Compartment mismatch in DebuggerImmediateRunnable::WorkerRun()
Categories
(Core :: DOM: Workers, defect, P2)
Tracking
()
People
(Reporter: mccr8, Assigned: edenchuang)
References
Details
(Keywords: crash, csectype-uaf, sec-moderate, Whiteboard: [adv-main120+r])
Crash Data
Attachments
(1 file)
48 bytes,
text/x-phabricator-request
|
pascalc
:
approval-mozilla-beta+
|
Details | Review |
Crash report: https://crash-stats.mozilla.org/report/index/77a92730-e35e-4f11-a477-c70cb0230817
MOZ_CRASH Reason: *** Compartment mismatch 7f2b5f088790 vs. 7f2b69e184c0 at argument 1
Top 10 frames of crashing thread:
0 libxul.so MOZ_Crash mfbt/Assertions.h:281
0 libxul.so js::ContextChecks::fail js/src/vm/JSContext-inl.h:54
0 libxul.so js::ContextChecks::check js/src/vm/JSContext-inl.h:70
0 libxul.so js::ContextChecks::check js/src/vm/JSContext-inl.h:83
0 libxul.so js::ContextChecks::check js/src/vm/JSContext-inl.h:124
1 libxul.so JSContext::checkImpl<JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray> js/src/vm/JSContext-inl.h:206
1 libxul.so JSContext::check<JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray> js/src/vm/JSContext-inl.h:213
1 libxul.so JS_CallFunctionValue js/src/vm/CallAndConstruct.cpp:47
2 libxul.so mozilla::dom::(anonymous namespace)::DebuggerImmediateRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) dom/workers/WorkerPrivate.cpp:665
3 libxul.so mozilla::dom::WorkerRunnable::Run dom/workers/WorkerRunnable.cpp:372
I found this crash on crash-stats. I'm marking it sec-moderate because it seems to require the debugger.
Comment 1•9 months ago
|
||
Hi Eden, would you mind to take a look and triage? Thanks!
Assignee | ||
Updated•8 months ago
|
Comment 2•8 months ago
|
||
IIUC those checks are active only in nightly. Do we know what the consequences are if this happens in release builds?
Comment 3•8 months ago
|
||
FWIW I checked on crash-stats, it seems there are ten out of 52 reports that do not have DebuggerImmediateRunnable
in the proto signature and crash on the main thread, not the worker one. Not sure if those would be equally concerning, at least they do not seem to have a clear pattern like the debugger one here.
Reporter | ||
Comment 4•8 months ago
|
||
(In reply to Jens Stutte [:jstutte] from comment #2)
IIUC those checks are active only in nightly. Do we know what the consequences are if this happens in release builds?
It can potentially cause a use-after-free crash, because it indicates that a cross compartment reference is not properly going through a cross compartment wrapper, so the GC might fail to trace a compartment.
Assignee | ||
Updated•8 months ago
|
Assignee | ||
Comment 5•7 months ago
|
||
Assignee | ||
Comment 6•7 months ago
|
||
https://treeherder.mozilla.org/logviewer?job_id=433125137&repo=try&lineNumber=110685. A similar issue is on WorkerGlobalScope.
Updated•7 months ago
|
Pushed by echuang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3a6678776d36 P1 Synchronize WorkerPrivate::mParentStatus with mStatus while entering Killing status. r=asuth
Comment 8•7 months ago
|
||
Backed out for causing asan failures on browser_localStorage_snapshotting.js:
https://hg.mozilla.org/integration/autoland/rev/aa1add343b69110ec5bba9727bbd680112e68e4f
Push with failures
Failure log
==14232==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x55add29ad952 bp 0x7fff97974190 sp 0x7fff97974170 T0)
==14232==ERROR: AddressSanitizer: out of memory: failed to allocate 0x1000 (4096) bytes of ReadFileToBuffer (error code: 12)
==14306==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x556a5566f952 bp 0x7fff73c71350 sp 0x7fff73c71330 T0)
==14230==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x555f6aae4952 bp 0x7ffff34f3310 sp 0x7ffff34f32f0 T0)
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:281:3 in MOZ_Crash
TEST-UNEXPECTED-FAIL | dom/tests/browser/browser_localStorage_snapshotting.js | Test timed out -
...
Pushed by smolnar@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/99883f337579 P1 Synchronize WorkerPrivate::mParentStatus with mStatus while entering Killing status. r=asuth
Comment 10•6 months ago
|
||
Updated•6 months ago
|
Comment 11•6 months ago
|
||
Please nominate this for Beta and ESR115 approval.
Assignee | ||
Comment 12•6 months ago
|
||
Comment on attachment 9359777 [details]
Bug 1849265 - P1 Synchronize WorkerPrivate::mParentStatus with mStatus while entering Killing status. r=#dom-worker-reviewers
Beta/Release Uplift Approval Request
- User impact if declined: Users could meet the content process crash or unexpected behavior when the website uses Worker/ServiceWorker/SharedWorker, especially when Worker/ServiceWorker/SharedWorker is shutting down.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch synchronizes the WorkerPrivate::mParentStatus with WorkerPrivate::mStatus when the Worker enters the "Killing" status.
I think it is a low risk. Although the patch changes the runnable dispatching logic, it makes the runnable dispatching do the right thing. - String changes made/needed: No
- Is Android affected?: Yes
Assignee | ||
Comment 13•6 months ago
|
||
I think we don't need to uplift this patch to ESR since this bug seems to be a regression of bug 1800659, and 1800659 was fixed on 116, but was not uplifted to ESR115.
Comment 14•6 months ago
|
||
Comment on attachment 9359777 [details]
Bug 1849265 - P1 Synchronize WorkerPrivate::mParentStatus with mStatus while entering Killing status. r=#dom-worker-reviewers
Approved for our last 120 beta, thanks.
Comment 15•6 months ago
|
||
uplift |
https://hg.mozilla.org/releases/mozilla-beta/rev/c9cafe134648
Updated•6 months ago
|
Updated•6 months ago
|
Updated•6 months ago
|
Updated•6 months ago
|
Updated•6 months ago
|
Comment 16•22 days ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
Description
•