Crash in [@ gdk_window_get_frame_clock]
Categories: Core :: Widget: Gtk, defect
Tracking:
Branch | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox120 | --- | unaffected
firefox121 | --- | unaffected
firefox122 | --- | fixed
People: Reporter: release-mgmt-account-bot, Assigned: stransky
References: Blocks 1 open bug, Regression
Details: 4 keywords, Whiteboard: [non default configuration]
Attachments: 1 file
Crash report: https://crash-stats.mozilla.org/report/index/fb40388c-ab12-436d-8ee4-1a5bf0231127
Reason: SIGSEGV / SI_KERNEL
Top 10 frames of crashing thread:
0 libgdk-3.so.0 gdk_window_get_frame_clock gdk/gdkwindow.c:11810
1 libxul.so mozilla::layers::NativeLayerRootWayland::~NativeLayerRootWayland gfx/layers/NativeLayerWayland.cpp:82
2 libxul.so mozilla::layers::NativeLayerRootWayland::~NativeLayerRootWayland gfx/layers/NativeLayerWayland.cpp:79
3 libxul.so mozilla::layers::NativeLayerRoot::Release gfx/layers/NativeLayer.h:47
3 libxul.so mozilla::RefPtrTraits<mozilla::layers::NativeLayerRootWayland>::Release mfbt/RefPtr.h:54
3 libxul.so RefPtr<mozilla::layers::NativeLayerRootWayland>::ConstRemovingRefPtrTraits<mozilla::layers::NativeLayerRootWayland>::Release mfbt/RefPtr.h:420
3 libxul.so RefPtr<mozilla::layers::NativeLayerRootWayland>::~RefPtr mfbt/RefPtr.h:85
3 libxul.so mozilla::layers::NativeLayerRootWayland::CommitToScreen gfx/layers/NativeLayerWayland.cpp:157
3 libxul.so std::_Function_base::_Base_manager<mozilla::layers::NativeLayerRootWayland::CommitToScreen /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/std_function.h:188
3 libxul.so std::_Function_base::_Base_manager<mozilla::layers::NativeLayerRootWayland::CommitToScreen /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/std_function.h:212
By querying Nightly crashes reported within the last 2 months, here are some insights about the signature:
- First crash report: 2023-11-27
- Process type: Parent
- Is startup crash: No
- Has user comments: No
- Is null crash: No
- Is use after free crash: Yes - 9 out of 10 crashes happened on or near an allocator poison value
By analyzing the backtrace, the regression may have been introduced by a patch [1] to fix Bug 1864382.
[1] https://hg.mozilla.org/mozilla-central/rev?node=103edea66a48
:stransky, since you are the author of the potential regressor, could you please take a look?
Comment 1 (Assignee, 6 months ago):
NativeLayerRootWayland is an experimental Wayland backend used for Wayland compositor benchmarking, and it's disabled by default. Also, it's known to be broken. We don't fix bugs there.
Comment 3 (Assignee, 6 months ago):
Will look at it, we use GdkWindow after free.
Comment 4 (Assignee, 6 months ago)
Comment 5 (Reporter, 6 months ago):
Copying crash signatures from duplicate bugs.
Comment 6 (Assignee, 6 months ago):
Comment on attachment 9367018 [details]
Bug 1868038 [Linux] Clean up GdkWindow at moz_container_unrealize() r?emilio
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Requires knowledge of Gtk3 internals. Also, it affects the wayland-compositor only, which is disabled by default and used for experimental benchmarking of Wayland compositors. So low risk.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: none
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?:
- How likely is this patch to cause regressions; how much testing does it need?: not likely, we clear up the released pointer.
- Is Android affected?: No
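Comment 3 says the GdkWindow is used after free, and the approval request above says the fix clears the released pointer at unrealize. The following is an added illustration of that pattern, not the bug's patch or any GDK/Firefox code: GdkWindowModel, Container, LayerRoot, the 0xE5 poison byte and the static window storage are all constructed stand-ins, and "freeing" only poisons the block so the stale read stays deterministic instead of faulting.

```c
#include <stdint.h>
#include <string.h>

#define POISON 0xE5 /* assumed stand-in for the allocator's free-poison byte */

typedef struct { int32_t tick; } FrameClockModel;
typedef struct { FrameClockModel clock; } GdkWindowModel;

/* Models MozContainer: owns the window between realize and unrealize. */
typedef struct { GdkWindowModel *window; struct LayerRoot *observer; } Container;

/* Models NativeLayerRootWayland: caches a raw pointer to the container's window. */
typedef struct LayerRoot { GdkWindowModel *window; } LayerRoot;

/* One static block stands in for the heap so the "freed" bytes can be inspected. */
static GdkWindowModel window_storage;

static void container_realize(Container *c) {
    c->window = &window_storage;
    c->window->clock.tick = 42;
}

/* Simulated free: poison the bytes as a freed block would be, return nothing to malloc. */
static void window_free(GdkWindowModel *w) { memset(w, POISON, sizeof *w); }

/* Before the fix: unrealize frees the window, but the layer root still points at it. */
static void container_unrealize_unfixed(Container *c) {
    window_free(c->window);
    c->window = NULL;
}

/* After the fix: unrealize clears the layer root's cached pointer before freeing. */
static void container_unrealize_fixed(Container *c) {
    if (c->observer) c->observer->window = NULL;
    window_free(c->window);
    c->window = NULL;
}

/* Models the destructor's gdk_window_get_frame_clock() use; INT32_MIN means "no window". */
static int32_t layer_root_last_tick(const LayerRoot *r) {
    if (!r->window) return INT32_MIN;  /* fixed path: nothing left to read */
    return r->window->clock.tick;      /* unfixed path: reads freed, poisoned memory */
}

/* Runs one realize/unrealize/teardown cycle and returns what the teardown read. */
static int32_t run_lifecycle(int fixed) {
    Container c = {0};
    LayerRoot root = {0};
    container_realize(&c);
    root.window = c.window;
    c.observer = &root;
    if (fixed) container_unrealize_fixed(&c); else container_unrealize_unfixed(&c);
    return layer_root_last_tick(&root);
}
```

The unfixed cycle hands the teardown a value made of poison bytes, which is the "on or near an allocator poison value" pattern the reporter bot flagged in the crash data; the fixed cycle never touches the freed block.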
Comment 7 (6 months ago):
Comment on attachment 9367018 [details]
Bug 1868038 [Linux] Clean up GdkWindow at moz_container_unrealize() r?emilio
If this only affects m-c, it doesn't need sec-approval to land.
Pushed by rvandermeulen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e841ad55e443 [Linux] Clean up GdkWindow at moz_container_unrealize() r=emilio
Comment 9 (6 months ago)