Closed Bug 1852060 Opened 9 months ago Closed 7 months ago

Android Crash in [@ style::values::generics::calc::GenericCalcNode<T>::resolve_internal]

Categories

(Core :: Audio/Video: cubeb, defect)

Unspecified
Android
defect

Tracking


RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox117 --- wontfix
firefox118 --- wontfix
firefox119 --- fixed
firefox120 --- fixed
firefox121 --- fixed

People

(Reporter: aryx, Assigned: padenot)

References

Details

(Keywords: crash, csectype-wildptr, sec-high)

Crash Data

220+ crashes on 180+ Android devices with Firefox 117, no crashes for v116. 40+% of crashes during the first minute after launch, many reports for Android APIs 31 and 33.

Crash report: https://crash-stats.mozilla.org/report/index/1bbb0912-d8ae-421e-8fbd-d6f940230907

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libxul.so  style::values::generics::calc::GenericCalcNode<L>::resolve_internal  servo/components/style/values/generics/calc.rs:758
1  libxul.so  style::values::generics::calc::GenericCalcNode<L>::resolve_map  servo/components/style/values/generics/calc.rs:751
1  libxul.so  style::values::computed::length_percentage::CalcLengthPercentage::resolve  servo/components/style/values/computed/length_percentage.rs:799
1  libxul.so  Servo_ResolveCalcLengthPercentage  servo/ports/geckolib/glue.rs:7127
2  libxul.so  mozilla::StyleCalcLengthPercentage::ResolveToCSSPixels const  layout/style/ServoStyleConstsInlines.h:684
2  libxul.so  mozilla::StyleLengthPercentageUnion::ResolveToCSSPixels const  layout/style/ServoStyleConstsInlines.h:697
2  libxul.so  mozilla::StyleLengthPercentageUnion::ResolveToCSSPixelsWith<nsStyleTransformMatrix::Convert2DPosition const  layout/style/ServoStyleConstsInlines.h:707
2  libxul.so  nsStyleTransformMatrix::Convert2DPosition  layout/style/nsStyleTransformMatrix.cpp:584
3  libxul.so  mozilla::MotionPathUtils::ResolveMotionPath  layout/base/MotionPathUtils.cpp:476
4  libxul.so  mozilla::nsDisplayTransform::FrameTransformProperties::FrameTransformProperties  layout/painting/nsDisplayList.cpp:6163
Flags: needinfo?(emilio)

This is basically bug 1628644 / bug 1849200, just with a different signature... The Android spike mentioned there seems untouched, and it seems ResolveMotionPath is still commonly involved here...

Have fuzzers seen anything like this by any chance? I see a bunch of the reports have accessibility active, that might be another clue...

Flags: needinfo?(emilio)

For the question above.

Flags: needinfo?(jkratzer)
Severity: -- → S3
Priority: -- → P3

I hit a few instances of this on Android trying to set up a video call desktop<->android on discord.com (android was in desktop mode), as I was trying to reproduce bug 1796564. I see the crash report in comment 0 has NativeAudioCall(back) as its most recent thread too. Paul, do you know anything that went into 117 that could affect this?

Marking as a security bug as it seems fishy if something in the audio stack could affect css.

Group: core-security
Flags: needinfo?(padenot)

(In reply to Andreas Pehrson [:pehrsons] from comment #3)

Marking as a security bug as it seems fishy if something in the audio stack could affect css.

Thanks, that's very useful info. Andreas, do you know if we have Android ASAN / TSAN builds? The only way something like that should happen is if the audio code was corrupting heap memory allocated by CSS somehow.

Flags: needinfo?(apehrson)
Group: core-security → layout-core-security

Not that I have used it but I see an asan mozconfig for x64 android on central.

Flags: needinfo?(apehrson)

I see this happening only on Android 31 and above. That correlates with the aaudio cubeb backend, which, as a sidenote, had some crash fix uplifts into 117. I think this is evidence enough that this is a cubeb issue.

Severity: S3 → --
Component: CSS Parsing and Computation → Audio/Video: cubeb
Priority: P3 → --
Group: layout-core-security → media-core-security

I had to re-check and will note that out of 4 crashes, 3 were this bug and 1 was in MediaTrackGraph.

Crash Signature: [@ style::values::generics::calc::GenericCalcNode<T>::resolve_internal] → [@ style::values::generics::calc::GenericCalcNode<T>::resolve_internal] [@ mozilla::MediaTrackGraphImpl::UpdateGraph ]
Flags: needinfo?(jkratzer)

The two bugs in comment 1 were duped to bug 1842404, which was fixed in Fx 117. The crash graph for those spiked in the previous release and then was indeed quelled in Fx 117. This one, however, seems to have started in fx 117.

Is it a regression from that one? Is it in fact that the other one wasn't fixed, but that change moved the signature slightly?

Flags: needinfo?(emilio)
See Also: → 1842404

It's not a regression from that one but a signature change, yeah. Our guess in those other bugs was bit flips, but given comment 6 and previous it is probably more like another part of Gecko stomping on our memory.

Flags: needinfo?(emilio)

Per :dbaker it seems like using a Bluetooth audio input with the aaudio cubeb backend is needed to trigger weird crashes (or perhaps it makes it much more likely), and not necessarily with the stack reported here.

It does seem like this is only reproducible using a Bluetooth audio input with the aaudio cubeb backend. I attempted to use an ASAN build for Android but was unsuccessful in getting one to build and run. If anyone has suggestions for an ASAN build I can reproduce this crash easily using my Pixel 6 Pro.

Keywords: stalled

The spike seems to have died down a bit, though the levels are still higher than they were before the spike.

I'm not sure what to do about the rating for this. I guess I'll mark it sec-high because there's some vague hint that this could be due to cubeb, but maybe it could be related to a hardware issue like the previous CSS thing? I guess somebody would have to look at what devices are hitting this to look into the latter problem.

Note I see a crash-report without the aaudio backend (using opensl). Here's also another without an audio thread listed. Not sure what to make of it, but the correlation still seems pretty strong, especially when you consider the timing in those cases we've been able to reproduce ourselves (time of crash correlates pretty closely with start of audio capture).

I have a patch in bug 1860423 that might address this. The input side of a cubeb stream was zeroing memory a bit past its buffer in some cases, :dbaker found the offending code.

This is upliftable as far as needed because it's very simple.

Flags: needinfo?(padenot)
Depends on: 1860423
See Also: → 1862662
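As an added illustration of the bug class described in the comment above (this is not cubeb's code; the buffer type and the helper names are a hypothetical model): a capture-side zeroing routine that clamps the request to the allocation, next to a helper that quantifies how far an unclamped memset of the same request would run past the buffer.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of a capture-side buffer; not cubeb's real types. */
typedef struct {
    float *data;       /* interleaved samples */
    size_t capacity;   /* number of floats the allocation holds */
    size_t channels;
} input_buf;

/* How many floats an unclamped memset(data + start*channels, 0,
   frames*channels*sizeof(float)) would write past the allocation.
   Returns 0 when the request fits. */
size_t overrun_floats(size_t capacity, size_t channels,
                      size_t start, size_t frames) {
    size_t end = (start + frames) * channels;
    return end > capacity ? end - capacity : 0;
}

/* Zero `frames` frames starting at frame `start`, clamped to what the
   allocation actually holds. Returns the number of floats zeroed. */
size_t zero_frames_bounded(input_buf *b, size_t start, size_t frames) {
    size_t first = start * b->channels;
    if (first >= b->capacity)
        return 0;
    size_t want = frames * b->channels;
    size_t avail = b->capacity - first;
    size_t n = want < avail ? want : avail;
    memset(b->data + first, 0, n * sizeof(float));
    return n;
}

/* Self-check with a canary placed right after the buffer: returns 1 if
   the canary survives a request that exceeds the allocation and only the
   in-bounds tail of the request was zeroed. */
int canary_intact_after_bounded_zero(void) {
    struct { float buf[8]; float canary[2]; } mem;
    for (size_t i = 0; i < 8; i++) mem.buf[i] = 1.0f;
    mem.canary[0] = mem.canary[1] = 42.0f;
    input_buf b = { mem.buf, 8, 2 };
    /* 2 frames x 2 channels from frame 3 = floats 6..9; only 6..7 exist. */
    zero_frames_bounded(&b, 3, 2);
    return mem.canary[0] == 42.0f && mem.canary[1] == 42.0f
           && mem.buf[6] == 0.0f && mem.buf[7] == 0.0f
           && mem.buf[5] == 1.0f;
}
```

With ASAN unavailable on the Android build, a canary like the one above is a cheap way to catch the same over-write in a unit test.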

Parent is fixed up to 120.

Severity: -- → S2
Duplicate of this bug: 1862662

Copying crash signatures from duplicate bugs.

Crash Signature: [@ style::values::generics::calc::GenericCalcNode<T>::resolve_internal] [@ mozilla::MediaTrackGraphImpl::UpdateGraph ] → [@ style::values::generics::calc::GenericCalcNode<T>::resolve_internal] [@ mozilla::MediaTrackGraphImpl::UpdateGraph ] [@ style::values::computed::length_percentage::CalcLengthPercentage::resolve]
Status: NEW → RESOLVED
Crash Signature: [@ style::values::generics::calc::GenericCalcNode<T>::resolve_internal] [@ mozilla::MediaTrackGraphImpl::UpdateGraph ] [@ style::values::computed::length_percentage::CalcLengthPercentage::resolve] → [@ style::values::generics::calc::GenericCalcNode<T>::resolve_internal] [@ mozilla::MediaTrackGraphImpl::UpdateGraph ] [@ style::values::computed::length_percentage::CalcLengthPercentage::resolve]
Closed: 7 months ago
Resolution: --- → FIXED

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit BugBot documentation.

Keywords: stalled
Assignee: nobody → padenot
Group: media-core-security → core-security-release
Target Milestone: --- → 121 Branch
QA Whiteboard: [post-critsmash-triage]
QA Whiteboard: [post-critsmash-triage] → [fixed by bug 1860423[post-critsmash-triage]
Group: core-security-release
QA Whiteboard: [fixed by bug 1860423[post-critsmash-triage] → [fixed in bug 1860423][post-critsmash-triage]
See Also: 1862662