Closed Bug 1812498 Opened 2 years ago Closed 2 years ago

Intermittent toolkit/components/pictureinpicture/tests/browser_backgroundTab.js | single tracking bug

Categories

(Core :: Graphics: WebRender, defect)

Product:
Core
Component:
Graphics: WebRender
Platform:
Unspecified
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
113 Branch
Tracking Flags:
Tracking Status
firefox-esr102 112+ fixed
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 + fixed
firefox113 + fixed

People

(Reporter: intermittent-bug-filer, Assigned: sotaro)

References

(Depends on 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main112+r][adv-esr102.10+r])

Attachments

(2 files)

Bug 1812498 - Destroy RenderBufferTextureHosts that use VideoBridgeParent's Shmems in VideoBridgeParent::OnChannelError()
48 bytes, text/x-phabricator-request
diannaS
: approval-mozilla-beta+
tjr
: sec-approval+
Details | Review
Bug 1812498 - patch for ESR102 with Bug 1817674 fix
48 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr102+
Details | Review

Filed by: ctuns [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=403559352&repo=mozilla-central
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/SSkRJxt2R4m77-arSJo8Og/runs/0/artifacts/public/logs/live_backing.log

[task 2023-01-26T00:50:26.110Z] 00:50:26     INFO - TEST-PASS | toolkit/components/pictureinpicture/tests/browser_backgroundTab.js | The originating browser tab should be in STATE_LOADED. - 2 == 2 - 
[task 2023-01-26T00:50:26.110Z] 00:50:26     INFO - Leaving test bound 
[task 2023-01-26T00:50:26.111Z] 00:50:26     INFO - Buffered messages finished
[task 2023-01-26T00:50:26.112Z] 00:50:26    ERROR - TEST-UNEXPECTED-FAIL | toolkit/components/pictureinpicture/tests/browser_backgroundTab.js | application terminated with exit code 1
[task 2023-01-26T00:50:26.112Z] 00:50:26     INFO - runtests.py | Application ran for: 0:00:13.746375
[task 2023-01-26T00:50:26.113Z] 00:50:26     INFO - zombiecheck | Reading PID log: C:\Users\task_1674690213\AppData\Local\Temp\tmpsnehncoipidlog
[task 2023-01-26T00:50:26.114Z] 00:50:26     INFO - ==> process 4316 launched child process 7456 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.0.428805293\686475561" -childID 1 -isForBrowser -prefsHandle 2012 -prefMapHandle 2000 -prefsLen 20667 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {9cc88696-ccd2-4bd8-bdd8-5af172bb5542} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 2096 113d3e00 tab)
[task 2023-01-26T00:50:26.115Z] 00:50:26     INFO - ==> process 4316 launched child process 3632 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.1.1863388073\156121643" -childID 2 -isForBrowser -prefsHandle 2496 -prefMapHandle 2492 -prefsLen 22222 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {01d6c3ea-bc63-4c07-bb91-de20df6946b1} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 2508 1a468e00 tab)
[task 2023-01-26T00:50:26.116Z] 00:50:26     INFO - ==> process 4316 launched child process 5968 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.2.1372023120\1010947677" -childID 3 -isForBrowser -prefsHandle 2636 -prefMapHandle 2496 -prefsLen 21905 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {0ed1135f-92e5-4262-99da-e29ccaa67eb5} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 2648 1a468110 tab)
[task 2023-01-26T00:50:26.118Z] 00:50:26     INFO - ==> process 4316 launched child process 7952 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.3.2118188584\1608995360" -parentBuildID 20230125215201 -prefsHandle 2904 -prefMapHandle 2900 -prefsLen 23380 -prefMapSize 247956 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {ff171b51-bc3a-4796-aa7b-11a3bc1112ce} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 2916 11480af0 rdd)
[task 2023-01-26T00:50:26.119Z] 00:50:26     INFO - ==> process 4316 launched child process 7136 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.4.396427376\295100459" -childID 4 -isForBrowser -prefsHandle 3368 -prefMapHandle 3372 -prefsLen 27755 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {944cb10c-e557-42af-a902-9fad759e102f} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 3384 1c94cb20 tab)
[task 2023-01-26T00:50:26.120Z] 00:50:26     INFO - ==> process 4316 launched child process 8112 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.5.1675517465\82580869" -childID 5 -isForBrowser -prefsHandle 3400 -prefMapHandle 3404 -prefsLen 27755 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {efeb546c-9473-4e6e-b9e9-3ea4964b711d} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 3424 1c94c110 tab)
[task 2023-01-26T00:50:26.121Z] 00:50:26     INFO - ==> process 4316 launched child process 1144 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.6.48866992\533850585" -childID 6 -isForBrowser -prefsHandle 3512 -prefMapHandle 3504 -prefsLen 27755 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {bc6fc6df-b0d2-4cd6-bfb0-6ef296f89686} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 2288 1c94c280 tab)
[task 2023-01-26T00:50:26.122Z] 00:50:26     INFO - ==> process 4316 launched child process 6880 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.7.1201403221\1346849874" -childID 7 -isForBrowser -prefsHandle 3608 -prefMapHandle 3612 -prefsLen 30418 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {b2305660-45cd-495e-98ff-274ed6367ec7} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 3792 1c94c3f0 tab)
