Closed Bug 1743821 Opened 3 years ago Closed 3 years ago

Intermittent SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/widget/gtk/nsShmImage.cpp:235:7 in nsShmImage::DestroyImage()

Categories

(Core :: Widget: Gtk, defect)

Tracking

RESOLVED FIXED
98 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox95 --- wontfix
firefox96 --- wontfix
firefox97 + fixed
firefox98 + fixed

People

(Reporter: intermittent-bug-filer, Assigned: stransky)

References

(Regression)

Details

(4 keywords, Whiteboard: [sec-survey][post-critsmash-triage][adv-main97+r])

Attachments

(1 file, 1 obsolete file)

Filed by: smolnar [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=359829989&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/JITw1MGjTX-h5Kt8esY-xw/runs/0/artifacts/public/logs/live_backing.log


ERROR - GECKO(1572) | ==1572==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000591be0 at pc 0x7ff9c92d264b bp 0x7ff9ab89c200 sp 0x7ff9ab89c1f8
[task 2021-12-01T13:41:56.365Z] 13:41:56     INFO - GECKO(1572) | READ of size 4 at 0x608000591be0 thread T37 (Renderer)
[task 2021-12-01T13:41:57.701Z] 13:41:57     INFO - GECKO(1572) |     #0 0x7ff9c92d264a in nsShmImage::DestroyImage() /builds/worker/checkouts/gecko/widget/gtk/nsShmImage.cpp:235:7
[task 2021-12-01T13:41:57.702Z] 13:41:57     INFO - GECKO(1572) |     #1 0x7ff9c92d305e in nsShmImage::CreateImage(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/widget/gtk/nsShmImage.cpp:211:5
[task 2021-12-01T13:41:57.702Z] 13:41:57     INFO - GECKO(1572) |     #2 0x7ff9c92d368d in nsShmImage::CreateDrawTarget(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&) /builds/worker/checkouts/gecko/widget/gtk/nsShmImage.cpp:279:10
[task 2021-12-01T13:41:57.703Z] 13:41:57     INFO - GECKO(1572) |     #3 0x7ff9c924fc04 in mozilla::widget::WindowSurfaceProvider::StartRemoteDrawingInRegion(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&, mozilla::layers::BufferMode*) /builds/worker/checkouts/gecko/widget/gtk/WindowSurfaceProvider.cpp:135:48
[task 2021-12-01T13:41:57.704Z] 13:41:57     INFO - GECKO(1572) |     #4 0x7ff9c47c861b in mozilla::wr::RenderCompositorSWGL::AllocateMappedBuffer(mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, unsigned long) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderCompositorSWGL.cpp:73:18
[task 2021-12-01T13:41:57.706Z] 13:41:57     INFO - GECKO(1572) |     #5 0x7ff9c47ca7ee in mozilla::wr::RenderCompositorSWGL::StartCompositing(mozilla::wr::ColorF, mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, unsigned long, mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, unsigned long) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderCompositorSWGL.cpp:186:8
[task 2021-12-01T13:41:57.707Z] 13:41:57     INFO - GECKO(1572) |     #6 0x7ff9d15dd7c9 in _$LT$webrender..compositor..sw_compositor..SwCompositor$u20$as$u20$webrender..composite..Compositor$GT$::start_compositing::h5c0c32f122f4cce1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:1404:9
[task 2021-12-01T13:41:57.709Z] 13:41:57     INFO - GECKO(1572) |     #7 0x7ff9d16b9d96 in webrender::renderer::_$LT$impl$u20$webrender..composite..CompositeState$GT$::composite_native::he91b464d8d82acb9 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:6228:9
[task 2021-12-01T13:41:57.709Z] 13:41:57     INFO - GECKO(1572) |     #8 0x7ff9d16b9d96 in webrender::renderer::Renderer::draw_frame::hd86b31efa2cf819e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4623:17
[task 2021-12-01T13:41:57.717Z] 13:41:57     INFO - GECKO(1572) |     #9 0x7ff9d1686783 in webrender::renderer::Renderer::render_impl::h2df9dc3eaf5f1505 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2002:17
[task 2021-12-01T13:41:57.717Z] 13:41:57     INFO - GECKO(1572) |     #10 0x7ff9d170bf8f in webrender::renderer::Renderer::render::he51ccb6945f30078 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1724:30
[task 2021-12-01T13:41:57.717Z] 13:41:57     INFO - GECKO(1572) |     #11 0x7ff9d180641e in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:622:11
[task 2021-12-01T13:41:57.717Z] 13:41:57     INFO - GECKO(1572) |     #12 0x7ff9c47d95de in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:185:8
[task 2021-12-01T13:41:57.718Z] 13:41:57     INFO - GECKO(1572) |     #13 0x7ff9c47d7ae9 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:516:31
[task 2021-12-01T13:41:57.719Z] 13:41:57     INFO - GECKO(1572) |     #14 0x7ff9c47d6d01 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:368:3
[task 2021-12-01T13:41:57.719Z] 13:41:57     INFO - GECKO(1572) |     #15 0x7ff9c47f00f6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
[task 2021-12-01T13:41:57.720Z] 13:41:57     INFO - GECKO(1572) |     #16 0x7ff9c47f00f6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
[task 2021-12-01T13:41:57.721Z] 13:41:57     INFO - GECKO(1572) |     #17 0x7ff9c47f00f6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
[task 2021-12-01T13:41:57.722Z] 13:41:57     INFO - GECKO(1572) |     #18 0x7ff9c1fac3fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1177:16
[task 2021-12-01T13:41:57.722Z] 13:41:57     INFO - GECKO(1572) |     #19 0x7ff9c1fb6ffc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
[task 2021-12-01T13:41:57.723Z] 13:41:57     INFO - GECKO(1572) |     #20 0x7ff9c3142728 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
[task 2021-12-01T13:41:57.724Z] 13:41:57     INFO - GECKO(1572) |     #21 0x7ff9c304dbf1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
[task 2021-12-01T13:41:57.724Z] 13:41:57     INFO - GECKO(1572) |     #22 0x7ff9c304dbf1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
[task 2021-12-01T13:41:57.725Z] 13:41:57     INFO - GECKO(1572) |     #23 0x7ff9c304dbf1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
[task 2021-12-01T13:41:57.725Z] 13:41:57     INFO - GECKO(1572) |     #24 0x7ff9c1fa4b19 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
[task 2021-12-01T13:41:57.726Z] 13:41:57     INFO - GECKO(1572) |     #25 0x7ff9e36d8ade in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
[task 2021-12-01T13:41:57.726Z] 13:41:57     INFO - GECKO(1572) |     #26 0x7ff9e55006da in start_thread /tmp/glibc/nptl/pthread_create.c:463
[task 2021-12-01T13:41:57.727Z] 13:41:57     INFO - GECKO(1572) |     #27 0x7ff9e44dea3e in __clone /tmp/glibc/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
[task 2021-12-01T13:41:57.728Z] 13:41:57     INFO - GECKO(1572) | 0x608000591be0 is located 64 bytes inside of 96-byte region [0x608000591ba0,0x608000591c00)
[task 2021-12-01T13:41:57.728Z] 13:41:57     INFO - GECKO(1572) | freed by thread T0 (GeckoMain) here:
[task 2021-12-01T13:41:57.779Z] 13:41:57     INFO - GECKO(1572) |     #0 0x55e2dc163b22 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
[task 2021-12-01T13:41:57.781Z] 13:41:57     INFO - GECKO(1572) |     #1 0x7ff9c9280c7e in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
[task 2021-12-01T13:41:57.782Z] 13:41:57     INFO - GECKO(1572) |     #2 0x7ff9c9280c7e in Release /builds/worker/checkouts/gecko/widget/gtk/nsShmImage.h:27:3
[task 2021-12-01T13:41:57.784Z] 13:41:57     INFO - GECKO(1572) |     #3 0x7ff9c9280c7e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
[task 2021-12-01T13:41:57.785Z] 13:41:57     INFO - GECKO(1572) |     #4 0x7ff9c9280c7e in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
[task 2021-12-01T13:41:57.787Z] 13:41:57     INFO - GECKO(1572) |     #5 0x7ff9c9280c7e in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
[task 2021-12-01T13:41:57.788Z] 13:41:57     INFO - GECKO(1572) |     #6 0x7ff9c9280c7e in mozilla::widget::WindowSurfaceX11SHM::~WindowSurfaceX11SHM() /builds/worker/checkouts/gecko/widget/gtk/WindowSurfaceX11SHM.h:18:7
[task 2021-12-01T13:41:57.789Z] 13:41:57     INFO - GECKO(1572) |     #7 0x7ff9c9280cfd in mozilla::widget::WindowSurfaceX11SHM::~WindowSurfaceX11SHM() /builds/worker/checkouts/gecko/widget/gtk/WindowSurfaceX11SHM.h:18:7
[task 2021-12-01T13:41:57.794Z] 13:41:57     INFO - GECKO(1572) |     #8 0x7ff9c924ecbb in Release /builds/worker/workspace/obj-build/dist/include/mozilla/widget/WindowSurface.h:19:3
[task 2021-12-01T13:41:57.795Z] 13:41:57     INFO - GECKO(1572) |     #9 0x7ff9c924ecbb in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
[task 2021-12-01T13:41:57.796Z] 13:41:57     INFO - GECKO(1572) |     #10 0x7ff9c924ecbb in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
[task 2021-12-01T13:41:57.797Z] 13:41:57     INFO - GECKO(1572) |     #11 0x7ff9c924ecbb in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:69:7
[task 2021-12-01T13:41:57.798Z] 13:41:57     INFO - GECKO(1572) |     #12 0x7ff9c924ecbb in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:168:5
[task 2021-12-01T13:41:57.798Z] 13:41:57     INFO - GECKO(1572) |     #13 0x7ff9c924ecbb in mozilla::widget::WindowSurfaceProvider::CleanupResources() /builds/worker/checkouts/gecko/widget/gtk/WindowSurfaceProvider.cpp:72:18
[task 2021-12-01T13:41:57.799Z] 13:41:57     INFO - GECKO(1572) |     #14 0x7ff9c91f6812 in mozilla::widget::GtkCompositorWidget::DisableRendering() /builds/worker/checkouts/gecko/widget/gtk/GtkCompositorWidget.cpp:159:13
[task 2021-12-01T13:41:57.800Z] 13:41:57     INFO - GECKO(1572) |     #15 0x7ff9c91994c2 in nsWindow::DisableRenderingToWindow() /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:5159:32
[task 2021-12-01T13:41:57.801Z] 13:41:57     INFO - GECKO(1572) |     #16 0x7ff9c91ebc98 in nsWindow::SetCompositorWidgetDelegate(mozilla::widget::CompositorWidgetDelegate*) /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:8301:5
[task 2021-12-01T13:41:57.802Z] 13:41:57     INFO - GECKO(1572) |     #17 0x7ff9c9076ed9 in nsBaseWidget::DestroyCompositor() /builds/worker/checkouts/gecko/widget/nsBaseWidget.cpp:359:5
[task 2021-12-01T13:41:57.803Z] 13:41:57     INFO - GECKO(1572) |     #18 0x7ff9c9197cc3 in nsWindow::Destroy() /builds/worker/checkouts/gecko/widget/gtk/nsWindow.cpp:671:3
[task 2021-12-01T13:41:57.804Z] 13:41:57     INFO - GECKO(1572) |     #19 0x7ff9cc8e221b in mozilla::AppWindow::Destroy() /builds/worker/checkouts/gecko/xpfe/appshell/AppWindow.cpp:653:14
[task 2021-12-01T13:41:57.804Z] 13:41:57     INFO - GECKO(1572) |     #20 0x7ff9cc90a4e4 in Destroy /builds/worker/checkouts/gecko/xpfe/appshell/nsChromeTreeOwner.cpp:255:22
[task 2021-12-01T13:41:57.805Z] 13:41:57     INFO - GECKO(1572) |     #21 0x7ff9cc90a4e4 in non-virtual thunk to nsChromeTreeOwner::Destroy() /builds/worker/checkouts/gecko/xpfe/appshell/nsChromeTreeOwner.cpp
[task 2021-12-01T13:41:57.806Z] 13:41:57     INFO - GECKO(1572) |     #22 0x7ff9c4b6b1ee in nsGlobalWindowOuter::ReallyCloseWindow() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:6354:19
[task 2021-12-01T13:41:57.806Z] 13:41:57     INFO - GECKO(1572) |     #23 0x7ff9c4b738a2 in nsCloseEvent::Run() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowOuter.cpp:6155:16
[task 2021-12-01T13:41:57.807Z] 13:41:57     INFO - GECKO(1572) |     #24 0x7ff9c1fc5402 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
[task 2021-12-01T13:41:57.808Z] 13:41:57     INFO - GECKO(1572) |     #25 0x7ff9c1f8c11d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
[task 2021-12-01T13:41:57.809Z] 13:41:57     INFO - GECKO(1572) |     #26 0x7ff9c1f899d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
[task 2021-12-01T13:41:57.809Z] 13:41:57     INFO - GECKO(1572) |     #27 0x7ff9c1f8a0e9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
[task 2021-12-01T13:41:57.810Z] 13:41:57     INFO - GECKO(1572) |     #28 0x7ff9c1fceca1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:37
[task 2021-12-01T13:41:57.811Z] 13:41:57     INFO - GECKO(1572) |     #29 0x7ff9c1fceca1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
[task 2021-12-01T13:41:57.811Z] 13:41:57     INFO - GECKO(1572) |     #30 0x7ff9c1fabbc7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1183:16
[task 2021-12-01T13:41:57.812Z] 13:41:57     INFO - GECKO(1572) |     #31 0x7ff9c1fb6ffc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
[task 2021-12-01T13:41:57.813Z] 13:41:57     INFO - GECKO(1572) |     #32 0x7ff9c3141788 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
[task 2021-12-01T13:41:57.814Z] 13:41:57     INFO - GECKO(1572) |     #33 0x7ff9c304dbf1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
[task 2021-12-01T13:41:57.814Z] 13:41:57     INFO - GECKO(1572) |     #34 0x7ff9c304dbf1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
[task 2021-12-01T13:41:57.815Z] 13:41:57     INFO - GECKO(1572) |     #35 0x7ff9c304dbf1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
[task 2021-12-01T13:41:57.816Z] 13:41:57     INFO - GECKO(1572) |     #36 0x7ff9c911aa77 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
[task 2021-12-01T13:41:57.816Z] 13:41:57     INFO - GECKO(1572) |     #37 0x7ff9cd055ab7 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
[task 2021-12-01T13:41:57.817Z] 13:41:57     INFO - GECKO(1572) |     #38 0x7ff9cd25d188 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5310:22
[task 2021-12-01T13:41:57.818Z] 13:41:57     INFO - GECKO(1572) |     #39 0x7ff9cd25f569 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5495:8
[task 2021-12-01T13:41:57.818Z] 13:41:57     INFO - GECKO(1572) |     #40 0x7ff9cd2602a3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5554:21
[task 2021-12-01T13:41:57.819Z] 13:41:57     INFO - GECKO(1572) |     #41 0x55e2dc19904c in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
[task 2021-12-01T13:41:57.820Z] 13:41:57     INFO - GECKO(1572) |     #42 0x55e2dc19904c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:395:16
[task 2021-12-01T13:41:57.820Z] 13:41:57     INFO - GECKO(1572) |     #43 0x7ff9e43deb96 in __libc_start_main /tmp/glibc/csu/../csu/libc-start.c:310
[task 2021-12-01T13:41:57.821Z] 13:41:57     INFO - GECKO(1572) | previously allocated by thread T37 (Renderer) here:
[task 2021-12-01T13:41:57.822Z] 13:41:57     INFO - GECKO(1572) |     #0 0x55e2dc163d8d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
[task 2021-12-01T13:41:57.822Z] 13:41:57     INFO - GECKO(1572) |     #1 0x55e2dc19ec6d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
[task 2021-12-01T13:41:57.823Z] 13:41:57     INFO - GECKO(1572) |     #2 0x7ff9c9255936 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
[task 2021-12-01T13:41:57.824Z] 13:41:57     INFO - GECKO(1572) |     #3 0x7ff9c9255936 in mozilla::widget::WindowSurfaceX11SHM::WindowSurfaceX11SHM(_XDisplay*, unsigned long, Visual*, unsigned int) /builds/worker/checkouts/gecko/widget/gtk/WindowSurfaceX11SHM.cpp:13:17
[task 2021-12-01T13:41:57.825Z] 13:41:57     INFO - GECKO(1572) |     #4 0x7ff9c924f613 in RefPtr<mozilla::widget::WindowSurfaceX11SHM> mozilla::MakeRefPtr<mozilla::widget::WindowSurfaceX11SHM, _XDisplay*, unsigned long&, Visual*&, int&>(_XDisplay*&&, unsigned long&, Visual*&, int&) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:603:19
[task 2021-12-01T13:41:57.826Z] 13:41:57     INFO - GECKO(1572) |     #5 0x7ff9c924f204 in mozilla::widget::WindowSurfaceProvider::CreateWindowSurface() /builds/worker/checkouts/gecko/widget/gtk/WindowSurfaceProvider.cpp:106:14
[task 2021-12-01T13:41:57.826Z] 13:41:57     INFO - GECKO(1572) |     #6 0x7ff9c924faf4 in mozilla::widget::WindowSurfaceProvider::StartRemoteDrawingInRegion(mozilla::gfx::IntRegionTyped<mozilla::LayoutDevicePixel> const&, mozilla::layers::BufferMode*) /builds/worker/checkouts/gecko/widget/gtk/WindowSurfaceProvider.cpp:128:22
[task 2021-12-01T13:41:57.827Z] 13:41:57     INFO - GECKO(1572) |     #7 0x7ff9c47c861b in mozilla::wr::RenderCompositorSWGL::AllocateMappedBuffer(mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, unsigned long) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderCompositorSWGL.cpp:73:18
[task 2021-12-01T13:41:57.828Z] 13:41:57     INFO - GECKO(1572) |     #8 0x7ff9c47ca7ee in mozilla::wr::RenderCompositorSWGL::StartCompositing(mozilla::wr::ColorF, mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, unsigned long, mozilla::wr::Box2D<int, mozilla::wr::DevicePixel> const*, unsigned long) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderCompositorSWGL.cpp:186:8
[task 2021-12-01T13:41:57.829Z] 13:41:57     INFO - GECKO(1572) |     #9 0x7ff9d15dd7c9 in _$LT$webrender..compositor..sw_compositor..SwCompositor$u20$as$u20$webrender..composite..Compositor$GT$::start_compositing::h5c0c32f122f4cce1 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/compositor/sw_compositor.rs:1404:9
[task 2021-12-01T13:41:57.830Z] 13:41:57     INFO - GECKO(1572) |     #10 0x7ff9d16b9d96 in webrender::renderer::_$LT$impl$u20$webrender..composite..CompositeState$GT$::composite_native::he91b464d8d82acb9 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:6228:9
[task 2021-12-01T13:41:57.831Z] 13:41:57     INFO - GECKO(1572) |     #11 0x7ff9d16b9d96 in webrender::renderer::Renderer::draw_frame::hd86b31efa2cf819e /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:4623:17
[task 2021-12-01T13:41:57.831Z] 13:41:57     INFO - GECKO(1572) |     #12 0x7ff9d1686783 in webrender::renderer::Renderer::render_impl::h2df9dc3eaf5f1505 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:2002:17
[task 2021-12-01T13:41:57.832Z] 13:41:57     INFO - GECKO(1572) |     #13 0x7ff9d170bf8f in webrender::renderer::Renderer::render::he51ccb6945f30078 /builds/worker/checkouts/gecko/gfx/wr/webrender/src/renderer/mod.rs:1724:30
[task 2021-12-01T13:41:57.833Z] 13:41:57     INFO - GECKO(1572) |     #14 0x7ff9d180641e in wr_renderer_render /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:622:11
[task 2021-12-01T13:41:57.834Z] 13:41:57     INFO - GECKO(1572) |     #15 0x7ff9c47d95de in mozilla::wr::RendererOGL::UpdateAndRender(mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*, mozilla::wr::RendererStats*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RendererOGL.cpp:185:8
[task 2021-12-01T13:41:57.835Z] 13:41:57     INFO - GECKO(1572) |     #16 0x7ff9c47d7ae9 in mozilla::wr::RenderThread::UpdateAndRender(mozilla::wr::WrWindowId, mozilla::layers::BaseTransactionId<mozilla::VsyncIdType> const&, mozilla::TimeStamp const&, bool, mozilla::Maybe<mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> > const&, mozilla::Maybe<mozilla::wr::ImageFormat> const&, mozilla::Maybe<mozilla::Range<unsigned char> > const&, bool*) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:516:31
[task 2021-12-01T13:41:57.836Z] 13:41:57     INFO - GECKO(1572) |     #17 0x7ff9c47d6d01 in mozilla::wr::RenderThread::HandleFrameOneDoc(mozilla::wr::WrWindowId, bool) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:368:3
[task 2021-12-01T13:41:57.836Z] 13:41:57     INFO - GECKO(1572) |     #18 0x7ff9c47f00f6 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByConstLRef<bool> , 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
[task 2021-12-01T13:41:57.837Z] 13:41:57     INFO - GECKO(1572) |     #19 0x7ff9c47f00f6 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
[task 2021-12-01T13:41:57.838Z] 13:41:57     INFO - GECKO(1572) |     #20 0x7ff9c47f00f6 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, bool), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
[task 2021-12-01T13:41:57.839Z] 13:41:57     INFO - GECKO(1572) |     #21 0x7ff9c1fac3fb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1177:16
[task 2021-12-01T13:41:57.840Z] 13:41:57     INFO - GECKO(1572) |     #22 0x7ff9c1fb6ffc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
[task 2021-12-01T13:41:57.840Z] 13:41:57     INFO - GECKO(1572) |     #23 0x7ff9c3142728 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
[task 2021-12-01T13:41:57.841Z] 13:41:57     INFO - GECKO(1572) |     #24 0x7ff9c304dbf1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
[task 2021-12-01T13:41:57.842Z] 13:41:57     INFO - GECKO(1572) |     #25 0x7ff9c304dbf1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
[task 2021-12-01T13:41:57.843Z] 13:41:57     INFO - GECKO(1572) |     #26 0x7ff9c304dbf1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
[task 2021-12-01T13:41:57.843Z] 13:41:57     INFO - GECKO(1572) |     #27 0x7ff9c1fa4b19 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
[task 2021-12-01T13:41:57.844Z] 13:41:57     INFO - GECKO(1572) |     #28 0x7ff9e36d8ade in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
[task 2021-12-01T13:41:57.845Z] 13:41:57     INFO - GECKO(1572) |     #29 0x7ff9e55006da in start_thread /tmp/glibc/nptl/pthread_create.c:463
[task 2021-12-01T13:41:57.845Z] 13:41:57     INFO - GECKO(1572) | Thread T37 (Renderer) created by T0 (GeckoMain) here:
[task 2021-12-01T13:41:57.921Z] 13:41:57     INFO - GECKO(1572) |     #0 0x55e2dc14e48c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
[task 2021-12-01T13:41:57.921Z] 13:41:57     INFO - GECKO(1572) |     #1 0x7ff9e36c8b74 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
[task 2021-12-01T13:41:57.921Z] 13:41:57     INFO - GECKO(1572) |     #2 0x7ff9e36b9e1e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
[task 2021-12-01T13:41:57.921Z] 13:41:57     INFO - GECKO(1572) |     #3 0x7ff9c1fa7e45 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:615:18
[task 2021-12-01T13:41:57.921Z] 13:41:57     INFO - GECKO(1572) |     #4 0x7ff9c1fb4ddf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581:12
[task 2021-12-01T13:41:57.922Z] 13:41:57     INFO - GECKO(1572) |     #5 0x7ff9c1fc0311 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163:57
[task 2021-12-01T13:41:57.923Z] 13:41:57     INFO - GECKO(1572) |     #6 0x7ff9c47d3171 in NS_NewNamedThread<9UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
[task 2021-12-01T13:41:57.926Z] 13:41:57     INFO - GECKO(1572) |     #7 0x7ff9c47d3171 in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:92:17
[task 2021-12-01T13:41:57.927Z] 13:41:57     INFO - GECKO(1572) |     #8 0x7ff9c45a87cb in InitLayersIPC /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1293:7
[task 2021-12-01T13:41:57.927Z] 13:41:57     INFO - GECKO(1572) |     #9 0x7ff9c45a87cb in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:959:3
[task 2021-12-01T13:41:57.928Z] 13:41:57     INFO - GECKO(1572) |     #10 0x7ff9c45a71ab in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:466:5
[task 2021-12-01T13:41:57.928Z] 13:41:57     INFO - GECKO(1572) |     #11 0x7ff9c90ca8fc in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1812:25
[task 2021-12-01T13:41:57.933Z] 13:41:57     INFO - GECKO(1572) |     #12 0x7ff9c1ffab75 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
[task 2021-12-01T13:41:57.936Z] 13:41:57     INFO - GECKO(1572) |     #13 0x7ff9c3bad85e in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1631:10
[task 2021-12-01T13:41:57.936Z] 13:41:57     INFO - GECKO(1572) |     #14 0x7ff9c3bad85e in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1184:19
[task 2021-12-01T13:41:57.936Z] 13:41:57     INFO - GECKO(1572) |     #15 0x7ff9c3bad85e in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1130:23
[task 2021-12-01T13:41:57.936Z] 13:41:57     INFO - GECKO(1572) |     #16 0x7ff9c3bb2dc0 in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1465:12
[task 2021-12-01T13:41:57.936Z] 13:41:57     INFO - GECKO(1572) |     #17 0x7ff9c3bb2dc0 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:961:10
[task 2021-12-01T13:41:57.936Z] 13:41:57     INFO - GECKO(1572) |     #18 0x7ff9cd49cd14 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:388:13
[task 2021-12-01T13:41:57.936Z] 13:41:57     INFO - GECKO(1572) |     #19 0x7ff9cd49cd14 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:12
[task 2021-12-01T13:41:57.940Z] 13:41:57     INFO - GECKO(1572) |     #20 0x7ff9cd49ef9b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:8
[task 2021-12-01T13:41:57.940Z] 13:41:57     INFO - GECKO(1572) |     #21 0x7ff9cd4a052b in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:678:10
[task 2021-12-01T13:41:57.940Z] 13:41:57     INFO - GECKO(1572) |     #22 0x7ff9cd941332 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:1942:12
[task 2021-12-01T13:41:57.940Z] 13:41:57     INFO - GECKO(1572) |     #23 0x7ff9cd941332 in GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:1970:12
[task 2021-12-01T13:41:57.940Z] 13:41:57     INFO - GECKO(1572) |     #24 0x7ff9cd941332 in NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2116:14
[task 2021-12-01T13:41:57.940Z] 13:41:57     INFO - GECKO(1572) |     #25 0x7ff9cd941332 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2147:10
[task 2021-12-01T13:41:57.941Z] 13:41:57     INFO - GECKO(1572) |     #26 0x7ff9cd48b46c in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:115:10
[task 2021-12-01T13:41:57.941Z] 13:41:57     INFO - GECKO(1572) |     #27 0x7ff9cd48b46c in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:413:10
[task 2021-12-01T13:41:57.944Z] 13:41:57     INFO - GECKO(1572) |     #28 0x7ff9cd48b46c in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:497:10
[task 2021-12-01T13:41:57.944Z] 13:41:57     INFO - GECKO(1572) |     #29 0x7ff9cd48b46c in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3042:12
[task 2021-12-01T13:41:57.944Z] 13:41:57     INFO - GECKO(1572) |     #30 0x7ff9cd46e0e1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:357:13
[task 2021-12-01T13:41:57.944Z] 13:41:57     INFO - GECKO(1572) |     #31 0x7ff9cd49ce4f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:507:13
[task 2021-12-01T13:41:57.945Z] 13:41:57     INFO - GECKO(1572) |     #32 0x7ff9cd49ef9b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:8
[task 2021-12-01T13:41:57.948Z] 13:41:57     INFO - GECKO(1572) |     #33 0x7ff9cd6b8e9c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:53:10
[task 2021-12-01T13:41:57.948Z] 13:41:57     INFO - GECKO(1572) |     #34 0x7ff9c3b9ee28 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
[task 2021-12-01T13:41:57.948Z] 13:41:57     INFO - GECKO(1572) |     #35 0x7ff9c1ffc512 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
[task 2021-12-01T13:41:57.948Z] 13:41:57     INFO - GECKO(1572) |     #36 0x7ff9c1ffb29a in SharedStub xptcstubs_x86_64_linux.cpp
[task 2021-12-01T13:41:57.951Z] 13:41:57     INFO - GECKO(1572) |     #37 0x7ff9c1f52ba2 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:687:19
[task 2021-12-01T13:41:57.951Z] 13:41:57     INFO - GECKO(1572) |     #38 0x7ff9cd27ff79 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:976:11
[task 2021-12-01T13:41:57.951Z] 13:41:57     INFO - GECKO(1572) |     #39 0x7ff9cd25c263 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5045:18
[task 2021-12-01T13:41:57.951Z] 13:41:57     INFO - GECKO(1572) |     #40 0x7ff9cd25f569 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5495:8
[task 2021-12-01T13:41:57.951Z] 13:41:57     INFO - GECKO(1572) |     #41 0x7ff9cd2602a3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5554:21
[task 2021-12-01T13:41:57.951Z] 13:41:57     INFO - GECKO(1572) |     #42 0x55e2dc19904c in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
[task 2021-12-01T13:41:57.952Z] 13:41:57     INFO - GECKO(1572) |     #43 0x55e2dc19904c in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:395:16
[task 2021-12-01T13:41:57.955Z] 13:41:57     INFO - GECKO(1572) |     #44 0x7ff9e43deb96 in __libc_start_main /tmp/glibc/csu/../csu/libc-start.c:310

Sotaro, do you know who would be a good person to look into this?

Group: firefox-core-security → gfx-core-security
Severity: S4 → --
Component: Tabbed Browser → Widget: Gtk
Flags: needinfo?(sotaro.ikeda.g)
Priority: P5 → --
Product: Firefox → Core

That's a bug in widget code, will look at it.

Flags: needinfo?(sotaro.ikeda.g)
Assignee: nobody → stransky
Regressed by: 1737068
No longer regressed by: 1737068

Regressed by Bug 1737068.

When nsWindow is closed don't release mWindowSurface immediately but wait until next rendering cycle or when WindowSurfaceProvider is released.

Attachment #9255038 - Attachment is obsolete: true
Group: gfx-core-security → dom-core-security
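
The approach described in the comment above (keep the surface alive at window close, release it at the next rendering cycle or when the provider is destroyed), modelled as an added example. It is not the patch attached to this bug or any Gecko code; `Surface`, `SurfaceProvider`, `OnWindowClosed`, `StartDrawing` and `HasSurface` are hypothetical names.

```cpp
// Illustrative model only: names are hypothetical, this is not the Gecko patch.
// It shows a deferred, lock-protected release of a surface shared by two threads.
#include <memory>
#include <mutex>

struct Surface {                      // stands in for the shared-memory image
  explicit Surface(int* liveCount) : mLive(liveCount) { ++*mLive; }
  ~Surface() { --*mLive; }
  int* mLive;                         // counts live surfaces for the checks
};

class SurfaceProvider {
 public:
  explicit SurfaceProvider(int* liveCount) : mLiveCount(liveCount) {}

  // Main thread, on window close: only mark the surface stale. Destroying it
  // here could free memory the render thread is still reading.
  void OnWindowClosed() {
    std::lock_guard<std::mutex> lock(mMutex);
    mWindowClosed = true;
  }

  // Render thread, start of a rendering cycle. Returns true if drawing may
  // proceed; on a closed window it performs the postponed release instead.
  bool StartDrawing() {
    std::lock_guard<std::mutex> lock(mMutex);
    if (mWindowClosed) {
      mSurface.reset();               // release on the thread that uses it
      return false;
    }
    if (!mSurface) mSurface = std::make_unique<Surface>(mLiveCount);
    return true;
  }

  bool HasSurface() {
    std::lock_guard<std::mutex> lock(mMutex);
    return mSurface != nullptr;
  }
  // No explicit destructor: destroying the provider releases mSurface if no
  // further rendering cycle ran after the window was closed.

 private:
  std::mutex mMutex;                  // guards mSurface and mWindowClosed
  std::unique_ptr<Surface> mSurface;
  bool mWindowClosed = false;
  int* mLiveCount;
};
```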

Daniel, what's the protocol for landing this one?

Flags: needinfo?(dveditz)

(In reply to Martin Stránský [:stransky] (ni? me) from comment #4)

> Regressed by Bug 1737068.

I'm confused: you added this comment at the same time you removed bug 1737068 from the regression list? I'm assuming the removal was a mistake and putting it back. Please fix if that's wrong.

(In reply to Martin Stránský [:stransky] (ni? me) from comment #6)

> Daniel, what's the protocol for landing this one?

The "sec-approval required..." warning message just below the attachments above is a link to the general process. Adding the request (in the "Details" link on the attachment here, not in phabricator) populates a bunch of questions about risk vs. severity. Then you'd ask for beta uplift the same way, with a bunch of questions similarly trying to get at risk.

According to https://fx-trains.herokuapp.com/release/?version=beta the last beta build accepting uplifts is tomorrow, which means landing today (or maybe morning Dec 23 Europe time). The timing is tight, considering the two main approvers (Tom and I) are PTO now.

What are the consequences of letting this wait until Firefox 97? If it needs to ship in 96 and is a low-risk patch (looks it, mostly a bunch of cleanup that wasn't done before?) we could get it into the RC. We'd need to get approval from release management, and Dianna is handling 96.

Flags: needinfo?(dveditz) → needinfo?(dsmith)
Regressed by: 1737068
Has Regression Range: --- → yes
Keywords: regression

(In reply to Daniel Veditz [:dveditz] Out until January from comment #7)

> (In reply to Martin Stránský [:stransky] (ni? me) from comment #4)
>
> > Regressed by Bug 1737068.
>
> I'm confused: you added this comment at the same time you removed bug 1737068 from the regression list? I'm assuming the removal was a mistake and putting it back. Please fix if that's wrong.

That's correct, but I went through https://firefox-source-docs.mozilla.org/bug-mgmt/processes/security-approval.html and there's a request not to link it with non-security bugs, so I removed it.

> (In reply to Martin Stránský [:stransky] (ni? me) from comment #6)
>
> > Daniel, what's the protocol for landing this one?
>
> The "sec-approval required..." warning message just below the attachments above is a link to the general process. Adding the request (in the "Details" link on the attachment here, not in phabricator) populates a bunch of questions about risk vs. severity. Then you'd ask for beta uplift the same way, with a bunch of questions similarly trying to get at risk.

Okay, I'll file the sec-approval form. I didn't get that from the doc.

> According to https://fx-trains.herokuapp.com/release/?version=beta the last beta build accepting uplifts is tomorrow, which means landing today (or maybe morning Dec 23 Europe time). The timing is tight, considering the two main approvers (Tom and I) are PTO now.
>
> What are the consequences of letting this wait until Firefox 97? If it needs to ship in 96 and is a low-risk patch (looks it, mostly a bunch of cleanup that wasn't done before?) we could get it into the RC. We'd need to get approval from release management, and Dianna is handling 96.

It's a use after free, no idea how that can be exploitable, at least I don't have a reproducer for that. Will file the form.

Comment on attachment 9255208 [details]
Bug 1743821 [Linux] Sychronize mWindowSurface release r?lsalzman

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not easily. It requires knowledge about Linux rendering architecture / components. It's not obvious what causes the crash from the patch.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: This patch will be tested in our testsuite when we close any window. We don't have any special test / exploit for it.
Attachment #9255208 - Flags: sec-approval?

When we fixed similar patches in the past (various nsWindow/wayland crashes etc.) we didn't do backports to beta.

Also, I haven't seen such a crash in our testsuite (it may happen when you close a window while WebRender tries to paint to it), so I think the chance to see it/exploit it is low. We explicitly disable WebRender rendering during window close by nsBaseWidget::RevokeTransactionIdAllocator and we do that before we release underlying resources.

The sec-approval would have to be accepted as a low risk bug and it would have to land today in order to make it to beta. What are the consequences of letting this ride in 97?

Flags: needinfo?(dsmith) → needinfo?(stransky)

(In reply to Dianna Smith [:diannaS] from comment #11)

> The sec-approval would have to be accepted as a low risk bug and it would have to land today in order to make it to beta. What are the consequences of letting this ride in 97?

I don't see any consequences if we commit to 97 only as this one should not be exploitable.

Flags: needinfo?(stransky)

Comment on attachment 9255208 [details]
Bug 1743821 [Linux] Sychronize mWindowSurface release r?lsalzman

Approved to land and uplift

Attachment #9255208 - Flags: sec-approval?
Attachment #9255208 - Flags: sec-approval+
Attachment #9255208 - Flags: approval-mozilla-beta+
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(stransky)
Whiteboard: [sec-survey]
Group: dom-core-security → core-security-release
Regressions: 1750017
Flags: qe-verify-
Whiteboard: [sec-survey] → [sec-survey][post-critsmash-triage]
Flags: needinfo?(stransky)
Whiteboard: [sec-survey][post-critsmash-triage] → [sec-survey][post-critsmash-triage][adv-main97+r]
Group: core-security-release