880
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     Found by: previous frame's frame pointer
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO - 30  XUL!-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] [nsAppShell.mm:68f5bca6b432346740523a54babd677e6a08ae1a : 173 + 0x25]
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     rbp = 0x00007ffee8564130   rsp = 0x00007ffee85640d0
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     rip = 0x0000000111470e11
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     Found by: previous frame's frame pointer
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO - 31  AppKit!-[NSApplication run] + 0x292
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     rbx = 0x000000010794e2f0   rbp = 0x00007ffee85641f0
[task 2021-10-14T16:01:42.525Z] 16:01:42     INFO -     rsp = 0x00007ffee8564140   r12 = 0x000000012afdebb0
[task 2021-10-14T16:01:42.526Z] 16:01:42     INFO -     r13 = 0x00007fff6ce4f800   r14 = 0x0000000000000000
[task 2021-10-14T16:01:42.526Z] 16:01:42     INFO -     r15 = 0x000000011ed16880   rip = 0x00007fff3135e58e
[task 2021-10-14T16:01:42.526Z] 16:01:42     INFO -     Found by: call frame info
[task 2021-10-14T16:01:42.526Z] 16:01:42     INFO - 32  XUL!nsAppShell::Run() [nsAppShell.mm:68f5bca6b432346740523a54babd677e6a08ae1a : 792 + 0x1a]
[task 2021-10-14T16:01:42.526Z] 16:01:42     INFO -     rbp = 0x00007ffee8564220   rsp = 0x00007ffee8564200
[task 2021-10-14T16:01:42.526Z] 16:01:42     INFO -     rip = 0x000000011147206b
[task 2021-10-14T16:01:42.526Z] 16:01:42     INFO -     Found by: previous frame's frame pointer
....

Group: core-security

The actual crash is on a null value, but there are a few poison-y values in the registers. The crash looks like it is happening at the interface between DOM and Widget code. The crash is happening during test_fullscreen-api-race.html which I guess does seem like something that could cause a crash like this.

Group: core-security → dom-core-security

Edgar, do you think there's anything actionable here? Thanks.

Flags: needinfo?(echen)

There appear to be a very small number of crashes in the wild, for example
bp-f3041bef-ff33-45ce-9709-c31d50210928
bp-13299d9f-aee2-4c3f-bee8-8321f0211022

Crash Signature: [@ nsCocoaWindow::DoMakeFullScreen(bool, bool)] → [@ nsCocoaWindow::DoMakeFullScreen(bool, bool)] [@ mozilla::layers::NativeLayerRootCA::SetWindowIsFullscreen ] [@ mozilla::detail::InvalidArrayIndex_CRASH | mozilla::layers::NativeLayerRootCA::SetWindowIsFullscreen ]

I think this is a regression of bug 1653417 which introduces https://searchfox.org/mozilla-central/rev/4f9bbbe5487da6d1c3680488e016f7bb0cbaa128/gfx/layers/NativeLayerCA.mm#541. Seems like someone changes mSublayers (maybe from a different thread?) while we iterate it.

Hi Brad, is this something that would be also fixed by bug 1731956 which adds a mutex lock in https://searchfox.org/mozilla-central/rev/4f9bbbe5487da6d1c3680488e016f7bb0cbaa128/gfx/layers/NativeLayerCA.mm#536?

Flags: needinfo?(echen) → needinfo?(bwerth)

(In reply to Edgar Chen [:edgar] from comment #5)

> I think this is a regression of bug 1653417 which introduces https://searchfox.org/mozilla-central/rev/4f9bbbe5487da6d1c3680488e016f7bb0cbaa128/gfx/layers/NativeLayerCA.mm#541. Seems like someone changes mSublayers (maybe from a different thread?) while we iterate it.
>
> Hi Brad, is this something that would be also fixed by bug 1731956 which adds a mutex lock in https://searchfox.org/mozilla-central/rev/4f9bbbe5487da6d1c3680488e016f7bb0cbaa128/gfx/layers/NativeLayerCA.mm#536?

Yes, Bug 1731956 and Bug 1736446 should have resolved this. I've been keeping an eye on the crash signature to ensure that it's not reoccurring.

Flags: needinfo?(bwerth)
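Comments 5 and 6 above describe the bug as mSublayers being changed while SetWindowIsFullscreen() iterates it, resolved by taking a mutex; the 0xe5e5e5e5e5e5e5e5 in rbx at the crashing frame is the fill pattern Firefox's allocator writes over freed memory, which is why a read through a stale iterator shows up as a poison value. The following is an added illustration written for this page, not code from mozilla-central: the racy iteration beside the lock-protected form, plus a two-thread stress that checks the protected form stays consistent. NativeLayer, NativeLayerRoot and StressFullscreenToggle are hypothetical stand-ins whose names only mirror the stack trace.

```cpp
// Added illustration for this bug, not mozilla-central code: NativeLayerRoot and
// NativeLayer are hypothetical stand-ins named after the frames in the crash.
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

struct NativeLayer {
  bool windowIsFullscreen = false;  // only touched while holding the root's mutex
};

class NativeLayerRoot {
 public:
  // Racy form (the pattern behind the crash): the loop walks mSublayers with no
  // lock, so a concurrent Append/Remove on another thread can reallocate or free
  // the storage under it, and the stale iterator then reads freed memory.
  void SetWindowIsFullscreenUnlocked(bool aFullscreen) {
    mWindowIsFullscreen = aFullscreen;
    for (auto& layer : mSublayers) {
      layer->windowIsFullscreen = aFullscreen;
    }
  }

  // Hardened form: every reader and writer of mSublayers takes the same mutex,
  // so the vector cannot change underneath the loop.
  void SetWindowIsFullscreen(bool aFullscreen) {
    std::lock_guard<std::mutex> lock(mMutex);
    mWindowIsFullscreen = aFullscreen;
    for (auto& layer : mSublayers) {
      layer->windowIsFullscreen = aFullscreen;
    }
  }

  void AppendSublayer() {
    std::lock_guard<std::mutex> lock(mMutex);
    auto layer = std::make_shared<NativeLayer>();
    layer->windowIsFullscreen = mWindowIsFullscreen;  // new layer inherits state
    mSublayers.push_back(std::move(layer));
  }

  void RemoveAllSublayers() {
    std::lock_guard<std::mutex> lock(mMutex);
    mSublayers.clear();
  }

  // True when every surviving sublayer agrees with the root's fullscreen state.
  bool AllSublayersConsistent() {
    std::lock_guard<std::mutex> lock(mMutex);
    for (const auto& layer : mSublayers) {
      if (layer->windowIsFullscreen != mWindowIsFullscreen) return false;
    }
    return true;
  }

 private:
  std::mutex mMutex;
  bool mWindowIsFullscreen = false;
  std::vector<std::shared_ptr<NativeLayer>> mSublayers;
};

// Stress the hardened path: one thread toggles fullscreen while another churns
// the sublayer list. With the lock held on both sides the end state is
// consistent however the threads interleave; returns false on any mismatch.
bool StressFullscreenToggle(int aIterations) {
  NativeLayerRoot root;
  std::thread toggler([&] {
    for (int i = 0; i < aIterations; ++i) root.SetWindowIsFullscreen(i % 2 == 0);
  });
  std::thread churner([&] {
    for (int i = 0; i < aIterations; ++i) {
      root.AppendSublayer();
      if (i % 8 == 7) root.RemoveAllSublayers();
    }
  });
  toggler.join();
  churner.join();
  return root.AllSublayersConsistent();
}
```

Calling SetWindowIsFullscreenUnlocked() from the same stress would be undefined behaviour, which is exactly the crash class the bug records; it is kept only to show the shape of the pre-fix loop.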

Thanks! Close per comment 6.

Status: NEW → RESOLVED
Closed: 3 years ago
Component: DOM: Core & HTML → Graphics
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main95+]
Whiteboard: [adv-main95+] → [adv-main95+r]
Alias: CVE-2021-4128
Group: core-security-release