Closed
Bug 1498510
Opened 6 years ago
Closed 6 years ago
Crash in arena_t::DallocSmall | BaseAllocator::free | je_free | mozilla::dom::WorkerCSPEventListener::Release
Categories
(Core :: DOM: Security, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla65
Tracking | Status | |
---|---|---|
firefox-esr60 | --- | unaffected |
firefox62 | --- | unaffected |
firefox63 | + | fixed |
firefox64 | + | fixed |
firefox65 | + | fixed |
People
(Reporter: calixte, Assigned: baku)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, Whiteboard: [domsecurity-active])
Crash Data
Attachments
(2 files, 1 obsolete file)
69.30 KB,
patch
|
ckerschb
:
review+
RyanVM
:
approval-mozilla-beta+
pascalc
:
approval-mozilla-release+
|
Details | Diff | Splinter Review |
67.74 KB,
patch
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is
report bp-2ef1eaf2-e2a1-4230-b37c-10a7a0181011.
=============================================================
Top 10 frames of crashing thread:
0 mozglue.dll arena_t::DallocSmall memory/build/mozjemalloc.cpp:3450
1 mozglue.dll BaseAllocator::free memory/build/mozjemalloc.cpp:4264
2 mozglue.dll je_free memory/build/malloc_decls.h:40
3 xul.dll mozilla::dom::WorkerCSPEventListener::Release dom/workers/WorkerCSPEventListener.cpp:51
4 xul.dll mozilla::net::InterceptedHttpChannel::SetReleaseHandle netwerk/protocol/http/InterceptedHttpChannel.cpp:1036
5 xul.dll bool mozilla::dom::WorkerPrivate::EnsureCSPEventListener dom/workers/WorkerPrivate.cpp:3456
6 xul.dll ?WorkerRun@CompileScriptRunnable@?A0x30C6BC27@dom@mozilla@@EEAA_NPEAUJSContext@@PEAVWorkerPrivate@23@@Z$c9819905468e1c5f2eb55f63ab0ae971 dom/workers/WorkerPrivate.cpp:361
7 xul.dll mozilla::dom::WorkerRunnable::Run dom/workers/WorkerRunnable.cpp:380
8 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1161
9 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:519
=============================================================
There are 7 crashes (from 7 installations) in 63.0b13 with buildid 20181008155858. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1493629.
[1] https://hg.mozilla.org/releases/mozilla-beta/rev?node=be85aa71510b
Flags: needinfo?(amarchesini)
Reporter | ||
Updated•6 years ago
|
Crash Signature: [@ arena_t::DallocSmall | BaseAllocator::free | je_free | mozilla::dom::WorkerCSPEventListener::Release] → [@ arena_t::DallocSmall | BaseAllocator::free | je_free | mozilla::dom::WorkerCSPEventListener::Release]
[@ arena_t::DallocSmall | ?arena_dalloc@@YAXPEAX_KPEAUarena_t@@@Z.llvm.7638920929817888580]
Updated•6 years ago
|
tracking-firefox63:
--- → +
Updated•6 years ago
|
Group: core-security-release → dom-core-security
status-firefox64:
--- → affected
status-firefox-esr60:
--- → unaffected
tracking-firefox64:
--- → +
Comment 1•6 years ago
|
||
Hey :baku, I am assigning this one to you since this is going to hit release soon. Worst case we have to pref it off. Could you please take a look?
Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
Priority: -- → P1
Updated•6 years ago
|
Whiteboard: [domsecurity-active]
Assignee | ||
Comment 2•6 years ago
|
||
I've already started working on it. I hope to have a quick solution soon.
Comment 3•6 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #1)
> Worst case we have to pref it off.
Pref what off?
Assignee | ||
Comment 4•6 years ago
|
||
This is not a small patch. Just because CSP objects are reused by nested workers, I need to have a different way to pass nsICSPEventListener from WorkerPrivate to the necko world and, from there, to the CSP violation code.
This code will be removed when CSP will be moved/changed to clientInfo.
Flags: needinfo?(amarchesini)
Attachment #9018805 -
Flags: review?(ckerschb)
Comment 5•6 years ago
|
||
Comment on attachment 9018805 [details] [diff] [review]
csp2.patch
Review of attachment 9018805 [details] [diff] [review]:
-----------------------------------------------------------------
As discussed on slack it probably makes sense to move the CSPEventListener into the client instead of the loadInfo which will make the patch way smaller. Additionally ClientInfo will be a better fit because it's propagated correctly through all the API layers (e.g. fetch). I haven't seen anything else that I wouldn't accept. Thanks for fixing!
Attachment #9018805 -
Flags: review?(ckerschb)
Assignee | ||
Comment 6•6 years ago
|
||
Comment on attachment 9018805 [details] [diff] [review]
csp2.patch
Here the comment improved as discussed on slack:
+ * The object in charged to receive CSP violation events. It can be null.
+ * This attribute will be merged into the CSP object eventually.
+ * See bug 1500908.
