Closed Bug 1503201 Opened 11 months ago Closed 11 months ago

Crash in mozilla::net::nsHttpChannelAuthProvider::GetCredentialsForChallenge

Categories

(Core :: Networking, defect, critical)

Tracking

VERIFIED FIXED
mozilla65
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 blocking verified

People

(Reporter: calixte, Assigned: ehsan)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, Whiteboard: [necko-triaged])

Attachments

(1 file)

This bug was filed from the Socorro interface and is
report bp-6a28cd6e-b913-452a-ba28-372480181030.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll nsresult mozilla::net::nsHttpChannelAuthProvider::GetCredentialsForChallenge netwerk/protocol/http/nsHttpChannelAuthProvider.cpp:701
1 xul.dll nsresult mozilla::net::nsHttpChannelAuthProvider::GetCredentials netwerk/protocol/http/nsHttpChannelAuthProvider.cpp:612
2 xul.dll mozilla::net::nsHttpChannelAuthProvider::ProcessAuthentication netwerk/protocol/http/nsHttpChannelAuthProvider.cpp:194
3 xul.dll nsresult mozilla::net::nsHttpChannel::ContinueProcessResponse2 netwerk/protocol/http/nsHttpChannel.cpp:2667
4 xul.dll nsresult mozilla::net::nsHttpChannel::ContinueProcessResponse1 netwerk/protocol/http/nsHttpChannel.cpp:2540
5 xul.dll void mozilla::net::nsHttpChannel::AsyncContinueProcessResponse netwerk/protocol/http/nsHttpChannel.cpp:2448
6 xul.dll nsresult mozilla::detail::RunnableMethodImpl<mozilla::net::HttpChannelChild*, nsresult  xpcom/threads/nsThreadUtils.h:1242
7 xul.dll static void mozilla::net::nsHttpChannel::ResumeInternal::<unnamed-tag>::operator netwerk/protocol/http/nsHttpChannel.cpp:9223
8 xul.dll nsresult mozilla::detail::RunnableFunction<`lambda at z:/build/build/src/netwerk/protocol/http/nsHttpChannel.cpp:9222:21'>::Run xpcom/threads/nsThreadUtils.h:577
9 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1245

=============================================================

There are 427 crashes (from 145 installations) in nightly 65 with buildid 20181029230149. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1502774.

[1] https://hg.mozilla.org/mozilla-central/rev?node=32a581482291
Flags: needinfo?(ehsan)
Crash Signature: [@ mozilla::net::nsHttpChannelAuthProvider::GetCredentialsForChallenge] → [@ mozilla::net::nsHttpChannelAuthProvider::GetCredentialsForChallenge] [@ mozilla::net::nsHttpChannelAuthProvider::GetCredentials]
Duplicate of this bug: 1503186
Happens all the time with the latest build (on Linux) when trying to authenticate with Google (see bp-67ab93cf-413a-4680-a4e6-f95790181030).
ASAN is not very helpful.
OS: Windows 7 → All
Hardware: Unspecified → All
I can't reproduce this with Nightly ASan on Fedora 28 but a clean profile on Windows 10 crashes every time I visit https://www.chromium.org/developers/testing/addresssanitizer with this stack:

