Closed Bug 1770832 Opened 3 years ago Closed 3 years ago

Intermittent docshell/test/unit/test_privacy_transition.js | application crashed [@ _platform_memchr$VARIANT$Haswell + 0x1d]

Categories

(Core :: Layout: Text and Fonts, defect)


Tracking


RESOLVED FIXED
102 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox100 --- unaffected
firefox101 --- unaffected
firefox102 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: jfkthame)

References

(Regression)


Filed by: imoraru [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=379009754&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/PqeyOPynQmeywljkQHAsJg/runs/0/artifacts/public/logs/live_backing.log


[task 2022-05-23T19:12:04.862Z] 19:12:04     INFO -  TEST-START | docshell/test/unit/test_privacy_transition.js
[task 2022-05-23T19:12:05.239Z] 19:12:05  WARNING -  TEST-UNEXPECTED-FAIL | docshell/test/unit/test_privacy_transition.js | xpcshell return code: 1
[task 2022-05-23T19:12:05.239Z] 19:12:05     INFO -  TEST-INFO took 376ms
[task 2022-05-23T19:12:05.239Z] 19:12:05     INFO -  >>>>>>>
[task 2022-05-23T19:12:05.240Z] 19:12:05     INFO -  PID 6857 | [Parent 6857, Main Thread] WARNING: Couldn't get the user appdata directory. Crash events may not be produced.: file /builds/worker/checkouts/gecko/toolkit/crashreporter/nsExceptionHandler.cpp:2981
[task 2022-05-23T19:12:05.240Z] 19:12:05     INFO -  (xpcshell/head.js) | test MAIN run_test pending (1)
[task 2022-05-23T19:12:05.240Z] 19:12:05     INFO -  TEST-PASS | docshell/test/unit/test_privacy_transition.js | run_test - [run_test : 20] 2 == 2
[task 2022-05-23T19:12:05.240Z] 19:12:05     INFO -  (xpcshell/head.js) | test MAIN run_test finished (1)
[task 2022-05-23T19:12:05.240Z] 19:12:05     INFO -  exiting test
[task 2022-05-23T19:12:05.241Z] 19:12:05     INFO -  PID 6857 | Couldn't convert chrome URL: chrome://branding/locale/brand.properties
[task 2022-05-23T19:12:05.241Z] 19:12:05     INFO -  PID 6857 | [Parent 6857, Main Thread] WARNING: Could not get the program name for a cubeb stream.: 'NS_SUCCEEDED(rv)', file /builds/worker/checkouts/gecko/dom/media/CubebUtils.cpp:413
[task 2022-05-23T19:12:05.241Z] 19:12:05     INFO -  "CONSOLE_MESSAGE: (info) No chrome package registered for chrome://branding/locale/brand.properties"
[task 2022-05-23T19:12:05.242Z] 19:12:05     INFO -  PID 6857 | GL_VENDOR: Intel Inc.
[task 2022-05-23T19:12:05.242Z] 19:12:05     INFO -  PID 6857 | mVendor: Intel
[task 2022-05-23T19:12:05.242Z] 19:12:05     INFO -  PID 6857 | GL_RENDERER: Intel(R) UHD Graphics 630
[task 2022-05-23T19:12:05.242Z] 19:12:05     INFO -  PID 6857 | mRenderer: Unknown
[task 2022-05-23T19:12:05.242Z] 19:12:05     INFO -  PID 6857 | mIsMesa: 0
[task 2022-05-23T19:12:05.243Z] 19:12:05     INFO -  PID 6857 | [Parent 6857, Main Thread] WARNING: NS_ENSURE_TRUE(currentInner) failed: file /builds/worker/checkouts/gecko/dom/base/WindowDestroyedEvent.cpp:113
[task 2022-05-23T19:12:05.243Z] 19:12:05     INFO -  PID 6857 | [Parent 6857, Main Thread] WARNING: Extra shutdown CC: 'i < NORMAL_SHUTDOWN_COLLECTIONS', file /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3359
[task 2022-05-23T19:12:05.243Z] 19:12:05     INFO -  <<<<<<<
[task 2022-05-23T19:12:07.375Z] 19:12:07  WARNING -  PROCESS-CRASH | docshell/test/unit/test_privacy_transition.js | application crashed [@ _platform_memchr$VARIANT$Haswell + 0x1d]
[task 2022-05-23T19:12:07.375Z] 19:12:07     INFO -  Crash dump filename: /var/folders/d2/5tp6gfw54cx77ys65797tmv8000014/T/xpc-other-b0o5_jeb/FB2FBE99-F15F-49B4-AA57-03882C178E34.dmp
[task 2022-05-23T19:12:07.375Z] 19:12:07     INFO -  Operating system: Mac OS X
[task 2022-05-23T19:12:07.375Z] 19:12:07     INFO -                    10.15.7 19H524
[task 2022-05-23T19:12:07.375Z] 19:12:07     INFO -  CPU: amd64
[task 2022-05-23T19:12:07.376Z] 19:12:07     INFO -       family 6 model 158 stepping 10
[task 2022-05-23T19:12:07.376Z] 19:12:07     INFO -       12 CPUs
[task 2022-05-23T19:12:07.376Z] 19:12:07     INFO -  Crash reason:  EXC_BAD_ACCESS / EXC_I386_GPFLT
[task 2022-05-23T19:12:07.376Z] 19:12:07     INFO -  Crash address: 0x0
[task 2022-05-23T19:12:07.376Z] 19:12:07     INFO -  Mac Crash Info:
[task 2022-05-23T19:12:07.377Z] 19:12:07     INFO -  Process uptime: 1 seconds
[task 2022-05-23T19:12:07.377Z] 19:12:07     INFO -  Thread 8 InitFontList (crashed)
[task 2022-05-23T19:12:07.377Z] 19:12:07     INFO -   0  libsystem_platform.dylib!_platform_memchr$VARIANT$Haswell + 0x1d
[task 2022-05-23T19:12:07.377Z] 19:12:07     INFO -       rax = 0x00000000e5e5e5e5    rdx = 0x00000000e5e5e5e5
[task 2022-05-23T19:12:07.378Z] 19:12:07     INFO -       rcx = 0x0000000000000025    rbx = 0xe5e5e5e5e5e5e5e5
[task 2022-05-23T19:12:07.378Z] 19:12:07     INFO -       rsi = 0x000000000000003a    rdi = 0xe5e5e5e5e5e5e5c0
[task 2022-05-23T19:12:07.378Z] 19:12:07     INFO -       rbp = 0x00007000119598d0    rsp = 0x00007000119598d0
[task 2022-05-23T19:12:07.378Z] 19:12:07     INFO -        r8 = 0x0000000000000006     r9 = 0x0000000000000000
[task 2022-05-23T19:12:07.378Z] 19:12:07     INFO -       r10 = 0x000000010ae15300    r11 = 0xffffffffeb6b0834
[task 2022-05-23T19:12:07.379Z] 19:12:07     INFO -       r12 = 0x0000700011959a20    r13 = 0x00007000119599c0
[task 2022-05-23T19:12:07.379Z] 19:12:07     INFO -       r14 = 0x000000011f4e2268    r15 = 0x0000700011959ba0
[task 2022-05-23T19:12:07.379Z] 19:12:07     INFO -       rip = 0x00007fff73d901bd
[task 2022-05-23T19:12:07.379Z] 19:12:07     INFO -      Found by: given as instruction pointer in context
[task 2022-05-23T19:12:07.379Z] 19:12:07     INFO -   1  0x7000119598ef
[task 2022-05-23T19:12:07.380Z] 19:12:07     INFO -       rbx = 0xe5e5e5e5e5e5e5e5    rbp = 0x00007000119598d0
[task 2022-05-23T19:12:07.380Z] 19:12:07     INFO -       rsp = 0x00007000119598d8    r12 = 0x0000700011959a20
[task 2022-05-23T19:12:07.380Z] 19:12:07     INFO -       r13 = 0x00007000119599c0    r14 = 0x000000011f4e2268
[task 2022-05-23T19:12:07.380Z] 19:12:07     INFO -       r15 = 0x0000700011959ba0    rip = 0x00007000119598f0
[task 2022-05-23T19:12:07.381Z] 19:12:07     INFO -      Found by: call frame info
[task 2022-05-23T19:12:07.381Z] 19:12:07     INFO -   2  XUL!mozilla::detail::nsTStringRepr<char>::FindChar(char, unsigned long) const [nsTSubstring.cpp:9c02215258911eb4b5d040dc9a2f588c28b0cf63 : 1063 + 0x14]
[task 2022-05-23T19:12:07.381Z] 19:12:07     INFO -       rbp = 0x00007000119598f0    rsp = 0x00007000119598e0
[task 2022-05-23T19:12:07.381Z] 19:12:07     INFO -       rip = 0x000000010c47fa03
[task 2022-05-23T19:12:07.382Z] 19:12:07     INFO -      Found by: previous frame's frame pointer
[task 2022-05-23T19:12:07.382Z] 19:12:07     INFO -   3  XUL!gfxMacPlatformFontList::InitAliasesForSingleFaceList() [gfxMacPlatformFontList.mm:9c02215258911eb4b5d040dc9a2f588c28b0cf63 : 1243 + 0xe]
[task 2022-05-23T19:12:07.382Z] 19:12:07     INFO -       rbx = 0x0000000000000730    rbp = 0x0000700011959ab0
[task 2022-05-23T19:12:07.382Z] 19:12:07     INFO -       rsp = 0x0000700011959900    rip = 0x000000010d66d8fd
[task 2022-05-23T19:12:07.383Z] 19:12:07     INFO -      Found by: call frame info
[task 2022-05-23T19:12:07.383Z] 19:12:07     INFO -   4  XUL!gfxMacPlatformFontList::InitSharedFontListForPlatform() [gfxMacPlatformFontList.mm:9c02215258911eb4b5d040dc9a2f588c28b0cf63 : 1228 + 0x4]
[task 2022-05-23T19:12:07.383Z] 19:12:07     INFO -       rbx = 0x0000000000000730    rbp = 0x0000700011959d90
[task 2022-05-23T19:12:07.383Z] 19:12:07     INFO -       rsp = 0x0000700011959ac0    r12 = 0x0000000000000001
[task 2022-05-23T19:12:07.384Z] 19:12:07     INFO -       r13 = 0x0000700011959cc0    r14 = 0x0000700011959bb0
[task 2022-05-23T19:12:07.384Z] 19:12:07     INFO -       r15 = 0x0000700011959ba0    rip = 0x000000010d66d686
[task 2022-05-23T19:12:07.384Z] 19:12:07     INFO -      Found by: call frame info
[task 2022-05-23T19:12:07.384Z] 19:12:07     INFO -   5  XUL!gfxPlatformFontList::InitFontList() [gfxPlatformFontList.cpp:9c02215258911eb4b5d040dc9a2f588c28b0cf63 : 563 + 0xc]
[task 2022-05-23T19:12:07.385Z] 19:12:07     INFO -       rbx = 0x000000011f4dc620    rbp = 0x0000700011959f40
[task 2022-05-23T19:12:07.385Z] 19:12:07     INFO -       rsp = 0x0000700011959da0    r12 = 0x000000011f4db000
[task 2022-05-23T19:12:07.385Z] 19:12:07     INFO -       r13 = 0x0000000000000000    r14 = 0x000000011624bff4
[task 2022-05-23T19:12:07.385Z] 19:12:07     INFO -       r15 = 0x0000000000000000    rip = 0x000000010d62bbe2
[task 2022-05-23T19:12:07.386Z] 19:12:07     INFO -      Found by: call frame info
[task 2022-05-23T19:12:07.386Z] 19:12:07     INFO -   6  XUL!InitFontListCallback(void*) [gfxPlatformFontList.cpp:9c02215258911eb4b5d040dc9a2f588c28b0cf63 : 242 + 0x7]
[task 2022-05-23T19:12:07.386Z] 19:12:07     INFO -       rbx = 0x000000011f4db000    rbp = 0x0000700011959f70
[task 2022-05-23T19:12:07.386Z] 19:12:07     INFO -       rsp = 0x0000700011959f50    r12 = 0x000000010ae7d670
[task 2022-05-23T19:12:07.387Z] 19:12:07     INFO -       r13 = 0x0000000000000000    r14 = 0x000000011624bff4
[task 2022-05-23T19:12:07.387Z] 19:12:07     INFO -       r15 = 0x0000000000000002    rip = 0x000000010d62b683
[task 2022-05-23T19:12:07.387Z] 19:12:07     INFO -      Found by: call frame info
[task 2022-05-23T19:12:07.387Z] 19:12:07     INFO -   7  libnss3.dylib!_pt_root [ptthread.c:9c02215258911eb4b5d040dc9a2f588c28b0cf63 : 201 + 0x9]
[task 2022-05-23T19:12:07.388Z] 19:12:07     INFO -       rbx = 0x000070001195a000    rbp = 0x0000700011959fb0
[task 2022-05-23T19:12:07.388Z] 19:12:07     INFO -       rsp = 0x0000700011959f80    r12 = 0x000000010ae7d670
[task 2022-05-23T19:12:07.388Z] 19:12:07     INFO -       r13 = 0x0000000000000000    r14 = 0x000070001195a000
[task 2022-05-23T19:12:07.388Z] 19:12:07     INFO -       r15 = 0x0000000000000002    rip = 0x000000010a9795a9
[task 2022-05-23T19:12:07.389Z] 19:12:07     INFO -      Found by: call frame info
[task 2022-05-23T19:12:07.389Z] 19:12:07     INFO -   8  libsystem_pthread.dylib!_pthread_start + 0x93
[task 2022-05-23T19:12:07.389Z] 19:12:07     INFO -       rbx = 0x000070001195a000    rbp = 0x0000700011959fd0
[task 2022-05-23T19:12:07.389Z] 19:12:07     INFO -       rsp = 0x0000700011959fc0    r12 = 0x0000000000000000
[task 2022-05-23T19:12:07.389Z] 19:12:07     INFO -       r13 = 0x0000000000000000    r14 = 0x0000000000000000
[task 2022-05-23T19:12:07.390Z] 19:12:07     INFO -       r15 = 0x0000000000000000    rip = 0x00007fff73d9e109
[task 2022-05-23T19:12:07.390Z] 19:12:07     INFO -      Found by: call frame info
[task 2022-05-23T19:12:07.390Z] 19:12:07     INFO -   9  libsystem_pthread.dylib!thread_start + 0xe
[task 2022-05-23T19:12:07.390Z] 19:12:07     INFO -       rbx = 0x0000000000000000    rbp = 0x0000700011959ff0
[task 2022-05-23T19:12:07.391Z] 19:12:07     INFO -       rsp = 0x0000700011959fe0    r12 = 0x0000000000000000
[task 2022-05-23T19:12:07.391Z] 19:12:07     INFO -       r13 = 0x0000000000000000    r14 = 0x0000000000000000
[task 2022-05-23T19:12:07.391Z] 19:12:07     INFO -       r15 = 0x0000000000000000    rip = 0x00007fff73d99b8b
[task 2022-05-23T19:12:07.391Z] 19:12:07     INFO -      Found by: call frame info

Looks like a UAF in font code. I don't know if it is a dupe of some existing issue or not.

Group: core-security → layout-core-security
Component: DOM: Navigation → Layout: Text and Fonts

Set release status flags based on info from the regressing bug 1770290

Oh, I see... the patch that landed in bug 1770290 was not 100% sufficient to fix the issue, because the gfxMacPlatformFontList derived class will destroy its additional members before the base-class destructor runs and therefore before that patch has a chance to protect us. So it's still possible for an immediate shutdown to pull the rug out from under the InitFontList thread.

For a robust fix, we need the protection in the derived-class destructor, not just the ~gfxPlatformFontList base.

(Although this is currently a Mac-only issue, as that's the only platform where we run the InitFontList thread, we should fix all the platform subclasses so as to avoid running into this on other platforms if future changes introduce the use of an InitFontList thread there as well.)

Rather than explicitly joining the thread, let's fix this by requiring the destructor to hold the font-list mutex; as the InitFontList thread claims the mutex while it's running, that will ensure we block until it has finished.

Flags: needinfo?(jfkthame)
Assignee: nobody → jfkthame
Status: NEW → ASSIGNED
Has Regression Range: --- → yes
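The destruction-order problem and the mutex-based fix described in the comment above, as an added C++ model that is not Gecko's code: PlatformFontList, MacFontListBefore, MacFontListFixed, FaceTable and ShutdownIsSafe are hypothetical stand-ins. It assumes the init thread holds the font-list mutex for its whole run, and FaceTable's destructor flips a flag to stand in for the freed memory rather than actually reading it after free.

```cpp
#include <atomic>
#include <chrono>
#include <memory>
#include <mutex>
#include <thread>

// Hypothetical model of the bug (not Gecko's code): the init thread holds the
// font-list mutex for its whole run, and the derived class owns the data it uses.
using Flag = std::shared_ptr<std::atomic<bool>>;

struct FaceTable {  // stands in for the derived class's members
  Flag alive;
  explicit FaceTable(Flag f) : alive(f) { *alive = true; }
  ~FaceTable() { *alive = false; }  // models the member memory being freed
};

class PlatformFontList {
 public:
  virtual ~PlatformFontList() {
    std::lock_guard<std::mutex> lock(mLock);  // the bug 1770290 base-class guard
  }
  // Starts the init thread and returns once it holds the mutex; `sawLiveData`
  // records whether the derived data was still alive when the thread used it.
  void StartInitThread(Flag alive, Flag sawLiveData) {
    Flag started = std::make_shared<std::atomic<bool>>(false);
    std::thread([this, alive, sawLiveData, started] {
      std::lock_guard<std::mutex> lock(mLock);  // held for the whole init
      *started = true;
      std::this_thread::sleep_for(std::chrono::milliseconds(100));
      *sawLiveData = alive->load();  // the "use" of the derived members
    }).detach();
    while (!*started) std::this_thread::yield();
  }
 protected:
  std::mutex mLock;
};
// Before the fix: derived members are destroyed before the base dtor locks.
struct MacFontListBefore : PlatformFontList {
  explicit MacFontListBefore(Flag f) : mFaces(f) {}
  FaceTable mFaces;
};
// After the fix: the derived dtor blocks on the mutex before its members die.
struct MacFontListFixed : PlatformFontList {
  explicit MacFontListFixed(Flag f) : mFaces(f) {}
  ~MacFontListFixed() override { std::lock_guard<std::mutex> lock(mLock); }
  FaceTable mFaces;
};
// Returns true if the init thread still saw live derived data at shutdown.
template <class FontList> bool ShutdownIsSafe() {
  Flag alive = std::make_shared<std::atomic<bool>>(false);
  Flag saw = std::make_shared<std::atomic<bool>>(false);
  auto* list = new FontList(alive);
  list->StartInitThread(alive, saw);
  delete list;  // immediate shutdown while the init thread is still running
  return saw->load();
}
```

ShutdownIsSafe<MacFontListBefore>() reports the init thread observing already-freed data (the model of the 0xe5e5e5e5 poison seen in the crash), while ShutdownIsSafe<MacFontListFixed>() blocks in the derived destructor until the thread is done.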

Ensure the destructor of the platform-specific derived fontlist class blocks until the mutex is available. r=lsalzman
https://hg.mozilla.org/integration/autoland/rev/403158c151080af071fb66f1abcd1cf137bf3a19
https://hg.mozilla.org/mozilla-central/rev/403158c15108

Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release