Closed Bug 1793379 Opened 2 years ago Closed 2 years ago

AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash (via FontFaceImpl::SetDescriptor on worker thread)

Categories

(Core :: Layout: Text and Fonts, defect)

defect

Tracking

VERIFIED FIXED
108 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- wontfix
firefox106 --- wontfix
firefox107 + verified
firefox108 + verified

People

(Reporter: arminius, Assigned: aosmond)

References

(Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main107-])

Crash Data

Attachments

(3 files)

Attached file testcase.html (deleted) —

Testcase

<script>
// Worker script: each message constructs a FontFace, which runs
// FontFaceImpl::SetDescriptor on the worker thread (see the stacks below).
const code = `
  this.onmessage = () => {
    new FontFace("foo", "url('bar')");
  }
`;
const url  = URL.createObjectURL(new Blob([code], {type: "text/javascript"}));
// Two workers loading the same script, so two threads take the same path.
const w1 = new Worker(url);
const w2 = new Worker(url);
function go() {
  w1.postMessage(1);
  w2.postMessage(1);
}
</script>
<button onclick="go()">go</button>

(Doesn't necessarily need two workers to crash.)

Crash 1

AFAIU this is roughly what happens:

==1441165==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f0c7bb11691 bp 0x7f0c591f0a30 sp 0x7f0c591f0a30 T14)
==1441165==The signal is caused by a WRITE memory access.
==1441165==Hint: address points to the zero page.
    #0 0x7f0c7bb11691 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
    #1 0x7f0c7bb11691 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
    #2 0x7f0c78c6a489 in mozglue_static::panic_hook::h5e6e941c0b6f7b06 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
    #3 0x7f0c78c6a225 in core::ops::function::Fn::call::hd40b7d5858ce3fbf /builds/worker/fetches/rust/library/core/src/ops/function.rs:77:5
    #4 0x7f0c7961079c in std::panicking::rust_panic_with_hook::hf741e7da97ac32b1 gkrust.370d48c8-cgu.0
    #5 0x7f0c796235c1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h9699bbb97ca082c0 gkrust.370d48c8-cgu.0
    #6 0x7f0c79623535 in std::sys_common::backtrace::__rust_end_short_backtrace::hd983e22c717e2a19 gkrust.370d48c8-cgu.0
    #7 0x7f0c79610261 in rust_begin_unwind gkrust.370d48c8-cgu.0
    #8 0x7f0c681751b1 in core::panicking::panic_fmt::hfaf555757b631db9 gkrust.370d48c8-cgu.0
    #9 0x7f0c79b083e5 in core::panicking::panic_display::hb8adc992209306e2 /builds/worker/fetches/rust/library/core/src/panicking.rs:72:5
    #10 0x7f0c79db56e2 in atomic_refcell::AtomicRefCell$LT$T$GT$::borrow_mut::h6483bfcf0b9b7aac /builds/worker/checkouts/gecko/third_party/rust/atomic_refcell/src/lib.rs:151:23
    #11 0x7f0c79db56e2 in style::shared_lock::SharedRwLock::write::ha6246510b7ebe5f3 /builds/worker/checkouts/gecko/servo/components/style/shared_lock.rs:137:32
    #12 0x7f0c78738565 in geckoservo::glue::write_locked_arc::hdb0372424bb6ee8f /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:2099:21
    #13 0x7f0c78738565 in Servo_FontFaceRule_SetDescriptor /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:3373:5
    #14 0x7f0c717c8a92 in mozilla::dom::FontFaceImpl::SetDescriptor(nsCSSFontDesc, nsTSubstring<char> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:415:8
    #15 0x7f0c717c6108 in operator() /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:442:5
    #16 0x7f0c717c6108 in mozilla::dom::FontFaceImpl::SetDescriptors(nsTSubstring<char> const&, mozilla::dom::FontFaceDescriptors const&) /builds/worker/checkouts/gecko/layout/style/FontFaceImpl.cpp:448:8
    #17 0x7f0c717c5bab in mozilla::dom::FontFace::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char> const&, mozilla::dom::UTF8StringOrArrayBufferOrArrayBufferView const&, mozilla::dom::FontFaceDescriptors const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/layout/style/FontFace.cpp:123:20
    #18 0x7f0c6dc7bd4e in mozilla::dom::FontFace_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FontFaceBinding.cpp:2268:54
    #19 0x7f0c77cb7307 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #20 0x7f0c77cb7307 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:8
    #21 0x7f0c77cb7307 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:694:10
    #22 0x7f0c77ca336e in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3360:16
    #23 0x7f0c77c889ce in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #24 0x7f0c77cb4b35 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:579:13
    #25 0x7f0c77cb65de in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:614:10
    #26 0x7f0c77cb65de in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:646:8
    #27 0x7f0c766051c5 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #28 0x7f0c6db41cef in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:65:37
    #29 0x7f0c6e945d53 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:82:12
    #30 0x7f0c6e9442c8 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #31 0x7f0c6e90b1a8 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1316:22
    #32 0x7f0c6e90c712 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1506:17
    #33 0x7f0c6e8fa87e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:348:17
    #34 0x7f0c6e8f90e1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:550:16
    #35 0x7f0c6e8fd2c5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1119:11
    #36 0x7f0c6e902c11 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #37 0x7f0c6e8abf1d in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/events/DOMEventTargetHelper.cpp:176:17
    #38 0x7f0c6e919a83 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:180:13
    #39 0x7f0c709bfe3c in mozilla::dom::MessageEventRunnable::DispatchDOMEvent(JSContext*, mozilla::dom::WorkerPrivate*, mozilla::DOMEventTargetHelper*, bool) /builds/worker/checkouts/gecko/dom/workers/MessageEventRunnable.cpp:104:12
    #40 0x7f0c70a2ac4e in mozilla::dom::WorkerRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377:12
    #41 0x7f0c69210a6e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #42 0x7f0c6921a6c4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #43 0x7f0c70a12cac in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3205:7
    #44 0x7f0c709e993e in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2042:42
    #45 0x7f0c69210a6e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
    #46 0x7f0c6921a6c4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #47 0x7f0c6a827be8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #48 0x7f0c6a6c42a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #49 0x7f0c6a6c42a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #50 0x7f0c6a6c42a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #51 0x7f0c69207bc4 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
    #52 0x7f0c8acd7c0e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #53 0x7f0c8b47f74c  (/usr/lib/libc.so.6+0x8674c) (BuildId: 26c81e7e05ebaf40bac3523b7d76be0cd71fad82)
    #54 0x7f0c8b5016ff  (/usr/lib/libc.so.6+0x1086ff) (BuildId: 26c81e7e05ebaf40bac3523b7d76be0cd71fad82)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
Thread T14 created by T0 (Isolated Web Co) here:
    #0 0x55a7aaedd6fc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f0c8acc7cbc in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f0c8acb905e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f0c6920ab45 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:618:18
    #4 0x7f0c70a395fa in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7f0c709c4a65 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1323:37
    #6 0x7f0c709c3b8e in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1205:19
    #7 0x7f0c70a0d117 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2588:24
    #8 0x7f0c709d40e5 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43:41
    #9 0x7f0c6d7a4124 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52
    #10 0x7f0c77cb7307 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #11 0x7f0c77cb7307 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:8
    #12 0x7f0c77cb7307 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:694:10
    #13 0x7f0c77ca336e in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3360:16
    #14 0x7f0c77c889ce in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #15 0x7f0c77cb8695 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:825:13
    #16 0x7f0c766343f3 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:467:10
    #17 0x7f0c766346fd in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:491:10
    #18 0x7f0c6c0c0a8a in mozilla::dom::JSExecutionContext::ExecScript() /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:241:8
    #19 0x7f0c70e93487 in mozilla::dom::ExecuteCompiledScript(JSContext*, mozilla::dom::JSExecutionContext&, JS::loader::ClassicScript*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2136:16
    #20 0x7f0c70e9169e in mozilla::dom::ScriptLoader::EvaluateScript(nsIGlobalObject*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2401:12
    #21 0x7f0c70e8ffbf in mozilla::dom::ScriptLoader::EvaluateScriptElement(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2205:10
    #22 0x7f0c70e89eb5 in mozilla::dom::ScriptLoader::ProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1855:10
    #23 0x7f0c70e87282 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, JS::loader::ScriptKind) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1261:10
    #24 0x7f0c70e78a2c in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:902:10
    #25 0x7f0c70e780ea in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:118:18
    #26 0x7f0c6afb816e in nsIScriptElement::AttemptToExecute() /builds/worker/workspace/obj-build/dist/include/nsIScriptElement.h:221:18
    #27 0x7f0c6afb6fd1 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:942:22
    #28 0x7f0c6afb616a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:733:7
    #29 0x7f0c6afbd157 in nsHtml5ExecutorFlusher::Run() /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174:18
    #30 0x7f0c691db51f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #31 0x7f0c6922e7e2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
    #32 0x7f0c691eeeed in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
    #33 0x7f0c691ec058 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
    #34 0x7f0c691ec780 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
    #35 0x7f0c69237811 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
    #36 0x7f0c69237811 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #37 0x7f0c69210247 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
    #38 0x7f0c6921a6c4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #39 0x7f0c6a826a38 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #40 0x7f0c6a6c42a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #41 0x7f0c6a6c42a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #42 0x7f0c6a6c42a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #43 0x7f0c7130d887 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
    #44 0x7f0c76196c37 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
    #45 0x7f0c6a6c42a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #46 0x7f0c6a6c42a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #47 0x7f0c6a6c42a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #48 0x7f0c76195b5c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
    #49 0x55a7aaf31825 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #50 0x55a7aaf31c77 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #51 0x7f0c8b41c28f  (/usr/lib/libc.so.6+0x2328f) (BuildId: 26c81e7e05ebaf40bac3523b7d76be0cd71fad82)

==1441165==ABORTING

Crash 2

The crash may also happen when Servo_TraverseSubtree fails to acquire the lock here.

==1460746==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f5bfef11691 bp 0x7ffea8323890 sp 0x7ffea8323890 T0)
==1460746==The signal is caused by a WRITE memory access.
==1460746==Hint: address points to the zero page.
    #0 0x7f5bfef11691 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3
    #1 0x7f5bfef11691 in RustMozCrash /builds/worker/checkouts/gecko/mozglue/static/rust/wrappers.cpp:18:3
    #2 0x7f5bfc06a489 in mozglue_static::panic_hook::h5e6e941c0b6f7b06 /builds/worker/checkouts/gecko/mozglue/static/rust/lib.rs:91:9
    #3 0x7f5bfc06a225 in core::ops::function::Fn::call::hd40b7d5858ce3fbf /builds/worker/fetches/rust/library/core/src/ops/function.rs:77:5
    #4 0x7f5bfca1079c in std::panicking::rust_panic_with_hook::hf741e7da97ac32b1 gkrust.370d48c8-cgu.0
    #5 0x7f5bfca235c1 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::h9699bbb97ca082c0 gkrust.370d48c8-cgu.0
    #6 0x7f5bfca23535 in std::sys_common::backtrace::__rust_end_short_backtrace::hd983e22c717e2a19 gkrust.370d48c8-cgu.0
    #7 0x7f5bfca10261 in rust_begin_unwind gkrust.370d48c8-cgu.0
    #8 0x7f5beb5751b1 in core::panicking::panic_fmt::hfaf555757b631db9 gkrust.370d48c8-cgu.0
    #9 0x7f5bfcf083e5 in core::panicking::panic_display::hb8adc992209306e2 /builds/worker/fetches/rust/library/core/src/panicking.rs:72:5
    #10 0x7f5bfd1b5509 in atomic_refcell::AtomicRefCell$LT$T$GT$::borrow::h150b37351ff04c53 /builds/worker/checkouts/gecko/third_party/rust/atomic_refcell/src/lib.rs:126:23
    #11 0x7f5bfd1b5509 in style::shared_lock::SharedRwLock::read::_$u7b$$u7b$closure$u7d$$u7d$::h1ef21b88aea1cc01 /builds/worker/checkouts/gecko/servo/components/style/shared_lock.rs:124:61
    #12 0x7f5bfd1b5509 in core::option::Option$LT$T$GT$::map::ha895be4ef34ad6dd /builds/worker/fetches/rust/library/core/src/option.rs:929:29
    #13 0x7f5bfd1b5509 in style::shared_lock::SharedRwLock::read::h4d482f6f6dad4a8f /builds/worker/checkouts/gecko/servo/components/style/shared_lock.rs:124:31
    #14 0x7f5bfb9a1381 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:315:17
    #15 0x7f5bf4c501cf in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:774:9
    #16 0x7f5bf4dac4eb in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3108:20
    #17 0x7f5bf4d74086 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3245:3
    #18 0x7f5bf4d72bef in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4380:39
    #19 0x7f5bf4cf96d2 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2563:22
    #20 0x7f5bf4d1b645 in operator() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1769:25
    #21 0x7f5bf4d1b645 in mozilla::detail::RunnableFunction<nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags)::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #22 0x7f5bec62e7e2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
    #23 0x7f5bec5eeeed in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
    #24 0x7f5bec5ec058 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
    #25 0x7f5bec5ec780 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
    #26 0x7f5bec637811 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
    #27 0x7f5bec637811 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #28 0x7f5bec610247 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
    #29 0x7f5bec61a6c4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
    #30 0x7f5bedc26a38 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #31 0x7f5bedac42a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #32 0x7f5bedac42a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #33 0x7f5bedac42a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #34 0x7f5bf470d887 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
    #35 0x7f5bf9596c37 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
    #36 0x7f5bedac42a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #37 0x7f5bedac42a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #38 0x7f5bedac42a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #39 0x7f5bf9595b5c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
    #40 0x55e391944825 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #41 0x55e391944c77 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #42 0x7f5c0e63c28f  (/usr/lib/libc.so.6+0x2328f) (BuildId: 26c81e7e05ebaf40bac3523b7d76be0cd71fad82)
    #43 0x7f5c0e63c349 in __libc_start_main (/usr/lib/libc.so.6+0x23349) (BuildId: 26c81e7e05ebaf40bac3523b7d76be0cd71fad82)
    #44 0x55e391884c80 in _start (/m-c-20220930214439-asan-opt/firefox+0x75c80) (BuildId: 299d2569dc538e4ecc6eab756f7d0eca461536c7)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:261:3 in MOZ_Crash
==1460746==ABORTING
Flags: sec-bounty?

Crashes in opt builds, too (as expected: it's not really an ASAN crash, ASAN is detecting a Rust panic)
bp-c1ce121b-2a04-49a0-b281-add530221003

Group: core-security → layout-core-security
Crash Signature: [@ atomic_refcell::AtomicRefCell<T>::borrow_mut ]
Keywords: crash, testcase

Crash reason for the crash in comment 1 is "already mutably borrowed". I saw a similar looking crash on beta.

It sounds like this is Rust's safety kicking in and doing what it is supposed to do, so I'll mark it sec-other, but leave it hidden because it sounds like a manifestation of other font worker UAFs we have.

Keywords: sec-other

I found some similar-looking crashes on 105 with a slightly different signature. bp-245cc126-c40f-46fe-a355-1da440220928

Crash Signature: [@ atomic_refcell::AtomicRefCell<T>::borrow_mut ] → [@ atomic_refcell::AtomicRefCell<T>::borrow_mut ] [@ style::shared_lock::SharedRwLock::write ]

I can reproduce this crash with the attached testcase back as far as layout.css.font-loading-api.workers.enabled has been default-enabled, and a few days earlier if I explicitly enable that pref. I can repro a crash in regular mozregression-launched Nightly (no ASAN needed), including today's Nightly, 107.0a1 (2022-10-06).

I used mozregression to get a regression range (with the aforementioned pref explicitly enabled). The range just has the commits for Bug 1072107:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=ed78195edff98cf3f3c691f891ef3e744e5e6112&tochange=7eecad7fdee1d234f2d4d77e4b7cedfbe62ed7c6

"Part 9. Expose FontFaceSet on workers" is probably the relevant change that makes this testable, given that this is what the testcase is using (FontFace on Workers). Before this regression range, the testcase just throws JS error ReferenceError: FontFace is not defined.

So: this seems to have been broken when the relevant feature (FontFace access on workers) was added in bug 1072107.

aosmond, do you have cycles to take a look?

Flags: needinfo?(aosmond)

Here's a variant on the testcase, with the two workers getting slightly-different code & with some logging added, in case it makes it slightly easier to follow what's going on when debugging.

This doesn't crash 100% of the time in a debug build, but it often does (potentially after a bit of a wait; it uses setInterval to try again until we crash). I captured a crash with this testcase in rr and am submitting it to pernosco.

More specifically -- here's that pernosco trace, seeked to the moment that we print Hit MOZ_CRASH(already mutably borrowed) which I think is the relevant fatal thing here:
https://pernos.co/debug/lyaC-EBVo6jUoeuqzR_XlA/index.html#f{m[BViB,AA_,t[xw,ApL+_,f{e[BViA,BUqH_,s{af+UxmWAA,bCxs,uHxADYA,oHxALVg___/

Setting Regressed by field after analyzing regression range found by mozregression in comment #5.

Keywords: regression
Regressed by: 1072107

Set release status flags based on info from the regressing bug 1072107

Flags: needinfo?(emilio)

This is happening because I clearly did not understand the thread safety guarantees of:
https://searchfox.org/mozilla-central/rev/e94c6cb9649bfe4e6a3888460f41bcd4fe30a6ca/servo/ports/geckolib/glue.rs#2096

Presumably because of main thread / servo thread interaction guarantees, we were able to get away with Arc<AtomicRefCell>> when we probably need something like Arc<RwLock>> in conjunction with workers. It works most of the time, because most of the time we aren't doing a lot of simultaneous font interaction on workers in the same content process.

Emilio, what are our options here? Can we switch to RwLock without a punishing amount of overhead? Alternatively, can the worker thread synchronize another way to provide the same guarantees that exist today?
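The conflict described in the comment above, as an added example that is not part of this bug or of mozilla-central: a constructed stand-in for the borrow flag of atomic_refcell::AtomicRefCell (the names AtomicBorrowCell, try_borrow and try_borrow_mut are this example's own, not the crate's API, and it returns an error where the real crate panics with "already mutably borrowed") shows that a second thread borrowing while another thread's borrow is live is refused on the spot, which is the MOZ_CRASH in both stacks. A std::sync::RwLock in the same position makes the conflicting writer wait instead, which is the trade-off behind the overhead question.

```rust
use std::cell::UnsafeCell;
use std::ops::{Deref, DerefMut};
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::{Arc, RwLock};
use std::thread;

// Constructed stand-in for the borrow discipline of atomic_refcell::AtomicRefCell
// (not the crate itself): one atomic word counts live shared borrows, or holds
// WRITING for an exclusive one. A conflicting borrow is never waited for; the real
// crate panics ("already mutably borrowed"). Here a conflict comes back as Err.
const FREE: usize = 0;
const WRITING: usize = usize::MAX;

pub struct AtomicBorrowCell<T> {
    state: AtomicUsize,
    value: UnsafeCell<T>,
}
// Safety: `value` is only reached through guards that hold the borrow state.
unsafe impl<T: Send + Sync> Sync for AtomicBorrowCell<T> {}

#[derive(Debug, PartialEq)]
pub struct BorrowConflict;
pub struct ReadGuard<'a, T>(&'a AtomicBorrowCell<T>);
pub struct WriteGuard<'a, T>(&'a AtomicBorrowCell<T>);

impl<T> AtomicBorrowCell<T> {
    pub fn new(value: T) -> Self {
        Self { state: AtomicUsize::new(FREE), value: UnsafeCell::new(value) }
    }
    // Shared borrow (the SharedRwLock::read side of crash 2): fails while a writer is live.
    pub fn try_borrow(&self) -> Result<ReadGuard<'_, T>, BorrowConflict> {
        let mut cur = self.state.load(Ordering::Relaxed);
        loop {
            if cur == WRITING {
                return Err(BorrowConflict);
            }
            match self.state.compare_exchange_weak(cur, cur + 1, Ordering::Acquire, Ordering::Relaxed) {
                Ok(_) => return Ok(ReadGuard(self)),
                Err(seen) => cur = seen,
            }
        }
    }
    // Exclusive borrow (the SharedRwLock::write side of crash 1): fails unless the cell is free.
    pub fn try_borrow_mut(&self) -> Result<WriteGuard<'_, T>, BorrowConflict> {
        self.state
            .compare_exchange(FREE, WRITING, Ordering::Acquire, Ordering::Relaxed)
            .map(|_| WriteGuard(self))
            .map_err(|_| BorrowConflict)
    }
}
impl<T> Drop for ReadGuard<'_, T> { fn drop(&mut self) { self.0.state.fetch_sub(1, Ordering::Release); } }
impl<T> Drop for WriteGuard<'_, T> { fn drop(&mut self) { self.0.state.store(FREE, Ordering::Release); } }
impl<T> Deref for ReadGuard<'_, T> {
    type Target = T;
    fn deref(&self) -> &T { unsafe { &*self.0.value.get() } }
}
impl<T> Deref for WriteGuard<'_, T> {
    type Target = T;
    fn deref(&self) -> &T { unsafe { &*self.0.value.get() } }
}
impl<T> DerefMut for WriteGuard<'_, T> {
    fn deref_mut(&mut self) -> &mut T { unsafe { &mut *self.0.value.get() } }
}

// One thread holds an exclusive borrow (think: the main thread) while a second
// thread (think: a worker inside FontFaceImpl::SetDescriptor) tries to borrow.
// Returns (worker read conflicted, worker write conflicted, cell usable again
// once the first borrow is dropped).
pub fn cross_thread_borrow_conflicts() -> (bool, bool, bool) {
    let cell = Arc::new(AtomicBorrowCell::new(0u32));
    let mut held = cell.try_borrow_mut().expect("a fresh cell is free");
    *held = 7;
    let worker_cell = Arc::clone(&cell);
    let worker = thread::spawn(move || {
        let read_conflict = worker_cell.try_borrow().is_err();
        let write_conflict = worker_cell.try_borrow_mut().is_err();
        (read_conflict, write_conflict)
    });
    let (read_conflict, write_conflict) = worker.join().expect("worker thread panicked");
    drop(held);
    let usable = cell.try_borrow().map(|g| *g == 7).unwrap_or(false);
    (read_conflict, write_conflict, usable)
}

// Same shape with std::sync::RwLock, the alternative raised in the comment above:
// a conflicting writer blocks until the lock is free instead of failing, so
// `threads` workers doing `increments` writes each always total threads*increments.
pub fn rwlock_serialises_writers(threads: usize, increments: usize) -> u64 {
    let shared = Arc::new(RwLock::new(0u64));
    let workers: Vec<_> = (0..threads).map(|_| {
        let s = Arc::clone(&shared);
        thread::spawn(move || { for _ in 0..increments { *s.write().unwrap() += 1; } })
    }).collect();
    for w in workers { w.join().expect("writer thread panicked"); }
    let total = *shared.read().unwrap(); // guard dropped here, before `shared`
    total
}
```

The first function is deterministic because the main thread keeps its exclusive borrow alive until the worker has reported back; the real bug needs a timing race for the same two borrows to overlap, which is why the comment above notes it "works most of the time". The second shows what switching the shared state to an RwLock buys: the worker is paused rather than the process crashed, at the cost of blocking on every contended write.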

Set release status flags based on info from the regressing bug 1072107

Emilio and I discussed this offline. I'll put together a patch to fix this.

Assignee: nobody → aosmond
Flags: needinfo?(emilio)
Flags: needinfo?(aosmond)
Attached file Bug 1793379. (deleted) —

Comment on attachment 9299133 [details]
Bug 1793379.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I believe with great difficulty, if at all. The problem itself should be obvious based on the patch, but it panics if there is a thread conflict, so I'm not sure it is exploitable.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: Bug 1779009
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: It should apply cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions, it is a very surgical change. It does require bug 1793127 to land with it.
  • Is Android affected?: Yes
Attachment #9299133 - Flags: sec-approval?

Comment on attachment 9299133 [details]
Bug 1793379.

Approved to land and request uplift

Attachment #9299133 - Flags: sec-approval? → sec-approval+
Regressed by: 1779009
No longer regressed by: 1072107
Crash Signature: [@ atomic_refcell::AtomicRefCell<T>::borrow_mut ] [@ style::shared_lock::SharedRwLock::write ] → [@ atomic_refcell::AtomicRefCell<T>::borrow_mut ] [@ atomic_refcell::AtomicRefCell<T>::borrow ] [@ style::shared_lock::SharedRwLock::write ] [@ style::shared_lock::SharedRwLock::read ]
Blocks: 1793127
Flags: sec-bounty? → sec-bounty-
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch

The patch landed in nightly and beta is affected.
:aosmond, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox107 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(aosmond)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Flags: qe-verify- → qe-verify+

Comment on attachment 9299133 [details]
Bug 1793379.

Beta/Release Uplift Approval Request

  • User impact if declined: Low volume crash, sec issue
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: Bug 1793127
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Unlikely to cause regressions, it is a very surgical change.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(aosmond)
Attachment #9299133 - Flags: approval-mozilla-beta?

Reproduced the issue on 107.0b7 using the 2 attached TestCases.

Issue is verified fixed on 108.0a1 from 1st of November 2022.

Comment on attachment 9299133 [details]
Bug 1793379.

Approved for 107.0b8.

Attachment #9299133 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Confirmed verified fixed in 107.0b8.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main107-]
Group: core-security-release