Closed
Bug 1828264
Opened 2 years ago
Closed 1 year ago
Assertion from creating a OffscreenCanvas on a media track graph thread
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
116 Branch
People
(Reporter: d4ni31, Assigned: peterv)
References
Details
(Keywords: crash, csectype-dos, reporter-external)
Attachments
(5 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Steps to reproduce:
Title
- Memory Corruption in CanvasRenderingContext2D
Summary
- A Memory Corruption exists in the CanvasRenderingContext2D
- The browser process crashes when triggering this bug.
Test environment
Product : Mozilla Firefox 112.0
OS : Windows 11 x64
Trace
void OffscreenCanvasRenderingContext2D::AddShutdownObserver() {
WorkerPrivate* workerPrivate = GetCurrentThreadWorkerPrivate();
if (!workerPrivate) {
// We may be using OffscreenCanvas on the main thread.
CanvasRenderingContext2D::AddShutdownObserver(); // [1]
return;
}
mOffscreenShutdownObserver =
MakeAndAddRef<OffscreenCanvasShutdownObserver>(this);
mWorkerRef = WeakWorkerRef::Create(
workerPrivate,
[observer = mOffscreenShutdownObserver] { observer->OnShutdown(); });
}
void CanvasRenderingContext2D::AddShutdownObserver() {
MOZ_ASSERT(!mShutdownObserver);
MOZ_ASSERT(NS_IsMainThread());
mShutdownObserver = new CanvasShutdownObserver(this);
nsContentUtils::RegisterShutdownObserver(mShutdownObserver); // [2]
}
/* static */
void nsContentUtils::RegisterShutdownObserver(nsIObserver* aObserver) {
nsCOMPtr<nsIObserverService> observerService =
mozilla::services::GetObserverService(); // [3]
if (observerService) {
observerService->AddObserver(aObserver, NS_XPCOM_SHUTDOWN_OBSERVER_ID,
false);
}
}
namespace mozilla {
namespace services {
already_AddRefed<nsIObserverService> GetObserverService()
{
if (MOZ_UNLIKELY(gXPCOMShuttingDown)) {
return nullptr;
}
if (!gObserverService) {
nsCOMPtr<nsIObserverService> os = do_GetService("@mozilla.org/observer-service;1");
os.swap(gObserverService);
}
return do_AddRef(gObserverService); // [4]
}
}
}
template <class T>
inline already_AddRefed<T> do_AddRef(T* aObj) {
RefPtr<T> ref(aObj); // [5]
return ref.forget();
}
AddressSanitizer
[Child 58153, Main Thread] WARNING: NS_ENSURE_TRUE(nsContentUtils::IsJavascriptMIMEType(type)) failed: file /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:908
Assertion failure: NS_IsMainThread(), at /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:1169
#01: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a96bf67]
#02: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a94e788]
#03: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a9d0313]
#04: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1ab20a13]
#05: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1ab20c0f]
#06: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a9d0e8c]
#07: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1ab1f744]
#08: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x17920db3]
#09: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a69e7da]
#10: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26897beb]
#11: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26896602]
#12: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26874e16]
#13: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x268571db]
#14: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26896633]
#15: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x2689a1b2]
#16: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26acf279]
#17: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x19cfdde4]
#18: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b799588]
#19: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b7969ea]
#20: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b73432b]
#21: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b73686e]
#22: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b713a3e]
#23: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b71117c]
#24: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b7190b1]
#25: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b72300d]
#26: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b699c6a]
#27: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b74bf1c]
#28: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1f360281]
#29: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1f35edcb]
#30: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x11872452]
#31: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x118670d1]
#32: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c6ed958]
#33: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c6ee5e1]
#34: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c2a92d9]
#35: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c2ac3c6]
#36: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c4094c0]
#37: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x11872452]
#38: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x11885d4a]
#39: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1398ff61]
#40: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x137385a4]
#41: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x13738207]
#42: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x118648d5]
#43: ???[/home/dohyun/Desktop/debug_firefox/libnspr4.so +0x9e388]
#44: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x8609]
#45: clone[/lib/x86_64-linux-gnu/libc.so.6 +0x11f133]
#46: ??? (???:???)
Program /home/dohyun/Desktop/debug_firefox/firefox (pid = 58153) received signal 11.
