GPU process renders garbled text or crashes with USER_LIMITED access token level
Categories
(Core :: Security: Process Sandboxing, defect, P1)
Tracking
()
People
(Reporter: amy, Assigned: bobowen)
References
Details
(Keywords: regression)
Attachments
(3 files)
Example garbled text
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Steps to reproduce:
Tried opening https://crash-stats.mozilla.org/report/index/f475359d-dc89-4d6c-b3c1-774180250517 for a crash I just had. Also tried opening the Bitwarden extension.
Actual results:
I get garbled text on the screen. In certain cases, the browser tab just crashes.
Expected results:
Text should be correctly rendered.
|
||
Comment 1•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
These are the crashes I got: https://crash-stats.mozilla.org/report/index/d70baf42-db65-4fe8-9a03-44a8d0250517 and https://crash-stats.mozilla.org/report/index/f475359d-dc89-4d6c-b3c1-774180250517
Tried tracking down the topmost frame function, but the page https://hg-edge.mozilla.org/mozilla-central/file/61e8f954db8a1c59290a5763d09dc43e17d6c2f9/gfx/thebes/gfxPlatform.cpp#l387 renders as total garbage characters. From the looks of it, monospace fonts are destroyed, and serif fonts are rendered at least ignoring ligatures.
|
||
Comment 3•1 year ago
|
||
Based on the crashes, looks like the signature matches bug 1967071.
Workaround: setting security.sandbox.gpu.level back to 1 is enough to make the browser usable again.
|
||
Updated•1 year ago
|
|
Assignee | |
Comment 5•1 year ago
|
||
This is down to the having user installed fonts.
We need a policy rule to give access to these.
|
|
||
Comment 6•1 year ago
|
||
The severity field is not set for this bug.
:gcp, could you have a look please?
For more information, please visit BugBot documentation.
|
|
Assignee | |
Comment 7•1 year ago
|
||
Marking as enhancement as this is caused by non-standard pref setting that will be fixed prior to re-landing.
|
|
Assignee | |
Comment 8•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Comment 10•1 year ago
|
||
| bugherder | ||
|
|
||
Comment 11•1 year ago
|
||
Set release status flags based on info from the regressing bug 1966716
|
||
Comment 12•1 year ago
|
||
140 was fixed by backout of bug 1966716
|
|
Assignee | |
Comment 13•1 year ago
|
||
(In reply to Mathew Hodson from comment #12)
140 was fixed by backout of bug 1966716
That removed the regression, but the actual issue was fixed (hopefully) by the patch in this bug in 141.
|
||
Comment 14•11 months ago
|
||
Thunderbird ESR 140 experiences a regression (bug 1970126) that can be fixed by applying the patches from this bug plus another bug to mozilla-esr140 (bug 1967046 and bug 1967485).
Could you please uplift the patches to mozilla-esr140 ?
In case it is helpful, I have prepared uplift patches for the https://phabricator.services.mozilla.com/source/firefox-esr140/ GIT repo, they are attached to bug 1970126.
|
|
Assignee | |
Comment 15•11 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D252467
|
|
||
Updated•11 months ago
|
|
||
Comment 16•11 months ago
|
||
(In reply to Mathew Hodson from comment #12)
140 was fixed by backout of bug 1966716
That backout that landed in both 140 and 140esr doesn't fix your issue?
|
|
||
Updated•11 months ago
|
|
||
Updated•11 months ago
|
|
||
Comment 17•11 months ago
|
||
| uplift | ||
|
||
Updated•11 months ago
|
|
|
||
Comment 18•10 months ago
|
||
(In reply to Pascal Chevrel:pascalc from comment #16)
(In reply to Mathew Hodson from comment #12)
140 was fixed by backout of bug 1966716
That backout that landed in both 140 and 140esr doesn't fix your issue?
We didn't need the backout. We rather need the patch to be present.
In the meantime it was landed, comment 17, and I believe that helped us.
Thanks
|
|
||
Updated•10 months ago
|
Description
•