Closed Bug 1786136 Opened 2 years ago Closed 2 years ago

Intermittent SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/UserData.h:78:25 in RemoveAndDestroy

Categories

(Core :: Graphics: Canvas2D, defect, P3)

Tracking

Status: RESOLVED FIXED
Target Milestone: 106 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox104 --- disabled
firefox105 --- disabled
firefox106 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: lsalzman)

Details

(Keywords: csectype-race, intermittent-failure, sec-moderate, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

Filed by: mlaza [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=387945220&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/eJWS2yjLQmCYg3uTDC6E4A/runs/0/artifacts/public/logs/live_backing.log


[task 2022-08-20T11:10:48.238Z] 11:10:48     INFO - PID 17364 |     #47 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:892:20 (libxul.so+0x853c999) (BuildId: 7ff4bae6fbb5b8170c023901f93f39d263d191ee)
[task 2022-08-20T11:10:48.239Z] 11:10:48     INFO - PID 17364 |     #48 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x1e43b0d) (BuildId: 7ff4bae6fbb5b8170c023901f93f39d263d191ee)
[task 2022-08-20T11:10:48.240Z] 11:10:48     INFO - PID 17364 |     #49 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10 (libxul.so+0x1d6161c) (BuildId: 7ff4bae6fbb5b8170c023901f93f39d263d191ee)
[task 2022-08-20T11:10:48.240Z] 11:10:48     INFO - PID 17364 |     #50 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3 (libxul.so+0x1d6161c)
[task 2022-08-20T11:10:48.241Z] 11:10:48     INFO - PID 17364 |     #51 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3 (libxul.so+0x1d6161c)
[task 2022-08-20T11:10:48.242Z] 11:10:48     INFO - PID 17364 |     #52 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:751:34 (libxul.so+0x853c13c) (BuildId: 7ff4bae6fbb5b8170c023901f93f39d263d191ee)
[task 2022-08-20T11:10:48.242Z] 11:10:48     INFO - PID 17364 |     #53 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x8545732) (BuildId: 7ff4bae6fbb5b8170c023901f93f39d263d191ee)
[task 2022-08-20T11:10:48.243Z] 11:10:48     INFO - PID 17364 |     #54 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox+0xdefa7) (BuildId: 61771a56da68479d7902082de7e73144a77484cf)
[task 2022-08-20T11:10:48.244Z] 11:10:48     INFO - PID 17364 |     #55 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:362:18 (firefox+0xdefa7)
[task 2022-08-20T11:10:48.244Z] 11:10:48     INFO - PID 17364 | SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/obj-build/dist/include/mozilla/gfx/UserData.h:78:25 in RemoveAndDestroy
[task 2022-08-20T11:10:48.245Z] 11:10:48     INFO - PID 17364 | ==================
[task 2022-08-20T11:10:48.268Z] 11:10:48     INFO - PID 17364 | A content process crashed and MOZ_CRASHREPORTER_SHUTDOWN is set, shutting down
[task 2022-08-20T11:10:48.278Z] 11:10:48     INFO - PID 17364 | [Parent 17364, Main Thread] WARNING: ContentParent: id=7b6400172000 - BlockShutdown: NotifyImpendingShutdown.: file /builds/worker/checkouts/gecko/dom/ipc/ContentParent.cpp:3626
[task 2022-08-20T11:10:48.279Z] 11:10:48     INFO - PID 17364 | [Parent 17364, Main Thread] WARNING: ContentParent: id=7b640018ce00 - BlockShutdown: NotifyImpendingShutdown.: file /builds/worker/checkouts/gecko/dom/ipc/ContentParent.cpp:3626
[task 2022-08-20T11:10:48.280Z] 11:10:48     INFO - PID 17364 | [Parent 17364, Main Thread] WARNING: ContentParent: id=7b6400027600 - BlockShutdown: NotifyImpendingShutdown.: file /builds/worker/checkouts/gecko/dom/ipc/ContentParent.cpp:3626
[task 2022-08-20T11:10:48.281Z] 11:10:48     INFO - PID 17364 | [Parent 17364, Main Thread] WARNING: ContentParent: id=7b6400278d00 - BlockShutdown: NotifyImpendingShutdown.: file /builds/worker/checkouts/gecko/dom/ipc/ContentParent.cpp:3626
[task 2022-08-20T11:10:48.282Z] 11:10:48     INFO - PID 17364 | [Parent 17364, Main Thread] WARNING: ContentParent: id=7b640011a300 - BlockShutdown: NotifyImpendingShutdown.: file /builds/worker/checkouts/gecko/dom/ipc/ContentParent.cpp:3626
[task 2022-08-20T11:10:48.283Z] 11:10:48     INFO - PID 17364 | [Parent 17364, Main Thread] WARNING: ContentParent: id=7b64001e3700 - BlockShutdown: NotifyImpendingShutdown.: file /builds/worker/checkouts/gecko/dom/ipc/ContentParent.cpp:3626
[task 2022-08-20T11:10:48.283Z] 11:10:48     INFO - PID 17364 | [Parent 17364, Main Thread] WARNING: ContentParent: id=7b640028e100 - BlockShutdown: NotifyImpendingShutdown.: file /builds/worker/checkouts/gecko/dom/ipc/ContentParent.cpp:3626
[task 2022-08-20T11:10:48.791Z] 11:10:48     INFO - PID 17364 | 1660993848789	Marionette	INFO	Stopped listening on port 45571
[task 2022-08-20T11:10:49.051Z] 11:10:49     INFO - Browser not responding, setting status to CRASH
[task 2022-08-20T11:10:49.052Z] 11:10:49     INFO - TEST-UNEXPECTED-CRASH | /webcodecs/video-encoder.https.any.worker.html | expected OK
[task 2022-08-20T11:10:49.052Z] 11:10:49     INFO - TEST-INFO took 3222ms
Group: core-security → gfx-core-security
Component: Graphics → Graphics: Canvas2D

It looks like the main thread is tearing down a CanvasRenderingContext2D at the same time as a DOM worker is looking at some kind of glyph cache.

Keywords: csectype-race

Looks like a race that would result in a UAF if we lose, and all the parts are controllable by web content. Going with sec-high.

Flags: needinfo?(aosmond)
Severity: -- → S3
Priority: -- → P1

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:lsalzman, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(lsalzman)

This is just a race, not a use-after-free. This is just two threads stepping on ScaledFont's user data at the same time.

Flags: needinfo?(lsalzman)
Assignee: nobody → lsalzman
Status: NEW → ASSIGNED

This only affects accelerated canvas, which is only enabled in nightly.

Flags: needinfo?(aosmond)
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release
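The comments above describe the race as two threads touching a ScaledFont's user data table at the same time, with the ThreadSanitizer report pointing at RemoveAndDestroy in UserData.h. The following is an added example and is not code from the Mozilla tree or from this bug's attachments (the actual patch is not reproduced on this page). It is a simplified, assumed model of a keyed user-data table: first the unsynchronized shape that makes TSan report a data race on concurrent removal, then the same table behind one mutex, driven by a two-thread stress that checks every entry is destroyed exactly once. The class and function names, entry layout and destroy-callback convention are this example's own assumptions.

```cpp
// Added example, not from the Mozilla tree: a simplified model of a keyed
// user-data table in the style of mozilla::gfx::UserData. Entry layout, names
// and the destroy-callback convention are assumptions for illustration.
#include <atomic>
#include <mutex>
#include <thread>
#include <vector>

struct UserDataKey { int unused = 0; };  // identity is the key's address
using DestroyFn = void (*)(void*);
struct Entry { UserDataKey* key; void* data; DestroyFn destroy; };

// Racy shape: nothing guards entries_. One thread erasing in RemoveAndDestroy
// while another reads or appends is the data race TSan reports; a reader that
// then touches the destroyed payload would turn it into a use-after-free.
class UnsyncedUserData {
 public:
  void Add(UserDataKey* key, void* data, DestroyFn destroy) {
    for (Entry& e : entries_) {
      if (e.key == key) {  // replace: destroy the old payload first
        e.destroy(e.data);
        e.data = data;
        e.destroy = destroy;
        return;
      }
    }
    entries_.push_back({key, data, destroy});
  }
  void RemoveAndDestroy(UserDataKey* key) {
    for (std::size_t i = 0; i < entries_.size(); ++i) {
      if (entries_[i].key == key) {
        entries_[i].destroy(entries_[i].data);
        entries_.erase(entries_.begin() + i);
        return;
      }
    }
  }
  void* Get(UserDataKey* key) const {
    for (const Entry& e : entries_) if (e.key == key) return e.data;
    return nullptr;
  }
 private:
  std::vector<Entry> entries_;
};

// Guarded shape: every read and every mutation of the table takes one mutex.
class LockedUserData {
 public:
  void Add(UserDataKey* key, void* data, DestroyFn destroy) {
    std::lock_guard<std::mutex> lock(mutex_);
    inner_.Add(key, data, destroy);
  }
  void RemoveAndDestroy(UserDataKey* key) {
    std::lock_guard<std::mutex> lock(mutex_);
    inner_.RemoveAndDestroy(key);
  }
  // Answers "is it there" instead of handing out the raw pointer: a pointer
  // returned past the lock could still be destroyed by another thread's
  // RemoveAndDestroy, so the table lock alone would not make it safe to use.
  bool Has(UserDataKey* key) const {
    std::lock_guard<std::mutex> lock(mutex_);
    return inner_.Get(key) != nullptr;
  }
 private:
  mutable std::mutex mutex_;
  UnsyncedUserData inner_;
};

// Payloads are heap ints; the destroy callback counts how often it ran.
static std::atomic<int> gDestroyed{0};
static void CountingDestroy(void* p) { delete static_cast<int*>(p); gDestroyed.fetch_add(1); }

// Two threads each add and remove their own key while probing the other's.
// Returns true when every Add was matched by exactly one destroy and the
// table is empty afterwards.
bool StressLockedUserData(int iterations) {
  gDestroyed.store(0);
  LockedUserData table;
  UserDataKey keyA, keyB;
  auto worker = [&](UserDataKey* mine, UserDataKey* other) {
    for (int i = 0; i < iterations; ++i) {
      table.Add(mine, new int(i), CountingDestroy);
      (void)table.Has(other);
      table.RemoveAndDestroy(mine);
    }
  };
  std::thread a(worker, &keyA, &keyB);
  std::thread b(worker, &keyB, &keyA);
  a.join();
  b.join();
  return gDestroyed.load() == 2 * iterations && !table.Has(&keyA) && !table.Has(&keyB);
}

int main() {
  // Build: clang++ -std=c++17 -g -fsanitize=thread userdata_race.cpp
  // Swapping UnsyncedUserData into the stress makes TSan report a data race
  // in RemoveAndDestroy, the shape of this bug's SUMMARY line.
  return StressLockedUserData(10000) ? 0 : 1;
}
```

Build it with `-fsanitize=thread` and run the stress against `UnsyncedUserData` to see the same report shape as the log above; with `LockedUserData` TSan stays quiet. The `Has` method is written that way on purpose: serializing the table's own operations removes the data race, but a raw pointer handed out of `Get` still has no lifetime guarantee once the lock is released, which is the reason the triage comments distinguish "just a race" from a use-after-free.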