Stack:
#01: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x29d9aeae]
#02: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x14420]
#03: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a96bf9c]
[Parent 57791, IPDL Background] WARNING: Call to Send() failed: file /builds/worker/checkouts/gecko/ipc/glue/NodeChannel.cpp:217
#04: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a94e788]
#05: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a9d0313]
#06: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1ab20a13]
#07: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1ab20c0f]
#08: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a9d0e8c]
[Parent 57791, Main Thread] WARNING: Dropping message as channel has been closed: file /builds/worker/checkouts/gecko/ipc/glue/NodeChannel.cpp:209
#09: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1ab1f744]
#10: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x17920db3]
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
#11: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1a69e7da]
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
#12: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26897beb]
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
#13: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26896602]
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
#14: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26874e16]
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
#15: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x268571db]
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
#16: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26896633]
[Parent 57791, IPC I/O Parent] WARNING: [1.1]: Ignoring message 'EVENT_MESSAGE' to unknown peer 254CB52223948247.70FD630D961C290C: file /builds/worker/checkouts/gecko/ipc/glue/NodeController.cpp:344
#17: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x2689a1b2]
#18: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x26acf279]
#19: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x19cfdde4]
#20: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b799588]
#21: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b7969ea]
#22: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b73432b]
#23: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b73686e]
#24: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b713a3e]
#25: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b71117c]
#26: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b7190b1]
#27: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b72300d]
#28: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b699c6a]
#29: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1b74bf1c]
#30: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1f360281]
#31: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1f35edcb]
#32: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x11872452]
#33: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x118670d1]
#34: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c6ed958]
#35: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c6ee5e1]
#36: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c2a92d9]
#37: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c2ac3c6]
#38: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1c4094c0]
#39: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x11872452]
#40: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x11885d4a]
#41: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x1398ff61]
#42: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x137385a4]
#43: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x13738207]
#44: ???[/home/dohyun/Desktop/debug_firefox/libxul.so +0x118648d5]
#45: ???[/home/dohyun/Desktop/debug_firefox/libnspr4.so +0x9e388]
#46: ???[/lib/x86_64-linux-gnu/libpthread.so.0 +0x8609]
#47: clone[/lib/x86_64-linux-gnu/libc.so.6 +0x11f133]
#48: ??? (???:???)
Sleeping for 300 seconds.
Type 'gdb /home/dohyun/Desktop/debug_firefox/firefox 58153' to attach your debugger to this thread.
[Parent 57791, Main Thread] WARNING: IPC Connection Error: [Parent][PContentParent] RunMessage(msgname=PExtensions::Msg_DocumentChange) Channel error: cannot send/recv: file /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1927
[Parent 57791, Main Thread] WARNING: IPC Connection Error: [Parent][PContentParent] RunMessage(msgname=PBrowser::Msg_OnProgressChange) Channel error: cannot send/recv: file /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1927
[Parent 57791, Main Thread] WARNING: IPC Connection Error: [Parent][PContentParent] RunMessage(msgname=PContent::Msg_ScriptError) Channel error: cannot send/recv: file /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1927
[Parent 57791, Main Thread] WARNING: IPC Connection Error: [Parent][PContentParent] RunMessage(msgname=PContent::Msg_StoreAndBroadcastBlobURLRegistration) Channel error: cannot send/recv: file /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1927
Proof-of-Concept
- Please check the attached file!
Reproduce
- open a poc.html in Firefox
- Wait a few seconds.
Actual results:
.
Expected results:
.
|
Reporter | |
Comment 1•2 years ago
|
||
Summary modify
- A Memory Corruption exists in the CanvasRenderingContext2D
- The Renderer process crashes when triggering this bug.
|
||
Comment 2•2 years ago
|
||
It looks like the stack you are giving is for a thread safety assertion, not memory corruption. It is possible that a thread safety issue could lead to other issues, of course.
If you could symbolicate this stack then it would be easier to triage the issue.
The test case involves both audio worklets and offscreen canvas.
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics: Canvas2D
Product: Firefox → Core
|
||
Comment 3•2 years ago
|
||
This is the stack I get locally when loading the attachment.
|
|
||
Comment 4•2 years ago
|
||
I think we'll hit a release assert in nsObserverService::AddObserver() (via EnsureValidCall()) so I'm not sure how much of a security issue this is. Calling GetObserverService() could technically race if the observer service is starting up or shutting down but I think in practice it should always be running by this point. It still seems potentially bad if we're creating an offscreen canvas from an unexpected thread.
|
|
||
Updated•2 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Memory Corruption in CanvasRenderingContext2D → Assertion from creating a OffscreenCanvas on a media track graph thread
|
||
Comment 5•2 years ago
|
||
Memory Corruption in CanvasRenderingContext2D
There doesn't seem to be any memory corruption. A release assertion will kill the browser, but in a non-exploitable way (to prevent potential future problems caused by thread-unsafe code).
Release firefox crashes the child process and looks like bp-ef12d643-42c4-4630-ac51-6ce8a0230419
Group: gfx-core-security
Keywords: crash,
csectype-dos
|
||
Comment 6•1 year ago
|
||
The severity field is not set for this bug.
:lsalzman, could you have a look please?
For more information, please visit BugBot documentation.
Flags: needinfo?(lsalzman)
|
||
Comment 7•1 year ago
|
||
OffscreenCanvas was designed to be used from the main thread, or a worker thread. These is an audio worklet, slightly different context and it appears we don't get a full blown worker context for shutdown events. I will look into how to best handle this.