[task 2023-01-26T00:50:26.124Z] 00:50:26     INFO - ==> process 4316 launched child process 6252 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.8.1896829116\726507259" -childID 8 -isForBrowser -prefsHandle 4416 -prefMapHandle 4372 -prefsLen 27913 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {92c5d401-fd28-4aa4-9fac-a761d49528b9} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 4360 1c94cc90 tab)
[task 2023-01-26T00:50:26.125Z] 00:50:26     INFO - ==> process 4316 launched child process 7256 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.9.105087947\605003173" -childID 9 -isForBrowser -prefsHandle 4480 -prefMapHandle 4484 -prefsLen 27913 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {5249df58-25f9-4514-b116-ae34b96ea2a2} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 4472 21390110 tab)
[task 2023-01-26T00:50:26.126Z] 00:50:26     INFO - ==> process 4316 launched child process 1584 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.10.507627332\107554721" -childID 10 -isForBrowser -prefsHandle 3828 -prefMapHandle 3688 -prefsLen 27983 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {4da7e38c-72ae-451a-a54a-8af8f9155d40} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 3792 213909b0 tab)
[task 2023-01-26T00:50:26.127Z] 00:50:26     INFO - ==> process 4316 launched child process 7152 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.11.2067679770\498895919" -childID 11 -isForBrowser -prefsHandle 4132 -prefMapHandle 3784 -prefsLen 28148 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {d83a4391-dabf-4465-8e94-c63f7b6513ab} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 4460 1c94cc90 tab)
[task 2023-01-26T00:50:26.129Z] 00:50:26     INFO - ==> process 4316 launched child process 2748 ("Z:\task_1674690213\build\application\firefox\firefox.exe" -contentproc --channel="4316.12.598709448\966969959" -childID 12 -isForBrowser -prefsHandle 4508 -prefMapHandle 4500 -prefsLen 28148 -prefMapSize 247956 -jsInitHandle 968 -jsInitLen 255436 -parentBuildID 20230125215201 -appDir "Z:\task_1674690213\build\application\firefox\browser" - {8a2472af-f466-4735-b7f7-658ea4587574} 4316 "\\.\pipe\gecko-crash-server-pipe.4316" 4504 1c94c280 tab)
[task 2023-01-26T00:50:26.129Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 7456
[task 2023-01-26T00:50:26.130Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 7136
[task 2023-01-26T00:50:26.131Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 6880
[task 2023-01-26T00:50:26.131Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 6252
[task 2023-01-26T00:50:26.132Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 7952
[task 2023-01-26T00:50:26.132Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 3632
[task 2023-01-26T00:50:26.133Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 5968
[task 2023-01-26T00:50:26.133Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 8112
[task 2023-01-26T00:50:26.134Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 1584
[task 2023-01-26T00:50:26.134Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 7152
[task 2023-01-26T00:50:26.135Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 1144
[task 2023-01-26T00:50:26.135Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 7256
[task 2023-01-26T00:50:26.136Z] 00:50:26     INFO - zombiecheck | Checking for orphan process with PID: 2748
[task 2023-01-26T00:50:26.136Z] 00:50:26     INFO - mozcrash Downloading symbols from: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/I_PStef_TQ202kSpfG1O7g/artifacts/public/build/target.crashreporter-symbols.zip
[task 2023-01-26T00:50:43.088Z] 00:50:43     INFO - mozcrash Copy/paste: Z:/task_1674690213/fetches\minidump-stackwalk\minidump-stackwalk.exe --symbols-url=https://symbols.mozilla.org/ --cyborg=C:\Users\task_1674690213\AppData\Local\Temp\tmp24oucvyg\b9b73fc5-3a9b-48b2-a246-4d0d89afb770.trace C:\Users\task_1674690213\AppData\Local\Temp\tmpljnf3isy.mozrunner\minidumps\b9b73fc5-3a9b-48b2-a246-4d0d89afb770.dmp C:\Users\task_1674690213\AppData\Local\Temp\tmpq74s822m
[task 2023-01-26T00:50:53.483Z] 00:50:53     INFO - mozcrash Saved minidump as Z:\task_1674690213\build\blobber_upload_dir\b9b73fc5-3a9b-48b2-a246-4d0d89afb770.dmp
[task 2023-01-26T00:50:53.488Z] 00:50:53     INFO - mozcrash Saved app info as Z:\task_1674690213\build\blobber_upload_dir\b9b73fc5-3a9b-48b2-a246-4d0d89afb770.extra
[task 2023-01-26T00:50:54.329Z] 00:50:54     INFO - PROCESS-CRASH | toolkit/components/pictureinpicture/tests/browser_backgroundTab.js | application crashed [@ glsl::combine(unsigned char[4], unsigned char[4])]
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - Crash dump filename: C:\Users\task_1674690213\AppData\Local\Temp\tmpljnf3isy.mozrunner\minidumps\b9b73fc5-3a9b-48b2-a246-4d0d89afb770.dmp
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - Operating system: Windows NT
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO -                   6.1.7601 Service Pack 1
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - CPU: x86
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO -      GenuineIntel family 6 model 63 stepping 2
