Closed Bug 1224096 Opened 4 years ago Closed 4 years ago

Crash [@ arena_dalloc_small | idalloc ]

Categories

(Core :: Networking: Cache, defect, critical)

41 Branch
defect
Not set
critical


RESOLVED DUPLICATE of bug 1154124

People

(Reporter: bc, Assigned: mayhemer)

References

(Blocks 1 open bug)

Details

(Keywords: crash)

Crash Data

Attachments

(2 files)

1. https://www.bagas31.com/2011/03/coreldraw-graphic-suite-x5-full.html

Can't guarantee the safety of the link. It has the appearance of pages I have found problematic in the past. Be Safe out there.

2. Reload if necessary.

3. Crash EXCEPTION_STACK_OVERFLOW

Windows 7 41.0.1 release bp-1edf7b35-5316-46be-b5e1-791b92151112
[@ je_malloc ] (actually ntdll.dll@0x47858 at the top)

Windows 7 42 release bp-339813ed-5824-43fc-b9db-f4df72151112
[@ nsACString_internal::Assign | nsACString_internal::Assign | nsPromiseFlatCString::Init ]

Windows 7 45 Nightly opt bp-28d3da27-7e23-4cdd-9c46-c22d42151112
[@ arena_dalloc_small | idalloc ]

Note automation shows a number of arena/allocation related stacks on Windows, shutdown crashes on Linux and an asan crash on Linux. One of the Windows Nightly debug crashes had an exploitability rating of medium -> S-S.
Crash Signature: [@ je_malloc ] [@ nsACString_internal::Assign | nsACString_internal::Assign | nsPromiseFlatCString::Init ] [@ arena_dalloc_small | idalloc ]
Why is that one crash rated higher than the others? EXCEPTION_STACK_OVERFLOW usually isn't, we've just recursed too deep.
Group: core-security → core-security-release
Flags: needinfo?(bob)
Looking at the code in https://chromium.googlesource.com/breakpad/breakpad/+/master/src/processor/exploitability_win.cc I would hazard a guess that it got a medium from 

https://chromium.googlesource.com/breakpad/breakpad/+/master/src/processor/exploitability_win.cc#122
and
https://chromium.googlesource.com/breakpad/breakpad/+/master/src/processor/exploitability_win.cc#127

Looking around, I think the idea is that the stack overflow isn't a get out of hell free card, but that if we are executing on the stack and there is some ability to overwrite the stack you may be susceptible to an exploit. I found a high level view at http://www.microsoft.com/en-us/download/details.aspx?id=4537
Flags: needinfo?(bob)
probably worth jumping on - honza, michal wdyt?
Flags: needinfo?(michal.novotny)
True... our usual reason for stack overflow is too deep recursion (benign) and this doesn't look like that case.
Attached file nspr log
The stack overflows because there are too many handles for one cache entry. The entry is opened over and over again. Nick, could you please have a look into the log to check why the entry cdf31920 is opened so many times by the predictor? Search "CacheEntry::AsyncOpen [this=cdf31920" in the log and look a few lines above it.
Flags: needinfo?(michal.novotny) → needinfo?(hurley)
I turned the predictor off but the problem remains, it seems that the predictor just does its job. URL https://www.bagas31.com/2011/03/coreldraw-graphic-suite-x5-full.html?cf_action=sync_comments&post_id=1811 is loaded over and over again and the call comes from:

#9  0xffffffff in mozilla::net::nsHttpChannel::AsyncOpen(nsIStreamListener*, nsISupports*) (this=0xd6fea800, listener=0xd06a0880, context=0x0) at /opt/moz/hg-inbound/netwerk/protocol/http/nsHttpChannel.cpp:5055
#10 0xffffffff in mozilla::net::nsHttpChannel::AsyncOpen2(nsIStreamListener*) (this=0xd6fea800, aListener=0xd06a0880)
    at /opt/moz/hg-inbound/netwerk/protocol/http/nsHttpChannel.cpp:5071
#11 0xffffffff in nsScriptLoader::StartLoad(nsScriptLoadRequest*, nsAString_internal const&, bool) (this=0xcf95d470, aRequest=0xcf74d080, aType=..., aScriptFromHead=false) at /opt/moz/hg-inbound/dom/base/nsScriptLoader.cpp:398
#12 0xffffffff in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) (this=0xcf95d470, aElement=0xc8b193a0)
    at /opt/moz/hg-inbound/dom/base/nsScriptLoader.cpp:598
#13 0xffffffff in nsScriptElement::MaybeProcessScript() (this=0xc8b193a0)
    at /opt/moz/hg-inbound/dom/base/nsScriptElement.cpp:142
#14 0xffffffff in mozilla::dom::HTMLScriptElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) (this=0xc8b19350, aDocument=0xcffb6000, aParent=0xcf57f220, aBindingParent=0x0, aCompileEventHandlers=true)
    at /opt/moz/hg-inbound/dom/html/HTMLScriptElement.cpp:66
#15 0xffffffff in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) (this=0xcf57f220, aKid=0xc8b19350, aIndex=89, aNotify=true, aChildArray=...) at /opt/moz/hg-inbound/dom/base/nsINode.cpp:1583
#16 0xffffffff in mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent*, unsigned int, bool) (this=0xcf57f220, aKid=0xc8b19350, aIndex=89, aNotify=true) at /opt/moz/hg-inbound/dom/base/FragmentOrElement.cpp:1144
#17 0xffffffff in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) (this=0xcf57f220, aReplace=false, aNewChild=0xc8b19350, aRefChild=0xc8b19270, aError=...) at /opt/moz/hg-inbound/dom/base/nsINode.cpp:2297
#18 0xffffffff in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) (this=0xcf57f220, aNode=..., aChild=0xc8b19270, aError=...) at /opt/moz/hg-inbound/dom/base/nsINode.h:1751
#19 0xffffffff in mozilla::dom::NodeBinding::insertBefore(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) (cx=0xd94a6160, obj=..., self=0xcf57f220, args=...)
    at /opt/moz/hg-inbound/_obj-browser-release-tb-fp-dbg/dom/bindings/NodeBinding.cpp:569
#20 0xffffffff in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (cx=0xd94a6160, argc=2, vp=0xff8451d0) at /opt/moz/hg-inbound/dom/bindings/BindingUtils.cpp:2651
#21 0xffffffff in  ()
#22 0xffffffff in  ()
#23 0xffffffff in  ()
#24 0xffffffff in EnterBaseline(JSContext*, js::jit::EnterJitData&) (cx=0xd94a6160, data=...)
    at /opt/moz/hg-inbound/js/src/jit/BaselineJIT.cpp:127
#25 0xffffffff in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) (cx=0xd94a6160, state=...)
    at /opt/moz/hg-inbound/js/src/jit/BaselineJIT.cpp:161
#26 0xffffffff in js::RunScript(JSContext*, js::RunState&) (cx=0xd94a6160, state=...)
    at /opt/moz/hg-inbound/js/src/vm/Interpreter.cpp:331


javascript stack is:

0 disqus_config/<([object Object], [object Object]) ["https://www.bagas31.com/2011/03/coreldraw-graphic-suite-x5-full.html":283]
    this = [object Object]
1 c</h(a = [object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object ++DOCSHELL 0xcfad2400 == 14 [pid = 21595] [id = 19]


I don't understand what disqus_config function should do so I can't say whether there is some bug or whether it is correct behavior that we open the channel for this URL so many times.
Flags: needinfo?(hurley)
It looks to me like this site just has a large amount (1055) of resources on it, so for each one, the predictor is told to learn about it, which causes the predictor to open the cache entry to update information. The predictor doesn't hold onto any nsICacheEntry references for very long, and there's no explicit way to close a handle, so the predictor relies on the cache doing the Right Thing when it releases references to the entries.

Honza and I didn't think it necessary for the predictor to keep its own cache of nsICacheEntry references at the time of the rewrite, though perhaps this is an argument in favor of doing that (to prevent the predictor from opening a bunch of references like this). However, I think it's also reasonable to expect that the cache wouldn't overflow the stack in situations like this :) Michal, what do you think?
Sure, we should break the cycle by posting the event at some point. There aren't 1055 resources on this page. The URL mentioned in comment #6 is opened 1006 times in this log, which also triggers the predictor. This number would grow "indefinitely" if I didn't stop the process in the debugger.

I think it would be good if the predictor would keep references to all nsICacheEntry instances that are in use by the predictor so it could reuse the handles. OTOH, normally this isn't necessary and I have no idea what performance benefit this would bring.
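Added illustration (not Mozilla code) of the recursion described in the two comments above and of the "post the event" fix: a toy cache whose AsyncOpen() hands an available entry back to the listener synchronously lets a listener that reopens the same entry from every callback nest one frame per open without bound, whereas queueing the callback on an event loop lets each opener's frame unwind first. The Cache, EventLoop and reopenLoop names are hypothetical; the entry id and the count of 1006 opens are taken from the comments above.

```cpp
// Added example (not Mozilla code): models the unbounded nesting behind this
// bug. When AsyncOpen() calls the listener on the caller's stack and the
// listener opens the same entry again, depth grows with every open. Deferring
// the callback through an event queue makes the same work run iteratively.
#include <cstdio>
#include <functional>
#include <queue>
#include <string>

struct EventLoop { std::queue<std::function<void()>> q; };

static int g_depth = 0, g_maxDepth = 0;   // recursion instrumentation only

struct Cache {
    EventLoop* loop;   // nullptr: callback runs inside AsyncOpen (the buggy shape)
    void AsyncOpen(const std::string& /*key*/, std::function<void()> onAvailable) {
        if (!loop) { onAvailable(); return; }   // re-enters the listener on this stack
        loop->q.push(std::move(onAvailable));    // deferred: the opener's frame unwinds first
    }
};

// Listener that opens the same entry again from every "available" callback,
// modelling the predictor being told to learn about the URL on each load.
static void reopenLoop(Cache& cache, const std::string& key, int remaining) {
    if (remaining == 0) return;
    ++g_depth;
    if (g_depth > g_maxDepth) g_maxDepth = g_depth;
    cache.AsyncOpen(key, [&cache, key, remaining] { reopenLoop(cache, key, remaining - 1); });
    --g_depth;
}

// Returns the deepest nesting reached for `opens` consecutive opens of one entry.
static int maxDepthFor(bool deferCallbacks, int opens) {
    EventLoop loop;
    Cache cache{deferCallbacks ? &loop : nullptr};
    g_depth = g_maxDepth = 0;
    reopenLoop(cache, "cdf31920", opens);   // entry id taken from the attached log
    while (!loop.q.empty()) {               // drain the queue iteratively
        std::function<void()> ev = std::move(loop.q.front());
        loop.q.pop();
        ev();
    }
    return g_maxDepth;
}

int main() {
    std::printf("synchronous: depth %d, deferred: depth %d\n",
                maxDepthFor(false, 1006), maxDepthFor(true, 1006));
}
```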
Isn't this a dup of bug 1154124?  Yes, I had to fix that one a long time ago.  Bad Honza.
Assignee: nobody → honzab.moz
Group: network-core-security
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1154124
Group: network-core-security, core-security-release