1400940 - Deadlock after tab switch during verification process

Status: RESOLVED FIXED

(Core :: DOM: Device Interfaces, defect, P2)

Description

[Matt Wobensmith [:mwobensmith][:matt:]]

On Ubuntu 16.04 with USB token inserted:

1. Go to WebAuthN test site [1].
2. Click "Create Credentials" but don't perform USB verification.
3. Create new tab.
4. Return to original tab. 
5. Confirm abort message.
6. Return to new tab and try to navigate to a new URL.

Result:
Browser is unresponsive.

7. Close new tab.

Result:
Eventually you will get a crash [2].


[1]
https://webauthn.bin.coffee/
[2]
https://crash-stats.mozilla.com/report/index/0908f79a-c425-4829-af50-7b3060170918

Comment 1

[Tim Taubert [:ttaubert] (inactive)]

Ok so what's happening here is that U2FTokenManager::Cancel() sends a Cancel request and then destroys the U2FHIDTokenManager. rust_u2f_mgr_free() waits for the work queue thread in manager.rs to be joined. While waiting it holds the gInstanceMutex. Now the runloop in PlatformManager::sign() will terminate and call the callback, that however will acquire gInstanceMutex again and we have a deadlock.

Comment 2

[Tim Taubert [:ttaubert] (inactive)]

Stealing :)

Comment 4

[Pulsebot]

Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/efa6750d4e13
Fix WebAuthn deadlock when cancelling a request on tab switch r=jcj

Comment 5

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/efa6750d4e13

Comment 6

[Phabricator Automation]

Comment on attachment 8909442 [details]
Bug 1400940 - Fix WebAuthn deadlock when cancelling a request on tab switch r=jcj

J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D67