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO -      8 CPUs
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - 
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - Crash address: 0x8be2388c
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - Process uptime: 13 seconds
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - 
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO - Thread 74  (crashed)
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO -  0  xul.dll!glsl::combine(unsigned char[4], unsigned char[4]) [vector_type.h:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 32]
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.330Z] 00:50:54     INFO -  1  xul.dll!glsl::combine(unsigned char[2], unsigned char[2], unsigned char[2], unsigned char[2]) [vector_type.h:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 417]
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -  2  xul.dll!linearRowTapsR8(glsl::sampler2DRect_impl*, int[4], int, int, short) [composite.h:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 781]
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -  3  xul.dll!textureLinearRowR8(glsl::sampler2DRect_impl*, int[4], int, int, short) [composite.h:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 807]
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -  4  xul.dll!linear_row_yuv<0>(unsigned int*, int, glsl::sampler2DRect_impl*, glsl::vec2_scalar const&, float, glsl::sampler2DRect_impl*, glsl::sampler2DRect_impl*, glsl::vec2_scalar const&, float, int, YUVMatrix const&) [composite.h:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 1126 + 0x70]
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -      eip = 0x54a10fd1    esp = 0x023ef610    ebp = 0x023ef92c    ebx = 0x00000000
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -      esi = 0x00000190    edi = 0xe5e5e5e3    eax = 0xe5e5e5e3    ecx = 0xa5fc52a9
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -      edx = 0xc0166cc4 eflags = 0x00010287
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -     Found by: given as instruction pointer in context
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -  5  xul.dll!linear_convert_yuv(Texture&, Texture&, Texture&, YUVMatrix const&, int, IntRect const&, Texture&, IntRect const&, bool, bool, IntRect const&) [composite.h:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 1198]
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -  6  xul.dll!CompositeYUV(Texture*, Texture*, Texture*, Texture*, YUVRangedColorSpace, unsigned int, int, int, int, int, int, int, int, int, unsigned char, unsigned char, int, int, int, int) [composite.h:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 1382 + 0x1dc]
[task 2023-01-26T00:50:54.331Z] 00:50:54     INFO -      eip = 0x54a00290    esp = 0x023ef934    ebp = 0x023efa7c    ebx = 0x0000004c
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -      esi = 0x2ad5bc24    edi = 0x00000190
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -  7  xul.dll!swgl::swgl_fns::LockedResource::composite_yuv(swgl::swgl_fns::LockedResource*, swgl::swgl_fns::LockedResource*, swgl::swgl_fns::LockedResource*, swgl::swgl_fns::YuvRangedColorSpace, unsigned int, int, int, int, int, int, int, int, int, bool, bool, int, int, int, int) [swgl_fns.rs:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 2383 + 0x3f]
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -      eip = 0x59261c19    esp = 0x023efa84    ebp = 0x023efae0    ebx = 0x00000000
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -      esi = 0x187526dc    edi = 0x187526e8
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -  8  xul.dll!webrender::compositor::sw_compositor::SwCompositeJob::process(int) [sw_compositor.rs:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 264]
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -  9  xul.dll!webrender::compositor::sw_compositor::SwCompositeGraphNode::process_job(int) [sw_compositor.rs:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 411]
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO - 10  xul.dll!webrender::compositor::sw_compositor::SwCompositeThread::process_job(webrender::compositor::sw_compositor::SwCompositeGraphNode*, int) [sw_compositor.rs:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 523 + 0xad]
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -      eip = 0x55a87e8c    esp = 0x023efae8    ebp = 0x023efb90    ebx = 0x00000168
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -      esi = 0x00000000    edi = 0x187526d8
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.332Z] 00:50:54     INFO - 11  xul.dll!webrender::compositor::sw_compositor::impl$11::new::closure$0(webrender::compositor::sw_compositor::impl$11::new::closure_env$0) [sw_compositor.rs:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 500]
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO - 12  xul.dll!std::sys_common::backtrace::__rust_begin_short_backtrace<webrender::compositor::sw_compositor::impl$11::new::closure_env$0,tuple$<> >(webrender::compositor::sw_compositor::impl$11::new::closure_env$0) [backtrace.rs : 121 + 0x43]
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -      eip = 0x55a68d94    esp = 0x023efb98    ebp = 0x023efbb8    ebx = 0x00000002