Assignee: nobody → aosmond
Flags: needinfo?(lsalzman) → needinfo?(aosmond)
|
|
||
Updated•1 year ago
|
Severity: -- → S2
status-firefox112:
--- → affected
status-firefox113:
--- → affected
status-firefox114:
--- → affected
status-firefox-esr102:
--- → affected
|
|
||
Comment 8•1 year ago
|
||
Emilio, should OffscreenCanvas exposed on worklet threads? I see we are following the specification (Worker instead of DedicatedWorker).
Flags: needinfo?(emilio)
|
||
Comment 9•1 year ago
|
||
I don't think so... Worklet doesn't implement Worker afaict? So Exposed=Worker shouldn't expose stuff to audio worklets. I think this might be a bindings bug?
Flags: needinfo?(peterv)
Flags: needinfo?(emilio)
Flags: needinfo?(echen)
|
||
Comment 10•1 year ago
|
||
Comment 9 is correct, Worklet has nothing to do with Worker, this shouldn't be exposed.
|
Assignee | |
Comment 11•1 year ago
|
||
I don't think this is a bindings bug as such, it's a bug in our structured handling code (https://searchfox.org/mozilla-central/source/dom/base/StructuredCloneHolder.cpp#1200-1217). We're missing step 3.4.2 from https://html.spec.whatwg.org/multipage/structured-data.html#structureddeserializewithtransfer. I thought we had an existing bug for that, but I can't find it right now.
Assignee: aosmond → peterv
Status: NEW → ASSIGNED
Flags: needinfo?(peterv)
Flags: needinfo?(echen)
Flags: needinfo?(aosmond)
|
|
||
Updated•1 year ago
|
Component: Graphics: Canvas2D → DOM: Core & HTML
|
|
Assignee | |
Comment 12•1 year ago
|
||
|
||
Updated•1 year ago
|
Attachment #9333897 -
Attachment description: WIP: Bug 1828264 - Assertion from creating a OffscreenCanvas on a media track graph thread. r?farre! → Bug 1828264 - Assertion from creating a OffscreenCanvas on a media track graph thread. r?farre!
|
|
Assignee | |
Comment 13•1 year ago
|
||
Depends on D178173
|
|
Assignee | |
Comment 14•1 year ago
|
||
|
||
Comment 15•1 year ago
|
||
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/18efba6ba1de
Assertion from creating a OffscreenCanvas on a media track graph thread. r=farre
https://hg.mozilla.org/integration/autoland/rev/6f8b0b36ee84
Testcase. r=farre
|
|
Reporter | |
Updated•1 year ago
|
Flags: sec-bounty?
|
||
Comment 16•1 year ago
•
|
||
Backed out for causing multiple failures
Push with failures - mochitest 9
Push with failures - xpcshell
Push with failures - mochitest 1
Push with failures - mochitest 4
Push with failures - xpcshell X6
Failure log - mochitest 9 // Failure log - xpcshell // Failure log - mochitest 1 // Failure log - mochitest 4 // Failure log - xpcshell X6
Flags: needinfo?(peterv)
|
|
||
Comment 17•1 year ago
|
||
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/81e8bc2a7253
Assertion from creating a OffscreenCanvas on a media track graph thread. r=farre
https://hg.mozilla.org/integration/autoland/rev/8c256ebacc5a
Testcase. r=farre
|
||
Comment 18•1 year ago
|
||
Backed out for causing xpcshell and mochitest plain failures on test_upgrade_add_index.js.
Failure logs:
- https://treeherder.mozilla.org/logviewer?job_id=417680878&repo=autoland
- https://treeherder.mozilla.org/logviewer?job_id=417677090&repo=autoland
Backout link: https://hg.mozilla.org/integration/autoland/rev/53a982946d27bebb5fd73b96a7ff71672afde9ac
|
|
||
Comment 19•1 year ago
|
||
Pushed by pvanderbeken@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/47f66db5a370
Assertion from creating a OffscreenCanvas on a media track graph thread. r=farre
https://hg.mozilla.org/integration/autoland/rev/599e77c29bb6
Testcase. r=farre
|
|
||
Comment 20•1 year ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/47f66db5a370
https://hg.mozilla.org/mozilla-central/rev/599e77c29bb6
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox116:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch
|
|
||
Comment 21•1 year ago
|
||
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
status-firefox115:
--- → affected
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
Flags: sec-bounty? → sec-bounty-
|
||
Updated•1 year ago
|
Flags: qe-verify+
|
||
Comment 22•1 year ago
|
||
I was able to reproduce the issue on Win10x64 using FF build 114.0a1(20230415205259)(tab crashed when open poc.html from description).
Verified as fixed on Win10x64/Ubuntu 20.04 using FF build 116.0(20230724170120) and 117.0a1. (tab did not crashed anymore).
|
|
Assignee | |
Updated•1 year ago
|
Flags: needinfo?(peterv)
|
||
Updated•4 months ago
|
Keywords: reporter-external
You need to log in
before you can comment on or make changes to this bug.
Description
•