Closed Bug 1505834 Opened 6 years ago Closed 5 years ago

Crash in mozilla::net::nsHttpConnection::OnInputStreamReady

Categories

(Core :: Networking: HTTP, defect, P2)

Product:
Core
Component:
Networking: HTTP
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1451293
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 --- affected
firefox66 --- affected

People

(Reporter: calixte, Assigned: kershaw)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-wildptr, sec-high, Whiteboard: [necko-triaged])

Crash Data

This bug was filed from the Socorro interface and is
report bp-45c683d9-4dd0-4558-a691-e871c0181108.
=============================================================

Top 10 frames of crashing thread:

0 xul.dll mozilla::net::nsHttpConnection::OnInputStreamReady netwerk/protocol/http/nsHttpConnection.cpp:2422
1 xul.dll void mozilla::net::SpdyConnectTransaction::CreateShimError netwerk/protocol/http/TunnelUtils.cpp:1322
2 xul.dll nsresult mozilla::net::SpdyConnectTransaction::WriteDataToBuffer netwerk/protocol/http/TunnelUtils.cpp:1346
3 xul.dll mozilla::net::SpdyConnectTransaction::WriteSegments netwerk/protocol/http/TunnelUtils.cpp:1376
4 xul.dll mozilla::net::Http2Stream::WriteSegments netwerk/protocol/http/Http2Stream.cpp:319
5 xul.dll mozilla::net::Http2Session::WriteSegmentsAgain netwerk/protocol/http/Http2Session.cpp:3387
6 xul.dll mozilla::net::nsHttpConnection::OnInputStreamReady netwerk/protocol/http/nsHttpConnection.cpp:2422
7 xul.dll void mozilla::net::nsSocketInputStream::OnSocketReady netwerk/base/nsSocketTransport2.cpp:293
8 xul.dll mozilla::net::nsSocketTransport::OnSocketReady netwerk/base/nsSocketTransport2.cpp:2317
9 xul.dll mozilla::net::nsSocketTransportService::Run netwerk/base/nsSocketTransportService2.cpp:1040

=============================================================

There is 1 crash in nightly 65 with buildid 20181108100100. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1434137.

[1] https://hg.mozilla.org/mozilla-central/rev?node=31c304e56e00
Flags: needinfo?(hurley)
Hrm, this one is a bit trickier than the previous fallout crash from h2ws, but it does appear at first glance to be related to my refactoring for the websockets. Not sure yet how I changed the semantics of the code (since this isn't in websocket-related code, it's in code that should be the same as in previous versions, just a little refactored - obviously I messed that up somewhere along the line).

Taking a deeper look to see how I may have subtly changed expectations.
Flags: needinfo?(hurley)
So after taking a look at this pretty thoroughly yesterday, I'm no longer convinced that this is related to bug 1434137. I can't find any change in semantics for the code leading up to this point, plus this crash happens mid-method, on a line that calls another method on the same object: https://hg.mozilla.org/mozilla-central/annotate/b3da3f53f8042d6e2e8f90cd0086e354d96ba2fc/netwerk/protocol/http/nsHttpConnection.cpp#l2422. Very strange. This happens after other members of the object have already been accessed in that method, so it's possible that the object is being freed while the method is running. It wouldn't be the first time we've seen this kind of behaviour with nsHttpConnection (see https://bugzilla.mozilla.org/show_bug.cgi?id=1451293)

There are other crashes with the same signature (https://crash-stats.mozilla.com/report/index/784379b4-534c-4e9d-bb1f-c54d30181106 is an example) which happen on exactly the same line, but don't have the tunnel code on the stack.

However, I would like to get a second pair of eyes on this before claiming my code refactoring isn't at fault - it's certainly possible that I missed something by being too close to what's going on.

Honza, you were the one who commented in 1451293 about improper ref-counting of nsHttpTransaction, could you also take a look, and let me know if you see something I missed? Thanks.
Flags: needinfo?(honzab.moz)
(In reply to Nicholas Hurley [:nwgh][:hurley] (he/him) from comment #2)
> Honza, you were the one who commented in 1451293 about improper ref-counting
> of nsHttpTransaction

Whoops, that's supposed to be nsHttpConnection.
Note that these crashes go a LONG ways back (many in thunderbird), at least to 51 and probably 45 (view 6 months of crashes).  Also most of these have security signatures - wildptrs, exec of wildptrs.  Some (but not all) are marked as being from LOG() source lines, also OnSocketReady().

Not likely to be a recent rewrite unless that made this more frequent.
Group: core-security
Keywords: regressioncsectype-wildptr, sec-high
I won't get to this soon enough, but this should be taken care of with a P1 treatment.  We are currently a bit short of developers in the networking team.

Putting back to the triage pool.
Priority: -- → P1
Whiteboard: [necko-triaged]
Group: core-security → network-core-security

There is no assignee and no activity for 7 days?.
:selenamarie, should we change the priority to P2?

Flags: needinfo?(sdeckelmann)

Kershaw -- could you have a look here?

Flags: needinfo?(sdeckelmann) → needinfo?(kershaw)
Priority: P1 → P2
Assignee: nobody → kershaw
Flags: needinfo?(kershaw)

I've landed the patch in bug 1451293 which avoids accessing http connection from main thread directly.
Let's see if that patch can also fix this crash.

Flags: needinfo?(honzab.moz)

The last crash on Nightly is [1] which doesn't have the fix for bug 1451293. The frequency is low, so I'd let it bake longer.

Thanks Karshaw!

[1] https://crash-stats.mozilla.com/report/index/17aec7d3-fa9a-4009-ad63-a65a80190109

Can we recheck?

Flags: needinfo?(honzab.moz)

Confirming this crash is gone.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(honzab.moz)
Resolution: --- → DUPLICATE

Removing employee no longer with company from CC list of private bugs.

Group: network-core-security
You need to log in before you can comment on or make changes to this bug.