+ */
+ attribute nsICSPEventListener cspEventListener;
Attachment #9018805 -
Flags: review?(ckerschb)
Comment 7•6 years ago
|
||
Comment on attachment 9018805 [details] [diff] [review]
csp2.patch
Review of attachment 9018805 [details] [diff] [review]:
-----------------------------------------------------------------
Baku, I would prefer if we would not touch the LoadInfo constructor and also not change the NS_NewChannel* helpers. Can't we just use the getter/setter on the loadinfo to propagate the listener where needed?
Attachment #9018805 -
Flags: review?(ckerschb)
Assignee | ||
Comment 8•6 years ago
|
||
Attachment #9018805 -
Attachment is obsolete: true
Attachment #9019042 -
Flags: review?(ckerschb)
Comment 9•6 years ago
|
||
Comment on attachment 9019042 [details] [diff] [review]
csp3.patch
Review of attachment 9019042 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks baku for incorporating my suggestion.
Attachment #9019042 -
Flags: review?(ckerschb) → review+
![]() |
||
Comment 10•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/29f0a8f38d05b8d0d7ad63aebe715590f9813e02
https://hg.mozilla.org/mozilla-central/rev/29f0a8f38d05
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Comment 12•6 years ago
|
||
Given that we only ever saw crash reports for this bug from Beta users, I think we should proceed with a Beta uplift request soonish?
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 13•6 years ago
|
||
Comment on attachment 9019042 [details] [diff] [review]
csp3.patch
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: Bug 1472927
User impact if declined: A crash can occur
Is this code covered by automated tests?: No
Has the fix been verified in Nightly?: No
Needs manual test from QE?: No
If yes, steps to reproduce: race condition
List of other uplifts needed: None
Risk to taking this patch: Medium
Why is the change risky/not risky? (and alternatives if risky): This patch moves nsICSPEventListener out of CSP object. The patch is not trivial, but it's big. medium complexity seems the right choice.
String changes made/needed: none
Flags: needinfo?(amarchesini)
Attachment #9019042 -
Flags: approval-mozilla-beta?
Comment 14•6 years ago
|
||
Comment on attachment 9019042 [details] [diff] [review]
csp3.patch
It's a bit scary, but it's also a crash we don't want in 64 and may want to keep on the 63 dot release radar too. Approved for 64.0b4 so we can get feedback ASAP on the impact it has.
Attachment #9019042 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 15•6 years ago
|
||
uplift |
tracking-firefox65:
--- → +
Comment 16•6 years ago
|
||
Looks like this patch was effective based on the results from 64.0b4 and 64.0b5. Crash volume on release is significant enough that I think we should get this nominated for release approval as a possible ride-along for the next dot release.
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 17•6 years ago
|
||
Comment on attachment 9019042 [details] [diff] [review]
csp3.patch
[Beta/Release Uplift Approval Request]
Feature/Bug causing the regression: Bug 1472927
User impact if declined: A crash can be triggered by nested workers
Is this code covered by automated tests?: No
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Stable on beta
String changes made/needed: none
Flags: needinfo?(amarchesini)
Attachment #9019042 -
Flags: approval-mozilla-release?
Comment 18•6 years ago
|
||
Comment on attachment 9019042 [details] [diff] [review]
csp3.patch
Crash fix that was effective on beta, approved for 63.0.3, thanks.
Attachment #9019042 -
Flags: approval-mozilla-release? → approval-mozilla-release+
Comment 19•6 years ago
|
||
This needs a rebased patch for m-r. And it looks like at least dom/base/nsJSTimeoutHandler.cpp also needs some changes along the same lines.
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 20•6 years ago
|
||
Flags: needinfo?(amarchesini)
Comment 21•6 years ago
|
||
Aryx, could you land the updated patch to mozilla-release? Thanks
Flags: needinfo?(aryx.bugmail)
![]() |
||
Comment 22•6 years ago
|
||
uplift |
Flags: needinfo?(aryx.bugmail)
Updated•6 years ago
|
Flags: qe-verify-
Comment 23•6 years ago
|
||
Just ran into this code for something not really related. This hunk - https://hg.mozilla.org/mozilla-central/rev/29f0a8f38d05#l15.73 - looks wrong. CSPService::AsyncOnChannelRedirect
now looks like:
nsCOMPtr<nsILoadInfo> loadInfo = oldChannel->GetLoadInfo();
nsCOMPtr<nsICSPEventListener> cspEventListener;
rv = loadInfo->GetCspEventListener(getter_AddRefs(cspEventListener));
NS_ENSURE_SUCCESS(rv, rv);
// if no loadInfo on the channel, nothing for us to do
if (!loadInfo) {
return NS_OK;
}
(The middle block was added in this bug.)
Either the nullcheck should be removed or it needs to move above the use of loadInfo
to avoid crashes. Are there warnings we can enable as errors for this type of thing? Am I misreading something?
Flags: needinfo?(amarchesini)
Assignee | ||
Comment 24•6 years ago
|
||
I filed bug 1518948 to fix this issue.
Flags: needinfo?(amarchesini)
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•