Assertion failure: gShmemMapped >= mMappedSize (Can't unmap more than mapped), at /builds/worker/checkouts/gecko/ipc/glue/SharedMemory.cpp:70
Categories: Core :: IPC, defect, P3
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments: 1 file (398 bytes, text/html)
Found while fuzzing m-c 20230131-351f3b41f9fb (--enable-debug --enable-fuzzing)
The attached test case only reproduces the issue on 32-bit builds. Marking as s-s to be safe.
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --cpu x86 -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: gShmemMapped >= mMappedSize (Can't unmap more than mapped), at /builds/worker/checkouts/gecko/ipc/glue/SharedMemory.cpp:70
#0 0xe589fcb0 in mozilla::ipc::SharedMemory::Unmapped() /builds/worker/checkouts/gecko/ipc/glue/SharedMemory.cpp:70:3
#1 0xe57b7cd1 in ~SharedMemory /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SharedMemory.h:36:5
#2 0xe57b7cd1 in ~SharedMemoryBasic /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SharedMemoryBasic_chromium.h:79:32
#3 0xe57b7cd1 in mozilla::ipc::SharedMemoryBasic::~SharedMemoryBasic() /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SharedMemoryBasic_chromium.h:79:32
#4 0xe5e90cb5 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/ipc/SharedMemory.h:78:3
#5 0xe5e90cb5 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#6 0xe5e90cb5 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#7 0xe5e90cb5 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#8 0xe5e90cb5 in mozilla::gfx::SourceSurfaceSharedDataWrapper::~SourceSurfaceSharedDataWrapper() /builds/worker/workspace/obj-build/dist/include/mozilla/layers/SourceSurfaceSharedData.h:35:7
#9 0xe5e90e62 in mozilla::gfx::SourceSurfaceSharedDataWrapper::~SourceSurfaceSharedDataWrapper() /builds/worker/workspace/obj-build/dist/include/mozilla/layers/SourceSurfaceSharedData.h:35:7
#10 0xe5ceff5d in mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::Release() const /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadSafeWeakPtr.h:179:7
#11 0xe637cc72 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#12 0xe637cc72 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#13 0xe637cc72 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#14 0xe637cc72 in ~RenderSharedSurfaceTextureHost /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderSharedSurfaceTextureHost.cpp:25:1
#15 0xe637cc72 in mozilla::wr::RenderSharedSurfaceTextureHost::~RenderSharedSurfaceTextureHost() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderSharedSurfaceTextureHost.cpp:23:67
#16 0xe6388f6e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/webrender/RenderTextureHost.h:42:3
#17 0xe6388f6e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
#18 0xe6388f6e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
#19 0xe6388f6e in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
#20 0xe6388f6e in destroy<RefPtr<mozilla::wr::RenderTextureHost> > /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:140:28
#21 0xe6388f6e in destroy<RefPtr<mozilla::wr::RenderTextureHost> > /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:487:8
#22 0xe6388f6e in std::__cxx11::_List_base<RefPtr<mozilla::wr::RenderTextureHost>, std::allocator<RefPtr<mozilla::wr::RenderTextureHost>>>::_M_clear() /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/list.tcc:76:4
#23 0xe6385186 in clear /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_list.h:1406:9
#24 0xe6385186 in mozilla::wr::RenderThread::DeferredRenderTextureHostDestroy() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:903:27
#25 0xe638e2e2 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
#26 0xe638e2e2 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
#27 0xe638e2e2 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
#28 0xe4be7812 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#29 0xe4bee012 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#30 0xe587bd49 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#31 0xe5798fcc in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#32 0xe5798eda in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#33 0xe5798eda in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#34 0xe4be2c8a in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#35 0xf6ff9a30 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#36 0xf798eb90 (/lib/i386-linux-gnu/libc.so.6+0x86b90) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
#37 0xf7a2b64b (/lib/i386-linux-gnu/libc.so.6+0x12364b) (BuildId: 0494f075afbcfa9004eaaedccbea53807b7bf669)
Comment 1•2 years ago
gShmemMapped is only used by memory reporting so this shouldn't be exploitable. (will break tests though)
Comment 2•2 years ago
It's unfortunately a somewhat known issue that the counters for SharedMemory are a bit messed up right now, so I'm not too surprised that we have some situation like this where we try to unmap more memory than we had previously mapped. At some point we should probably clean up this code and make sure that the about:memory shared memory reporter is working correctly going forward, but for now this is S3 unless it becomes a fuzz blocker.
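The assertion in the report checks an accounting invariant: a process-wide "bytes currently mapped" counter must never be decremented by more than was previously added to it. The following is an added example written for this page, not Gecko's SharedMemory code, and the scenario it constructs (a recorded size that was never added to the global counter) is a hypothetical way to break the invariant, not the root cause of this bug, which the report does not establish. It contrasts a naive scheme, where each object subtracts whatever size it currently believes is mapped, with one that only ever subtracts what the object itself added. All names (gMappedBytes, NaiveMapping, CheckedMapping, Mapped/Unmapped) are invented for the illustration.

```cpp
#include <cstddef>
#include <cstdio>

// Hypothetical process-wide counter of mapped shared-memory bytes, used only
// for reporting (the page states the real counter is used by memory
// reporting only). Not Gecko's gShmemMapped.
static size_t gMappedBytes = 0;

// Naive accounting: on teardown, subtract whatever size the object currently
// records. If that size was changed after mapping without the counter being
// updated, teardown tries to remove more than was ever added, which is the
// "can't unmap more than mapped" condition the bug's assertion catches.
struct NaiveMapping {
  size_t mMappedSize = 0;

  void Mapped(size_t n) {
    mMappedSize = n;
    gMappedBytes += n;
  }

  // Returns false instead of asserting so the failure can be observed.
  bool Unmapped() {
    if (gMappedBytes < mMappedSize) {
      return false;  // would underflow the global counter
    }
    gMappedBytes -= mMappedSize;
    mMappedSize = 0;
    return true;
  }
};

// Checked accounting: keep a separate record of what this object actually
// contributed to the global counter and subtract only that, so a stale or
// externally modified size field cannot drive the counter below zero.
struct CheckedMapping {
  size_t mMappedSize = 0;  // what the object believes is mapped
  size_t mCounted = 0;     // what it really added to gMappedBytes

  void Mapped(size_t n) {
    mMappedSize = n;
    gMappedBytes += n;
    mCounted = n;
  }

  void Unmapped() {
    gMappedBytes -= mCounted;  // never more than this object added
    mCounted = 0;
    mMappedSize = 0;
  }
};

// Constructed scenario: map 4096 bytes, then bump the recorded size to 8192
// without going through Mapped() (modelling a size field updated on some
// other path). Returns true if the naive scheme would underflow.
bool NaiveSchemeUnderflows() {
  gMappedBytes = 0;
  NaiveMapping m;
  m.Mapped(4096);
  m.mMappedSize = 8192;      // recorded, but never added to gMappedBytes
  bool ok = m.Unmapped();    // tries to remove 8192 from 4096
  return !ok;
}

// Same scenario with checked accounting: returns the final global count,
// which stays consistent at 0.
size_t CheckedSchemeFinalCount() {
  gMappedBytes = 0;
  CheckedMapping m;
  m.Mapped(4096);
  m.mMappedSize = 8192;      // same stale size, but mCounted is still 4096
  m.Unmapped();
  return gMappedBytes;
}

int main() {
  std::printf("naive scheme underflows: %s\n",
              NaiveSchemeUnderflows() ? "yes" : "no");
  std::printf("checked scheme final count: %zu\n", CheckedSchemeFinalCount());
  return 0;
}
```

Because the counter is only a diagnostic total, an underflow in it corrupts the about:memory figure rather than any mapping, which is why the comments above treat the assertion as a test-breaker rather than an exploitable bug; the checked variant simply makes the reporter's number trustworthy again.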