Closed Bug 1800278 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::ThreadSafeAutoRefCnt::operator++]

Categories: Core :: Widget: Gtk, defect

Tracking: RESOLVED FIXED, 108 Branch

People: (Reporter: gsvelto, Assigned: stransky)

References: (Blocks 1 open bug)

Details: (Keywords: crash, csectype-uaf, sec-high, Whiteboard: [fixed by bug 1796130])

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/a7fbc98f-5acb-4461-a7d5-9e48f0221103

Reason: SIGSEGV / SEGV_ACCERR

Top 10 frames of crashing thread:

0  libxul.so  std::__atomic_base<unsigned long>::fetch_add  /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/7/bits/atomic_base.h:514
0  libxul.so  mozilla::ThreadSafeAutoRefCnt::operator++  xpcom/base/nsISupportsImpl.h:354
0  libxul.so  nsBaseWidget::AddRef  widget/nsBaseWidget.cpp:131
1  libxul.so  mozilla::RefPtrTraits<nsWindow>::AddRef  mfbt/RefPtr.h:49
1  libxul.so  RefPtr<nsWindow>::ConstRemovingRefPtrTraits<nsWindow>::AddRef  mfbt/RefPtr.h:380
1  libxul.so  RefPtr<nsWindow>::RefPtr  mfbt/RefPtr.h:109
1  libxul.so  mozilla::WaylandVsyncSource::FrameCallback  widget/gtk/WaylandVsyncSource.cpp:283
2  libffi.so.8  ffi_call_unix64  
3  libffi.so.8  ffi_call_int.lto_priv.0  
4  libwayland-client.so.0  wl_closure_invoke.constprop.0  src/connection.c:1025

This is a use-after-free crash detected by PHC. The crash signature is unfortunately generic and we'll try to improve it. The allocation stack for the dead object is:

#0    moz_xmalloc (firefox-bin)
#1    nsAppShellService::JustCreateTopWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, bool, mozilla::AppWindow**) (libxul.so)
#2    nsAppShellService::CreateTopLevelWindow(nsIAppWindow*, nsIURI*, unsigned int, int, int, nsIAppWindow**) (libxul.so)
#3    mozilla::AppWindow::CreateNewChromeWindow(int, nsIAppWindow**) (libxul.so)
#4    nsAppStartup::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, bool*, nsIWebBrowserChrome**) (libxul.so)
#5    nsWindowWatcher::CreateChromeWindow(nsIWebBrowserChrome*, unsigned int, nsIOpenWindowInfo*, nsIWebBrowserChrome**) (libxul.so)
#6    nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsIArray*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) (libxul.so)
#7    {virtual override thunk({offset(-8)}, nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, nsTSubstring<char> const&, nsTSubstring<char> const&, nsTSubstring<char> const&, bool, bool, bool, nsISupports*, bool, bool, bool, nsPIWindowWatcher::PrintKind, nsDocShellLoadState*, mozilla::dom::BrowsingContext**))} (libxul.so)
#8    nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsGlobalWindowOuter::PrintKind, mozilla::dom::BrowsingContext**) (libxul.so)
#9    nsGlobalWindowOuter::OpenDialogOuter(JSContext*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::Sequence<JS::Value> const&, mozilla::ErrorResult&) (libxul.so)
#10    nsGlobalWindowInner::OpenDialog(JSContext*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::Sequence<JS::Value> const&, mozilla::ErrorResult&) (libxul.so)
#11    mozilla::dom::Window_Binding::openDialog(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) (libxul.so)
#12    mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) (libxul.so)
#13    Interpret(JSContext*, js::RunState&) (libxul.so)
#14    js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) (libxul.so)
#15    JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (libxul.so)

And the free stack is:

#0    free (firefox-bin)
#1    nsBaseWidget::Release() (libxul.so)
#2    delete_event_cb(_GtkWidget*, _GdkEventAny*) (libxul.so)
#3    _gtk_marshal_BOOLEAN__BOXEDv (libgtk-3.so.0)
#4    g_signal_emit_valist (libgobject-2.0.so.0)
#5    g_signal_emit (libgobject-2.0.so.0)
#6    gtk_widget_event_internal.part.0.lto_priv.0 (libgtk-3.so.0)
#7    gtk_main_do_event (libgtk-3.so.0)
#8    send_delete_event.lto_priv.0 (libgtk-3.so.0)
#9    gdk_threads_dispatch (libgdk-3.so.0)
#10    g_main_context_dispatch (libglib-2.0.so.0)
#11    g_main_context_iterate.constprop.0 (libglib-2.0.so.0)
#12    g_main_context_iteration (libglib-2.0.so.0)
#13    NS_ProcessNextEvent(nsIThread*, bool) (libxul.so)
#14    mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (libxul.so)
#15    MessageLoop::Run() (libxul.so)
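The lifetime hazard the two stacks above show, as a constructed C++ model added here (not Firefox's code): a GTK delete event drops the window's last reference while a Wayland vsync frame callback still holds a raw pointer to it, beside a hardened shape that detaches the source before the window goes away. Window, VsyncSourceRaw, VsyncSourceSafe, Disconnect and the FrameResult values are assumptions; the "dead" flag stands in for freed memory so the bad access is observable rather than undefined.

```cpp
// Refcounted window standing in for nsWindow; "dead" marks memory the real
// code would have freed, so the bad access is observable, not undefined.
struct Window {
    int refcnt = 1;  bool dead = false;      // refcnt 1: the widget tree's reference
    void AddRef()  { ++refcnt; }
    void Release() { if (--refcnt == 0) dead = true; }
};
enum FrameResult { kSkipped = 0, kPainted = 1, kTouchedDead = -1 };

// Vulnerable shape: a raw back-pointer nobody clears when the window goes
// away, so a frame callback delivered after the close still dereferences it.
struct VsyncSourceRaw {
    Window* mWindow = nullptr;
    FrameResult FrameCallback() {
        Window* w = mWindow;
        if (w->dead) return kTouchedDead;     // real code: AddRef on freed memory
        w->AddRef(); w->Release();            // the RefPtr<nsWindow> temporary
        return kPainted;
    }
};

// Hardened shape: the window detaches the source before its last Release()
// and the callback checks for a live target before taking a strong reference.
struct VsyncSourceSafe {
    Window* mWindow = nullptr;
    void Disconnect() { mWindow = nullptr; }  // called from the window's destroy path
    FrameResult FrameCallback() {
        if (!mWindow) return kSkipped;        // late frame after close: drop it
        Window* w = mWindow;
        if (w->dead) return kTouchedDead;
        w->AddRef(); w->Release();
        return kPainted;
    }
};
// Scenario from the stacks: the window closes (delete_event_cb -> Release)
// before the compositor delivers the pending frame callback.
FrameResult RawSourceAfterClose() {
    Window win; VsyncSourceRaw vs; vs.mWindow = &win;
    win.Release();
    return vs.FrameCallback();                // kTouchedDead
}
FrameResult SafeSourceAfterClose() {
    Window win; VsyncSourceSafe vs; vs.mWindow = &win;
    vs.Disconnect(); win.Release();
    return vs.FrameCallback();                // kSkipped
}
FrameResult SafeSourceWhileOpen() {
    Window win; VsyncSourceSafe vs; vs.mWindow = &win;
    return vs.FrameCallback();                // kPainted
}
```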

This should be already fixed by Bug 1796130.

Depends on: 1800460

I'm preemptively adding the signature that will come out of bug 1800460; I'll remove the generic signature once that's landed.

(In reply to Martin Stránský [:stransky] (ni? me) from comment #1)

> This should be already fixed by Bug 1796130.

Thanks for the quick fix!

Crash Signature: [@ mozilla::ThreadSafeAutoRefCnt::operator++] → [@ mozilla::ThreadSafeAutoRefCnt::operator++] [@ nsBaseWidget::AddRef]
Depends on: 1796130
Whiteboard: [fixed by bug 1796130]
Group: core-security → layout-core-security
Group: layout-core-security → dom-core-security

> This should be already fixed by Bug 1796130.

Crash rate seems consistent with this being fixed, closing.

See Also: → 1796130
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Assignee: nobody → stransky
Group: dom-core-security → core-security-release
See Also: 1796130
Target Milestone: --- → 108 Branch
Group: core-security-release