Closed
Bug 1374916
Opened 7 years ago
Closed 7 years ago
Intermittent /service-workers/service-worker/xhr.https.html | application crashed [@ mozilla::dom::FetchBodyConsumer<mozilla::dom::Response>::BeginConsumeBodyMainThread()]
Categories
(Core :: DOM: Service Workers, defect)
RESOLVED
DUPLICATE
of bug 1374922
People
(Reporter: intermittent-bug-filer, Unassigned)
References
Details
(Keywords: crash, intermittent-failure)
Crash Data
Attachments
(1 obsolete file)
Filed by: philringnalda [at] gmail.com
https://treeherder.mozilla.org/logviewer.html#?job_id=108718369&repo=mozilla-central
https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-win64-debug/1498008325/mozilla-central_win8_64-debug_test-web-platform-tests-9-bm126-tests1-windows-build8.txt.gz
Updated•7 years ago
Assignee: nobody → bugmail
Status: NEW → ASSIGNED
Comment 4•7 years ago
The crash report addresses look like UAF, setting security bit. And indeed, it looks like BeginConsumeBodyRunnable's held `FetchBody<Derived>* mFetchBody;`, which is explicitly not refcounted, is already freed. The lifecycle depends on FetchBody<Derived>::BeginConsumeBody() to AddRef and FetchBody<Derived>::ContinueConsumeBody to ReleaseObject. Unfortunately, the FetchBodyWorkerHolder looks deficient. It synchronously invokes ContinueConsumeBody and makes no attempt to cancel the (non-cancelable) BeginConsumeBodyRunnable (that no one holds a reference to). :bkelly, thoughts?
Assignee: bugmail → nobody
Group: core-security
Status: ASSIGNED → NEW
Crash Signature: [@ mozilla::dom::FetchBodyConsumer<mozilla::dom::Response>::BeginConsumeBodyMainThread()] → [@ mozilla::dom::FetchBody<T>::BeginConsumeBodyMainThread]
[@ mozilla::dom::FetchBodyConsumer<mozilla::dom::Response>::BeginConsumeBodyMainThread()]
Flags: needinfo?(bkelly)
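The lifecycle described in comment 4, as an added example that is not Gecko code and not part of the original bug: a constructed, single-threaded model in which `Body`, `RunScenario` and the runnable queue are hypothetical stand-ins. It contrasts a queued runnable that holds a raw pointer with one that holds a strong reference (one possible hardening, assumed here), and tracks liveness with a flag so the freed object is never dereferenced.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <queue>

// Hypothetical stand-in for the consumed body; the flag records whether
// the object still exists, so the model never touches freed memory.
struct Body {
  explicit Body(bool* alive) : mAlive(alive) { *mAlive = true; }
  ~Body() { *mAlive = false; }
  bool* mAlive;
};

// Returns true if the body was still alive when the queued runnable ran.
bool RunScenario(bool runnableHoldsStrongRef) {
  bool alive = false;
  std::queue<std::function<bool()>> mainThread;  // pending runnables
  auto body = std::make_shared<Body>(&alive);

  // "Begin consume": take the keep-alive reference, then dispatch.
  std::shared_ptr<Body> keepAlive = body;
  Body* raw = body.get();
  if (runnableHoldsStrongRef) {
    // Hardened form: the runnable itself keeps the object alive.
    mainThread.push([strong = body, &alive] { return strong && alive; });
  } else {
    // Pattern from comment 4: only a non-refcounted pointer is captured.
    mainThread.push([raw, &alive] { (void)raw; return alive; });
  }
  body.reset();  // the caller's own reference goes away

  // Worker shutdown: the holder synchronously runs "continue consume",
  // dropping the keep-alive reference; the runnable is not cancelled.
  keepAlive.reset();

  // The main thread later runs the runnable that was left in the queue.
  bool ok = mainThread.front()();
  mainThread.pop();
  return ok;
}

int main() {
  std::printf("raw pointer: body alive at run = %d\n", RunScenario(false));
  std::printf("strong ref:  body alive at run = %d\n", RunScenario(true));
  return 0;
}
```

In the raw-pointer case the runnable runs after the object is gone, which is the point at which real code would dereference freed memory.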
Comment 5•7 years ago
Andrea, is this the thing you just fixed?
Flags: needinfo?(bkelly) → needinfo?(amarchesini)
Comment 6•7 years ago
The refcounting part, yes. It's already in central. The rest, see bug 1374922.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Updated•4 years ago
Group: core-security