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -      esi = 0x1ab09df8    edi = 0x00000001
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO - 13  xul.dll!std::thread::impl$0::spawn_unchecked_::closure$1::closure$0(std::thread::impl$0::spawn_unchecked_::closure$1::closure_env$0<webrender::compositor::sw_compositor::impl$11::new::closure_env$0,tuple$<> >) [mod.rs : 551]
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO - 14  xul.dll!core::panic::unwind_safe::impl$23::call_once(core::panic::unwind_safe::AssertUnwindSafe<std::thread::impl$0::spawn_unchecked_::closure$1::closure_env$0<webrender::compositor::sw_compositor::impl$11::new::closure_env$0,tuple$<> > >) [unwind_safe.rs : 271]
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO - 15  xul.dll!std::panicking::try::do_call(unsigned char*) [panicking.rs : 483]
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO - 16  xul.dll!std::panicking::try(core::panic::unwind_safe::AssertUnwindSafe<std::thread::impl$0::spawn_unchecked_::closure$1::closure_env$0<webrender::compositor::sw_compositor::impl$11::new::closure_env$0,tuple$<> > >) [panicking.rs : 447]
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO - 17  xul.dll!std::panic::catch_unwind(core::panic::unwind_safe::AssertUnwindSafe<std::thread::impl$0::spawn_unchecked_::closure$1::closure_env$0<webrender::compositor::sw_compositor::impl$11::new::closure_env$0,tuple$<> > >) [panic.rs : 137]
[task 2023-01-26T00:50:54.333Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO - 18  xul.dll!std::thread::impl$0::spawn_unchecked_::closure$1(std::thread::impl$0::spawn_unchecked_::closure_env$1<webrender::compositor::sw_compositor::impl$11::new::closure_env$0,tuple$<> >) [mod.rs : 550]
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO - 19  xul.dll!core::ops::function::FnOnce::call_once<std::thread::impl$0::spawn_unchecked_::closure_env$1<webrender::compositor::sw_compositor::impl$11::new::closure_env$0,tuple$<> >,tuple$<> >(std::thread::impl$0::spawn_unchecked_::closure_env$1<webrender::compositor::sw_compositor::impl$11::new::closure_env$0,tuple$<> >*) [function.rs : 251 + 0x5e]
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -      eip = 0x55a6d0ca    esp = 0x023efbc0    ebp = 0x023efbe0    ebx = 0x1a3d4b98
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -      esi = 0x1abd51e0    edi = 0x549efce0
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO - 20  xul.dll!alloc::boxed::impl$45::call_once() [boxed.rs:69f9c33d71c871fc16ac445211281c6e7a340943 : 1987]
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO - 21  xul.dll!alloc::boxed::impl$45::call_once() [boxed.rs:69f9c33d71c871fc16ac445211281c6e7a340943 : 1987]
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO - 22  xul.dll!std::sys::windows::thread::impl$0::new::thread_start() [thread.rs:69f9c33d71c871fc16ac445211281c6e7a340943 : 56 + 0x18]
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -      eip = 0x549efd46    esp = 0x023efbe8    ebp = 0x023efc28    ebx = 0x1a3d4b98
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -      esi = 0x023efbec    edi = 0x549efce0
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.334Z] 00:50:54     INFO - 23  kernel32.dll!BaseThreadInitThunk + 0x11
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -      eip = 0x76a5ef3c    esp = 0x023efc30    ebp = 0x023efc34    ebx = 0x1a3d4b98
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -      esi = 0x00000000    edi = 0x549efce0
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO - 24  mozglue.dll!mozilla::interceptor::FuncHook<mozilla::interceptor::WindowsDllInterceptor<mozilla::interceptor::VMSharingPolicyShared>,void (*)(int, void *, void *) __attribute__((fastcall))>::operator()(int&, void*&, void*&) const [nsWindowsDllInterceptor.h:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 150]
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -     Found by: inlining
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO - 25  mozglue.dll!patched_BaseThreadInitThunk(int, void*, void*) [WindowsDllBlocklist.cpp:45cd9ed42ad7f9e8f3b477c99142ec710aa43a09 : 596 + 0x8]
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -      eip = 0x6af13e62    esp = 0x023efc3c    ebp = 0x023efc70    ebx = 0x1a3d4b98
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -      esi = 0x00000000    edi = 0x549efce0
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO - 26  ntdll.dll!__RtlUserThreadStart + 0x26
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -      eip = 0x77183618    esp = 0x023efc78    ebp = 0x023efcb0    ebx = 0x1a3d4b98
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -      esi = 0x00000000    edi = 0x00000000
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO - 27  ntdll.dll!_RtlUserThreadStart + 0x1a
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -      eip = 0x771835eb    esp = 0x023efcb8    ebp = 0x023efcc8    ebx = 0x1a3d4b98
[task 2023-01-26T00:50:54.335Z] 00:50:54     INFO -      esi = 0x00000000    edi = 0x00000000
[task 2023-01-26T00:50:54.336Z] 00:50:54     INFO -     Found by: call frame info
[task 2023-01-26T00:50:54.336Z] 00:50:54     INFO - 
[task 2023-01-26T00:50:54.336Z] 00:50:54     INFO - Thread 0

