Closed Bug 1469486 Opened 6 years ago Closed 6 years ago

Intermittent: AddressSanitizer: heap-use-after-free z:\build\build\src\gfx\cairo\cairo\src\cairo-region.c:377 in _moz_cairo_region_destroy

Categories

(Core :: Graphics, defect)

Not set
normal

Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 63+ fixed
firefox62 --- wontfix
firefox63 + fixed
firefox64 + fixed

People

(Reporter: RaulG, Assigned: rhunt)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, intermittent-failure, sec-high, Whiteboard: [post-critsmash-triage][adv-main63+][adv-esr60.3+])

Attachments

(1 file)

https://treeherder.mozilla.org/logviewer.html#?job_id=183705434&repo=mozilla-central&lineNumber=2615

23:11:07     INFO -  GECKO(2104) | MEMORY STAT | vsize 17303946MB | vsizeMaxContiguous 114169929MB | residentFast 1426MB
23:11:07     INFO -  777 INFO TEST-OK | browser/base/content/test/urlbar/browser_page_action_menu.js | took 21323ms
23:11:07     INFO -  778 INFO checking window state
23:11:07     INFO -  779 INFO TEST-START | browser/base/content/test/urlbar/browser_page_action_menu_add_search_engine.js
23:11:08     INFO -  GECKO(2104) | JavaScript error: resource:///modules/PageStyleHandler.jsm, line 55: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDocShell.tabChild]
23:11:12     INFO -  GECKO(2104) | JavaScript error: resource:///modules/PageStyleHandler.jsm, line 55: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDocShell.tabChild]
23:11:19     INFO -  GECKO(2104) | =================================================================
23:11:19    ERROR -  GECKO(2104) | ==2104==ERROR: AddressSanitizer: heap-use-after-free on address 0x129bc078f570 at pc 0x7ff985b16b08 bp 0x00ca939f8db0 sp 0x00ca939f8df8
Can't help but think that this is tied to bug 1467363.
Group: core-security → gfx-core-security
See Also: → 1467363
Yeah, the stack also has widget stuff in it.
This issue is still active in automation. Seen on autoland:

https://treeherder.mozilla.org/logviewer.html#?job_id=183705434&repo=mozilla-central&lineNumber=2615

23:11:07     INFO -  777 INFO TEST-OK | browser/base/content/test/urlbar/browser_page_action_menu.js | took 21323ms
23:11:07     INFO -  778 INFO checking window state
23:11:07     INFO -  779 INFO TEST-START | browser/base/content/test/urlbar/browser_page_action_menu_add_search_engine.js
23:11:08     INFO -  GECKO(2104) | JavaScript error: resource:///modules/PageStyleHandler.jsm, line 55: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDocShell.tabChild]
23:11:12     INFO -  GECKO(2104) | JavaScript error: resource:///modules/PageStyleHandler.jsm, line 55: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDocShell.tabChild]
23:11:19     INFO -  GECKO(2104) | =================================================================
23:11:19    ERROR -  GECKO(2104) | ==2104==ERROR: AddressSanitizer: heap-use-after-free on address 0x129bc078f570 at pc 0x7ff985b16b08 bp 0x00ca939f8db0 sp 0x00ca939f8df8
23:11:19     INFO -  GECKO(2104) | READ of size 4 at 0x129bc078f570 thread T0
23:11:19     INFO -  GECKO(2104) |     #0 0x7ff985b16b07 in _moz_cairo_region_destroy z:\build\build\src\gfx\cairo\cairo\src\cairo-region.c:377
23:11:19     INFO -  GECKO(2104) |     #1 0x7ff985a94784 in _cairo_win32_surface_fill_rectangles z:\build\build\src\gfx\cairo\cairo\src\cairo-win32-surface.c:1691
23:11:19     INFO -  GECKO(2104) |     #2 0x7ff985b40477 in _cairo_surface_fill_rectangles z:\build\build\src\gfx\cairo\cairo\src\cairo-surface.c:2045
23:11:19     INFO -  GECKO(2104) |     #3 0x7ff985b48331 in _cairo_surface_fill_region z:\build\build\src\gfx\cairo\cairo\src\cairo-surface.c:2002
23:11:19     INFO -  GECKO(2104) |     #4 0x7ff985a8c7d0 in _clip_and_composite_trapezoids z:\build\build\src\gfx\cairo\cairo\src\cairo-win32-surface.c:3260
23:11:19     INFO -  GECKO(2104) |     #5 0x7ff985a8b866 in _cairo_win32_surface_fallback_paint z:\build\build\src\gfx\cairo\cairo\src\cairo-win32-surface.c:3533
23:11:19     INFO -  GECKO(2104) |     #6 0x7ff985b3e62a in _cairo_surface_paint z:\build\build\src\gfx\cairo\cairo\src\cairo-surface.c:2110
23:11:19     INFO -  GECKO(2104) |     #7 0x7ff985ab71be in _cairo_gstate_fill z:\build\build\src\gfx\cairo\cairo\src\cairo-gstate.c:1285
23:11:19     INFO -  GECKO(2104) |     #8 0x7ff985b65be6 in _moz_cairo_fill z:\build\build\src\gfx\cairo\cairo\src\cairo.c:2449
23:11:19     INFO -  GECKO(2104) |     #9 0x7ff97cd09072 in mozilla::gfx::DrawTargetCairo::ClearRect(struct mozilla::gfx::RectTyped<struct mozilla::gfx::UnknownUnits,float> const &) z:\build\build\src\gfx\2d\DrawTargetCairo.cpp:1208
23:11:19     INFO -  GECKO(2104) |     #10 0x7ff98376324d in mozilla::widget::WinCompositorWidget::ClearTransparentWindow(void) z:\build\build\src\widget\windows\WinCompositorWidget.cpp:301
23:11:19     INFO -  GECKO(2104) |     #11 0x7ff9838bd46d in nsWindow::Show(bool) z:\build\build\src\widget\windows\nsWindow.cpp:1637
23:11:19     INFO -  GECKO(2104) |     #12 0x7ff9835caec1 in nsView::DoResetWidgetBounds(bool,bool) z:\build\build\src\view\nsView.cpp:342
23:11:19     INFO -  GECKO(2104) |     #13 0x7ff9835d88c7 in nsViewManager::ProcessPendingUpdatesForView(class nsView *,bool) z:\build\build\src\view\nsViewManager.cpp:399
23:11:19     INFO -  GECKO(2104) |     #14 0x7ff9835e0d86 in nsViewManager::UpdateWidgetGeometry(void) z:\build\build\src\view\nsViewManager.cpp:1117
23:11:19     INFO -  GECKO(2104) |     #15 0x7ff983ecb312 in mozilla::PresShell::DoFlushPendingNotifications(struct mozilla::ChangesToFlush) z:\build\build\src\layout\base\PresShell.cpp:4348
23:11:19     INFO -  GECKO(2104) |     #16 0x7ff983e4701e in nsRefreshDriver::Tick(__int64,class mozilla::TimeStamp) z:\build\build\src\layout\base\nsRefreshDriver.cpp:1923
23:11:19     INFO -  GECKO(2104) |     #17 0x7ff983e5a3ed in mozilla::RefreshDriverTimer::TickRefreshDrivers(__int64,class mozilla::TimeStamp,class nsTArray<class RefPtr<class nsRefreshDriver> > &) z:\build\build\src\layout\base\nsRefreshDriver.cpp:301
23:11:19     INFO -  GECKO(2104) |     #18 0x7ff983e59fdd in mozilla::RefreshDriverTimer::Tick(__int64,class mozilla::TimeStamp) z:\build\build\src\layout\base\nsRefreshDriver.cpp:320
23:11:19     INFO -  GECKO(2104) |     #19 0x7ff983e5e3a2 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(class mozilla::TimeStamp) z:\build\build\src\layout\base\nsRefreshDriver.cpp:760
23:11:19     INFO -  GECKO(2104) |     #20 0x7ff983e5d669 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(class mozilla::TimeStamp) z:\build\build\src\layout\base\nsRefreshDriver.cpp:673
23:11:19     INFO -  GECKO(2104) |     #21 0x7ff983e5da89 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run(void) z:\build\build\src\layout\base\nsRefreshDriver.cpp:519
23:11:19     INFO -  GECKO(2104) |     #22 0x7ff97a8cb466 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1059
23:11:19     INFO -  GECKO(2104) |     #23 0x7ff97a8ed52a in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:519
23:11:19     INFO -  GECKO(2104) |     #24 0x7ff97b8c5426 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\glue\MessagePump.cpp:125
23:11:19     INFO -  GECKO(2104) |     #25 0x7ff97b82872e in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
23:11:19     INFO -  GECKO(2104) |     #26 0x7ff97b8284b6 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:298
23:11:19     INFO -  GECKO(2104) |     #27 0x7ff9836bae1a in nsBaseAppShell::Run(void) z:\build\build\src\widget\nsBaseAppShell.cpp:157
23:11:19     INFO -  GECKO(2104) |     #28 0x7ff983841c87 in nsAppShell::Run(void) z:\build\build\src\widget\windows\nsAppShell.cpp:415
23:11:19     INFO -  GECKO(2104) |     #29 0x7ff987a478ee in nsAppStartup::Run(void) z:\build\build\src\toolkit\components\startup\nsAppStartup.cpp:290
23:11:19     INFO -  GECKO(2104) |     #30 0x7ff987cdafbc in XREMain::XRE_mainRun(void) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4746
23:11:19     INFO -  GECKO(2104) |     #31 0x7ff987ce06d4 in XREMain::XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4891
23:11:20     INFO -  GECKO(2104) |     #32 0x7ff987ce2be0 in XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4983
23:11:20     INFO -  GECKO(2104) |     #33 0x7ff771191e3d  (Z:\task_1529362687\build\application\firefox\firefox.exe+0x140001e3d)
23:11:20     INFO -  GECKO(2104) |     #34 0x7ff771191529  (Z:\task_1529362687\build\application\firefox\firefox.exe+0x140001529)
23:11:20     INFO -  GECKO(2104) |     #35 0x7ff77128ac87  (Z:\task_1529362687\build\application\firefox\firefox.exe+0x1400fac87)
23:11:20     INFO -  GECKO(2104) |     #36 0x7ff9af512773  (C:\Windows\System32\KERNEL32.DLL+0x180012773)
23:11:20     INFO -  GECKO(2104) |     #37 0x7ff9b1a40d60  (C:\Windows\SYSTEM32\ntdll.dll+0x180070d60)
23:11:20     INFO -  GECKO(2104) | 0x129bc078f570 is located 0 bytes inside of 32-byte region [0x129bc078f570,0x129bc078f590)
23:11:20     INFO -  GECKO(2104) | freed by thread T41 here:
23:11:20     INFO -  GECKO(2104) |     #0 0x7ff979cc2ce0  (Z:\task_1529362687\build\application\firefox\clang_rt.asan_dynamic-x86_64.dll+0x180032ce0)
23:11:20     INFO -  GECKO(2104) |     #1 0x7ff985a954a4 in _cairo_win32_surface_flush z:\build\build\src\gfx\cairo\cairo\src\cairo-win32-surface.c:1763
23:11:20     INFO -  GECKO(2104) |     #2 0x7ff985b46bc2 in _moz_cairo_surface_flush z:\build\build\src\gfx\cairo\cairo\src\cairo-surface.c:1117
23:11:20     INFO -  GECKO(2104) |     #3 0x7ff985b60ea2 in _moz_cairo_destroy z:\build\build\src\gfx\cairo\cairo\src\cairo.c:468
23:11:20     INFO -  GECKO(2104) |     #4 0x7ff97ccfd7a5 in mozilla::gfx::DrawTargetCairo::~DrawTargetCairo(void) z:\build\build\src\gfx\2d\DrawTargetCairo.cpp:615
23:11:20     INFO -  GECKO(2104) |     #5 0x7ff97cd9dfdf in mozilla::gfx::DrawTargetCairo::`scalar deleting destructor'(unsigned int) z:\build\build\src\gfx\2d\DrawTargetCairo.cpp:614
23:11:20     INFO -  GECKO(2104) |     #6 0x7ff97d464d99 in mozilla::layers::BasicCompositor::TryToEndRemoteDrawing(bool) z:\build\build\src\gfx\layers\basic\BasicCompositor.cpp:1060
23:11:20     INFO -  GECKO(2104) |     #7 0x7ff97d476c67 in mozilla::layers::BasicCompositor::EndFrame(void) z:\build\build\src\gfx\layers\basic\BasicCompositor.cpp:1015
23:11:20     INFO -  GECKO(2104) |     #8 0x7ff97d5c85b7 in mozilla::layers::LayerManagerComposite::Render(class mozilla::gfx::IntRegionTyped<struct mozilla::gfx::UnknownUnits> const &,class mozilla::gfx::IntRegionTyped<struct mozilla::gfx::UnknownUnits> const &) z:\build\build\src\gfx\layers\composite\LayerManagerComposite.cpp:995
23:11:20     INFO -  GECKO(2104) |     #9 0x7ff97d5c4c11 in mozilla::layers::LayerManagerComposite::UpdateAndRender(void) z:\build\build\src\gfx\layers\composite\LayerManagerComposite.cpp:534
23:11:20     INFO -  GECKO(2104) |     #10 0x7ff97d5c334c in mozilla::layers::LayerManagerComposite::EndTransaction(class mozilla::TimeStamp const &,enum mozilla::layers::LayerManager::EndTransactionFlags) z:\build\build\src\gfx\layers\composite\LayerManagerComposite.cpp:464
23:11:20     INFO -  GECKO(2104) |     #11 0x7ff97d67344f in mozilla::layers::CompositorBridgeParent::CompositeToTarget(class mozilla::gfx::DrawTarget *,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const *) z:\build\build\src\gfx\layers\ipc\CompositorBridgeParent.cpp:1068
23:11:20     INFO -  GECKO(2104) |     #12 0x7ff97d68f179 in mozilla::layers::CompositorVsyncScheduler::Composite(class mozilla::TimeStamp) z:\build\build\src\gfx\layers\ipc\CompositorVsyncScheduler.cpp:243
23:11:20     INFO -  GECKO(2104) |     #13 0x7ff97d6bc6f1 in mozilla::detail::RunnableMethodImpl<class mozilla::layers::CompositorVsyncScheduler *,void ( mozilla::layers::CompositorVsyncScheduler::*)(class mozilla::TimeStamp),1,1,class mozilla::TimeStamp>::Run(void) z:\build\build\src\obj-firefox\dist\include\nsThreadUtils.h:1216
23:11:20     INFO -  GECKO(2104) |     #14 0x7ff97b829983 in ?DeferOrRunPendingTask@MessageLoop@@IEAA_N$$QEAUPendingTask@1@@Z z:\build\build\src\ipc\chromium\src\base\message_loop.cc:459
23:11:20     INFO -  GECKO(2104) |     #15 0x7ff97b82b16e in MessageLoop::DoWork(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:534
23:11:20     INFO -  GECKO(2104) |     #16 0x7ff97b7fb752 in base::MessagePumpForUI::DoRunLoop(void) z:\build\build\src\ipc\chromium\src\base\message_pump_win.cc:210
23:11:20     INFO -  GECKO(2104) |     #17 0x7ff97b7fdba9 in base::MessagePumpWin::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\chromium\src\base\message_pump_win.h:80
23:11:20     INFO -  GECKO(2104) |     #18 0x7ff97b82872e in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
23:11:20     INFO -  GECKO(2104) |     #19 0x7ff97b838f25 in base::Thread::ThreadMain(void) z:\build\build\src\ipc\chromium\src\base\thread.cc:181
23:11:20     INFO -  GECKO(2104) |     #20 0x7ff97b7ff5bf in `anonymous namespace'::ThreadFunc z:\build\build\src\ipc\chromium\src\base\platform_thread_win.cc:28
23:11:20     INFO -  GECKO(2104) |     #21 0x7ff979ccd0b8  (Z:\task_1529362687\build\application\firefox\clang_rt.asan_dynamic-x86_64.dll+0x18003d0b8)
23:11:20     INFO -  GECKO(2104) |     #22 0x7ff9af512773  (C:\Windows\System32\KERNEL32.DLL+0x180012773)
23:11:20     INFO -  GECKO(2104) |     #23 0x7ff99c4d5441 in patched_BaseThreadInitThunk z:\build\build\src\mozglue\build\WindowsDllBlocklist.cpp:622
23:11:20     INFO -  GECKO(2104) |     #24 0x7ff9b1a40d60  (C:\Windows\SYSTEM32\ntdll.dll+0x180070d60)
23:11:20     INFO -  GECKO(2104) | previously allocated by thread T41 here:
23:11:20     INFO -  GECKO(2104) |     #0 0x7ff979cc2dd0  (Z:\task_1529362687\build\application\firefox\clang_rt.asan_dynamic-x86_64.dll+0x180032dd0)
23:11:20     INFO -  GECKO(2104) |     #1 0x7ff985aefdab in _moz_cairo_region_create_rectangles z:\build\build\src\gfx\cairo\cairo\src\cairo-region.c:233
23:11:20     INFO -  GECKO(2104) |     #2 0x7ff985b5502f in _cairo_traps_extract_region z:\build\build\src\gfx\cairo\cairo\src\cairo-traps.c:551
23:11:20     INFO -  GECKO(2104) |     #3 0x7ff985a8c194 in _clip_and_composite_trapezoids z:\build\build\src\gfx\cairo\cairo\src\cairo-win32-surface.c:3231
23:11:20     INFO -  GECKO(2104) |     #4 0x7ff985a90392 in _cairo_win32_surface_fallback_fill z:\build\build\src\gfx\cairo\cairo\src\cairo-win32-surface.c:3841
23:11:20     INFO -  GECKO(2104) |     #5 0x7ff985b382e6 in _cairo_surface_fill z:\build\build\src\gfx\cairo\cairo\src\cairo-surface.c:2352
23:11:20     INFO -  GECKO(2104) |     #6 0x7ff985ab712d in _cairo_gstate_fill z:\build\build\src\gfx\cairo\cairo\src\cairo-gstate.c:1290
23:11:20     INFO -  GECKO(2104) |     #7 0x7ff985b65be6 in _moz_cairo_fill z:\build\build\src\gfx\cairo\cairo\src\cairo.c:2449
23:11:20     INFO -  GECKO(2104) |     #8 0x7ff97cd073ce in mozilla::gfx::DrawTargetCairo::CopySurfaceInternal(struct _cairo_surface *,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &,struct mozilla::gfx::IntPointTyped<struct mozilla::gfx::UnknownUnits> const &) z:\build\build\src\gfx\2d\DrawTargetCairo.cpp:1123
23:11:20     INFO -  GECKO(2104) |     #9 0x7ff97cd07a87 in mozilla::gfx::DrawTargetCairo::CopySurface(class mozilla::gfx::SourceSurface *,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &,struct mozilla::gfx::IntPointTyped<struct mozilla::gfx::UnknownUnits> const &) z:\build\build\src\gfx\2d\DrawTargetCairo.cpp:1149
23:11:20     INFO -  GECKO(2104) |     #10 0x7ff97d464927 in mozilla::layers::BasicCompositor::TryToEndRemoteDrawing(bool) z:\build\build\src\gfx\layers\basic\BasicCompositor.cpp:1050
23:11:20     INFO -  GECKO(2104) |     #11 0x7ff97d476c67 in mozilla::layers::BasicCompositor::EndFrame(void) z:\build\build\src\gfx\layers\basic\BasicCompositor.cpp:1015
23:11:20     INFO -  GECKO(2104) |     #12 0x7ff97d5c85b7 in mozilla::layers::LayerManagerComposite::Render(class mozilla::gfx::IntRegionTyped<struct mozilla::gfx::UnknownUnits> const &,class mozilla::gfx::IntRegionTyped<struct mozilla::gfx::UnknownUnits> const &) z:\build\build\src\gfx\layers\composite\LayerManagerComposite.cpp:995
23:11:20     INFO -  GECKO(2104) |     #13 0x7ff97d5c4c11 in mozilla::layers::LayerManagerComposite::UpdateAndRender(void) z:\build\build\src\gfx\layers\composite\LayerManagerComposite.cpp:534
23:11:20     INFO -  GECKO(2104) |     #14 0x7ff97d5c334c in mozilla::layers::LayerManagerComposite::EndTransaction(class mozilla::TimeStamp const &,enum mozilla::layers::LayerManager::EndTransactionFlags) z:\build\build\src\gfx\layers\composite\LayerManagerComposite.cpp:464
23:11:20     INFO -  GECKO(2104) |     #15 0x7ff97d67344f in mozilla::layers::CompositorBridgeParent::CompositeToTarget(class mozilla::gfx::DrawTarget *,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const *) z:\build\build\src\gfx\layers\ipc\CompositorBridgeParent.cpp:1068
23:11:20     INFO -  GECKO(2104) |     #16 0x7ff97d68f179 in mozilla::layers::CompositorVsyncScheduler::Composite(class mozilla::TimeStamp) z:\build\build\src\gfx\layers\ipc\CompositorVsyncScheduler.cpp:243
23:11:20     INFO -  GECKO(2104) |     #17 0x7ff97d6bc6f1 in mozilla::detail::RunnableMethodImpl<class mozilla::layers::CompositorVsyncScheduler *,void ( mozilla::layers::CompositorVsyncScheduler::*)(class mozilla::TimeStamp),1,1,class mozilla::TimeStamp>::Run(void) z:\build\build\src\obj-firefox\dist\include\nsThreadUtils.h:1216
23:11:20     INFO -  GECKO(2104) |     #18 0x7ff97b829983 in ?DeferOrRunPendingTask@MessageLoop@@IEAA_N$$QEAUPendingTask@1@@Z z:\build\build\src\ipc\chromium\src\base\message_loop.cc:459
23:11:20     INFO -  GECKO(2104) |     #19 0x7ff97b82b16e in MessageLoop::DoWork(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:534
23:11:20     INFO -  GECKO(2104) |     #20 0x7ff97b7fb752 in base::MessagePumpForUI::DoRunLoop(void) z:\build\build\src\ipc\chromium\src\base\message_pump_win.cc:210
23:11:20     INFO -  GECKO(2104) |     #21 0x7ff97b7fdba9 in base::MessagePumpWin::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\chromium\src\base\message_pump_win.h:80
23:11:20     INFO -  GECKO(2104) |     #22 0x7ff97b82872e in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
23:11:20     INFO -  GECKO(2104) |     #23 0x7ff97b838f25 in base::Thread::ThreadMain(void) z:\build\build\src\ipc\chromium\src\base\thread.cc:181
23:11:20     INFO -  GECKO(2104) |     #24 0x7ff97b7ff5bf in `anonymous namespace'::ThreadFunc z:\build\build\src\ipc\chromium\src\base\platform_thread_win.cc:28
23:11:20     INFO -  GECKO(2104) |     #25 0x7ff979ccd0b8  (Z:\task_1529362687\build\application\firefox\clang_rt.asan_dynamic-x86_64.dll+0x18003d0b8)
23:11:20     INFO -  GECKO(2104) |     #26 0x7ff9af512773  (C:\Windows\System32\KERNEL32.DLL+0x180012773)
23:11:20     INFO -  GECKO(2104) |     #27 0x7ff99c4d5441 in patched_BaseThreadInitThunk z:\build\build\src\mozglue\build\WindowsDllBlocklist.cpp:622
23:11:20     INFO -  GECKO(2104) |     #28 0x7ff9b1a40d60  (C:\Windows\SYSTEM32\ntdll.dll+0x180070d60)
23:11:20     INFO -  GECKO(2104) | Thread T41 created by T0 here:
23:11:20     INFO -  GECKO(2104) |     #0 0x7ff979cce200  (Z:\task_1529362687\build\application\firefox\clang_rt.asan_dynamic-x86_64.dll+0x18003e200)
23:11:20     INFO -  GECKO(2104) |     #1 0x7ff97b7ff55f in PlatformThread::Create(unsigned __int64,class PlatformThread::Delegate *,void * *) z:\build\build\src\ipc\chromium\src\base\platform_thread_win.cc:86
23:11:20     INFO -  GECKO(2104) |     #2 0x7ff97b8387dc in base::Thread::StartWithOptions(struct base::Thread::Options const &) z:\build\build\src\ipc\chromium\src\base\thread.cc:99
23:11:20     INFO -  GECKO(2104) |     #3 0x7ff97d68d99c in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder(void) z:\build\build\src\gfx\layers\ipc\CompositorThread.cpp:53
23:11:20     INFO -  GECKO(2104) |     #4 0x7ff97d68dcd0 in mozilla::layers::CompositorThreadHolder::Start(void) z:\build\build\src\gfx\layers\ipc\CompositorThread.cpp:124
23:11:20     INFO -  GECKO(2104) |     #5 0x7ff97d76e93b in gfxPlatform::Init(void) z:\build\build\src\gfx\thebes\gfxPlatform.cpp:777
23:11:20     INFO -  GECKO(2104) |     #6 0x7ff97d76b8e3 in gfxPlatform::GetPlatform(void) z:\build\build\src\gfx\thebes\gfxPlatform.cpp:534
23:11:20     INFO -  GECKO(2104) |     #7 0x7ff983e3e80f in nsRefreshDriver::ChooseTimer(void)const  z:\build\build\src\layout\base\nsRefreshDriver.cpp:1110
23:11:20     INFO -  GECKO(2104) |     #8 0x7ff983e422cb in nsRefreshDriver::EnsureTimerStarted(enum nsRefreshDriver::EnsureTimerStartedFlags) z:\build\build\src\layout\base\nsRefreshDriver.cpp:1360
23:11:20     INFO -  GECKO(2104) |     #9 0x7ff983eaba16 in nsRefreshDriver::AddStyleFlushObserver(class nsIPresShell *) z:\build\build\src\layout\base\nsRefreshDriver.h:188
23:11:20     INFO -  GECKO(2104) |     #10 0x7ff9840823c4 in nsPresContext::CompatibilityModeChanged(void) z:\build\build\src\layout\base\nsPresContext.cpp:1182
23:11:20     INFO -  GECKO(2104) |     #11 0x7ff983ea571d in mozilla::PresShell::Init(class nsIDocument *,class nsPresContext *,class nsViewManager *,class mozilla::UniquePtr<class mozilla::ServoStyleSet,class mozilla::DefaultDelete<class mozilla::ServoStyleSet> >) z:\build\build\src\layout\base\PresShell.cpp:951
23:11:20     INFO -  GECKO(2104) |     #12 0x7ff97e187391 in nsIDocument::CreateShell(class nsPresContext *,class nsViewManager *,class mozilla::UniquePtr<class mozilla::ServoStyleSet,class mozilla::DefaultDelete<class mozilla::ServoStyleSet> >) z:\build\build\src\dom\base\nsDocument.cpp:3782
23:11:20     INFO -  GECKO(2104) |     #13 0x7ff983fc82af in nsDocumentViewer::InitPresentationStuff(bool) z:\build\build\src\layout\base\nsDocumentViewer.cpp:794
23:11:20     INFO -  GECKO(2104) |     #14 0x7ff983fc75db in nsDocumentViewer::InitInternal(class nsIWidget *,class nsISupports *,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &,bool,bool,bool) z:\build\build\src\layout\base\nsDocumentViewer.cpp:1044
23:11:20     INFO -  GECKO(2104) |     #15 0x7ff983fc6760 in nsDocumentViewer::Init(class nsIWidget *,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &) z:\build\build\src\layout\base\nsDocumentViewer.cpp:769
23:11:20     INFO -  GECKO(2104) |     #16 0x7ff9870d4d87 in nsDocShell::SetupNewViewer(class nsIContentViewer *) z:\build\build\src\docshell\base\nsDocShell.cpp:8969
23:11:20     INFO -  GECKO(2104) |     #17 0x7ff9870d3782 in nsDocShell::Embed(class nsIContentViewer *,char const *,class nsISupports *) z:\build\build\src\docshell\base\nsDocShell.cpp:6779
23:11:20     INFO -  GECKO(2104) |     #18 0x7ff9870e4aca in nsDocShell::CreateAboutBlankContentViewer(class nsIPrincipal *,class nsIURI *,bool,bool) z:\build\build\src\docshell\base\nsDocShell.cpp:7658
23:11:20     INFO -  GECKO(2104) |     #19 0x7ff9870e619a in nsDocShell::CreateAboutBlankContentViewer(class nsIPrincipal *) z:\build\build\src\docshell\base\nsDocShell.cpp:7683
23:11:20     INFO -  GECKO(2104) |     #20 0x7ff987174c30 in nsWebShellWindow::Initialize(class nsIXULWindow *,class nsIXULWindow *,class nsIURI *,int,int,bool,class nsITabParent *,class mozIDOMWindowProxy *,struct nsWidgetInitData &) z:\build\build\src\xpfe\appshell\nsWebShellWindow.cpp:233
23:11:20     INFO -  GECKO(2104) |     #21 0x7ff98716eb18 in nsAppShellService::JustCreateTopWindow(class nsIXULWindow *,class nsIURI *,unsigned int,int,int,bool,class nsITabParent *,class mozIDOMWindowProxy *,class nsWebShellWindow * *) z:\build\build\src\xpfe\appshell\nsAppShellService.cpp:736
23:11:20     INFO -  GECKO(2104) |     #22 0x7ff987170cac in nsAppShellService::CreateTopLevelWindow(class nsIXULWindow *,class nsIURI *,unsigned int,int,int,class nsITabParent *,class mozIDOMWindowProxy *,class nsIXULWindow * *) z:\build\build\src\xpfe\appshell\nsAppShellService.cpp:200
23:11:20     INFO -  GECKO(2104) |     #23 0x7ff987a4a1ef in nsAppStartup::CreateChromeWindow2(class nsIWebBrowserChrome *,unsigned int,class nsITabParent *,class mozIDOMWindowProxy *,unsigned __int64,bool *,class nsIWebBrowserChrome * *) z:\build\build\src\toolkit\components\startup\nsAppStartup.cpp:680
23:11:20     INFO -  GECKO(2104) |     #24 0x7ff987c36254 in nsWindowWatcher::CreateChromeWindow(class nsTSubstring<char> const &,class nsIWebBrowserChrome *,unsigned int,class nsITabParent *,class mozIDOMWindowProxy *,unsigned __int64,class nsIWebBrowserChrome * *) z:\build\build\src\toolkit\components\windowwatcher\nsWindowWatcher.cpp:467
23:11:20     INFO -  GECKO(2104) |     #25 0x7ff987c30fe8 in nsWindowWatcher::OpenWindowInternal(class mozIDOMWindowProxy *,char const *,char const *,char const *,bool,bool,bool,class nsIArray *,bool,bool,class nsIDocShellLoadInfo *,class mozIDOMWindowProxy * *) z:\build\build\src\toolkit\components\windowwatcher\nsWindowWatcher.cpp:938
23:11:20     INFO -  GECKO(2104) |     #26 0x7ff987c2c704 in nsWindowWatcher::OpenWindow(class mozIDOMWindowProxy *,char const *,char const *,char const *,class nsISupports *,class mozIDOMWindowProxy * *) z:\build\build\src\toolkit\components\windowwatcher\nsWindowWatcher.cpp:327
23:11:20     INFO -  GECKO(2104) |     #27 0x7ff98a4afa41 in XPTC__InvokebyIndex z:\build\build\src\xpcom\reflect\xptcall\md\win32\xptcinvoke_asm_x86_64.asm:97
23:11:20     INFO -  GECKO(2104) |     #28 0x7ff97c450062 in XPCWrappedNative::CallMethod(class XPCCallContext &,enum XPCWrappedNative::CallMode) z:\build\build\src\js\xpconnect\src\XPCWrappedNative.cpp:1186
23:11:20     INFO -  GECKO(2104) |     #29 0x7ff97c457329 in XPC_WN_CallMethod(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\js\xpconnect\src\XPCWrappedNativeJSOps.cpp:899
23:11:20     INFO -  GECKO(2104) |     #30 0x7ff9898549b2 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:471
23:11:20     INFO -  GECKO(2104) |     #31 0x7ff989856095 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:520
23:11:20     INFO -  GECKO(2104) |     #32 0x7ff989839667 in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3122
23:11:20     INFO -  GECKO(2104) |     #33 0x7ff98981d850 in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:421
23:11:20     INFO -  GECKO(2104) |     #34 0x7ff989854fb4 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:493
23:11:20     INFO -  GECKO(2104) |     #35 0x7ff989856095 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:520
23:11:20     INFO -  GECKO(2104) |     #36 0x7ff9898562c6 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:539
23:11:20     INFO -  GECKO(2104) |     #37 0x7ff987ef361b in JS_CallFunctionValue(struct JSContext *,class JS::Handle<class JSObject *>,class JS::Handle<union JS::Value>,class JS::HandleValueArray const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\jsapi.cpp:2850
23:11:20     INFO -  GECKO(2104) |     #38 0x7ff97c43568f in nsXPCWrappedJSClass::CallMethod(class nsXPCWrappedJS *,unsigned short,struct nsXPTMethodInfo const *,struct nsXPTCMiniVariant *) z:\build\build\src\js\xpconnect\src\XPCWrappedJSClass.cpp:1123
23:11:20     INFO -  GECKO(2104) |     #39 0x7ff97c433323 in nsXPCWrappedJS::CallMethod(unsigned short,struct nsXPTMethodInfo const *,struct nsXPTCMiniVariant *) z:\build\build\src\js\xpconnect\src\XPCWrappedJS.cpp:611
23:11:20     INFO -  GECKO(2104) |     #40 0x7ff97a902e62 in PrepareAndDispatch z:\build\build\src\xpcom\reflect\xptcall\md\win32\xptcstubs_x86_64.cpp:173
23:11:20     INFO -  GECKO(2104) |     #41 0x7ff98a4afa98 in SharedStub z:\build\build\src\xpcom\reflect\xptcall\md\win32\xptcstubs_asm_x86_64.asm:57
23:11:20     INFO -  GECKO(2104) |     #42 0x7ff97a8677b7 in NS_CreateServicesFromCategory(char const *,class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\xpcom\components\nsCategoryManager.cpp:810
23:11:20     INFO -  GECKO(2104) |     #43 0x7ff987d11759 in nsXREDirProvider::DoStartup(void) z:\build\build\src\toolkit\xre\nsXREDirProvider.cpp:999
23:11:20     INFO -  GECKO(2104) |     #44 0x7ff987cda4cc in XREMain::XRE_mainRun(void) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4574
23:11:20     INFO -  GECKO(2104) |     #45 0x7ff987ce06d4 in XREMain::XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4891
23:11:20     INFO -  GECKO(2104) |     #46 0x7ff987ce2be0 in XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4983
23:11:20     INFO -  GECKO(2104) |     #47 0x7ff771191e3d  (Z:\task_1529362687\build\application\firefox\firefox.exe+0x140001e3d)
23:11:20     INFO -  GECKO(2104) |     #48 0x7ff771191529  (Z:\task_1529362687\build\application\firefox\firefox.exe+0x140001529)
23:11:20     INFO -  GECKO(2104) |     #49 0x7ff77128ac87  (Z:\task_1529362687\build\application\firefox\firefox.exe+0x1400fac87)
23:11:20     INFO -  GECKO(2104) |     #50 0x7ff9af512773  (C:\Windows\System32\KERNEL32.DLL+0x180012773)
23:11:20     INFO -  GECKO(2104) |     #51 0x7ff9b1a40d60  (C:\Windows\SYSTEM32\ntdll.dll+0x180070d60)
23:11:20     INFO -  GECKO(2104) | SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\gfx\cairo\cairo\src\cairo-region.c:377 in _moz_cairo_region_destroy
23:11:20     INFO -  GECKO(2104) | Shadow bytes around the buggy address:
23:11:20     INFO -  GECKO(2104) | ==2104==ABORTING
Ryan any thoughts on next steps here?
Flags: needinfo?(rhunt)
Sorry for spam, meant that for Lee.
Flags: needinfo?(rhunt) → needinfo?(lsalzman)
It looks like we have a race on the cairo surface owned by WinCompositorWidget for transparent windows.

The transparent surface creation and destruction is protected by mTransparentSurfaceLock, but it's also handed out in a draw target to the compositor by StartRemoteDrawing [1]. The compositor itself doesn't hold the transparent surface lock, so it's able to be reacquired by the main thread which can then also access the transparent surface [2].

This issue only affects the in-process compositor case. When we are using remote compositing, the transparency updates from the main thread are proxied to the compositor thread in the GPU process. The updates will then be on the same thread, eliminating this race.

I think the easiest solution here is to use the present lock (which is held while compositing) in these transparency update messages when we have an in process compositor.

[1] https://searchfox.org/mozilla-central/rev/6d1ab84b4b39fbfb9505d4399857239bc15202ef/widget/windows/WinCompositorWidget.cpp#88
[2] https://searchfox.org/mozilla-central/rev/6d1ab84b4b39fbfb9505d4399857239bc15202ef/widget/windows/WinCompositorWidget.h#88
Flags: needinfo?(lsalzman)
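The race described in the comment above, as an added model that is not Mozilla's code: the names ModelCompositorWidget, FakeSurface, FakeDrawTarget and RunScenario are hypothetical stand-ins for WinCompositorWidget, the cairo surface, the draw target returned by StartRemoteDrawing, and a test harness. Destroying the surface only sets a flag instead of freeing memory, so the "use after free" is observable and the program stays memory-safe; mTransparentSurfaceLock and the present lock keep the roles the comment gives them. RunScenario(false) reproduces the in-process interleaving (compositor obtains the draw target, main thread recreates the surface, compositor draws) and returns true because the compositor drew to a destroyed surface; RunScenario(true) applies the proposed fix, taking the present lock in the transparency update, and returns false.

```cpp
// Added illustration (not Mozilla code) of the WinCompositorWidget race and fix.
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>

// Stand-in for the cairo surface. A real cairo_surface_destroy() frees the
// allocation; here we only flag it so the model can observe the misuse safely.
struct FakeSurface {
    std::atomic<bool> destroyed{false};
};

// Stand-in for the draw target handed out by StartRemoteDrawing. It refers to
// the surface without holding any lock, which is what makes the race possible.
struct FakeDrawTarget {
    std::shared_ptr<FakeSurface> surface;  // keeps memory valid for the model only
    bool Draw() const { return !surface->destroyed.load(); }  // false == drew to a "freed" surface
};

class ModelCompositorWidget {
public:
    explicit ModelCompositorWidget(bool fixUsesPresentLock)
        : mFixed(fixUsesPresentLock), mTransparentSurface(std::make_shared<FakeSurface>()) {}

    // The compositor holds this for the whole composite (in-process case).
    std::mutex& PresentLock() { return mPresentLock; }

    // Compositor side: surface lock is held only while the draw target is made.
    FakeDrawTarget StartRemoteDrawing() {
        std::lock_guard<std::mutex> lock(mTransparentSurfaceLock);
        return FakeDrawTarget{mTransparentSurface};
    }

    // Main-thread side: a transparency change destroys and recreates the surface.
    void UpdateTransparency() {
        // The fix: with an in-process compositor, serialize against the composite
        // by taking the present lock first (same lock order as the compositor).
        std::unique_lock<std::mutex> present(mPresentLock, std::defer_lock);
        if (mFixed) present.lock();
        std::lock_guard<std::mutex> lock(mTransparentSurfaceLock);
        mTransparentSurface->destroyed = true;  // models cairo_surface_destroy()
        mTransparentSurface = std::make_shared<FakeSurface>();
    }

private:
    bool mFixed;
    std::mutex mPresentLock;
    std::mutex mTransparentSurfaceLock;
    std::shared_ptr<FakeSurface> mTransparentSurface;
};

// Drives one interleaving: compositor gets its draw target, the main thread
// updates transparency, the compositor draws. Returns true on use-after-free.
bool RunScenario(bool fixUsesPresentLock) {
    ModelCompositorWidget widget(fixUsesPresentLock);
    std::mutex m;
    std::condition_variable cv;
    bool gotTarget = false, updateDone = false, uaf = false;

    std::thread compositor([&] {
        std::lock_guard<std::mutex> present(widget.PresentLock());
        FakeDrawTarget dt = widget.StartRemoteDrawing();
        { std::lock_guard<std::mutex> g(m); gotTarget = true; }
        cv.notify_all();
        // Let the main thread run its update. With the fix the update blocks on
        // the present lock we hold, so this wait simply times out.
        std::unique_lock<std::mutex> g(m);
        cv.wait_for(g, std::chrono::milliseconds(1000), [&] { return updateDone; });
        g.unlock();
        uaf = !dt.Draw();
    });

    { std::unique_lock<std::mutex> g(m); cv.wait(g, [&] { return gotTarget; }); }
    widget.UpdateTransparency();  // main thread
    { std::lock_guard<std::mutex> g(m); updateDone = true; }
    cv.notify_all();
    compositor.join();
    return uaf;
}

int main() {
    std::printf("in-process, no present lock in update: %s\n", RunScenario(false) ? "use-after-free" : "ok");
    std::printf("in-process, present lock in update:    %s\n", RunScenario(true) ? "use-after-free" : "ok");
    return 0;
}
```

The lock order matters: both threads take the present lock before mTransparentSurfaceLock, so the fix adds no deadlock path; the fixed run only delays the main thread's update until the composite has finished.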
Assignee: nobody → rhunt
https://hg.mozilla.org/integration/mozilla-inbound/rev/777ef3d920f01a85b677dea8914fc38df9135814
https://hg.mozilla.org/mozilla-central/rev/777ef3d920f0
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
This was called a sec-high (which would necessitate sec-approval before landing), but we previously called bug 1467363 a sec-moderate. Dan, do you think the high rating is still appropriate given the analysis in comment 8?
Flags: needinfo?(dveditz)
Oh, I had forgotten this was a security bug when landing things and it needed approval. Apologies!

For what it's worth, I consider this bug to come from the same root cause as bug 1467363, the patch there just didn't cover all the cases.
Should that patch be uplifted to beta now that it has landed on mozilla-central?
Comment on attachment 9012886 [details]
Bug 1469486 - Protect main thread in-process access to WinCompositorWidget transparent surface. r?bas

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1469486

User impact if declined: Intermittent UAF

Is this code covered by automated tests?: No

Has the fix been verified in Nightly?: No

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): This change has been in nightly and hasn't caused any regressions. The change acquires an existing lock over a vulnerable function call. The absolute worst case is that it's ineffective at solving the crash.

String changes made/needed:
Attachment #9012886 - Flags: approval-mozilla-beta?
Comment on attachment 9012886 [details]
Bug 1469486 - Protect main thread in-process access to WinCompositorWidget transparent surface. r?bas

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: 

User impact if declined: Potential intermittent UAF

Fix Landed on Version: 64

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): This change has been in nightly and hasn't caused any regressions. The change acquires an existing lock over a vulnerable function call. The absolute worst case is that it's ineffective at solving the crash.

String or UUID changes made by this patch:
Attachment #9012886 - Flags: approval-mozilla-esr60?
Comment on attachment 9012886 [details]
Bug 1469486 - Protect main thread in-process access to WinCompositorWidget transparent surface. r?bas

Crash & sec fix, on nightly for 3 days without reported regressions, small patch, approved for 63rc1, thanks.
Attachment #9012886 - Flags: approval-mozilla-beta? → approval-mozilla-release+
Comment on attachment 9012886 [details]
Bug 1469486 - Protect main thread in-process access to WinCompositorWidget transparent surface. r?bas

Approved for 60.3esr as well.
Attachment #9012886 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main63+][adv-esr60.3+]
Group: core-security-release