Bug 1010784: Assertion failure when reusing sync XHR in worker.
Status: RESOLVED FIXED (Closed; opened 10 years ago, closed 10 years ago)
Categories: Core :: DOM: Workers, defect
Target Milestone: mozilla32
People: Reporter: swu, Assigned: swu
Attachments: 1 file, 2 obsolete files
4.11 KB, patch | khuey: review+ | lsblakk: approval-mozilla-aurora+ | lsblakk: approval-mozilla-beta+
+++ This bug was initially created as a clone of Bug #1008126 +++

When reusing sync XHR and calling open/send again in worker, we got an assertion failure followed by SIGSEGV.

The XHR reuse test case in bug 1008126 can be used to reproduce this issue.

Log:

Assertion failure: !mProxy->mSyncLoopTarget, at /home/sywu/work/mozilla-central/dom/workers/XMLHttpRequest.cpp:1488
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x0195629A]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x00A3A6DA]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x009CF1B8]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x00CC54B6]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x00CA2780]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x00CA27F4]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x0166B809]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x0237095C]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x022F0E4D]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x022F10F4]
XRE_main+0x000000DD [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x022F136D]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/firefox +0x00003D4B]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/firefox +0x0000420C]
__libc_start_main+0x000000ED [/lib/x86_64-linux-gnu/libc.so.6 +0x0002176D]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/firefox +0x00003709]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff207f058 in (anonymous namespace)::SendRunnable::MainThreadRun (this=0x7fffb9743400) at /home/sywu/work/mozilla-central/dom/workers/XMLHttpRequest.cpp:1479
1479 MOZ_ASSERT(false, "This should never fail!");
(gdb) bt
#0 0x00007ffff207f058 in (anonymous namespace)::SendRunnable::MainThreadRun (this=0x7fffb9743400) at /home/sywu/work/mozilla-central/dom/workers/XMLHttpRequest.cpp:1479
#1 0x00007ffff207c29a in (anonymous namespace)::WorkerThreadProxySyncRunnable::Run (this=0x7fffb9743400) at /home/sywu/work/mozilla-central/dom/workers/XMLHttpRequest.cpp:1368
#2 0x00007ffff11606da in ProcessNextEvent (result=0x7fffffffc2df, mayWait=true, this=0x7ffff6a641a0) at /home/sywu/work/mozilla-central/xpcom/threads/nsThread.cpp:715
#3 nsThread::ProcessNextEvent (this=0x7ffff6a641a0, mayWait=true, result=0x7fffffffc2df) at /home/sywu/work/mozilla-central/xpcom/threads/nsThread.cpp:639
#4 0x00007ffff10f51b8 in NS_ProcessNextEvent (thread=<optimized out>, mayWait=true) at /home/sywu/work/mozilla-central/xpcom/glue/nsThreadUtils.cpp:263
#5 0x00007ffff13eb4b6 in mozilla::ipc::MessagePump::Run (this=0x7fffe6b8fd00, aDelegate=0x7fffe6b6c840) at /home/sywu/work/mozilla-central/ipc/glue/MessagePump.cpp:136
#6 0x00007ffff13c8780 in MessageLoop::RunInternal (this=0x7fffe6b6c840) at /home/sywu/work/mozilla-central/ipc/chromium/src/base/message_loop.cc:229
#7 0x00007ffff13c87f4 in RunHandler (this=0x7fffe6b6c840) at /home/sywu/work/mozilla-central/ipc/chromium/src/base/message_loop.cc:222
#8 MessageLoop::Run (this=0x7fffe6b6c840) at /home/sywu/work/mozilla-central/ipc/chromium/src/base/message_loop.cc:196
#9 0x00007ffff1d91809 in nsBaseAppShell::Run (this=0x7fffdfa527f0) at /home/sywu/work/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:164
#10 0x00007ffff2a9695c in nsAppStartup::Run (this=0x7fffdfa32240) at /home/sywu/work/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:278
#11 0x00007ffff2a16e4d in XREMain::XRE_mainRun (this=0x7fffffffc740) at /home/sywu/work/mozilla-central/toolkit/xre/nsAppRunner.cpp:4023
#12 0x00007ffff2a170f4 in XREMain::XRE_main (this=0x7fffffffc740, argc=5, argv=<optimized out>, aAppData=
---Type <return> to continue, or q <return> to quit---
    0x7fffffffc8f0) at /home/sywu/work/mozilla-central/toolkit/xre/nsAppRunner.cpp:4092
#13 0x00007ffff2a1736d in XRE_main (argc=5, argv=0x7fffffffdc58, aAppData=0x7fffffffc8f0, aFlags=<optimized out>) at /home/sywu/work/mozilla-central/toolkit/xre/nsAppRunner.cpp:4304
#14 0x0000000000403d4b in do_main (argc=5, argv=0x7fffffffdc58, xreDirectory=0x7ffff6a2d3c0) at /home/sywu/work/mozilla-central/browser/app/nsBrowserApp.cpp:282
#15 0x000000000040420c in main (argc=5, argv=0x7fffffffdc58) at /home/sywu/work/mozilla-central/browser/app/nsBrowserApp.cpp:643
(gdb)
Comment 1•10 years ago
Could you upload a minimal testcase?
Updated•10 years ago
Group: dom-core-security, core-security
Comment 2•10 years ago
oops, I missed the comment about testcase.
Why is this security sensitive? It's just a null deref, no?
Either the variant is not writable (not sure if that's possible) or we're OOM here.
In any case this isn't s-s since we're just sending empty data rather than the correct data.
Group: dom-core-security, core-security
Updated•10 years ago
Summary: Crash when reusing sync XHR in worker. → Assertion failure when reusing sync XHR in worker.
khuey points out that there are two assertion failures listed in comment 0. Not sure what's going on here.
Comment 7•10 years ago
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #3)
> Why is this security sensitive? It's just a null deref, no?
Just because I'm not familiar with that code and thread handling related assertions looked suspicious. But good if not sec-sensitive.
Comment 8•10 years ago (Assignee)
This is a minimal test case to reproduce.
Comment 9•10 years ago (Assignee)
Set mSyncLoopTarget to nullptr after done sending. Could you review this patch?
Assignee: nobody → swu
Attachment #8424710 - Flags: review?(bent.mozilla)
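The reset described in comment 9, modelled as an added C++ example (not the landed patch and not Firefox code): the names Proxy, SendSync, SendResult and TargetResetter are hypothetical, and the scope guard goes one step beyond the comment by also clearing the target on an early error return.

```cpp
#include <memory>

// Hypothetical stand-in for the event target a sync loop posts results to.
struct SyncLoopTarget {};

// Hypothetical model of the state a reused XHR object keeps across sends.
struct Proxy {
    std::shared_ptr<SyncLoopTarget> mSyncLoopTarget;  // non-null only during a send
};

enum class SendResult { Ok, NetworkError, StaleTarget };

// Scope guard: clears the target on every exit path of the scope that owns it.
class TargetResetter {
public:
    explicit TargetResetter(Proxy& aProxy) : mProxy(aProxy) {}
    ~TargetResetter() { mProxy.mSyncLoopTarget = nullptr; }
private:
    Proxy& mProxy;
};

// One synchronous send. aReset=false models the behaviour before the fix.
// StaleTarget stands in for MOZ_ASSERT(!mProxy->mSyncLoopTarget) firing.
SendResult SendSync(Proxy& aProxy, bool aReset, bool aFail) {
    if (aProxy.mSyncLoopTarget) {
        return SendResult::StaleTarget;
    }
    aProxy.mSyncLoopTarget = std::make_shared<SyncLoopTarget>();
    if (!aReset) {
        return aFail ? SendResult::NetworkError : SendResult::Ok;  // target stays set
    }
    TargetResetter resetter(aProxy);
    if (aFail) {
        return SendResult::NetworkError;  // early return, target still cleared
    }
    return SendResult::Ok;
}

// Reuse one proxy for two sends (the first may fail); return the second result.
SendResult SecondSendOnReuse(bool aReset, bool aFirstFails) {
    Proxy proxy;
    SendSync(proxy, aReset, aFirstFails);
    return SendSync(proxy, aReset, false);
}

int main() {
    // Exit status 0 when reuse works even after a failed first send.
    return SecondSendOnReuse(true, true) == SendResult::Ok ? 0 : 1;
}
```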
Comment 10•10 years ago (Assignee)
(In reply to <vacation until may 27> from comment #6)
> khuey points out that there are two assertion failures listed in comment 0.
> Not sure what's going on here.
There was actually only one assertion failure at MOZ_ASSERT(!mProxy->mSyncLoopTarget). The 2nd assertion failure shown in backtrace should be false information caused by compiler optimization.
Comment on attachment 8424710 [details] [diff] [review]
Patch: Set mSyncLoopTarget to nullptr after done sending.

Review of attachment 8424710 [details] [diff] [review]:
-----------------------------------------------------------------

r=me

This turned out to be really helpful in fixing bug 965309 because it showed me where to look. Thanks for the patch Shian-Yow.

https://hg.mozilla.org/integration/mozilla-inbound/rev/05ec9bfe2eaa
Attachment #8424710 - Flags: review?(bent.mozilla) → review+
Blocks: 965309
Comment 12•10 years ago
https://hg.mozilla.org/mozilla-central/rev/05ec9bfe2eaa
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Attachment #8423860 - Attachment is obsolete: true
Attachment #8424710 - Attachment is obsolete: true
Attachment #8430903 - Flags: review+
Comment on attachment 8430903 [details] [diff] [review]
Patch (as landed)

[Approval Request Comment]
See https://bugzilla.mozilla.org/show_bug.cgi?id=965309#c42
Attachment #8430903 - Flags: approval-mozilla-beta?
Attachment #8430903 - Flags: approval-mozilla-aurora?
Updated•10 years ago
Attachment #8430903 - Flags: approval-mozilla-beta?
Attachment #8430903 - Flags: approval-mozilla-beta+
Attachment #8430903 - Flags: approval-mozilla-aurora?
Attachment #8430903 - Flags: approval-mozilla-aurora+
Comment 15•10 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/30ac291a7ed6
https://hg.mozilla.org/releases/mozilla-beta/rev/f2a2af61e05d
Comment 16•10 years ago
https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/f2a2af61e05d
Flags: in-testsuite+
Updated•10 years ago
status-b2g-v1.4: --- → fixed
status-b2g-v2.0: --- → fixed
Comment 17•10 years ago (Assignee)
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #11)
> Comment on attachment 8424710 [details] [diff] [review]
> Patch: Set mSyncLoopTarget to nullptr after done sending.
>
> Review of attachment 8424710 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> r=me
>
> This turned out to be really helpful in fixing bug 965309 because it showed
> me where to look. Thanks for the patch Shian-Yow.
>
> https://hg.mozilla.org/integration/mozilla-inbound/rev/05ec9bfe2eaa
Thanks, good to know that!