I assume this got filed as a security bug because there are poison values in the eax and edi registers in linear_row_yuv.

Group: firefox-core-security → gfx-core-security
Component: Picture-in-Picture → Graphics: WebRender
Keywords: csectype-uaf
Product: Toolkit → Core

The stack looks like swgl so I moved it to WebRender.

I'll mark this sec-high, but it doesn't seem particularly actionable. Hopefully we can close it as WFM in a few weeks if it doesn't come back.

Keywords: sec-high
OS: Unspecified → macOS

SWGL, so @lsalzman: Anything you can add here?

Flags: needinfo?(lsalzman)

Looks like the test this way reported against is a PiP test, related to video, which makes sense since the YUV decoding inside SWGL compositor is being used at the same. However, the incidence of this crash signature [glsl::combine] and in particular, this crash coming from [CompositeYUV], seems to be low. There are other crashes reported against [glsl::combine], but not all are coming from [CompositiveYUV] and video compositing.

Sotaro, do you have any idea if there is something here about if the video is getting sent over as shmem and getting unmapped before SWGL is done compositing it?

Flags: needinfo?(lsalzman) → needinfo?(sotaro.ikeda.g)
Depends on: 1816053
Depends on: 1816065

If RDD process is crashed, PVideoBridgeParent::OnChannelError() is called in compositor thread. It deallocates all Shmems by calling DeallocShmems(). It might be related to the problem. Shmems are used in Renderer thread or SwComposite thread.

From the above same problem seems to exist for Shmems that are allocated by CompositorBridgeParent/CompositorManagerParent.

It seems that there are 2 ways to address the problem.

  • [1] Synchronously block compositor thread until all Shmem usages are cleared.
    • It forces to unregister all external images of Shmems. And it needs to do sync wait.
  • [2] Do not deallocate Shmems in OnChannelError(). Instread Shmem users(like ShmemTextureHost) deallocate Shemms.
    • It does not have sync wait. We need to ensure all users deallocate Shemms correctly.

