Windows 32-bit WOFF2 Crash [@ moz_wasm2c_trap_handler]
Categories
(Core :: Security: RLBox, defect)
Tracking
()
People
(Reporter: bholley, Assigned: shravanrn)
References
Details
Crash Data
Attachments
(1 file)
|
48 bytes,
text/x-phabricator-request
|
diannaS
:
approval-mozilla-beta+
|
Details | Review |
Forked off of bug 1744460 comment 19.
(In reply to Bogdan Maris [:bogdan_maris], Release Desktop QA from comment #19)
I reproduced the crash with the signature reported here [@ w2c_memset] using old Nightly build https://crash-stats.mozilla.org/report/index/6f90c406-ce87-4bc5-94f8-99e9a0211221.
Using latest Nightly (97.0a1) and Beta (96.0b7) builds I still get a crash using steps from comment 0 but with a different crash signature [@ moz_wasm2c_trap_handler], not sure if they are related or not. Shravanrn could you please take a look at these crashes?https://crash-stats.mozilla.org/report/index/1ac73c92-cb61-4c29-b9a3-cd0070211221 - Nightly
https://crash-stats.mozilla.org/report/index/ee216d5b-9c20-4455-8227-bcb8f0211221 - Beta
|
Reporter | |
Updated•3 years ago
|
|
|
Reporter | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 1•3 years ago
|
||
The source of the issue is a malloc that fails inside woff2 sandboxed code. The malloc result inside woff2 is not checked and so further memory ops (performed on offsets on this null pointer) corrupt the insides of the sandbox. So, we need to be more generous with the sizing of the woff2 sandbox
We are currently setting the size to 1.33 * (aLength + expectedSize)
When using 2* (aLength + expectedSize) and the sandbox memory appears sufficient for this use case.
I'll submit a patch with this fix shortly
We have added a crash reporter annotation that tracks this, so this is an easy way to see if this bug occurs again going forward
https://searchfox.org/mozilla-central/source/config/external/rlbox_wasm2c_sandbox/rlbox_wasm2c_thread_locals.cpp#39
One orthogonal issue here is that this crash only appears on builds from try, and not local builds. I am not immediately sure why this is the case. But somehow the inference from these behaviors is that malloc is somehow different on local builds and try builds. The sandboxed code uses dlmalloc to implement its memory allocation on a pool of memory, so this should not be inconsistent across the two builds.
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 2•3 years ago
|
||
|
||
Comment 4•3 years ago
|
||
| bugherder | ||
|
|
Reporter | |
Comment 5•3 years ago
|
||
Comment on attachment 9256894 [details]
Bug 1747586 - Increase woff2 rlbox sbx size to prevent win32 crash r=bholley
Beta/Release Uplift Approval Request
- User impact if declined: Crashes.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Extremely low-risk patch. Just bumps a pre-existing safety margin from 1.3x to 2x to eliminate some edge-case OOMs.
- String changes made/needed:
|
||
Comment 6•3 years ago
|
||
I'm not getting the crash anymore with the latest Nightly 97.0a1 from treeherder.
|
||
Comment 7•3 years ago
|
||
Comment on attachment 9256894 [details]
Bug 1747586 - Increase woff2 rlbox sbx size to prevent win32 crash r=bholley
Approved for 96.0b10
|
|
||
Comment 8•3 years ago
|
||
| bugherder uplift | ||
|
||
Updated•3 years ago
|
|
|
||
Comment 9•3 years ago
|
||
Also verified that this is fixed using 96.0b10, no crashes recorded.
Description
•