mozilla::net::NullHttpTransaction supporting weak reference but used on multiple threads

RESOLVED WORKSFORME

Status


defect
--
critical
RESOLVED WORKSFORME
3 years ago
a year ago

People

(Reporter: mayhemer, Unassigned)

Tracking

(Depends on 1 bug, {sec-audit})

Trunk

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [necko-active])

(Reporter)

Description

3 years ago
m-c with bug 956338 patch v1.1 (soon will be updated with a less strict patch), though, still worth reporting to at least think about it.

Socket thread:

 	xul.dll!nsSupportsWeakReference::~nsSupportsWeakReference() Line 63	C++
>	xul.dll!mozilla::net::NullHttpTransaction::`scalar deleting destructor'()	C++
 	xul.dll!nsExtProtocolChannel::Release() Line 77	C++
 	xul.dll!mozilla::net::nsHttpConnectionMgr::nsHalfOpenSocket::~nsHalfOpenSocket() Line 2992	C++
 	xul.dll!mozilla::net::nsHttpConnectionMgr::nsHalfOpenSocket::Release() Line 2957	C++
 	xul.dll!mozilla::net::nsSocketOutputStream::OnSocketReady(NS_OK) Line 553	C++
 	xul.dll!mozilla::net::nsSocketTransport::OnSocketReady(0x0fa57480, ) Line 1964	C++
 	xul.dll!mozilla::net::nsSocketTransportService::DoPollIteration() Line 1082	C++
 	xul.dll!mozilla::net::nsSocketTransportService::Run() Line 867	C++
 	xul.dll!nsThread::ProcessNextEvent(true, 0x0663fa3f) Line 1058	C++
 	xul.dll!NS_ProcessNextEvent(, true) Line 290	C++


but was created on the main thread. There was, though, no weakptr proxy created for it.
Flags: needinfo?
Group: core-security → network-core-security
Flags: needinfo?
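
The situation in the description above (object created on one thread, released on another, no weak proxy created yet), as an added C++ example that is not part of the bug report and is not Gecko code. `Referent`, `WeakProxy` and the strict/relaxed modes are hypothetical names; the relaxed mode is an assumed reading of the "less strict patch", which is not shown on this page.

```cpp
// Added illustration only: Referent, WeakProxy and the two check modes are
// hypothetical stand-ins, not Gecko code and not the bug 956338 patch.
#include <atomic>
#include <cstdio>
#include <memory>
#include <thread>

static std::atomic<int> gViolations{0};  // a debug build would assert instead

struct WeakProxy { void* referent; };  // non-thread-safe: plain back-pointer

class Referent {
 public:
  explicit Referent(bool strict)
      : strict_(strict), owner_(std::this_thread::get_id()) {}
  ~Referent() {
    // Strict mode flags any off-thread destruction; relaxed mode only when a
    // proxy exists, because only then is the unsynchronized write reachable.
    if (strict_ || proxy_) CheckOwningThread();
    if (proxy_) proxy_->referent = nullptr;
  }
  std::shared_ptr<WeakProxy> GetWeakReference() {
    CheckOwningThread();
    if (!proxy_) proxy_ = std::make_shared<WeakProxy>(WeakProxy{this});
    return proxy_;
  }
 private:
  void CheckOwningThread() const {
    if (std::this_thread::get_id() != owner_) ++gViolations;
  }
  bool strict_;
  std::thread::id owner_;
  std::shared_ptr<WeakProxy> proxy_;
};

// Create on the calling thread, destroy on a second thread (as in the stack
// above) and return how many owning-thread violations were recorded.
int ViolationsOnCrossThreadRelease(bool strict, bool takeWeakRef) {
  gViolations = 0;
  auto* obj = new Referent(strict);
  std::shared_ptr<WeakProxy> weak;
  if (takeWeakRef) weak = obj->GetWeakReference();
  std::thread([obj] { delete obj; }).join();
  return gViolations.load();
}

int main() {
  std::printf("strict, no proxy: %d\n", ViolationsOnCrossThreadRelease(true, false));
}
```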
(Reporter)

Updated

3 years ago
No longer blocks: 956338
Keywords: sec-audit
(Reporter)

Comment 1

3 years ago
Note that on try or locally I was not able to hit multi-thread usage of the _weak proxy_ object (the latest version of the assertion patch from bug 956338). But that doesn't mean there isn't a code path allowing the concurrent access.
(Reporter)

Updated

3 years ago
Blocks: 378637
(Reporter)

Comment 2

3 years ago
Patrick, I'll need some help finding steps to trigger the h2/https proxy tunneling. I've set up an https proxy (squid) via PAC, checked it's working, but can't trigger the code that does the actual do_QueryReferent on the transaction (In/OutputStreamShim).
I don't believe squid does https over h2 - which you probably need for that code (it does https over h1/https) to trigger.

nghttp is my go-to h2 proxy of choice.
(Reporter)

Updated

3 years ago
Assignee: nobody → honzab.moz
(Reporter)

Updated

3 years ago
Depends on: 1295612
(Reporter)

Updated

3 years ago
Whiteboard: [necko-active]
(Reporter)

Comment 4

3 years ago
Seems like there are no crashes captured by crash-stats, nor were we able to reproduce locally.
Assignee: honzab.moz → nobody
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
Group: network-core-security