D169796 is implementation of [1] of comment 7.

Assignee: nobody → sotaro.ikeda.g
Flags: needinfo?(sotaro.ikeda.g)

Comment on attachment 9317579 [details]
Bug 1812498 - Destroy RenderBufferTextureHosts that use VideoBridgeParent's Shmems in VideoBridgeParent::OnChannelError()

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It is hard.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 87
  • If not all supported branches, which bug introduced the flaw?: Bug 1689203
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: It is easy to create. And it is not risky.
  • How likely is this patch to cause regressions; how much testing does it need?: It seems not likely to cause a regression.
  • Is Android affected?: No
Attachment #9317579 - Flags: sec-approval?

Comment on attachment 9317579 [details]
Bug 1812498 - Destroy RenderBufferTextureHosts that use VideoBridgeParent's Shmems in VideoBridgeParent::OnChannelError()

Approved to request uplift and land.

Attachment #9317579 - Flags: sec-approval? → sec-approval+

FYI, this is going to need a rebased patch for ESR102.

status-firefox110: --- → wontfix
status-firefox111: --- → affected
status-firefox112: --- → affected
status-firefox-esr102: --- → affected
tracking-firefox111: --- → +
tracking-firefox112: --- → +
tracking-firefox-esr102: --- → 111+
Flags: needinfo?(sotaro.ikeda.g)
Depends on: 1817674

:sotaro the final 111 beta builds on 2023-03-02. Next week is RC week.
This needs to land if it's going to make it for the 111 cycle.

D169796 needs Bug 1817674 fix(D171313). D171313 is waiting for review.

Flags: needinfo?(sotaro.ikeda.g)

This missed 111
:tjr can this still land whenever it's ready, or should it wait until later in the cycle?

status-firefox111: fixedwontfix
Flags: needinfo?(tom)

We'll need to wait until after the merge

Flags: needinfo?(tom)

This is good to land now. Just a reminder that we're going to need a rebased patch for ESR102 also.

Flags: needinfo?(sotaro.ikeda.g)
Flags: needinfo?(sotaro.ikeda.g)

Destroy RenderBufferTextureHosts that use VideoBridgeParent's Shmems in VideoBridgeParent::OnChannelError() r=lsalzman
https://hg.mozilla.org/integration/autoland/rev/23d0e7931bde341915318ec2417ccbee19a02b1e
https://hg.mozilla.org/mozilla-central/rev/23d0e7931bde

Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox113: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 113 Branch

The patch landed in nightly and beta is affected.
:sotaro, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(sotaro.ikeda.g)

Comment on attachment 9317579 [details]
Bug 1812498 - Destroy RenderBufferTextureHosts that use VideoBridgeParent's Shmems in VideoBridgeParent::OnChannelError()

Beta/Release Uplift Approval Request

  • User impact if declined: Crash might happen when RDD process crashes during video decoding.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change affects only to a situation of RDD process crash. And the change uses existing error handling of RenderBufferTextureHost.
  • String changes made/needed: none
  • Is Android affected?: No

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Crash might happen when RDD process crashes during video decoding.
  • Fix Landed on Version: 113
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change affects only to a situation of RDD process crash. And the change uses existing error handling of RenderBufferTextureHost.
Flags: needinfo?(sotaro.ikeda.g)
Attachment #9317579 - Flags: approval-mozilla-esr102?
Attachment #9317579 - Flags: approval-mozilla-beta?
Attachment #9323420 - Flags: approval-mozilla-esr102?

Comment on attachment 9317579 [details]
Bug 1812498 - Destroy RenderBufferTextureHosts that use VideoBridgeParent's Shmems in VideoBridgeParent::OnChannelError()

Approved for 112.0b5 and 102.10esr

Attachment #9317579 - Flags: approval-mozilla-esr102?
Attachment #9317579 - Flags: approval-mozilla-esr102+
Attachment #9317579 - Flags: approval-mozilla-beta?
Attachment #9317579 - Flags: approval-mozilla-beta+
Attachment #9317579 - Flags: approval-mozilla-esr102+
Attachment #9323420 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main112+r]
Whiteboard: [post-critsmash-triage][adv-main112+r] → [post-critsmash-triage][adv-main112+r][adv-esr102.10+r]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: