Closed Bug 1010784 Opened 10 years ago Closed 10 years ago

Assertion failure when reusing sync XHR in worker.

Categories

(Core :: DOM: Workers, defect)

Product:
Core
Component:
DOM: Workers
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla32
Tracking Flags:
Tracking Status
firefox30 --- fixed
firefox31 --- fixed
firefox32 --- fixed
b2g-v1.4 --- fixed
b2g-v2.0 --- fixed

People

(Reporter: swu, Assigned: swu)

References

Details

Attachments

(1 file, 2 obsolete files)

Patch (as landed)
4.11 KB, patch
khuey
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review 
+++ This bug was initially created as a clone of Bug #1008126 +++

  When resuing sync XHR and calling open/send again in worker, we got assertion failure followed by SIGSEGV.  The XHR reuse test case in bug 1008126 can be used to reproduce this issue.

Log:

Assertion failure: !mProxy->mSyncLoopTarget, at /home/sywu/work/mozilla-central/dom/workers/XMLHttpRequest.cpp:1488
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x0195629A]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x00A3A6DA]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x009CF1B8]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x00CC54B6]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x00CA2780]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x00CA27F4]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x0166B809]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x0237095C]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x022F0E4D]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x022F10F4]
XRE_main+0x000000DD [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/libxul.so +0x022F136D]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/firefox +0x00003D4B]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/firefox +0x0000420C]
__libc_start_main+0x000000ED [/lib/x86_64-linux-gnu/libc.so.6 +0x0002176D]
UNKNOWN [/home/sywu/work/mozilla-central/obj-x86_64-debug/dist/bin/firefox +0x00003709]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff207f058 in (anonymous namespace)::SendRunnable::MainThreadRun (this=0x7fffb9743400)
    at /home/sywu/work/mozilla-central/dom/workers/XMLHttpRequest.cpp:1479
1479	      MOZ_ASSERT(false, "This should never fail!");
(gdb) bt
#0  0x00007ffff207f058 in (anonymous namespace)::SendRunnable::MainThreadRun (this=0x7fffb9743400)
    at /home/sywu/work/mozilla-central/dom/workers/XMLHttpRequest.cpp:1479
#1  0x00007ffff207c29a in (anonymous namespace)::WorkerThreadProxySyncRunnable::Run (this=0x7fffb9743400)
    at /home/sywu/work/mozilla-central/dom/workers/XMLHttpRequest.cpp:1368
#2  0x00007ffff11606da in ProcessNextEvent (result=0x7fffffffc2df, mayWait=true, this=0x7ffff6a641a0)
    at /home/sywu/work/mozilla-central/xpcom/threads/nsThread.cpp:715
#3  nsThread::ProcessNextEvent (this=0x7ffff6a641a0, mayWait=true, result=0x7fffffffc2df)
    at /home/sywu/work/mozilla-central/xpcom/threads/nsThread.cpp:639
#4  0x00007ffff10f51b8 in NS_ProcessNextEvent (thread=<optimized out>, mayWait=true)
    at /home/sywu/work/mozilla-central/xpcom/glue/nsThreadUtils.cpp:263
#5  0x00007ffff13eb4b6 in mozilla::ipc::MessagePump::Run (this=0x7fffe6b8fd00, aDelegate=0x7fffe6b6c840)
    at /home/sywu/work/mozilla-central/ipc/glue/MessagePump.cpp:136
#6  0x00007ffff13c8780 in MessageLoop::RunInternal (this=0x7fffe6b6c840)
    at /home/sywu/work/mozilla-central/ipc/chromium/src/base/message_loop.cc:229
#7  0x00007ffff13c87f4 in RunHandler (this=0x7fffe6b6c840)
    at /home/sywu/work/mozilla-central/ipc/chromium/src/base/message_loop.cc:222
#8  MessageLoop::Run (this=0x7fffe6b6c840)
    at /home/sywu/work/mozilla-central/ipc/chromium/src/base/message_loop.cc:196
#9  0x00007ffff1d91809 in nsBaseAppShell::Run (this=0x7fffdfa527f0)
    at /home/sywu/work/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:164
#10 0x00007ffff2a9695c in nsAppStartup::Run (this=0x7fffdfa32240)
    at /home/sywu/work/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:278
#11 0x00007ffff2a16e4d in XREMain::XRE_mainRun (this=0x7fffffffc740)
    at /home/sywu/work/mozilla-central/toolkit/xre/nsAppRunner.cpp:4023
#12 0x00007ffff2a170f4 in XREMain::XRE_main (this=0x7fffffffc740, argc=5, argv=<optimized out>, aAppData=
---Type <return> to continue, or q <return> to quit---
    0x7fffffffc8f0) at /home/sywu/work/mozilla-central/toolkit/xre/nsAppRunner.cpp:4092
#13 0x00007ffff2a1736d in XRE_main (argc=5, argv=0x7fffffffdc58, aAppData=0x7fffffffc8f0, aFlags=<optimized out>)
    at /home/sywu/work/mozilla-central/toolkit/xre/nsAppRunner.cpp:4304
#14 0x0000000000403d4b in do_main (argc=5, argv=0x7fffffffdc58, xreDirectory=0x7ffff6a2d3c0)
    at /home/sywu/work/mozilla-central/browser/app/nsBrowserApp.cpp:282
#15 0x000000000040420c in main (argc=5, argv=0x7fffffffdc58)
    at /home/sywu/work/mozilla-central/browser/app/nsBrowserApp.cpp:643
(gdb)
Could you upload a minimal testcase.
Group: dom-core-security, core-security
oops, I missed the comment about testcase.
Why is this security sensitive?  It's just a null deref, no?
Either the variant is not writable (not sure if that's possible) or we're OOM here.
In any case this isn't s-s since we're just sending empty data rather than the correct data.
Group: dom-core-security, core-security
Summary: Crash when reusing sync XHR in worker. → Assertion failure when reusing sync XHR in worker.
khuey points out that there are two assertion failures listed in comment 0. Not sure what's going on here.
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #3)
> Why is this security sensitive?  It's just a null deref, no?
Just because I'm not familiar with that code and thread handling related assertions looked suspicious.
But good if not sec-sensitive.
Attached patch Test case. (obsolete) — Splinter Review 
This is a minimal test case to reproduce.
Set mSyncLoopTarget to nullptr after done sending.

Could you review this patch?
Assignee: nobody → swu
Attachment #8424710 - Flags: review?(bent.mozilla)
(In reply to <vacation until may 27> from comment #6)
> khuey points out that there are two assertion failures listed in comment 0.
> Not sure what's going on here.

There was actually only one assertion failure at MOZ_ASSERT(!mProxy->mSyncLoopTarget).  The 2nd assertion failure shown in backtrace should be false information caused by compiler optimization.
Comment on attachment 8424710 [details] [diff] [review]
Patch: Set mSyncLoopTarget to nullptr after done sending.

Review of attachment 8424710 [details] [diff] [review]:
-----------------------------------------------------------------

r=me

This turned out to be really helpful in fixing bug 965309 because it showed me where to look.  Thanks for the patch Shian-Yow.

https://hg.mozilla.org/integration/mozilla-inbound/rev/05ec9bfe2eaa
Attachment #8424710 - Flags: review?(bent.mozilla) → review+
https://hg.mozilla.org/mozilla-central/rev/05ec9bfe2eaa
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32

        Attachment #8423860 -
        Attachment is obsolete: true

        Attachment #8424710 -
        Attachment is obsolete: true

        Attachment #8430903 -
        Flags: review+

    
    

    
  
Comment on attachment 8430903 [details] [diff] [review]
Patch (as landed)

[Approval Request Comment]
See https://bugzilla.mozilla.org/show_bug.cgi?id=965309#c42

        Attachment #8430903 -
        Flags: approval-mozilla-beta?

        Attachment #8430903 -
        Flags: approval-mozilla-aurora?

        Attachment #8430903 -
        Flags: approval-mozilla-beta?

        Attachment #8430903 -
        Flags: approval-mozilla-beta+

        Attachment #8430903 -
        Flags: approval-mozilla-aurora?

        Attachment #8430903 -
        Flags: approval-mozilla-aurora+

    
    

    
  
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #11)
> Comment on attachment 8424710 [details] [diff] [review]
> Patch: Set mSyncLoopTarget to nullptr after done sending.
> 
> Review of attachment 8424710 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> r=me
> 
> This turned out to be really helpful in fixing bug 965309 because it showed
> me where to look.  Thanks for the patch Shian-Yow.
> 
> https://hg.mozilla.org/integration/mozilla-inbound/rev/05ec9bfe2eaa

Thanks, good to know that!

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: