Closed Bug 1403818 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(MsgRouteError: PWebAuthnTransaction::Msg_ConfirmRegister Route error: message sent to unknown actor ID) at /builds/worker/workspace/build/src/ipc/glue/BackgroundChildImpl.cpp:152

Categories

(Core :: IPC, defect, P2)

defect

Tracking

RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- disabled
firefox57 --- disabled
firefox58 --- fixed

People

(Reporter: jkratzer, Assigned: ttaubert)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, Whiteboard: [fuzzblocker])

Attachments

(3 files)

Attached file Minidump stack trace
Found while fuzzing mozilla-central rev a0eb21bf55e1.  Will update shortly with reduced testcase.
Whiteboard: [fuzzblocker]
This issue appears to have been remediated overnight.  I will continue monitoring to see if it occurs again but we can close this for the time being.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
Apparently I spoke too soon.  Tes
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Attached file trigger.html
Attached testcase requires the following prefs in order to reproduce:

user_pref("security.webauth.webauthn", true);
user_pref("security.webauth.webauthn_enable_softtoken", true);
user_pref("security.webauth.webauthn_enable_usbtoken", false);
user_pref("security.webauth.u2f", true);
user_pref("security.webauth.u2f_enable_softtoken", true);
user_pref("security.webauth.u2f_enable_usbtoken", false);
Tim, can you take a look at this? I'm guessing it's not actually the soft token, but probably something in WebAuthnManager.cpp. I don't mind putting the real fix together, but I won't have a chance to look at this for a few days.
Assignee: nobody → ttaubert
QA Contact: mwobensmith
I think this assert means that you are trying to send an IPC message to an actor that has already been destroyed.
Ok, so it seems that the problem is that we destroy the child actor while messages from the main process are in flight. We can receive the following from the main process:

* ConfirmRegister
* ConfirmSign
* Cancel

When any of those is in flight and we call WebAuthnManager::MaybeClearTransaction(), we're also destroying `mChild`. `MaybeClearTransaction()` is called from a couple of places [1], but also by `Cancel()`, which is called from even more places [2], including `HandleEvent()`.

[1] https://searchfox.org/mozilla-central/search?q=symbol:_ZN7mozilla3dom15WebAuthnManager21MaybeClearTransactionEv&redirect=false
[2] https://searchfox.org/mozilla-central/search?q=symbol:_ZN7mozilla3dom15WebAuthnManager6CancelERK8nsresult&redirect=false
Another problem here is that the expectation around calling `Send__delete__()` seems to be that there are and will be no more messages from the parent actor. We could only call that after seeing some special message, other contracts seem to do this.
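The actor-lifetime race described in the two comments above, modelled as an added example (constructed toy types, not Firefox's IPC code): a parent reply is queued for the child's actor ID, the child calls `Cancel()` before the reply is routed, and the buggy teardown leaves the message with no actor to go to, while the fixed variant keeps the actor registered until shutdown.

```cpp
#include <cstdint>
#include <deque>
#include <map>
#include <utility>

// Constructed model of the race: parent->child messages are queued, and
// the child actor may already be gone by the time they are routed.
enum class Msg { ConfirmRegister, ConfirmSign, Cancel };

struct ChildActor { uint64_t id; bool transactionActive; int delivered = 0; };

struct Router {
  std::map<uint64_t, ChildActor*> actors;         // registered actor IDs
  std::deque<std::pair<uint64_t, Msg>> inflight;  // messages not yet routed
};

// Parent side: addresses a message to the child's actor ID.
void ParentSend(Router& r, uint64_t id, Msg m) { r.inflight.push_back({id, m}); }

// Routes one queued message. Returns false for the MsgRouteError case:
// the actor ID is no longer registered ("message sent to unknown actor ID").
bool Deliver(Router& r) {
  std::pair<uint64_t, Msg> msg = r.inflight.front();
  r.inflight.pop_front();
  auto it = r.actors.find(msg.first);
  if (it == r.actors.end()) return false;
  if (it->second->transactionActive) it->second->delivered++;  // real work
  it->second->transactionActive = false;  // otherwise a stale reply, ignored
  return true;
}

// Buggy MaybeClearTransaction(): tears down mChild (Send__delete__) even
// though a reply from the parent may still be in flight.
void ClearTransactionBuggy(Router& r, ChildActor& c) {
  c.transactionActive = false;
  r.actors.erase(c.id);
}

// Fixed variant, matching the landed approach: only the transaction state
// is reset; the actor stays registered until process shutdown.
void ClearTransactionFixed(Router&, ChildActor& c) { c.transactionActive = false; }

// Start a transaction, let the parent answer, then Cancel() before the
// answer is routed. Returns whether the parent's message found its actor.
bool Scenario(bool fixed) {
  Router r;
  ChildActor c{7, true};
  r.actors[c.id] = &c;
  ParentSend(r, c.id, Msg::ConfirmRegister);
  if (fixed) ClearTransactionFixed(r, c); else ClearTransactionBuggy(r, c);
  return Deliver(r);
}
```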
Has Regression Range: --- → no
Priority: -- → P3
Priority: P3 → P2
Blocks: 1406565
Comment on attachment 8920818 [details]
Bug 1403818 - Fix WebAuthn IPC crashes by keeping the child actor alive until process shutdown r=jcj

J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D149#3681
Attachment #8920818 - Flags: review+
I'll have to revise that patch again. Bug 1408333 removed some code (yay) but lazily rebased and removed a few changes from prior patches (boo).
Comment on attachment 8920818 [details]
Bug 1403818 - Fix WebAuthn IPC crashes by keeping the child actor alive until process shutdown r=jcj

J.C. Jones [:jcj] has been removed from the revision.

https://phabricator.services.mozilla.com/D149#3753
Attachment #8920818 - Flags: review+
Comment on attachment 8920818 [details]
Bug 1403818 - Fix WebAuthn IPC crashes by keeping the child actor alive until process shutdown r=jcj

J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D149#3837
Attachment #8920818 - Flags: review+
Comment on attachment 8920818 [details]
Bug 1403818 - Fix WebAuthn IPC crashes by keeping the child actor alive until process shutdown r=jcj

J.C. Jones [:jcj] has been removed from the revision.

https://phabricator.services.mozilla.com/D149#3842
Attachment #8920818 - Flags: review+
Comment on attachment 8920818 [details]
Bug 1403818 - Fix WebAuthn IPC crashes by keeping the child actor alive until process shutdown r=jcj

J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D149#3849
Attachment #8920818 - Flags: review+
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/71668e0aea8c
Fix WebAuthn IPC crashes by keeping the child actor alive until process shutdown r=jcj
https://hg.mozilla.org/mozilla-central/rev/71668e0aea8c
Status: REOPENED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Depends on: 1412408