==2880==ERROR: AddressSanitizer: access-violation on unknown address 0x000000000000 (pc 0x7ffd5f179931 bp 0x00bd045fcab0 sp 0x00bd045fc5c0 T0)
==2880==The signal is caused by a READ memory access.
==2880==Hint: address points to the zero page.
    #0 0x7ffd5f179930 in mozilla::net::nsHttpChannelAuthProvider::GetCredentialsForChallenge(char const *,char const *,bool,class nsIHttpAuthenticator *,class nsTString<char> &) z:\build\build\src\netwerk\protocol\http\nsHttpChannelAuthProvider.cpp:701
    #1 0x7ffd5f172ea8 in mozilla::net::nsHttpChannelAuthProvider::GetCredentials(char const *,bool,class nsTString<char> &) z:\build\build\src\netwerk\protocol\http\nsHttpChannelAuthProvider.cpp:612
    #2 0x7ffd5f17170f in mozilla::net::nsHttpChannelAuthProvider::ProcessAuthentication(unsigned int,bool) z:\build\build\src\netwerk\protocol\http\nsHttpChannelAuthProvider.cpp:194
    #3 0x7ffd5f343755 in mozilla::net::nsHttpChannel::ContinueProcessResponse2(enum nsresult) z:\build\build\src\netwerk\protocol\http\nsHttpChannel.cpp:2667
    #4 0x7ffd5f34253f in mozilla::net::nsHttpChannel::ContinueProcessResponse1(void) z:\build\build\src\netwerk\protocol\http\nsHttpChannel.cpp:2540
    #5 0x7ffd5f341b00 in mozilla::net::nsHttpChannel::ProcessResponse(void) z:\build\build\src\netwerk\protocol\http\nsHttpChannel.cpp:2441
    #6 0x7ffd5f380a61 in mozilla::net::nsHttpChannel::OnStartRequest(class nsIRequest *,class nsISupports *) z:\build\build\src\netwerk\protocol\http\nsHttpChannel.cpp:7395
    #7 0x7ffd5e921dda in nsInputStreamPump::OnStateStart(void) z:\build\build\src\netwerk\base\nsInputStreamPump.cpp:524
    #8 0x7ffd5e92129a in nsInputStreamPump::OnInputStreamReady(class nsIAsyncInputStream *) z:\build\build\src\netwerk\base\nsInputStreamPump.cpp:429
    #9 0x7ffd5e654a4f in nsInputStreamReadyEvent::Run(void) z:\build\build\src\xpcom\io\nsStreamUtils.cpp:102
    #10 0x7ffd5e6c810a in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1245
    #11 0x7ffd5e6d0958 in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:530
    #12 0x7ffd5f758436 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\glue\MessagePump.cpp:125
    #13 0x7ffd5f6be2ae in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
    #14 0x7ffd5f6be036 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:298
    #15 0x7ffd6857313a in nsBaseAppShell::Run(void) z:\build\build\src\widget\nsBaseAppShell.cpp:158
    #16 0x7ffd687011b7 in nsAppShell::Run(void) z:\build\build\src\widget\windows\nsAppShell.cpp:420
    #17 0x7ffd6c6920ce in nsAppStartup::Run(void) z:\build\build\src\toolkit\components\startup\nsAppStartup.cpp:290
    #18 0x7ffd6c934cb7 in XREMain::XRE_mainRun(void) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4777
    #19 0x7ffd6c93944e in XREMain::XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4922
    #20 0x7ffd6c93b89e in XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:5014
    #21 0x7ff6e2391ceb  (C:\Program Files\Firefox Nightly\firefox.exe+0x140001ceb)
    #22 0x7ff6e23914a1  (C:\Program Files\Firefox Nightly\firefox.exe+0x1400014a1)
    #23 0x7ff6e239ebdb  (C:\Program Files\Firefox Nightly\firefox.exe+0x14000ebdb)
    #24 0x7ffda95c3033  (C:\Windows\System32\KERNEL32.DLL+0x180013033)
    #25 0x7ffdaa8d1460  (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: access-violation z:\build\build\src\netwerk\protocol\http\nsHttpChannelAuthProvider.cpp:701 in mozilla::net::nsHttpChannelAuthProvider::GetCredentialsForChallenge(char const *,char const *,bool,class nsIHttpAuthenticator *,class nsTString<char> &)
==2880==ABORTING
¡Hola!

Yup! Firefox Nightly is crash-happy here too.

Here are my crashes from today FWIW:

bp-fb941280-a0cd-4b20-a80c-be67a0181030 	30/10/2018 10:23 a. m. 	
bp-65dfcd9a-61ea-415c-b5fe-0d97b0181030 	30/10/2018 10:13 a. m. 	
bp-9dc26bef-7b74-4dbb-a30d-ec03f0181030 	30/10/2018 10:09 a. m. 	
bp-509b9dbe-980b-48c9-816c-9844b0181030 	30/10/2018 09:04 a. m. 	
bp-f71f6c17-fa16-45d1-80e2-b54050181030 	30/10/2018 09:04 a. m. 	

Hope a fix is promptly made available.

¡Gracias!
Alex
¡Hola!

FWIW https://support.cloudflare.com/hc/en-us/articles/200170216 instacrashes today's Nightly for me.

¡Gracias!
Alex
Bisected:

2018-10-30T19:42:32: DEBUG : Using url: https://hg.mozilla.org/integration/autoland/json-pushes?changeset=6b821f5b12ae5c9520a0d1da2575094b5a532899&full=1
2018-10-30T19:42:33: DEBUG : Found commit message:
Bug 1502774 - Part 3: Remove nsAuthModule r=valentin

Depends on D10026

Differential Revision: https://phabricator.services.mozilla.com/D10027

2018-10-30T19:42:33: INFO : The bisection is done.
This was fixed by backout. Nightlies with buildid 201810302200 or newer should have the fix.

https://hg.mozilla.org/mozilla-central/rev/c2b537178ae9cb4ee0c8afbc1504f97159a7aed5
Assignee: nobody → ehsan
Status: NEW → RESOLVED
Closed: 11 months ago
Flags: needinfo?(ehsan)
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Reopening so that I can add a crash test for this.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [necko-triaged]
Pushed by eakhgari@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1ff1e5e3c60a
Add a crash test for fetching a subresource served with an invalid authentication realm r=valentin
https://hg.mozilla.org/mozilla-central/rev/1ff1e5e3c60a
Status: REOPENED → RESOLVED
Closed: 11 months ago → 11 months ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Flags: in-testsuite+