Closed Bug 1496050 Opened 6 years ago Closed 6 years ago

Nightly went into infinite process creation loop after launcher process is enabled

Categories

(Core :: Widget: Win32, defect)

Product:
Core
Component:
Widget: Win32
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla64
Tracking Flags:
Tracking Status
firefox64 --- fixed

People

(Reporter: emk, Assigned: emk)

References

Details

Attachments

(2 files, 1 obsolete file)

Fallback to GetFileInformationByHandle if GetFileInformationByHandleEx failed
1.28 KB, patch
molly
: review+
Details | Diff | Splinter Review
Make IsSameBinaryAsParentProcess more robust
3.84 KB, patch
molly
: review+
Details | Diff | Splinter Review
I had to sign out to stop spawning firefox.exe processes. The current launcher process design is too danger without some safeguard IMO. Also, I had to specify "ac_add_options --disable-launcher-process" to test my patch. Hopeflly this critical bug is fixed until the release...
Since some filesystems do not support FileIdInfo, we can't assume that it will succeed even on Windows 8 or later.
Attachment #9014068 - Flags: review?(mhowell)
Assignee: nobody → VYV03354
Status: NEW → ASSIGNED
We should not go into infinite process creation loop when we are unsure if Firefox is the child of itself.
Attachment #9014069 - Flags: review?(mhowell)
Attachment #9014068 - Flags: review?(mhowell) → review+
Pushed by VYV03354@nifty.ne.jp: https://hg.mozilla.org/integration/mozilla-inbound/rev/831c1cae9dde Fallback to GetFileInformationByHandle if GetFileInformationByHandleEx failed. r=mhowell
Keywords: leave-open
Comment on attachment 9014069 [details] [diff] [review] Make IsSameBinaryAsParentProcess more robust Review of attachment 9014069 [details] [diff] [review]: ----------------------------------------------------------------- I don't feel great about this patch. Since the launcher process is largely a security feature, disabling it as an error handling strategy makes me a little uneasy. I think it's more likely that one of these functions would fail as a result of some action taken by an attacker in order to intentionally disable the launcher process than for any of them to fail for legitimate reasons (unless of course that's what you were seeing on your system; I'm making the assumption that the other patch addresses the problem you were running into). But I do agree that trying again and therefore getting into an infinite loop isn't the right thing to do; you're right that these kinds of failures are not likely to be transient. I think I'd prefer to just abort and refuse to continue starting the browser at all. What do you think?
Attachment #9014069 - Flags: review?(mhowell) → review-
Component: General → Widget: Win32
Product: Firefox → Core
Yes, bypassing the launcher process completely defeats the purpose of having it in the first place. Do we know what the GetLastError code was from GetFileInformationByHandleEx?
(In reply to Matt Howell [:mhowell] from comment #4) > I don't feel great about this patch. Since the launcher process is largely a > security feature, disabling it as an error handling strategy makes me a > little uneasy. I think it's more likely that one of these functions would > fail as a result of some action taken by an attacker in order to > intentionally disable the launcher process than for any of them to fail for > legitimate reasons (unless of course that's what you were seeing on your > system; I'm making the assumption that the other patch addresses the problem > you were running into). > > But I do agree that trying again and therefore getting into an infinite loop > isn't the right thing to do; you're right that these kinds of failures are > not likely to be transient. I think I'd prefer to just abort and refuse to > continue starting the browser at all. What do you think? Makes sense. I'll change failure returns to MOZ_CRASH. (In reply to (PTO Oct 2 - Oct 9) Aaron Klotz [:aklotz] from comment #5) > Yes, bypassing the launcher process completely defeats the purpose of having > it in the first place. > > Do we know what the GetLastError code was from GetFileInformationByHandleEx? The error was 87(ERROR_INVALID_PARAMETER) because FileIdInfo is not a valid function for exFAT (and probably FAT16/FAT32).
We should not go into infinite process creation loop when we are unsure if Firefox is a child of itself.
Attachment #9014220 - Flags: review?(mhowell)
Attachment #9014069 - Attachment is obsolete: true
Comment on attachment 9014220 [details] [diff] [review] Make IsSameBinaryAsParentProcess more robust Review of attachment 9014220 [details] [diff] [review]: ----------------------------------------------------------------- This version of the patch generates a crash report instead of continuing on, which I think is fine. Thanks!
Attachment #9014220 - Flags: review?(mhowell) → review+
Pushed by VYV03354@nifty.ne.jp: https://hg.mozilla.org/integration/mozilla-inbound/rev/6af3691ec0d1 Make IsSameBinaryAsParentProcess more robust. r=mhowell
Keywords: leave-open
https://hg.mozilla.org/mozilla-central/rev/6af3691ec0d1
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
(In reply to Matt Howell [:mhowell] from comment #8) ------------------------------------------------------------ > > This version of the patch generates a crash report instead of continuing on, > which I think is fine. Thanks! We won't get a breakpad crash report, we'll get a WER report, because our crash reporter is not initialized in the launcher process. This is fine for now. We can follow up with more robust reporting in bug 1460433.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: