Closed Bug 1829861 Opened 2 years ago Closed 1 year ago

Intermittent pid: <bound method FirefoxBrowser.pid of <wptrunner.browsers.firefox.FirefoxBrowser object at 0x7fd61e848ad0>> | application crashed [@ __GI_getenv]

Categories

(Core :: Graphics, defect)

RESOLVED INCOMPLETE

People

(Reporter: intermittent-bug-filer, Unassigned)

Details

(Keywords: crash, csectype-uaf, intermittent-failure)

Crash Data

Filed by: nfay [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=413704927&repo=mozilla-central
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/BM1GH84yTKqO-NskzS4hfg/runs/0/artifacts/public/logs/live_backing.log


[task 2023-04-25T12:27:22.602Z] 12:27:22     INFO - TEST-START | /document-policy/reporting/lossy-images-max-bpp-reporting-tentative.html
[task 2023-04-25T12:27:22.608Z] 12:27:22     INFO - Closing window 647f6aa8-deec-40b8-b6ec-4eee38732316
[task 2023-04-25T12:27:22.661Z] 12:27:22     INFO - mozcrash Copy/paste: /builds/worker/fetches/minidump-stackwalk/minidump-stackwalk --symbols-url=https://symbols.mozilla.org/ --cyborg=/tmp/tmpw1feg__j/59a63b85-3b62-ad2e-0e2a-634de1a42a42.trace /tmp/tmpf_nnff6n/minidumps/59a63b85-3b62-ad2e-0e2a-634de1a42a42.dmp /tmp/tmp7x2r___r
[task 2023-04-25T12:27:26.982Z] 12:27:26     INFO - PID 10613 | console.error: (new Error("Polling for changes failed: Unexpected content-type \"text/plain;charset=US-ASCII\".", "resource://services-settings/remote-settings.sys.mjs", 324))
[task 2023-04-25T12:27:28.036Z] 12:27:28     INFO - mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/59a63b85-3b62-ad2e-0e2a-634de1a42a42.dmp
[task 2023-04-25T12:27:28.037Z] 12:27:28     INFO - mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/59a63b85-3b62-ad2e-0e2a-634de1a42a42.extra
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - PROCESS-CRASH | pid: <bound method FirefoxBrowser.pid of <wptrunner.browsers.firefox.FirefoxBrowser object at 0x7fd61e848ad0>> | application crashed [@ __GI_getenv]
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - Crash dump filename: /tmp/tmpf_nnff6n/minidumps/59a63b85-3b62-ad2e-0e2a-634de1a42a42.dmp
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - Operating system: Linux
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO -                   4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - CPU: amd64
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO -      family 6 model 85 stepping 7
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO -      4 CPUs
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - Linux Ubuntu 18.04 - bionic (Ubuntu 18.04.6 LTS)
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - 
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - Crash reason:  SIGSEGV / SI_KERNEL
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - Crash address: 0xe5e5e5e5e5e5e5e5
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - Crashing instruction: `cmp r12w, word [rbx]`
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO - Memory accessed by instruction:
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO -   0. Address: 0xe5e5e5e5e5e5e5e5
[task 2023-04-25T12:27:28.197Z] 12:27:28     INFO -      Size: 2
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO - Process uptime: not available
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO - 
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO - Thread 33 Renderer (crashed)
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -  0  libc.so.6!__GI_getenv [getenv.c : 84 + 0x0]
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -      rax = 0x0000000000000050    rdx = 0x00007f40da5693b8
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -      rcx = 0x0000000000000018    rbx = 0xe5e5e5e5e5e5e5e5
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -      rsi = 0x0000000000000000    rdi = 0x00007f40da5693c0
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -      rbp = 0x00007f4101922af8    rsp = 0x00007f40d027fe70
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -       r8 = 0x0000000000000000     r9 = 0x0000000000000000
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -      r10 = 0x0800000000000000    r11 = 0x0000000400000000
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -      r12 = 0x0000000000005050    r13 = 0x00007f40da5693ba
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -      r14 = 0x0000000000000008    r15 = 0x0000000000000006
[task 2023-04-25T12:27:28.198Z] 12:27:28     INFO -      rip = 0x00007f4101bd3835
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -     Found by: given as instruction pointer in context
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -  1  libgallium_dri.so + 0x46ddb7
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -      rbx = 0x0000000000000000    rbp = 0x00007f40eac88d58
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -      rsp = 0x00007f40d027feb0    r12 = 0x00007f40de4a9000
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -      r13 = 0x00007f40ca09e000    r14 = 0x00007f40daaa4440
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -      r15 = 0x00007f40de5a8880    rip = 0x00007f40d9b0cdb8
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -     Found by: call frame info
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -  2  libgallium_dri.so + 0xeca427
[task 2023-04-25T12:27:28.199Z] 12:27:28     INFO -      rsp = 0x00007f40d027feb8    rip = 0x00007f40da569428
[task 2023-04-25T12:27:28.200Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.200Z] 12:27:28     INFO -  3  libgallium_dri.so + 0x63d2dc
[task 2023-04-25T12:27:28.200Z] 12:27:28     INFO -      rsp = 0x00007f40d027fec0    rip = 0x00007f40d9cdc2dd
[task 2023-04-25T12:27:28.200Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.200Z] 12:27:28     INFO -  4  libgallium_dri.so + 0x63d576
[task 2023-04-25T12:27:28.200Z] 12:27:28     INFO -      rsp = 0x00007f40d027ffa0    rip = 0x00007f40d9cdc577
[task 2023-04-25T12:27:28.201Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.201Z] 12:27:28     INFO -  5  libgallium_dri.so + 0x140543f
[task 2023-04-25T12:27:28.201Z] 12:27:28     INFO -      rsp = 0x00007f40d027fff0    rip = 0x00007f40daaa4440
[task 2023-04-25T12:27:28.201Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.201Z] 12:27:28     INFO -  6  libgallium_dri.so + 0xfd1f9
[task 2023-04-25T12:27:28.201Z] 12:27:28     INFO -      rsp = 0x00007f40d0280000    rip = 0x00007f40d979c1fa
[task 2023-04-25T12:27:28.201Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.201Z] 12:27:28     INFO -  7  libgallium_dri.so + 0x61264b
[task 2023-04-25T12:27:28.202Z] 12:27:28     INFO -      rsp = 0x00007f40d02800f0    rip = 0x00007f40d9cb164c
[task 2023-04-25T12:27:28.202Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.202Z] 12:27:28     INFO -  8  firefox-bin!Mutex::Unlock() [Mutex.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 133]
[task 2023-04-25T12:27:28.202Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.202Z] 12:27:28     INFO -  9  firefox-bin!AutoLock<Mutex>::~AutoLock() [Mutex.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 186]
[task 2023-04-25T12:27:28.202Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO - 10  firefox-bin!arena_dalloc(void*, unsigned long, arena_t*) [mozjemalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 3759]
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO - 11  firefox-bin!BaseAllocator::free(void*) [mozjemalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 4547]
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO - 12  firefox-bin!Allocator<MozJemallocBase>::free(void*) [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 54]
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO - 13  firefox-bin!PageFree(mozilla::Maybe<unsigned long> const&, void*) [PHC.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1350]
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO - 14  firefox-bin!replace_free(void*) [PHC.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1389]
[task 2023-04-25T12:27:28.203Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO - 15  firefox-bin!Allocator<ReplaceMallocBase>::free(void*) [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 54]
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO - 16  firefox-bin!free [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 54 + 0x1df]
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO -      rsp = 0x00007f40d0280140    rip = 0x0000561af413bd94
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO - 17  libEGL_mesa.so.0 + 0x1a999
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO -      rsp = 0x00007f40d0280190    rip = 0x00007f40ce3c699a
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.204Z] 12:27:28     INFO - 18  libEGL.so.1!_fini + 0x205e77
[task 2023-04-25T12:27:28.205Z] 12:27:28     INFO -      rsp = 0x00007f40d02801c0    rip = 0x00007f40ce7ff4e0
[task 2023-04-25T12:27:28.205Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.205Z] 12:27:28     INFO - 19  libEGL.so.1!_fini + 0x205e77
[task 2023-04-25T12:27:28.205Z] 12:27:28     INFO -      rsp = 0x00007f40d02801d8    rip = 0x00007f40ce7ff4e0
[task 2023-04-25T12:27:28.205Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.206Z] 12:27:28     INFO - 20  libEGL_mesa.so.0 + 0x119da
[task 2023-04-25T12:27:28.206Z] 12:27:28     INFO -      rsp = 0x00007f40d0280240    rip = 0x00007f40ce3bd9db
[task 2023-04-25T12:27:28.206Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.206Z] 12:27:28     INFO - 21  libxul.so!mozilla::gl::GLLibraryEGL::fCreateContext(void*, void*, void*, int const*) const [GLLibraryEGL.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 307]
[task 2023-04-25T12:27:28.207Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.207Z] 12:27:28     INFO - 22  libxul.so!mozilla::gl::EglDisplay::fCreateContext(void*, void*, int const*) const [GLLibraryEGL.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 755]
[task 2023-04-25T12:27:28.207Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.207Z] 12:27:28     INFO - 23  libxul.so!mozilla::gl::GLContextEGL::CreateGLContext(std::shared_ptr<mozilla::gl::EglDisplay>, mozilla::gl::GLContextDesc const&, void*, void*, bool, void*, nsTSubstring<char>*)::$_0::operator()(std::vector<int, std::allocator<int> > const&) const [GLContextProviderEGL.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 718]
[task 2023-04-25T12:27:28.207Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.207Z] 12:27:28     INFO - 24  libxul.so!mozilla::gl::GLContextEGL::CreateGLContext(std::shared_ptr<mozilla::gl::EglDisplay>, mozilla::gl::GLContextDesc const&, void*, void*, bool, void*, nsTSubstring<char>*) [GLContextProviderEGL.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 748 + 0xf4]
[task 2023-04-25T12:27:28.208Z] 12:27:28     INFO -      rsp = 0x00007f40d0280290    rip = 0x00007f40ed17a1c0
[task 2023-04-25T12:27:28.208Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.208Z] 12:27:28     INFO - 25  libxul.so!_fini + 0x1ec71c
[task 2023-04-25T12:27:28.208Z] 12:27:28     INFO -      rsp = 0x00007f40d02802c0    rip = 0x00007f40f2e490f5
[task 2023-04-25T12:27:28.208Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.208Z] 12:27:28     INFO - 26  libxul.so!mozilla::gl::GLContextEGLFactory::CreateImpl(void*, bool, bool) [GLContextProviderEGL.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 293 + 0x1c]
[task 2023-04-25T12:27:28.209Z] 12:27:28     INFO -      rsp = 0x00007f40d02803d0    rip = 0x00007f40ed179625
[task 2023-04-25T12:27:28.209Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.209Z] 12:27:28     INFO - 27  libxul.so!_fini + 0x18fa5
[task 2023-04-25T12:27:28.209Z] 12:27:28     INFO -      rsp = 0x00007f40d0280428    rip = 0x00007f40f2c7597e
[task 2023-04-25T12:27:28.210Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.210Z] 12:27:28     INFO - 28  libnspr4.so!_fini + 0x3310
[task 2023-04-25T12:27:28.210Z] 12:27:28     INFO -      rsp = 0x00007f40d0280460    rip = 0x00007f4102ed87d1
[task 2023-04-25T12:27:28.210Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.211Z] 12:27:28     INFO - 29  ld-linux-x86-64.so.2!_dl_lookup_symbol_x [dl-lookup.c : 813 + 0x2a]
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO -      rsp = 0x00007f40d0280500    rip = 0x00007f4102cef23f
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO - 30  0x7f40e9a1601f
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO -      rbx = 0x0000000000000000    rbp = 0x0000000000000001
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO -      rsp = 0x00007f40d0280600    r12 = 0x00000000ffffff00
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO -      r13 = 0x00007f40d0280610    r14 = 0x00007f40ed17ae9b
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO -      r15 = 0x00007f40de532000    rip = 0x00007f40e9a16020
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO -     Found by: call frame info
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO - 31  libxul.so!CreateGLContextEGL() [RenderThread.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1549]
[task 2023-04-25T12:27:28.212Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO - 32  libxul.so!CreateGLContext(nsTSubstring<char>&) [RenderThread.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1581]
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO - 33  libxul.so!mozilla::wr::RenderThread::CreateSingletonGL(nsTSubstring<char>&) [RenderThread.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1327 + 0x2f]
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO -      rsp = 0x00007f40d0280620    rip = 0x00007f40ed2fde53
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO - 34  firefox-bin!PageMalloc(mozilla::Maybe<unsigned long> const&, unsigned long) [PHC.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1192]
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO - 35  firefox-bin!replace_malloc(unsigned long) [PHC.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1196 + 0x22]
[task 2023-04-25T12:27:28.213Z] 12:27:28     INFO -      rsp = 0x00007f40d0280660    rip = 0x0000561af4148007
[task 2023-04-25T12:27:28.214Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.214Z] 12:27:28     INFO - 36  libxul.so!_fini + 0x21f7c8
[task 2023-04-25T12:27:28.214Z] 12:27:28     INFO -      rsp = 0x00007f40d0280678    rip = 0x00007f40f2e7c1a1
[task 2023-04-25T12:27:28.214Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.214Z] 12:27:28     INFO - 37  firefox-bin!PageMalloc(mozilla::Maybe<unsigned long> const&, unsigned long) [PHC.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1192]
[task 2023-04-25T12:27:28.214Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.215Z] 12:27:28     INFO - 38  firefox-bin!replace_malloc(unsigned long) [PHC.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1196]
[task 2023-04-25T12:27:28.215Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.215Z] 12:27:28     INFO - 39  firefox-bin!Allocator<ReplaceMallocBase>::malloc(unsigned long) [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 51]
[task 2023-04-25T12:27:28.216Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.216Z] 12:27:28     INFO - 40  firefox-bin!malloc [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 51]
[task 2023-04-25T12:27:28.216Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.216Z] 12:27:28     INFO - 41  firefox-bin!moz_xmalloc [mozalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 52 + 0x4c]
[task 2023-04-25T12:27:28.216Z] 12:27:28     INFO -      rsp = 0x00007f40d0280690    rip = 0x0000561af414a671
[task 2023-04-25T12:27:28.216Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.216Z] 12:27:28     INFO - 42  libc.so.6!__clock_gettime [clock_gettime.c : 115 + 0x13]
[task 2023-04-25T12:27:28.217Z] 12:27:28     INFO -      rsp = 0x00007f40d02806a0    rip = 0x00007f4101cc2056
[task 2023-04-25T12:27:28.217Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.217Z] 12:27:28     INFO - 43  firefox-bin!ClockTimeNs() [TimeStamp_posix.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 79]
[task 2023-04-25T12:27:28.217Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.217Z] 12:27:28     INFO - 44  firefox-bin!mozilla::TimeStamp::Now(bool) [TimeStamp_posix.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 191 + 0x9]
[task 2023-04-25T12:27:28.217Z] 12:27:28     INFO -      rbx = 0x00007f40de56e8b0    rbp = 0x00007f40d02806e0
[task 2023-04-25T12:27:28.217Z] 12:27:28     INFO -      rsp = 0x00007f40d02806c0    rip = 0x0000561af414f753
[task 2023-04-25T12:27:28.218Z] 12:27:28     INFO -     Found by: call frame info
[task 2023-04-25T12:27:28.218Z] 12:27:28     INFO - 45  libxul.so!mozilla::TimeStamp::Now() [TimeStamp.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 419]
[task 2023-04-25T12:27:28.218Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.218Z] 12:27:28     INFO - 46  libxul.so!nsTimerImpl::InitCommon(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator> const&, unsigned int, mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback>&&, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) [nsTimerImpl.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 423 + 0x9]
[task 2023-04-25T12:27:28.218Z] 12:27:28     INFO -      rbx = 0x00007f40de56e8b0    rbp = 0x00007f40d0280780
[task 2023-04-25T12:27:28.218Z] 12:27:28     INFO -      rsp = 0x00007f40d02806f0    rip = 0x00007f40f157ef6f
[task 2023-04-25T12:27:28.218Z] 12:27:28     INFO -     Found by: call frame info
[task 2023-04-25T12:27:28.219Z] 12:27:28     INFO - 47  0x7f4181205f27
[task 2023-04-25T12:27:28.219Z] 12:27:28     INFO -      rbx = 0x00007f4101939980    rbp = 0x0000000000000000
[task 2023-04-25T12:27:28.219Z] 12:27:28     INFO -      rsp = 0x00007f40d0280790    r12 = 0x00007f40d02807d0
[task 2023-04-25T12:27:28.219Z] 12:27:28     INFO -      r13 = 0x00007f40f15277ab    r14 = 0x00007f41019399a8
[task 2023-04-25T12:27:28.219Z] 12:27:28     INFO -      r15 = 0x81205f28eac723a0    rip = 0x00007f4181205f28
[task 2023-04-25T12:27:28.220Z] 12:27:28     INFO -     Found by: call frame info
[task 2023-04-25T12:27:28.220Z] 12:27:28     INFO - 48  libxul.so!mozilla::wr::RenderThread::InitDeviceTask() [RenderThread.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1158 + 0x7]
[task 2023-04-25T12:27:28.220Z] 12:27:28     INFO -      rsp = 0x00007f40d02807e0    rip = 0x00007f40ed2fc451
[task 2023-04-25T12:27:28.220Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.220Z] 12:27:28     INFO - 49  libxul.so!_fini + 0x705f8d
[task 2023-04-25T12:27:28.221Z] 12:27:28     INFO -      rsp = 0x00007f40d0280838    rip = 0x00007f40f3362966
[task 2023-04-25T12:27:28.221Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.221Z] 12:27:28     INFO - 50  libxul.so!mozilla::detail::runnable_args_base<(mozilla::detail::RunnableResult)0>::Run() [runnable_utils.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 41 + 0x5]
[task 2023-04-25T12:27:28.221Z] 12:27:28     INFO -      rsp = 0x00007f40d0280870    rip = 0x00007f40f17716ca
[task 2023-04-25T12:27:28.222Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.222Z] 12:27:28     INFO - 51  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1233 + 0x5]
[task 2023-04-25T12:27:28.222Z] 12:27:28     INFO -      rsp = 0x00007f40d0280880    rip = 0x00007f40f0b9f187
[task 2023-04-25T12:27:28.222Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.222Z] 12:27:28     INFO - 52  firefox-bin!arena_t::MallocSmall(unsigned long, bool)
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO - 53  firefox-bin!arena_t::Malloc(unsigned long, bool) [mozjemalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 3272]
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO - 54  firefox-bin!BaseAllocator::malloc(unsigned long) [mozjemalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 4459]
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO - 55  firefox-bin!Allocator<MozJemallocBase>::malloc(unsigned long) [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 51 + 0x9b]
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO -      rsp = 0x00007f40d02808a0    rip = 0x0000561af40d5b00
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.223Z] 12:27:28     INFO - 56  firefox-bin!arena_t::Malloc(unsigned long, bool)
[task 2023-04-25T12:27:28.224Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.224Z] 12:27:28     INFO - 57  firefox-bin!BaseAllocator::malloc(unsigned long) [mozjemalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 4459]
[task 2023-04-25T12:27:28.224Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.224Z] 12:27:28     INFO - 58  firefox-bin!Allocator<MozJemallocBase>::malloc(unsigned long) [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 51 + 0x157]
[task 2023-04-25T12:27:28.224Z] 12:27:28     INFO -      rsp = 0x00007f40d02808f0    rip = 0x0000561af40d5bbc
[task 2023-04-25T12:27:28.224Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.225Z] 12:27:28     INFO - 59  firefox-bin!Mutex::Unlock() [Mutex.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 133]
[task 2023-04-25T12:27:28.225Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.225Z] 12:27:28     INFO - 60  firefox-bin!AutoLock<Mutex>::~AutoLock() [Mutex.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 186]
[task 2023-04-25T12:27:28.225Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.225Z] 12:27:28     INFO - 61  firefox-bin!arena_dalloc(void*, unsigned long, arena_t*) [mozjemalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 3759]
[task 2023-04-25T12:27:28.225Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.226Z] 12:27:28     INFO - 62  firefox-bin!BaseAllocator::free(void*) [mozjemalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 4547]
[task 2023-04-25T12:27:28.226Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.226Z] 12:27:28     INFO - 63  firefox-bin!Allocator<MozJemallocBase>::free(void*) [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 54]
[task 2023-04-25T12:27:28.226Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.226Z] 12:27:28     INFO - 64  firefox-bin!PageFree(mozilla::Maybe<unsigned long> const&, void*) [PHC.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1350]
[task 2023-04-25T12:27:28.227Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.227Z] 12:27:28     INFO - 65  firefox-bin!replace_free(void*) [PHC.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 1389]
[task 2023-04-25T12:27:28.227Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.227Z] 12:27:28     INFO - 66  firefox-bin!Allocator<ReplaceMallocBase>::free(void*) [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 54]
[task 2023-04-25T12:27:28.227Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.228Z] 12:27:28     INFO - 67  firefox-bin!free [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 54 + 0x1df]
[task 2023-04-25T12:27:28.228Z] 12:27:28     INFO -      rsp = 0x00007f40d0280900    rip = 0x0000561af413bd94
[task 2023-04-25T12:27:28.228Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.228Z] 12:27:28     INFO - 68  firefox-bin!arena_t::Malloc(unsigned long, bool)
[task 2023-04-25T12:27:28.228Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.228Z] 12:27:28     INFO - 69  firefox-bin!BaseAllocator::malloc(unsigned long) [mozjemalloc.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 4459]
[task 2023-04-25T12:27:28.229Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.229Z] 12:27:28     INFO - 70  firefox-bin!Allocator<MozJemallocBase>::malloc(unsigned long) [malloc_decls.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 51 + 0x157]
[task 2023-04-25T12:27:28.229Z] 12:27:28     INFO -      rsp = 0x00007f40d0280920    rip = 0x0000561af40d5bbc
[task 2023-04-25T12:27:28.229Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.229Z] 12:27:28     INFO - 71  firefox-bin!mozilla::detail::MutexImpl::unlock() [Mutex_posix.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 121 + 0x4]
[task 2023-04-25T12:27:28.229Z] 12:27:28     INFO -      rsp = 0x00007f40d0280930    rip = 0x0000561af414cccb
[task 2023-04-25T12:27:28.230Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.230Z] 12:27:28     INFO - 72  libxul.so!mozilla::OffTheBooksMutex::Unlock() [Mutex.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 75]
[task 2023-04-25T12:27:28.230Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.230Z] 12:27:28     INFO - 73  libxul.so!mozilla::detail::BaseAutoLock<mozilla::Mutex&>::~BaseAutoLock() [Mutex.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 239]
[task 2023-04-25T12:27:28.230Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.230Z] 12:27:28     INFO - 74  libxul.so!nsTimerImpl::CancelImpl(bool) [nsTimerImpl.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 521]
[task 2023-04-25T12:27:28.231Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.231Z] 12:27:28     INFO - 75  libxul.so!nsTimerImpl::Cancel() [nsTimerImpl.cpp:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 495]
[task 2023-04-25T12:27:28.231Z] 12:27:28     INFO -     Found by: inlining
[task 2023-04-25T12:27:28.231Z] 12:27:28     INFO - 76  libxul.so!nsTimer::Cancel() [nsTimerImpl.h:a5a273e3b1fdbeb8890d8bdd48d56cdee6ddbcb3 : 199 + 0xb3]
[task 2023-04-25T12:27:28.231Z] 12:27:28     INFO -      rsp = 0x00007f40d0280950    rip = 0x00007f40f0ba3d12
[task 2023-04-25T12:27:28.231Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.232Z] 12:27:28     INFO - 77  libdl.so.2!_dlerror_run [dlerror.c : 162 + 0x16]
[task 2023-04-25T12:27:28.232Z] 12:27:28     INFO -      rsp = 0x00007f40d0280980    rip = 0x00007f41028c2745
[task 2023-04-25T12:27:28.232Z] 12:27:28     INFO -     Found by: stack scanning
[task 2023-04-25T12:27:28.232Z] 12:27:28     INFO - 
[task 2023-04-25T12:27:28.232Z] 12:27:28     INFO - Thread 0 firefox-bin

This stack looks bizarre.

We're crashing on a poison value, inside getenv getting called from a graphics driver?

Group: core-security-release → gfx-core-security
Component: web-platform-tests → Graphics
Product: Testing → Core

It doesn't make sense for firefox-bin!free to be calling the libgallium code in the first place!

Group: gfx-core-security
Keywords: csectype-uaf

likely related: bug 1794309 comment 3 / bug 1784813 / (I can't access this:) bug 1752703

Is this a possible tail call optimization (i.e. something calling gallium as the second to last call in a function, then a free call after that, the call stack would then point to the free call rather than the return of the function as it was optimized away)?

Regarding the poison value crashing in getenv, is the process exiting? Bad interactions between atexit handlers and gallium where the environment variable storage was freed seem plausible on some level.

Blocks: gfx-triage

We discussed this in our gfx-triage meeting and concluded that a lot of the stack is unreliable due to stack scanning (e.g. the supposed call to free may just be a local variable holding the address of the free function, for example if libEGL thought "I'd better note down which free function to call when disposing of this resource" and stored that in a variable). It's reasonable that libEGL_mesa.so is calling libgallium_dri.so (Mesa backend for accelerated rendering) which is calling getenv to check if a debug env variable is set on whether to emit an error message or something of that nature, but getenv is an extremely unsafe function to be calling in a threaded context, so the better question may be whether we're creating the context on the main thread (where getenv has some certainty of working) or from another thread (which would likely go badly, as seen here). It's also possible libgallium might be registering a signal handler that calls it, which would be extra bad and would be a bug in Mesa (libgallium).

I'm inclined to believe we either found a libgallium (Mesa) bug or we are holding it wrong.

Do we have other examples of similar bugs that tell a story or is this one-off noise that we will tolerate?

No longer blocks: gfx-triage
Severity: -- → S4

Tail calls, per se, wouldn't account for this stack. When A tail calls B, that changes the stack "Q called A" into "Q called B", but every frame that can ever appear as the 'callee' of Q must lie within A's callee tree. It seems very unlikely that libgallium_dri.so is within Mutex::Unlock's callee tree.

However, note that frames 8 through 15 are all inline frames: they're actually code that was inlined into frame 16, firefox-bin!free, at pc 0x0000561af413bd94. That pc was recovered by stack scanning: the unwinder has given up on CFI and frame pointers, and is simply guessing that any block of bytes that happens to form a code address might be a return address, and reporting it as a frame. It could be just garbage left on the stack from prior calls. That would account for frames 8 through 16.

Then, having frame 17 in libEGL_mesa.so.0 call frame 7 in libgallium_dri.so is less surprising.

... so yeah, what Ashley said.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE
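
The triage reasoning from the comments above (stack-scanned frames are guesses, and inline frames belong to the physical frame they were inlined into), applied mechanically to the stackwalk output. This is an added example, not code from this bug or from mozcrash; the names `parse_crashed_thread`, `reliable_prefix` and `repeated_byte` are made up here, and the sample is abridged from the log in this bug.

```python
import re
from dataclasses import dataclass

# Abridged from the log in this bug (frames 0-2, 7-9, 16-17 of the crashed
# thread); the "[task ...] 12:27:28" prefix is cut down to "INFO -" and the
# source revision hashes are dropped.
SAMPLE = """\
INFO - Crash address: 0xe5e5e5e5e5e5e5e5
INFO - Thread 33 Renderer (crashed)
INFO -  0  libc.so.6!__GI_getenv [getenv.c : 84 + 0x0]
INFO -     Found by: given as instruction pointer in context
INFO -  1  libgallium_dri.so + 0x46ddb7
INFO -     Found by: call frame info
INFO -  2  libgallium_dri.so + 0xeca427
INFO -     Found by: stack scanning
INFO -  7  libgallium_dri.so + 0x61264b
INFO -     Found by: stack scanning
INFO -  8  firefox-bin!Mutex::Unlock() [Mutex.h : 133]
INFO -     Found by: inlining
INFO -  9  firefox-bin!AutoLock<Mutex>::~AutoLock() [Mutex.h : 186]
INFO -     Found by: inlining
INFO - 16  firefox-bin!free [malloc_decls.h : 54 + 0x1df]
INFO -     Found by: stack scanning
INFO - 17  libEGL_mesa.so.0 + 0x1a999
INFO -     Found by: stack scanning
INFO - Thread 0 firefox-bin
"""

# "Found by" values that come from real unwind data rather than a guess.
TRUSTED = {
    "given as instruction pointer in context",
    "call frame info",
    "previous frame's frame pointer",
}
FRAME_RE = re.compile(r"^\s*(\d+)\s{2}(\S.*)$")
FOUND_RE = re.compile(r"Found by:\s*(.+)$")

@dataclass
class Frame:
    index: int
    desc: str
    found_by: str = ""
    trusted: bool = False

def parse_crashed_thread(log: str) -> list:
    """Return the frames of the crashed thread, each with a trust flag."""
    frames, in_thread = [], False
    for raw in log.splitlines():
        line = raw.split("INFO -", 1)[-1]
        if line.strip().startswith("Thread "):
            if in_thread:
                break  # the next thread starts here
            in_thread = "(crashed)" in line
            continue
        if not in_thread:
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2).strip()))
        elif frames and (m := FOUND_RE.search(line)):
            frames[-1].found_by = m.group(1).strip()
    # An inline frame has no return address of its own: it is code inlined into
    # the next physical frame listed after it, so it inherits that frame's trust.
    physical_trust = False
    for frame in reversed(frames):
        if frame.found_by != "inlining":
            physical_trust = frame.found_by in TRUSTED
        frame.trusted = physical_trust
    return frames

def reliable_prefix(frames: list) -> list:
    """Frames from the top of the stack down to the first guessed frame."""
    # Below the first scanned frame everything is built on a guess, even
    # frames that are themselves labelled "call frame info".
    prefix = []
    for frame in frames:
        if not frame.trusted:
            break
        prefix.append(frame)
    return prefix

def repeated_byte(log: str):
    """Byte value if the crash address is one non-zero byte repeated, else None."""
    m = re.search(r"Crash address:\s*0x([0-9a-fA-F]+)", log)
    if not m or len(m.group(1)) != 16:
        return None
    pairs = {m.group(1)[i:i + 2].lower() for i in range(0, 16, 2)}
    value = int(pairs.pop(), 16) if len(pairs) == 1 else 0
    return value or None

if __name__ == "__main__":
    stack = parse_crashed_thread(SAMPLE)
    for f in stack:
        print(f.index, "ok" if f.trusted else "guess", f.found_by, "|", f.desc)
    print("usable:", [f.index for f in reliable_prefix(stack)], hex(repeated_byte(SAMPLE)))
```

On this crash only frames 0 and 1 survive, which leaves `getenv` called from `libgallium_dri.so` as the part of the stack worth reasoning about.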