Closed Bug 1836670 Opened 1 years ago Closed 1 year ago

Intermittent application crashed [@ arena_dalloc] when running test_parser_diagnostics_unprintables.html on opt builds | single tracking bug

Categories

(Core :: CSS Parsing and Computation, defect)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 115+ fixed
firefox114 --- unaffected
firefox115 + fixed
firefox116 + fixed

People

(Reporter: intermittent-bug-filer, Assigned: emilio)

References

(Regression)

Details

(4 keywords, Whiteboard: [adv-esr102.13-])

Attachments

(2 files, 1 obsolete file)

Bug 1836670 - Use NonNull in cssparser::CowRcStr. r=#layout,#style
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
tjr
: sec-approval+
Details | Review
Bug 1836670 - ESR patch.
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-esr102+
Details | Review

Filed by: ealvarez [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=418052311&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/HmN7Ha1cQIKUunmqlsUUpg/runs/0/artifacts/public/logs/live_backing.log

The test changes from https://hg.mozilla.org/integration/autoland/rev/7c8f755bb185b66dbaf3d2f61f4702ea28a300fd unveil this crash on shippable builds only.

I believe might be rust UB.
Group: core-security → layout-core-security

:emilio, since you are the author of the regressor, bug 1835066, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(emilio)

This prevents the compiler from misoptimizing this code due to undefined
behavior.

Upstream PR: https://github.com/servo/rust-cssparser/pull/345

Assignee: nobody → emilio
Status: NEW → ASSIGNED
Flags: needinfo?(emilio)

Comment on attachment 9337424 [details]
Bug 1836670 - Use NonNull in cssparser::CowRcStr. r=#layout,#style

Beta/Release Uplift Approval Request

  • User impact if declined: Crashes in some cases (with CSS error reporting enabled, which is a devtools feature, but maybe others)
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: none
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple refactoring.
  • String changes made/needed: none
  • Is Android affected?: Yes
Attachment #9337424 - Flags: approval-mozilla-beta?

Comment on attachment 9337424 [details]
Bug 1836670 - Use NonNull in cssparser::CowRcStr. r=#layout,#style

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: not trivially, I believe. This mostly happens with error reporting enabled and it's a miscompilation / compiler abusing UB issue.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: all, potentially
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Should apply cleanly to all supported branches (maybe needing an extra cargo.toml tweak for ESR).
  • How likely is this patch to cause regressions; how much testing does it need?: not likely, it's a very self-contained refactoring to a well-exercised codepath.
  • Is Android affected?: Yes
Attachment #9337424 - Flags: sec-approval?

Note this may not affect our builds of esr102, because we're not using LLVM 16 there. I suspect LLVM 16 needs to be involved to make things possibly bad (and rust 1.70, itself using LLVM 16 made things worse, triggering bug 1836885, which is, in fact, the same underlying bug). We've been using LLVM 16 since 114. We'll still want this on esr102, though, because downstreams may be using LLVM 16 (we know some are).

Set release status flags based on info from the regressing bug 1835066

status-firefox114: --- → unaffected
status-firefox115: --- → affected
status-firefox116: --- → affected
status-firefox-esr102: --- → unaffected
Attached file WIP: Bug 1836670 - ESR patch. (obsolete) —
Attachment #9337822 - Attachment is obsolete: true

Comment on attachment 9337823 [details]
Bug 1836670 - ESR patch.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: see above
  • User impact if declined: crashes
  • Fix Landed on Version:
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple / well-scoped patch.
Attachment #9337823 - Flags: approval-mozilla-esr102?

Comment on attachment 9337424 [details]
Bug 1836670 - Use NonNull in cssparser::CowRcStr. r=#layout,#style

Approved to land and uplift

Attachment #9337424 - Flags: sec-approval? → sec-approval+

https://hg.mozilla.org/mozilla-central/rev/951284fe622c

Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
status-firefox116: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Comment on attachment 9337424 [details]
Bug 1836670 - Use NonNull in cssparser::CowRcStr. r=#layout,#style

Approved for 115.0b5.

Attachment #9337424 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9337823 [details]
Bug 1836670 - ESR patch.

Approved for 102.13esr.

Attachment #9337823 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Whiteboard: [adv-esr102.13+r]
Whiteboard: [adv-esr102.13+r] → [adv-esr102.13-]
QA Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: