Closed Bug 1011928 Opened 11 years ago Closed 4 years ago

[AppCache] Shutdown use after free [@ nsCacheService::DeactivateEntry ]

Categories

(Core :: Networking: Cache, defect, P3)

x86_64
Windows 7
defect

RESOLVED INACTIVE

People

(Reporter: mayhemer, Unassigned)

Details

(Keywords: sec-moderate, Whiteboard: [necko-triaged])

STR (unreliable):
- desktop firefox
- install a web app with offline cache
- let the "launch_path" be 404
- shutdown

> xul.dll!nsCacheService::DeactivateEntry(0x1ab30950) Line 2793 C++
  xul.dll!nsCacheService::ClearDoomList() Line 2941 C++
  xul.dll!nsCacheService::OnProfileShutdown(false) Line 2392 C++
  xul.dll!nsCacheProfilePrefObserver::Observe(0x00000000, 0x07e3524c, 0x07e3a41c) Line 407 C++
  xul.dll!nsObserverList::NotifyObservers(0x00000000, 0x07e3524c, 0x07e3a41c) Line 97 C++
  xul.dll!nsObserverService::NotifyObservers(0x00000000, 0x07e3524c, 0x07e3a41c) Line 305 C++
  xul.dll!nsXREDirProvider::DoShutdown() Line 871 C++
  xul.dll!ScopedXPCOMStartup::~ScopedXPCOMStartup() Line 1198 C++
  xul.dll!ScopedXPCOMStartup::`scalar deleting destructor'() C++
  xul.dll!XREMain::XRE_main(4, 0x0050c038, 0x001cf7a4) Line 4117 C++
  xul.dll!XRE_main(4, 0x0050c038, 0x001cf7a4, 0) Line 4304 C++
  firefox.exe!do_main(4, 0x0050c038, 0x0052a348) Line 282 C++

Local vars:
- entry 0x1ab30950 nsCacheEntry *
  + mCacheDevice 0x1aa0c910 {...} nsCacheDevice *
  + mCustomDevice 0x1aa0c910 {...} nsCacheDevice *

The device is already freed (bad pointer).

Probably nsCacheEntry needs to keep an nsRefPtr to the device and not just a pure ptr. Still we can then crash at nsOfflineCacheDevice::UpdateEntry since db statements are freed by that time.

Horrible code this is...

This code is planned in short/mid term for rewrite (will somewhat migrate to the new HTTP cache and these troubling parts should go away.)

Rather hiding.
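The lifetime problem described in the report above, as an added example that is not part of the bug or of the Gecko code base: a doomed entry with a non-owning device pointer next to one that holds a strong reference, which still has to cope with the device's statements being gone. `Device`, `NonOwningEntry`, `OwningEntry` and the teardown order are hypothetical stand-ins, with `std::shared_ptr`/`std::weak_ptr` used in place of Mozilla's refcounting so the dangling case can be observed safely.

```cpp
#include <memory>

// Hypothetical model, not Gecko code: Device stands in for the offline cache
// device, the Entry types for a doomed cache entry that still points at it.
struct Device {
    bool statementsOpen = true;                    // DB statements still usable
    void Shutdown() { statementsOpen = false; }    // statements finalized
    bool UpdateEntry() { return statementsOpen; }  // refuse work after shutdown
};

enum class Outcome { Updated, DeviceShutDown, DeviceGone };

// Non-owning entry: weak_ptr plays the role of the raw pointer, so the
// dangling case is detected instead of dereferencing freed memory.
struct NonOwningEntry { std::weak_ptr<Device> device; };

// Owning entry: the strong reference keeps the device object alive.
struct OwningEntry { std::shared_ptr<Device> device; };

Outcome Deactivate(const std::shared_ptr<Device>& dev) {
    if (!dev) return Outcome::DeviceGone;  // a raw pointer would dangle here
    return dev->UpdateEntry() ? Outcome::Updated : Outcome::DeviceShutDown;
}

// Assumed teardown order, consistent with the report: the service shuts the
// device down and releases it, then deactivates the doomed entry.
Outcome ShutdownWithNonOwningEntry() {
    auto serviceDevice = std::make_shared<Device>();
    NonOwningEntry doomed{serviceDevice};
    serviceDevice->Shutdown();
    serviceDevice.reset();                 // last owner gone: device destroyed
    return Deactivate(doomed.device.lock());
}

Outcome ShutdownWithOwningEntry() {
    auto serviceDevice = std::make_shared<Device>();
    OwningEntry doomed{serviceDevice};
    serviceDevice->Shutdown();
    serviceDevice.reset();                 // entry still holds a reference
    return Deactivate(doomed.device);
}

int main() {
    bool ok = ShutdownWithNonOwningEntry() == Outcome::DeviceGone &&
              ShutdownWithOwningEntry() == Outcome::DeviceShutDown;
    return ok ? 0 : 1;
}
```
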
calling sec-moderate for now because it's unreliable and at shutdown, but could be worse if we lost the objects at other times.
Keywords: sec-moderate
Group: network-core-security → core-security
Group: core-security → network-core-security
Depends on: 1237782
Whiteboard: [necko-backlog]
Priority: -- → P3
Whiteboard: [necko-backlog] → [necko-triaged]
Depends on: 1619673

Will wait for bug 1694662 to land before closing.

Depends on: 1694662
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INACTIVE
Group: network-core-security