[macOS 13] Crashes [@ _platform_strlen | IsThisUrlOrRealPath ] on com.apple.TextToSpeech.SpeechThread
Categories: Core :: Web Speech, defect
People: Reporter smichaud, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash; Whiteboard: STR in comment #21
Attachments: 1 file
Crashing Thread (102), Name: com.apple.TextToSpeech.SpeechThread
Frame Module Signature Source Trust
0 libsystem_platform.dylib _platform_strlen context
1 None @0x000070000da90f9f cfi
2 TextToSpeechMauiSupport IsThisUrlOrRealPath frame_pointer
3 TextToSpeechMauiSupport ve_ttsResourceLoad cfi
4 TextToSpeechMauiSupport -[TTSMauiVocalizer _ttsVocalizerReallyLoadResource:rules:resource:supportsAccurateWordCallbacks:resourceIdentifier:] cfi
5 TextToSpeechBundleSupport -[TTSVocalizer _ttsVocalizerLoadProgrammaticRules:forTests:] cfi
6 TextToSpeechBundleSupport -[TTSSpeechServerInstance _initializeSpeechEngine:] cfi
7 TextToSpeechBundleSupport -[TTSSpeechServerInstance _initializeSpeech:] cfi
8 TextToSpeechBundleSupport -[TTSSpeechServerInstance _processCurrentRequest:] cfi
9 TextToSpeechBundleSupport -[TTSSpeechServerInstance _handleSpeechThread] cfi
10 TextToSpeechBundleSupport _SpeechThread cfi
11 libsystem_pthread.dylib _pthread_start cfi
12 libsystem_pthread.dylib thread_start cfi
bp-b165a494-a375-4eba-850f-d55b60220716
These are mostly on Apple Silicon. They happen on all the macOS 13 betas released so far, but have increased substantially on build 22A5295i (Beta 3 Update, the latest).
These are almost certainly an Apple bug. It's only for convenience that I'm filing this bug under Disability Access.
Comment 1•2 years ago (Reporter)
Comment 2•2 years ago (Reporter)
> These are almost certainly an Apple bug.
I'm no longer so sure. Here's the main thread's stack from bp-b165a494-a375-4eba-850f-d55b60220716 above. It looks like SpeechTaskCallback::~SpeechTaskCallback() is being called prematurely.
Thread 0, Name: MainThread
Frame Module Signature Source
0 libsystem_kernel.dylib mach_msg2_trap None
1 libsystem_kernel.dylib mach_msg2_internal None
2 libsystem_kernel.dylib mach_msg_overwrite None
3 libsystem_kernel.dylib mach_msg None
4 CoreFoundation __CFRunLoopServiceMachPort None
5 CoreFoundation __CFRunLoopRun None
6 CoreFoundation CFRunLoopRunSpecific None
7 TextToSpeechBundleSupport -[TTSSpeechServerInstance dealloc] None
8 TextToSpeech TTSSpeechUnitTestingMode None
9 SpeechSynthesis -[BFSpeechChannel .cxx_destruct] None
10 libobjc.A.dylib object_cxxDestructFromClass(objc_object*, objc_class*) None
11 libobjc.A.dylib objc_destructInstance None
12 libobjc.A.dylib _objc_rootDealloc None
13 SpeechSynthesis -[BabelFish killChannel:] None
14 SpeechSynthesis BFDisposeSpeechChannel(SpeechChannelRecord*) None
15 AppKit -[NSSpeechSynthesizerVars dealloc] None
16 AppKit -[NSSpeechSynthesizer dealloc] None
17 XUL SpeechTaskCallback::~SpeechTaskCallback() dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.mm:115
18 XUL SpeechTaskCallback::cycleCollection::DeleteCycleCollectable(void*) dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.mm:40
19 XUL void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) xpcom/base/nsCycleCollector.cpp:954
20 XUL nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) xpcom/base/nsCycleCollector.cpp:2612
21 XUL AsyncFreeSnowWhite::Run() js/xpconnect/src/XPCJSRuntime.cpp:150
22 XUL IdleRunnableWrapper::Run() xpcom/threads/nsThreadUtils.cpp:309
23 XUL mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:788
24 XUL NS_ProcessPendingEvents(nsIThread*, unsigned int) xpcom/threads/nsThreadUtils.cpp:430
25 XUL nsAppShell::ProcessGeckoEvents(void*) widget/cocoa/nsAppShell.mm:508
26 CoreFoundation __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ None
27 CoreFoundation __CFRunLoopDoSource0 None
28 CoreFoundation __CFRunLoopDoSources0 None
29 CoreFoundation __CFRunLoopRun None
30 CoreFoundation CFRunLoopRunSpecific None
31 HIToolbox RunCurrentEventLoopInMode None
32 HIToolbox ReceiveNextEventCommon None
33 HIToolbox _BlockUntilNextEventMatchingListInModeWithFilter None
34 AppKit _DPSNextEvent None
35 AppKit -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] None
36 XUL -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] widget/cocoa/nsAppShell.mm:174
37 AppKit -[NSApplication run] None
38 XUL nsAppShell::Run() widget/cocoa/nsAppShell.mm:800
39 XUL nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:295
40 XUL XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:5746
41 XUL XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5940
42 XUL XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:6004
43 firefox main browser/app/nsBrowserApp.cpp:406
Comment 3•2 years ago (Reporter)
Unlike macOS 13, macOS 12.5 doesn't have any "SpeechThread". So I suspect what takes place on the com.apple.TextToSpeech.SpeechThread in macOS 13 used to take place on the main thread in prior versions of macOS. This could explain why these crashes don't happen on those prior versions.
Something similar is happening at bug 1777889.
Updated•2 years ago (Reporter)
Comment 4•2 years ago (Reporter)
For what it's worth, here's a speech synthesis demo that works in Firefox. I don't crash with it on macOS 13, even with fairly long texts.
Comment 5•2 years ago (Reporter)
And yes, that demo exercises the code where this bug's crashes happen. I tested with a local build (mozilla-central, current) in lldb (./mach run --debug).
Comment 6•2 years ago (Reporter)
It'd be interesting to see if these crashes are associated with particular URLs. I don't have the permissions to check for myself.
Comment hidden (obsolete)
Comment 8•2 years ago (Reporter)
For what it's worth, I see the following errors (in Terminal) with a (mozilla-central) local build, made and run on macOS 13, using the speech synthesis demo from comment #4. I don't see them with a local build made and run on macOS 12.5.
2022-07-23 21:33:30.505 firefox[686:6749] NSSpeechSynthesizer: [NSSpeechSynthesizer _setupCallbacks] - NSSpeechSynthesizer: Error setting soSyncCallBack
2022-07-23 21:33:30.505 firefox[686:6749] NSSpeechSynthesizer: [NSSpeechSynthesizer _setupCallbacks] - NSSpeechSynthesizer: Error setting soPhonemeCallBack
Comment 9•2 years ago (Reporter)
Makoto, I'm NI-ing you here because you created the macOS backend for WebSpeech synthesis (in bug 1003452), and seem best-placed to deal with this bug.
Updated•2 years ago
Comment 10•2 years ago (Reporter)
Here are a couple more non-corrupted main thread stacks, from two (rare) instances of this bug's crashes on AMD64 hardware:
bp-5a829a93-7285-4990-8671-33fe50220726
Thread 0, Name: MainThread
Frame Module Signature Source
0 libsystem_kernel.dylib __psynch_mutexwait None
1 libsystem_pthread.dylib _pthread_mutex_firstfit_lock_wait None
2 libsystem_pthread.dylib _pthread_mutex_firstfit_lock_slow None
3 TextToSpeechBundleSupport -[TTSSpeechServerInstance getSpeechIsActiveForRequest:reply:] None
4 TextToSpeech _TTSNameForVoiceInformation None
5 TextToSpeech TTSSpeechUnitTestingMode None
6 libdispatch.dylib _dispatch_client_callout None
7 libdispatch.dylib _dispatch_lane_barrier_sync_invoke_and_complete None
8 TextToSpeech TTSSpeechUnitTestingMode None
9 SpeechSynthesis __31-[BFSpeechChannel speechActive]_block_invoke None
10 libdispatch.dylib _dispatch_client_callout None
11 libdispatch.dylib _dispatch_lane_barrier_sync_invoke_and_complete None
12 SpeechSynthesis -[BFSpeechChannel speechActive] None
13 SpeechSynthesis invocation function for block in BFCopySpeechProperty(SpeechChannelRecord*, __CFString const*, void const**) None
14 SpeechSynthesis -[BabelFish performForChannel:block:] None
15 SpeechSynthesis BFCopySpeechProperty(SpeechChannelRecord*, __CFString const*, void const**) None
16 SpeechSynthesis BFGetSpeechInfo(SpeechChannelRecord*, __CFString const*, void*) None
17 SpeechSynthesis GetSpeechInfo None
18 AppKit -[NSSpeechSynthesizer isSpeaking] None
19 AppKit -[NSSpeechSynthesizer stopSpeaking] None
20 XUL SpeechTaskCallback::OnCancel() dom/media/webspeech/synth/cocoa/OSXSpeechSynthesizerService.mm:122
21 XUL mozilla::dom::nsSpeechTask::Cancel() dom/media/webspeech/synth/nsSpeechTask.cpp:305
22 XUL mozilla::dom::SpeechSynthesisRequestParent::RecvCancel() dom/media/webspeech/synth/ipc/SpeechSynthesisParent.cpp:99
23 XUL mozilla::dom::PSpeechSynthesisRequestParent::OnMessageReceived(IPC::Message const&) ipc/ipdl/PSpeechSynthesisRequestParent.cpp:415
24 XUL mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) ipc/ipdl/PContentParent.cpp:6618
25 XUL mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1604
26 XUL mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) xpcom/threads/TaskController.cpp:788
27 XUL NS_ProcessPendingEvents(nsIThread*, unsigned int) xpcom/threads/nsThreadUtils.cpp:430
28 XUL nsAppShell::ProcessGeckoEvents(void*) widget/cocoa/nsAppShell.mm:508
29 CoreFoundation __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ None
30 CoreFoundation __CFRunLoopDoSource0 None
31 CoreFoundation __CFRunLoopDoSources0 None
32 CoreFoundation __CFRunLoopRun None
33 CoreFoundation CFRunLoopRunSpecific None
34 HIToolbox RunCurrentEventLoopInMode None
35 HIToolbox ReceiveNextEventCommon None
36 HIToolbox _BlockUntilNextEventMatchingListInModeWithFilter None
37 AppKit _DPSNextEvent None
38 AppKit -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] None
39 XUL -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] widget/cocoa/nsAppShell.mm:174
40 AppKit -[NSApplication run] None
41 XUL nsAppShell::Run() widget/cocoa/nsAppShell.mm:800
42 XUL nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:295
43 XUL XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:5746
44 XUL XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5940
45 XUL XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:6004
46 firefox main browser/app/nsBrowserApp.cpp:406
bp-42ac02af-d723-48b7-ae9e-fe20e0220802
Thread 0, Name: MainThread
Frame Module Signature Source
0 libsystem_kernel.dylib mach_msg2_trap None
1 libsystem_kernel.dylib mach_msg2_internal None
2 libsystem_kernel.dylib mach_msg_overwrite None
3 libsystem_kernel.dylib mach_msg None
4 CoreFoundation __CFRunLoopServiceMachPort None
5 CoreFoundation __CFRunLoopRun None
6 CoreFoundation CFRunLoopRunSpecific None
7 HIToolbox RunCurrentEventLoopInMode None
8 HIToolbox ReceiveNextEventCommon None
9 HIToolbox _BlockUntilNextEventMatchingListInModeWithFilter None
10 AppKit _DPSNextEvent None
11 AppKit -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] None
12 XUL -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] widget/cocoa/nsAppShell.mm:175
13 AppKit -[NSApplication run] None
14 XUL nsAppShell::Run() widget/cocoa/nsAppShell.mm:801
15 XUL nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:295
16 XUL XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:5748
17 XUL XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:5942
18 XUL XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:6010
19 firefox main browser/app/nsBrowserApp.cpp:406
Comment 11•2 years ago (Reporter)
If I use the speech synthesizer demo in a local ASAN Apple Silicon build, I get the following errors:
2022-08-03 11:18:34.942 firefox[74497:144372] NSSpeechSynthesizer: [NSSpeechSynthesizer _setupCallbacks] - NSSpeechSynthesizer: Error setting soSyncCallBack
2022-08-03 11:18:34.942 firefox[74497:144372] NSSpeechSynthesizer: [NSSpeechSynthesizer _setupCallbacks] - NSSpeechSynthesizer: Error setting soPhonemeCallBack
=================================================================
==74497==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x0002b81e4c89 at pc 0x000104dbfeb0 bp 0x00017e279fd0 sp 0x00017e279790
READ of size 1066122 at 0x0002b81e4c89 thread T135
#0 0x104dbfeac in wrap_strlen+0x150 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x13eac) (BuildId: 4c4c44b955553144a19fa87825077bc432000000200000000100000000000b00)
#1 0x23205c244 in IsThisUrlOrRealPath+0x30 (TextToSpeechMauiSupport:arm64+0x30244) (BuildId: 17fd69abd32f3722a9a5c579da63cb8432000000200000000100000000000d00)
#2 0x572800232498b0c (<unknown module>)
#3 0xaa2400023202f40c (<unknown module>)
#4 0xe17c00023153288c (<unknown module>)
#5 0x1a1c00023152ea78 (<unknown module>)
#6 0x453b80023152dfdc (<unknown module>)
#7 0x4e3880023152eb6c (<unknown module>)
#8 0xf31e80023152a418 (<unknown module>)
#9 0xd03b80023152b9e8 (<unknown module>)
#10 0x873b00023152a3ac (<unknown module>)
#11 0x56190001b4bd2068 (<unknown module>)
#12 0xf2f8001b4bcce28 (<unknown module>)
0x0002b81e4c89 is located 0 bytes to the right of 1066121-byte region [0x0002b80e0800,0x0002b81e4c89)
allocated by thread T135 here:
#0 0x104de98d0 in wrap_realloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x3d8d0) (BuildId: 4c4c44b955553144a19fa87825077bc432000000200000000100000000000b00)
#1 0x1b4c8b2e8 in __CFSafelyReallocate+0x1c (CoreFoundation:arm64+0x5b2e8) (BuildId: 6c5e8146bc9436f4952ad9f8133448be32000000200000000100000000000d00)
#2 0xb598001b5ba0f00 (<unknown module>)
#3 0x60260001b5b82528 (<unknown module>)
#4 0xaf6580023152e810 (<unknown module>)
#5 0x7a3880023152e9b8 (<unknown module>)
#6 0x453b80023152dfdc (<unknown module>)
#7 0x4e3880023152eb6c (<unknown module>)
#8 0xf31e80023152a418 (<unknown module>)
#9 0xd03b80023152b9e8 (<unknown module>)
#10 0x873b00023152a3ac (<unknown module>)
#11 0x56190001b4bd2068 (<unknown module>)
#12 0xf2f8001b4bcce28 (<unknown module>)
Thread T135 created by T0 here:
#0 0x104de3950 in wrap_pthread_create+0x50 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x37950) (BuildId: 4c4c44b955553144a19fa87825077bc432000000200000000100000000000b00)
#1 0x23152a34c in -[TTSSpeechServerInstance _startSpeechThread]+0x68 (TextToSpeechBundleSupport:arm64+0x1a34c) (BuildId: 41ffe099b1973b0294f4f41c4b9e1a0f32000000200000000100000000000d00)
#2 0x376e00023152a2a4 (<unknown module>)
#3 0x8a5600023152a164 (<unknown module>)
#4 0x3c778002315303c8 (<unknown module>)
#5 0xc97c0001e144e770 (<unknown module>)
#6 0xec100001e144aa64 (<unknown module>)
#7 0x88001b4a4b630 (<unknown module>)
#8 0xa62c8001b4a5ab68 (<unknown module>)
#9 0x6d648001e144a790 (<unknown module>)
#10 0x6b700001c3585a0c (<unknown module>)
#11 0x52788001b4a4b630 (<unknown module>)
#12 0x5e538001b4a5ab68 (<unknown module>)
#13 0xbf788001c358470c (<unknown module>)
#14 0xc9508001c357d154 (<unknown module>)
#15 0xb5218001c35891f0 (<unknown module>)
#16 0xf67e8001c357d0b8 (<unknown module>)
#17 0xd2300001b81e68b8 (<unknown module>)
#18 0x11800012e0a79ac (<unknown module>)
#19 0x12e094b1c in mozilla::dom::nsSynthVoiceRegistry::SpeakImpl(mozilla::dom::VoiceData*, mozilla::dom::nsSpeechTask*, nsTSubstring<char16_t> const&, float const&, float const&, float const&)+0x1e4 (XUL:arm64+0x77c4b1c) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#20 0x12e0874c4 in mozilla::dom::nsSynthVoiceRegistry::Speak(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, float const&, float const&, float const&, mozilla::dom::nsSpeechTask*)+0x59c (XUL:arm64+0x77b74c4) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#21 0x12e086efc in mozilla::dom::SpeechSynthesisParent::RecvPSpeechSynthesisRequestConstructor(mozilla::dom::PSpeechSynthesisRequestParent*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, float const&, float const&, float const&, bool const&)+0x70 (XUL:arm64+0x77b6efc) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#22 0x12e09ad10 in mozilla::dom::PSpeechSynthesisParent::OnMessageReceived(IPC::Message const&)+0x720 (XUL:arm64+0x77cad10) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#23 0x12ebe3c34 in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&)+0x1b6c (XUL:arm64+0x8313c34) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#24 0x1285f599c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)+0x158 (XUL:arm64+0x1d2599c) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#25 0x1285f2a9c in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >)+0x478 (XUL:arm64+0x1d22a9c) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#26 0x1285f3950 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&)+0x2fc (XUL:arm64+0x1d23950) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#27 0x1285f4454 in mozilla::ipc::MessageChannel::MessageTask::Run()+0x16c (XUL:arm64+0x1d24454) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#28 0x1272a6290 in mozilla::RunnableTask::Run()+0x2b4 (XUL:arm64+0x9d6290) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#29 0x12725f81c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x1184 (XUL:arm64+0x98f81c) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#30 0x12725cd8c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0xd8 (XUL:arm64+0x98cd8c) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#31 0x12725d49c in mozilla::TaskController::ProcessPendingMTTask(bool)+0x104 (XUL:arm64+0x98d49c) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#32 0x1272afe68 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run()+0x14 (XUL:arm64+0x9dfe68) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#33 0x127282078 in nsThread::ProcessNextEvent(bool, bool*)+0xcc8 (XUL:arm64+0x9b2078) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#34 0x12727bfcc in NS_ProcessPendingEvents(nsIThread*, unsigned int)+0x19c (XUL:arm64+0x9abfcc) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#35 0x12f74dbd8 in nsBaseAppShell::NativeEventCallback()+0x188 (XUL:arm64+0x8e7dbd8) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#36 0x12f859dfc in nsAppShell::ProcessGeckoEvents(void*)+0x2a4 (XUL:arm64+0x8f89dfc) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#37 0x1b4cb2e78 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x18 (CoreFoundation:arm64+0x82e78) (BuildId: 6c5e8146bc9436f4952ad9f8133448be32000000200000000100000000000d00)
#38 0x8e3c0001b4cb2e0c (<unknown module>)
#39 0xf75f8001b4cb2b7c (<unknown module>)
#40 0x80250001b4cb1780 (<unknown module>)
#41 0x74088001b4cb0ce8 (<unknown module>)
#42 0x56550001be35ba64 (<unknown module>)
#43 0xbc638001be35b8a8 (<unknown module>)
#44 0x51610001be35b5f0 (<unknown module>)
#45 0xaf5d0001b7ed90f4 (<unknown module>)
#46 0xca158001b7ed8284 (<unknown module>)
#47 0x941000012f85833c (<unknown module>)
#48 0x1b7ecc604 in -[NSApplication run]+0x1cc (AppKit:arm64+0x2c604) (BuildId: 06a6506428203ce9b6a6df51517562a132000000200000000100000000000d00)
#49 0x8a5100012f85add0 (<unknown module>)
#50 0x132d4e074 in nsAppStartup::Run()+0x1e8 (XUL:arm64+0xc47e074) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#51 0x132f8751c in XREMain::XRE_mainRun()+0x178c (XUL:arm64+0xc6b751c) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#52 0x132f89564 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)+0xafc (XUL:arm64+0xc6b9564) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#53 0x132f8a64c in XRE_main(int, char**, mozilla::BootstrapConfig const&)+0x1d0 (XUL:arm64+0xc6ba64c) (BuildId: 4c4c446955553144a1813b604e280c6b32000000200000000100000000000b00)
#54 0x10479117c in main+0x6f0 (firefox:arm64+0x10000117c) (BuildId: 4c4c44d755553144a13c342f46ef88c132000000200000000100000000000b00)
#55 0x23aca0da4 (<unknown module>)
#56 0xf360fffffffffffc (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64+0x13eac) (BuildId: 4c4c44b955553144a19fa87825077bc432000000200000000100000000000b00) in wrap_strlen+0x150
Shadow bytes around the buggy address:
0x00705705c940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00705705c950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00705705c960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00705705c970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00705705c980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00705705c990: 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00705705c9a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00705705c9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00705705c9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00705705c9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x00705705c9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==74497==ABORTING
Comment 12•2 years ago
(I don't have a macOS 13 beta environment and my test laptop has no space to install it..., so I have to look for hardware on which I can set up a test environment)
Comment 13•2 years ago (Reporter)
From comment #11:
0x0002b81e4c89 is located 0 bytes to the right of 1066121-byte region [0x0002b80e0800,0x0002b81e4c89)
allocated by thread T135 here:
#0 0x104de98d0 in wrap_realloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x3d8d0) (BuildId: 4c4c44b955553144a19fa87825077bc432000000200000000100000000000b00)
#1 0x1b4c8b2e8 in __CFSafelyReallocate+0x1c (CoreFoundation:arm64+0x5b2e8) (BuildId: 6c5e8146bc9436f4952ad9f8133448be32000000200000000100000000000d00)
#2 0xb598001b5ba0f00 (<unknown module>)
#3 0x60260001b5b82528 (<unknown module>)
#4 0xaf6580023152e810 (<unknown module>)
#5 0x7a3880023152e9b8 (<unknown module>)
#6 0x453b80023152dfdc (<unknown module>)
#7 0x4e3880023152eb6c (<unknown module>)
#8 0xf31e80023152a418 (<unknown module>)
#9 0xd03b80023152b9e8 (<unknown module>)
#10 0x873b00023152a3ac (<unknown module>)
#11 0x56190001b4bd2068 (<unknown module>)
#12 0xf2f8001b4bcce28 (<unknown module>)
From the context, I think this stack should be symbolicated as follows:
* thread #103, name = 'com.apple.TextToSpeech.SpeechThread', stop reason = breakpoint 2.1
* frame #0: 0x00000001b4c8b2cc CoreFoundation`__CFSafelyReallocate
frame #1: 0x00000001b5ba0f04 Foundation`_NSMutableDataGrowBytes + 328
frame #2: 0x00000001b5b8252c Foundation`-[NSConcreteMutableData appendBytes:length:] + 336
frame #3: 0x000000023152e814 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _unzipFile:withPassword:] + 508
frame #4: 0x000000023152e9bc TextToSpeechBundleSupport`-[TTSSpeechServerInstance _loadOnDiskRules:] + 272
frame #5: 0x000000023152dfe0 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeechEngine:] + 3696
frame #6: 0x000000023152eb70 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeech:] + 56
frame #7: 0x000000023152a41c TextToSpeechBundleSupport`-[TTSSpeechServerInstance _processCurrentRequest:] + 84
frame #8: 0x000000023152b9ec TextToSpeechBundleSupport`-[TTSSpeechServerInstance _handleSpeechThread] + 1480
frame #9: 0x000000023152a3b0 TextToSpeechBundleSupport`_SpeechThread + 44
frame #10: 0x00000001b4bd206c libsystem_pthread.dylib`_pthread_start + 148
And no, I don't know what this means. The fact that it's so low-level (including the _unzipFile business), makes me swing back to thinking that this is an Apple bug, after all.
By the way, this particular stack appears four times for each use of the speech synthesizer demo.
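The hand symbolication in comment 13 and the overflow arithmetic in comment 11 can be checked mechanically. The script below is an added example, not code from this bug report, from Firefox, or from Apple: it masks the pointer-authentication bits off the `<unknown module>` frames of the ASan report, looks the result (plus the return-address offset) up in an lldb backtrace, and relates the reported read size to the region it overran. The 40-bit mask, the +4 offset, the plausibility range for code addresses and the trimmed report excerpts are assumptions constructed from the addresses quoted in this bug.

```python
"""Added example for this bug (not code from the bug report or from Firefox):
recover the '<unknown module>' frames of an AddressSanitizer report whose
return addresses carry ARM64 pointer-authentication (PAC) bits, match them
against an lldb backtrace, and read the overflow arithmetic out of the report.

Assumptions, constructed from the addresses quoted in comments 11 and 13:
  * the low 40 bits of a PAC-signed return address are the real address;
  * ASan records the call site, lldb the return address, 4 bytes later;
  * user-space code on this macOS build lies in [0x1_0000_0000, 0x80_0000_0000).
"""
import re

ADDR_MASK = (1 << 40) - 1                          # assumption: PAC bits live above bit 40
RETURN_OFFSET = 4                                  # assumption: lldb address = ASan address + 4
USER_TEXT_RANGE = (0x1_0000_0000, 0x80_0000_0000)  # assumption: plausible code addresses

# Constructed excerpt of the ASan report quoted in comment 11 (trimmed; one bogus frame kept).
ASAN_REPORT = """\
READ of size 1066122 at 0x0002b81e4c89 thread T135
0x0002b81e4c89 is located 0 bytes to the right of 1066121-byte region [0x0002b80e0800,0x0002b81e4c89)
allocated by thread T135 here:
    #0 0x104de98d0 in wrap_realloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x3d8d0)
    #1 0x1b4c8b2e8 in __CFSafelyReallocate+0x1c (CoreFoundation:arm64+0x5b2e8)
    #2 0xb598001b5ba0f00 (<unknown module>)
    #3 0x60260001b5b82528 (<unknown module>)
    #4 0xaf6580023152e810 (<unknown module>)
    #5 0xf360fffffffffffc (<unknown module>)
"""

# Constructed excerpt of the lldb backtrace quoted in comment 13.
LLDB_BACKTRACE = """\
  * frame #0: 0x00000001b4c8b2cc CoreFoundation`__CFSafelyReallocate
    frame #1: 0x00000001b5ba0f04 Foundation`_NSMutableDataGrowBytes + 328
    frame #2: 0x00000001b5b8252c Foundation`-[NSConcreteMutableData appendBytes:length:] + 336
    frame #3: 0x000000023152e814 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _unzipFile:withPassword:] + 508
"""

UNKNOWN_FRAME_RE = re.compile(r"#(\d+)\s+0x([0-9a-f]+)\s+\(<unknown module>\)")
LLDB_FRAME_RE = re.compile(r"^\s*\*?\s*frame #\d+: 0x([0-9a-f]+) (.+?)(?: \+ \d+)?$", re.M)
READ_RE = re.compile(r"READ of size (\d+) at 0x([0-9a-f]+)")
REGION_RE = re.compile(
    r"is located (\d+) bytes to the right of (\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")


def strip_pac(raw):
    """Drop the signature bits; None if what remains is not a plausible code address."""
    addr = raw & ADDR_MASK
    lo, hi = USER_TEXT_RANGE
    return addr if lo <= addr < hi else None


def parse_lldb_frames(backtrace):
    """Map return address -> 'Module`symbol' (the '+ offset' suffix removed)."""
    return {int(a, 16): sym for a, sym in LLDB_FRAME_RE.findall(backtrace)}


def symbolicate(report, backtrace):
    """For each '<unknown module>' frame return (index, raw, masked address, symbol or None)."""
    symbols = parse_lldb_frames(backtrace)
    rows = []
    for idx, raw_hex in UNKNOWN_FRAME_RE.findall(report):
        raw = int(raw_hex, 16)
        addr = strip_pac(raw)
        sym = symbols.get(addr + RETURN_OFFSET) if addr is not None else None
        rows.append((int(idx), raw, addr, sym))
    return rows


def explain_read(report):
    """Relate the reported read to the allocation it overran.

    ASan's 'at' address is the first poisoned byte of the accessed range. For the
    strlen interceptor the range runs from the string pointer through its terminator,
    so a read of exactly region+1 bytes faulting at the region end means the whole
    buffer was scanned and contained no NUL.
    """
    rd, rg = READ_RE.search(report), REGION_RE.search(report)
    if not (rd and rg):
        return None
    read_bytes, fault = int(rd.group(1)), int(rd.group(2), 16)
    gap, region_bytes = int(rg.group(1)), int(rg.group(2))
    start, end = int(rg.group(3), 16), int(rg.group(4), 16)
    return {
        "region_bytes": region_bytes,
        "read_bytes": read_bytes,
        "region_consistent": end - start == region_bytes and fault == end + gap,
        # lower bound: the read began no earlier than the region start
        "min_bytes_past_end": read_bytes - region_bytes,
        "unterminated_scan": gap == 0 and read_bytes == region_bytes + 1,
    }


if __name__ == "__main__":
    for idx, raw, addr, sym in symbolicate(ASAN_REPORT, LLDB_BACKTRACE):
        shown = f"0x{addr:x}" if addr is not None else "discarded"
        print(f"#{idx} 0x{raw:x} -> {shown} {sym or ''}")
    print(explain_read(ASAN_REPORT))
```

Run stand-alone it prints frames #2 through #4 mapped to `_NSMutableDataGrowBytes`, `-[NSConcreteMutableData appendBytes:length:]` and `-[TTSSpeechServerInstance _unzipFile:withPassword:]`, discards frame #5 (the masked value is outside the assumed code range), and reports the read as a scan of the whole 1066121-byte region plus one byte, which is what `wrap_strlen` does when the buffer it is handed carries no terminating NUL. The same mask recovers the thread-creation frames, e.g. `0x376e00023152a2a4` becomes `0x23152a2a4`, four bytes before the `_appendSpeechRequestAndStart:` return address in comment 15.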
Comment 14•2 years ago (Reporter)
Another thing:
Apple creates a new 'com.apple.TextToSpeech.SpeechThread' every time the speech synthesizer demo is used. That's just weird :-(
Comment 15•2 years ago (Reporter)
> TextToSpeechBundleSupport`-[TTSSpeechServerInstance _startSpeechThread]
This is also called every time the speech synthesizer demo is used. Here's a typical stack:
* thread #1, name = 'MainThread', queue = 'TTSSpeechSynthesizer', stop reason = breakpoint 1.1
* frame #0: 0x000000023152a2e4 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _startSpeechThread]
frame #1: 0x000000023152a2a8 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _appendSpeechRequestAndStart:] + 188
frame #2: 0x000000023152a168 TextToSpeechBundleSupport`-[TTSSpeechServerInstance startSpeechRequest:] + 2012
frame #3: 0x00000002315303cc TextToSpeechBundleSupport`-[TTSSpeechServer startSpeechRequest:] + 104
frame #4: 0x00000001e144e774 TextToSpeech`___lldb_unnamed_symbol1461 + 172
frame #5: 0x00000001e144aa68 TextToSpeech`___lldb_unnamed_symbol1330 + 40
frame #6: 0x00000001b4a4b634 libdispatch.dylib`_dispatch_client_callout + 20
frame #7: 0x00000001b4a5ab6c libdispatch.dylib`_dispatch_lane_barrier_sync_invoke_and_complete + 56
frame #8: 0x00000001e144a794 TextToSpeech`___lldb_unnamed_symbol1328 + 3360
frame #9: 0x00000001c3585a10 SpeechSynthesis`__25-[BFSpeechChannel speak:]_block_invoke + 4628
frame #10: 0x00000001b4a4b634 libdispatch.dylib`_dispatch_client_callout + 20
frame #11: 0x00000001b4a5ab6c libdispatch.dylib`_dispatch_lane_barrier_sync_invoke_and_complete + 56
frame #12: 0x00000001c3584710 SpeechSynthesis`-[BFSpeechChannel speak:] + 240
frame #13: 0x00000001c357d158 SpeechSynthesis`invocation function for block in BFSpeakCFString(SpeechChannelRecord*, __CFString const*) + 24
frame #14: 0x00000001c35891f4 SpeechSynthesis`-[BabelFish performForChannel:block:] + 172
frame #15: 0x00000001c357d0bc SpeechSynthesis`BFSpeakCFString(SpeechChannelRecord*, __CFString const*) + 192
frame #16: 0x00000001b81e68bc AppKit`-[NSSpeechSynthesizer _beginSpeakingString:optionallyToURL:] + 372
frame #17: 0x0000000111825ef4 XUL`mozilla::dom::OSXSpeechSynthesizerService::Speak(this=<unavailable>, aText=<unavailable>, aUri=<unavailable>, aVolume=-32, aRate=1, aPitch=1.08420217E-19, aTask=0x0000000140843280) at OSXSpeechSynthesizerService.mm:393:18 [opt]
frame #18: 0x000000011181f538 XUL`mozilla::dom::nsSynthVoiceRegistry::SpeakImpl(this=<unavailable>, aVoice=0x0000000141b8c9f0, aTask=0x0000000140843280, aText=0x000000016fdfb6e8, aVolume=0x000000016fdfb684, aRate=0x000000016fdfb680, aPitch=0x000000016fdfb67c) at nsSynthVoiceRegistry.cpp:759:7 [opt]
frame #19: 0x000000011181af00 XUL`mozilla::dom::nsSynthVoiceRegistry::Speak(this=<unavailable>, aText=<unavailable>, aLang=<unavailable>, aUri=<unavailable>, aVolume=<unavailable>, aRate=<unavailable>, aPitch=<unavailable>, aTask=<unavailable>) at nsSynthVoiceRegistry.cpp:682:5 [opt] [artificial]
frame #20: 0x000000011181ac00 XUL`mozilla::dom::SpeechSynthesisParent::RecvPSpeechSynthesisRequestConstructor(this=<unavailable>, aActor=0x000000013038b240, aText=<unavailable>, aLang=<unavailable>, aUri=<unavailable>, aVolume=<unavailable>, aRate=<unavailable>, aPitch=<unavailable>, aIsChrome=<unavailable>) at SpeechSynthesisParent.cpp:51:40 [opt]
frame #21: 0x0000000111821f08 XUL`mozilla::dom::PSpeechSynthesisParent::OnMessageReceived(this=0x000000012f2707c0, msg__=<unavailable>) at PSpeechSynthesisParent.cpp:505:89 [opt]
frame #22: 0x0000000111ba88f4 XUL`mozilla::dom::PContentParent::OnMessageReceived(this=<unavailable>, msg__=0x0000000131d78e00) at PContentParent.cpp:6616:32 [opt]
frame #23: 0x000000010fbc917c XUL`mozilla::ipc::MessageChannel::DispatchAsyncMessage(this=0x000000013b4ed878, aProxy=0x0000000139609fe0, aMsg=0x0000000131d78e00) at MessageChannel.cpp:1749:25 [opt]
frame #24: 0x000000010fbc81d8 XUL`mozilla::ipc::MessageChannel::DispatchMessage(this=0x000000013b4ed878, aProxy=0x0000000139609fe0, aMsg=UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> > @ 0x000000016fdfcaf0) at MessageChannel.cpp:1674:9 [opt]
frame #25: 0x000000010fbc855c XUL`mozilla::ipc::MessageChannel::RunMessage(this=0x000000013b4ed878, aProxy=0x0000000139609fe0, aTask=0x0000000131eb1280) at MessageChannel.cpp:1474:3 [opt]
frame #26: 0x000000010fbc8abc XUL`mozilla::ipc::MessageChannel::MessageTask::Run(this=0x0000000131eb1280) at MessageChannel.cpp:1572:14 [opt]
frame #27: 0x000000010f560150 XUL`mozilla::RunnableTask::Run(this=0x000000012da14ca0) at TaskController.cpp:538:16 [opt]
frame #28: 0x000000010f546cc0 XUL`mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(this=0x00000001005a6240, aProofOfLock=0x000000016fdfd230) at TaskController.cpp:851:26 [opt]
frame #29: 0x000000010f545c28 XUL`mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(this=0x00000001005a6240, aProofOfLock=0x000000016fdfd230) at TaskController.cpp:683:15 [opt]
frame #30: 0x000000010f562f90 XUL`mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() [inlined] mozilla::TaskController::ProcessPendingMTTask(this=0x00000001005a6240, aMayWait=false) at TaskController.cpp:461:36 [opt]
frame #31: 0x000000010f562f78 XUL`mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() [inlined] mozilla::TaskController::InitializeInternal(this=<unavailable>)::$_0::operator()() const at TaskController.cpp:187:37 [opt]
frame #32: 0x000000010f562f70 XUL`mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run(this=<unavailable>) at nsThreadUtils.h:531:5 [opt]
frame #33: 0x000000010f552af0 XUL`nsThread::ProcessNextEvent(this=0x0000000100575c40, aMayWait=<unavailable>, aResult=0x000000016fdfd3d7) at nsThread.cpp:1205:16 [opt]
frame #34: 0x000000010f550b40 XUL`NS_ProcessPendingEvents(aThread=0x0000000100575c40, aTimeout=10) at nsThreadUtils.cpp:430:19 [opt]
frame #35: 0x0000000111f3c698 XUL`nsBaseAppShell::NativeEventCallback(this=0x000000010c5ccb80) at nsBaseAppShell.cpp:89:3 [opt]
frame #36: 0x0000000111f999a4 XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x000000010c5ccb80) at nsAppShell.mm:509:11 [opt]
frame #37: 0x00000001b4cb2e7c CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 28
frame #38: 0x00000001b4cb2e10 CoreFoundation`__CFRunLoopDoSource0 + 176
frame #39: 0x00000001b4cb2b80 CoreFoundation`__CFRunLoopDoSources0 + 244
frame #40: 0x00000001b4cb1784 CoreFoundation`__CFRunLoopRun + 836
frame #41: 0x00000001b4cb0cec CoreFoundation`CFRunLoopRunSpecific + 612
frame #42: 0x00000001be35ba68 HIToolbox`RunCurrentEventLoopInMode + 292
frame #43: 0x00000001be35b8ac HIToolbox`ReceiveNextEventCommon + 672
frame #44: 0x00000001be35b5f4 HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 72
frame #45: 0x00000001b7ed90f8 AppKit`_DPSNextEvent + 632
frame #46: 0x00000001b7ed8288 AppKit`-[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 728
frame #47: 0x0000000111f98fa8 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x000000010056d060, _cmd=<unavailable>, mask=18446744073709551615, expiration=4001-01-01 00:00:00 UTC, mode="kCFRunLoopDefaultMode", flag=YES) at nsAppShell.mm:175:24 [opt]
frame #48: 0x00000001b7ecc608 AppKit`-[NSApplication run] + 464
frame #49: 0x0000000111f99f78 XUL`nsAppShell::Run(this=0x000000010c5ccb80) at nsAppShell.mm:801:5 [opt]
frame #50: 0x00000001130f0fc8 XUL`nsAppStartup::Run(this=0x000000010c585800) at nsAppStartup.cpp:295:30 [opt]
frame #51: 0x00000001131bca40 XUL`XREMain::XRE_mainRun(this=0x000000016fdfec50) at nsAppRunner.cpp:5706:22 [opt]
frame #52: 0x00000001131bd070 XUL`XREMain::XRE_main(this=0x000000016fdfec50, argc=5, argv=0x000000016fdff528, aConfig=<unavailable>) at nsAppRunner.cpp:5900:8 [opt]
frame #53: 0x00000001131bd40c XUL`XRE_main(argc=<unavailable>, argv=<unavailable>, aConfig=<unavailable>) at nsAppRunner.cpp:5956:21 [opt]
frame #54: 0x0000000100000bb8 firefox`main [inlined] do_main(argc=5, argv=0x000000016fdff528, envp=<unavailable>) at nsBrowserApp.cpp:228:22 [opt]
frame #55: 0x0000000100000a14 firefox`main(argc=<unavailable>, argv=<unavailable>, envp=<unavailable>) at nsBrowserApp.cpp:427:16 [opt]
frame #56: 0x000000023aca0da8 dyld`start + 2376
Reporter
Comment 16•2 years ago
-[TTSSpeechServerInstance _unzipFile:withPassword:]
For what it's worth, I've found out what the "file" and "password" are:
* thread #131, name = 'com.apple.TextToSpeech.SpeechThread', stop reason = breakpoint 1.1
frame #0: 0x000000023152e618 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _unzipFile:withPassword:]
TextToSpeechBundleSupport`-[TTSSpeechServerInstance _unzipFile:withPassword:]:
-> 0x23152e618 <+0>: pacibsp
0x23152e61c <+4>: sub sp, sp, #0x90
0x23152e620 <+8>: stp x26, x25, [sp, #0x40]
0x23152e624 <+12>: stp x24, x23, [sp, #0x50]
Target 0: (firefox) stopped.
(lldb) call (void) CFShow($x2)
/System/Library/PrivateFrameworks/TextToSpeechMauiSupport.framework/Resources/TTSResources/en-US/pronunciation_rules
(lldb) call (void) CFShow($x3)
liEdAgaZeSErf28CavIe
Reporter
Comment 17•2 years ago
The "file" from comment #16 does exist on my Apple Silicon machine, and I can unzip it with the "password". It's large, but I figure it might be interesting to see the contents.
Reporter
Comment 18•2 years ago
* thread #103, name = 'com.apple.TextToSpeech.SpeechThread', stop reason = breakpoint 2.1
* frame #0: 0x00000001b4c8b2cc CoreFoundation`__CFSafelyReallocate
frame #1: 0x00000001b5ba0f04 Foundation`_NSMutableDataGrowBytes + 328
frame #2: 0x00000001b5b8252c Foundation`-[NSConcreteMutableData appendBytes:length:] + 336
frame #3: 0x000000023152e814 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _unzipFile:withPassword:] + 508
frame #4: 0x000000023152e9bc TextToSpeechBundleSupport`-[TTSSpeechServerInstance _loadOnDiskRules:] + 272
frame #5: 0x000000023152dfe0 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeechEngine:] + 3696
frame #6: 0x000000023152eb70 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeech:] + 56
frame #7: 0x000000023152a41c TextToSpeechBundleSupport`-[TTSSpeechServerInstance _processCurrentRequest:] + 84
frame #8: 0x000000023152b9ec TextToSpeechBundleSupport`-[TTSSpeechServerInstance _handleSpeechThread] + 1480
frame #9: 0x000000023152a3b0 TextToSpeechBundleSupport`_SpeechThread + 44
frame #10: 0x00000001b4bd206c libsystem_pthread.dylib`_pthread_start + 148
The first parameter of _CFSafelyReallocate() (the buffer being reallocated) is (or will soon become) the contents (a C string) of the "file" from comment #16 and comment #17. The second parameter (the new size) keeps getting larger on each new call to _CFSafelyReallocate() (each one of the four). My local ASAN build diagnoses this bug as a heap overflow -- not a UAF. So my guess is that this bug happens when the code that crashes reads from the "wrong" buffer (of the four returned by _CFSafelyReallocate() -- that is, not the last one), and triggers a buffer overflow trying to read past its end.
If I'm right, this is definitely an Apple bug. (Though there may be some way for Mozilla to work around it.) But I haven't really finished my investigation, and I'm not going to have time to do so before I go away for a week. If nobody else has beaten me to it, I'll open a bug with Apple after I get back.
Reporter
Comment 19•2 years ago
* thread #142, name = 'com.apple.TextToSpeech.SpeechThread', stop reason = EXC_BAD_ACCESS (code=2, address=0x1410fc000)
* frame #0: 0x00000001b4bfd730 libsystem_platform.dylib`_platform_strlen + 48
frame #1: 0x000000023205c248 TextToSpeechMauiSupport`IsThisUrlOrRealPath + 52
frame #2: 0x0000000232498b10 TextToSpeechMauiSupport`ve_ttsResourceLoad + 368
frame #3: 0x000000023202f410 TextToSpeechMauiSupport`-[TTSMauiVocalizer _ttsVocalizerReallyLoadResource:rules:resource:supportsAccurateWordCallbacks:resourceIdentifier:] + 388
frame #4: 0x0000000231532a4c TextToSpeechBundleSupport`-[TTSVocalizer _ttsVocalizerLoadProgrammaticRules:forTests:] + 232
frame #5: 0x000000023152e01c TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeechEngine:] + 3756
frame #6: 0x000000023152eb70 TextToSpeechBundleSupport`-[TTSSpeechServerInstance _initializeSpeech:] + 56
frame #7: 0x000000023152a41c TextToSpeechBundleSupport`-[TTSSpeechServerInstance _processCurrentRequest:] + 84
frame #8: 0x000000023152b9ec TextToSpeechBundleSupport`-[TTSSpeechServerInstance _handleSpeechThread] + 1480
frame #9: 0x000000023152a3b0 TextToSpeechBundleSupport`_SpeechThread + 44
frame #10: 0x00000001b4bd206c libsystem_pthread.dylib`_pthread_start + 148
When this bug's crashes happen, the "s" parameter for _platform_strlen() is the (C string) contents of the file from comment #16 and comment #17. If the wrong buffer is being examined, there's presumably no terminal NULL. So _platform_strlen() ends up reading past the buffer's end.
Reporter
Comment 20•2 years ago
2022-08-03 19:22:56.661971-0500 firefox[25957:507484] NSSpeechSynthesizer: [NSSpeechSynthesizer _setupCallbacks] - NSSpeechSynthesizer: Error setting soSyncCallBack
2022-08-03 19:22:56.662012-0500 firefox[25957:507484] NSSpeechSynthesizer: [NSSpeechSynthesizer _setupCallbacks] - NSSpeechSynthesizer: Error setting soPhonemeCallBack
These errors happen even when the crashes don't. They may be irrelevant.
Reporter
Comment 21•2 years ago
STR for this bug. It's more likely to trigger a crash in a local build (running in lldb). But with persistence you can also trigger these crashes in release Firefox.
- Visit https://mdn.github.io/dom-examples/web-speech-api/speak-easy-synthesis/ and enter a short word. I used a four-letter one :-)
- Repeatedly and rapidly click on the "Play" button.
Reporter
Comment 23•2 years ago
Duh, the fix here is really simple. Apple should be using strnlen(), not strlen()!
Reporter
Comment 24•2 years ago
(Following up comment #18)
So my guess is that this bug happens when the code that crashes reads from the "wrong" buffer (of the four returned by _CFSafelyReallocate() -- that is, not the last one), and triggers a buffer overflow trying to read past its end.
-[TTSSpeechServerInstance _unzipFile:withPassword:] returns a CFData object containing the (unzipped) contents of the file. Now I think it's more likely that this bug's crashes are triggered when the CFData object is incomplete (that it doesn't contain the whole file). Since the (unzipped) file is a text file, this would (presumably) mean that it doesn't contain a terminal NULL. So _platform_strlen() would attempt to read past its end.
I also suspect there can be problems reading the "file" from comment #16 and comment #17 when a lot of 'com.apple.TextToSpeech.SpeechThread' threads are contending to read it. Lots of these threads do pile up (temporarily) when you follow the STR from comment #21.
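As an added illustration of the failure mode described in comment #23 and comment #24 (this is example code written for this page; it is not from the bug report, from Mozilla or from Apple): a text buffer that carries an explicit length but no guaranteed terminating NUL is scanned once the way the crashing code does (strlen(), which trusts a terminator exists) and once with a length-bounded scan of the strnlen() kind, plus a copy-and-terminate helper for when a C-string API must be called anyway. The text_blob type, the function names and the truncation scenario are constructed for the example; the rules file path from comment #16 is used only as sample bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the bytes of the unzipped rules file as they sit
 * inside a CFData object: a pointer plus an explicit length, with no promise
 * of a terminating NUL. (Hypothetical type, not Apple's.) */
typedef struct {
    char *bytes;
    size_t length;
} text_blob;

/* Copy the first `len` bytes of `src` into a fresh heap buffer of exactly
 * `len` bytes. Passing a `len` smaller than the whole text models the
 * incomplete unzip suspected in comment #24: the NUL that ends the text is
 * simply not in the buffer. */
static text_blob make_blob(const char *src, size_t len) {
    text_blob b;
    b.bytes = malloc(len ? len : 1);
    b.length = len;
    if (b.bytes) memcpy(b.bytes, src, len);
    return b;
}

static void free_blob(text_blob *b) {
    free(b->bytes);
    b->bytes = NULL;
    b->length = 0;
}

/* The bug pattern: strlen() assumes a NUL exists somewhere after `bytes`.
 * On a truncated blob it reads past `length` into whatever heap memory
 * follows; ASAN reports that as a heap-buffer-overflow read, and at a page
 * boundary it faults (the EXC_BAD_ACCESS in comment #19). Kept only for
 * contrast; the demo never calls it. */
size_t unsafe_text_length(const text_blob *b) {
    return strlen(b->bytes);
}

/* Length-bounded scan with strnlen() semantics: never looks past `max`.
 * Written with memchr() so the example builds under strict ISO C; on macOS
 * and other POSIX systems strnlen() itself does this job. */
static size_t bounded_strlen(const char *s, size_t max) {
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* The fix suggested in comment #23, applied to the blob. Returns 0 and the
 * string length when a terminator is inside the buffer, -1 when it is not
 * (the blob is incomplete and must not be treated as a C string). */
static int bounded_text_length(const text_blob *b, size_t *out_len) {
    size_t n = bounded_strlen(b->bytes, b->length);
    if (n == b->length)
        return -1;
    *out_len = n;
    return 0;
}

/* When a C-string API must be fed anyway: copy into a buffer one byte longer
 * and terminate it explicitly, so strlen() on the copy is bounded by
 * construction. Caller frees the result. */
static char *blob_to_cstring(const text_blob *b) {
    char *s = malloc(b->length + 1);
    if (!s) return NULL;
    memcpy(s, b->bytes, b->length);
    s[b->length] = '\0';
    return s;
}

/* Runs the complete and the truncated case; returns 1 if both behave. */
static int demo(void) {
    /* Sample bytes only: the rules file path quoted in comment #16. */
    static const char text[] =
        "/System/Library/PrivateFrameworks/TextToSpeechMauiSupport.framework/"
        "Resources/TTSResources/en-US/pronunciation_rules";
    size_t n = 0;
    int ok = 1;

    /* Complete copy: the terminating NUL is inside the buffer. */
    text_blob full = make_blob(text, sizeof text);
    ok &= bounded_text_length(&full, &n) == 0 && n == strlen(text);
    free_blob(&full);

    /* Truncated copy: last byte missing, so no NUL; strlen() would over-read,
     * the bounded check reports the truncation instead. */
    text_blob cut = make_blob(text, sizeof text - 1);
    ok &= bounded_text_length(&cut, &n) == -1;
    char *safe = blob_to_cstring(&cut);
    ok &= safe != NULL && strlen(safe) == sizeof text - 1;
    free(safe);
    free_blob(&cut);
    return ok;
}

int main(void) {
    int ok = demo();
    printf("%s\n", ok ? "bounded checks behaved as expected" : "FAILED");
    return ok ? 0 : 1;
}
```

The defensive point is the one the reporter makes: code that receives a length-carrying object (here a CFData) and then hands its bytes to a terminator-seeking routine has silently changed the buffer's contract, and the only safe scans are ones bounded by the length the object already knows.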
Reporter
Comment 26•2 years ago
I put an enormous amount of work into figuring out how to use lldb to log messages to diagnose this bug, but found I can no longer reproduce it. And looking at Mozilla's crash stats, it looks like Apple may have fixed this bug in macOS 13 Beta 5 (build 22A5321d) -- the build I've been testing on.
Let's wait a few more days, but it looks like we should be able to close this WORKSFORME.
Reporter
Comment 27•2 years ago
For the record (and for my own future reference), here's what I did with lldb:
- b -[TTSSpeechServerInstance _unzipFile:withPassword:]
- br command add -o "br set -b objc_autoreleaseReturnValue -t current -o true -C 'call (long) CFDataGetLength($x0)' -G true"
- br modify -G true
These contortions display the length of the CFData object returned by -[TTSSpeechServerInstance _unzipFile:withPassword:] without stopping at each breakpoint. From comment #24 above, my hunch was that this bug's crashes were triggered by this object getting truncated (so that it no longer had a terminal NULL). If my hunch was right, I should have seen the length change just before a crash. I did this on an Apple Silicon Mac running macOS 13 Beta 5 (build 22A5321d).
Reporter
Comment 28•2 years ago
A current local ASAN build no longer complains (on macOS 13 Beta 5 build 22A5321d) when I run the speech synthesizer demo in it.