Closed Bug 1879833 Opened 1 year ago Closed 11 months ago

Crash in [@ mozilla::SupportsThreadSafeWeakPtr<T>::refCount]

Categories

(Core :: Graphics, defect)

Tracking

RESOLVED FIXED
125 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox122 --- unaffected
firefox123 --- wontfix
firefox124 --- wontfix
firefox125 + fixed

People

(Reporter: aryx, Assigned: aosmond)

References

(Regression)

Details

(4 keywords, Whiteboard: [likely fixed by bug 1855742][adv-main125-])

Crash Data

8 crashes from 3+ Firefox installs, all with 123 beta or 124 Nightly builds on Linux or macOS

All reports have a use-after-address.

Crash report: https://crash-stats.mozilla.org/report/index/e1d23cab-d7e2-4f19-8a8e-6e3260240205

Reason: SIGSEGV / SI_KERNEL

Top 10 frames of crashing thread:

0  libxul.so  RefPtr<mozilla::detail::ThreadSafeWeakReference>::get const  mfbt/RefPtr.h:314
0  libxul.so  RefPtr<mozilla::detail::ThreadSafeWeakReference>::operator-> const  mfbt/RefPtr.h:344
0  libxul.so  mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::refCount const  mfbt/ThreadSafeWeakPtr.h:189
0  libxul.so  mozilla::SupportsThreadSafeWeakPtr<mozilla::gfx::SourceSurface>::hasOneRef const  mfbt/ThreadSafeWeakPtr.h:190
0  libxul.so  mozilla::gfx::DrawTargetSkia::MarkChanged  gfx/2d/DrawTargetSkia.cpp:2067
0  libxul.so  mozilla::gfx::DrawTargetSkia::DetachAllSnapshots  gfx/2d/DrawTargetSkia.h:141
1  libxul.so  mozilla::layers::TextureClient::Unlock  gfx/layers/client/TextureClient.cpp:811
2  libxul.so  mozilla::layers::TextureClientAutoLock::~TextureClientAutoLock  gfx/layers/client/TextureClient.h:834
2  libxul.so  mozilla::detail::MaybeStorage<mozilla::layers::TextureClientAutoLock, false>::~MaybeStorage  mfbt/Maybe.h:269
2  libxul.so  mozilla::layers::PersistentBufferProviderShared::BorrowDrawTarget  gfx/layers/PersistentBufferProvider.cpp:566

Stack is corrupted for every one of the 8 crash reports.

Severity: -- → S2

Lee, this appears to be happening in Skia. Any insights you might be able to provide?

Flags: needinfo?(lsalzman)

Andrew, this looks like offscreen canvas is somehow dropping the DT while its still in use?

Flags: needinfo?(lsalzman) → needinfo?(aosmond)

So I think this must have been a regression from bug 1870488 given the PersistentBufferProviderShared implications, although to be honest, I'm entirely sure how it works. There definitely seems to be some thread unsafe assumptions, but how that maps to an invalid DrawTarget, I'm not sure since everything seems to hold strong pointers. We shouldn't hit any UAF conditions as a result of it, but maybe.

With that said, I believe I must have fixed this when I landed bug 1855742 part 1, where I changed how the snapshot path worked because recordings made it very complicated. Two things fixed this. 1) I only handled the Skia surface on the owning thread, and 2) I made a copy of it. I don't actually remember my motivation for 2), but I clearly must have been hitting issues in CI, and didn't make the connection that this would be a problem for the existing code.

I'm a little nervous about requesting a release uplift to 123/124, but it has soaked for some time at least....

Flags: needinfo?(aosmond)
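An added illustration, not Mozilla's code, of the two-part fix described in comment 4, modelled with standard C++ smart pointers: snapshots are only produced on the thread that owns the draw target and carry a deep copy of the surface, so they never alias a buffer another thread may free, and the target tracks outstanding snapshots through `std::weak_ptr` and walks them with `lock()`, so a snapshot already released by its holder is skipped rather than dereferenced as a dangling pointer. `Surface`, `Snapshot`, `DrawTarget` and the helper functions below are hypothetical stand-ins chosen for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Constructed stand-in for a pixel surface (not gfx::SourceSurface).
struct Surface {
    std::vector<uint8_t> pixels;
    Surface(size_t n, uint8_t fill) : pixels(n, fill) {}
};

// A snapshot owns a *copy* of the pixels, so its lifetime no longer depends
// on the DrawTarget that produced it (the "made a copy of it" part of the fix).
struct Snapshot {
    std::shared_ptr<const Surface> data;
};

class DrawTarget {
public:
    DrawTarget(size_t bytes, uint8_t fill)
        : mOwner(std::this_thread::get_id()),
          mSurface(std::make_shared<Surface>(bytes, fill)) {}

    // Snapshots are only produced on the owning thread (the "only on the
    // owning thread" part of the fix). Any other caller gets nullptr instead
    // of a reference into a surface it must not touch. The caller id is a
    // parameter only so the refusal can be exercised without spawning threads.
    std::shared_ptr<Snapshot> snapshot(std::thread::id caller = std::this_thread::get_id()) {
        if (caller != mOwner) return nullptr;
        std::lock_guard<std::mutex> lock(mMutex);
        auto snap = std::make_shared<Snapshot>();
        snap->data = std::make_shared<Surface>(*mSurface);  // deep copy of the pixels
        mSnapshots.push_back(snap);  // weak reference: the target never keeps a snapshot alive
        return snap;
    }

    // Called before the surface is mutated. Each outstanding snapshot is
    // reached through weak_ptr::lock(); one whose last holder already released
    // it has expired and is dropped from the list, never dereferenced.
    // Returns the number of snapshots still alive.
    size_t detachAllSnapshots() {
        std::lock_guard<std::mutex> lock(mMutex);
        size_t live = 0;
        for (auto it = mSnapshots.begin(); it != mSnapshots.end();) {
            if (auto snap = it->lock()) { ++live; ++it; }
            else it = mSnapshots.erase(it);
        }
        return live;
    }

    // A mutation: detach first, then write. Existing snapshots keep their copy.
    void fill(uint8_t v) {
        detachAllSnapshots();
        std::lock_guard<std::mutex> lock(mMutex);
        std::fill(mSurface->pixels.begin(), mSurface->pixels.end(), v);
    }

private:
    std::thread::id mOwner;
    std::mutex mMutex;
    std::shared_ptr<Surface> mSurface;
    std::vector<std::weak_ptr<Snapshot>> mSnapshots;
};

// A snapshot survives both a later mutation and the destruction of its target,
// and still reports the pixel value it was taken with.
uint8_t snapshotOutlivesTarget() {
    std::shared_ptr<Snapshot> snap;
    {
        DrawTarget dt(16, 0x11);
        snap = dt.snapshot();
        dt.fill(0x22);  // must not leak into the snapshot's copy
    }                   // dt is gone here; snap->data is still valid
    return snap->data->pixels[0];
}

// Two snapshots taken, one released by its holder: detach sees exactly one live.
size_t droppedSnapshotIsSkipped() {
    DrawTarget dt(16, 0);
    auto a = dt.snapshot();
    auto b = dt.snapshot();
    b.reset();
    return dt.detachAllSnapshots();
}

// A caller that is not the owning thread is refused a snapshot.
bool offThreadSnapshotRefused() {
    DrawTarget dt(16, 0);
    return dt.snapshot(std::thread::id{}) == nullptr;  // default id is "no thread"
}

int main() {
    bool ok = snapshotOutlivesTarget() == 0x11 && droppedSnapshotIsSkipped() == 1 &&
              offThreadSnapshotRefused();
    return ok ? 0 : 1;
}
```

The shape mirrors the crash stack above in spirit only: `DetachAllSnapshots` walking stale snapshot references is where the report dies, and the two properties exercised here (copies instead of aliases, and an expiry-aware walk) are what stop that walk from touching freed memory.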

Tentatively marking as fixed in 125. No crashes in 125 yet according to crash stats.

Depends on: 1855742

Let's mark this tracking for Fx125 as a reminder to check back on crash-stats to see if comment 5 continues to hold

Keywords: regression
Regressed by: 1870488
Whiteboard: [likely fixed by bug 1855742]
Group: gfx-core-security → core-security-release

Still looks fixed

Assignee: nobody → aosmond
Status: NEW → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Target Milestone: --- → 125 Branch
Whiteboard: [likely fixed by bug 1855742] → [likely fixed by bug 1855742][adv-main125-]
Group: core-security-release