Intermittent AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TypedEnumBits.h:79:1 in operator&<mozilla::detail::StringDataFlags>
Categories
(Core :: Networking: HTTP, defect, P1)
Tracking
()
People
(Reporter: apavel, Assigned: michal)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [necko-triaged][post-critsmash-triage][adv-main68+][adv-esr60.8+])
Attachments
(2 files)
|
47 bytes,
text/x-phabricator-request
|
ritu
:
approval-mozilla-beta+
abillings
:
sec-approval+
|
Details | Review |
|
15.62 KB,
patch
|
ritu
:
approval-mozilla-esr60+
|
Details | Diff | Splinter Review |
Treeherder link: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=ba5045bb007241381ffecfbdaf40496afececeea&selectedJob=242860878
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=242860878&repo=autoland&lineNumber=2483
[task 2019-04-26T12:42:36.323Z] 12:42:36 INFO - PID 11575 | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TypedEnumBits.h:79:1 in operator&<mozilla::detail::StringDataFlags>
[task 2019-04-26T12:42:36.324Z] 12:42:36 INFO - PID 11575 | Shadow bytes around the buggy address:
[task 2019-04-26T12:42:36.324Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-04-26T12:42:36.325Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc430: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
[task 2019-04-26T12:42:36.325Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
[task 2019-04-26T12:42:36.326Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-04-26T12:42:36.326Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-04-26T12:42:36.327Z] 12:42:36 INFO - PID 11575 | =>0x0c287fffc470: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fa
[task 2019-04-26T12:42:36.327Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc480: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
[task 2019-04-26T12:42:36.328Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-04-26T12:42:36.328Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-04-26T12:42:36.328Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc4b0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
[task 2019-04-26T12:42:36.329Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc4c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
[task 2019-04-26T12:42:36.329Z] 12:42:36 INFO - PID 11575 | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2019-04-26T12:42:36.330Z] 12:42:36 INFO - PID 11575 | Addressable: 00
[task 2019-04-26T12:42:36.330Z] 12:42:36 INFO - PID 11575 | Partially addressable: 01 02 03 04 05 06 07
[task 2019-04-26T12:42:36.331Z] 12:42:36 INFO - PID 11575 | Heap left redzone: fa
[task 2019-04-26T12:42:36.331Z] 12:42:36 INFO - PID 11575 | Freed heap region: fd
[task 2019-04-26T12:42:36.332Z] 12:42:36 INFO - PID 11575 | Stack left redzone: f1
[task 2019-04-26T12:42:36.332Z] 12:42:36 INFO - PID 11575 | Stack mid redzone: f2
[task 2019-04-26T12:42:36.333Z] 12:42:36 INFO - PID 11575 | Stack right redzone: f3
[task 2019-04-26T12:42:36.333Z] 12:42:36 INFO - PID 11575 | Stack after return: f5
[task 2019-04-26T12:42:36.334Z] 12:42:36 INFO - PID 11575 | Stack use after scope: f8
[task 2019-04-26T12:42:36.334Z] 12:42:36 INFO - PID 11575 | Global redzone: f9
[task 2019-04-26T12:42:36.335Z] 12:42:36 INFO - PID 11575 | Global init order: f6
[task 2019-04-26T12:42:36.335Z] 12:42:36 INFO - PID 11575 | Poisoned by user: f7
[task 2019-04-26T12:42:36.335Z] 12:42:36 INFO - PID 11575 | Container overflow: fc
[task 2019-04-26T12:42:36.336Z] 12:42:36 INFO - PID 11575 | Array cookie: ac
[task 2019-04-26T12:42:36.336Z] 12:42:36 INFO - PID 11575 | Intra object redzone: bb
[task 2019-04-26T12:42:36.337Z] 12:42:36 INFO - PID 11575 | ASan internal: fe
[task 2019-04-26T12:42:36.337Z] 12:42:36 INFO - PID 11575 | Left alloca redzone: ca
[task 2019-04-26T12:42:36.338Z] 12:42:36 INFO - PID 11575 | Right alloca redzone: cb
[task 2019-04-26T12:42:36.340Z] 12:42:36 INFO - PID 11575 | Shadow gap: cc
[task 2019-04-26T12:42:36.340Z] 12:42:36 INFO - PID 11575 | ==11575==ABORTING
[task 2019-04-26T12:42:36.341Z] 12:42:36 INFO - <<<<<<<
|
||
Comment 1•5 years ago
•
|
||
[task 2019-04-26T12:42:34.344Z] 12:42:34 INFO - TEST-START | netwerk/test/unit/test_esni_dns_fetch.js
[task 2019-04-26T12:42:36.188Z] 12:42:36 WARNING - TEST-UNEXPECTED-FAIL | netwerk/test/unit/test_esni_dns_fetch.js | xpcshell return code: 1
[task 2019-04-26T12:42:36.190Z] 12:42:36 INFO - TEST-INFO took 1871ms
[task 2019-04-26T12:42:36.191Z] 12:42:36 INFO - >>>>>>>
[task 2019-04-26T12:42:36.191Z] 12:42:36 INFO - (xpcshell/head.js) | test MAIN run_test pending (1)
[task 2019-04-26T12:42:36.191Z] 12:42:36 INFO - TEST-PASS | netwerk/test/unit/test_esni_dns_fetch.js | run_test - [run_test : 16] "43244" != null
[task 2019-04-26T12:42:36.192Z] 12:42:36 INFO - TEST-PASS | netwerk/test/unit/test_esni_dns_fetch.js | run_test - [run_test : 17] "43244" != ""
[task 2019-04-26T12:42:36.192Z] 12:42:36 INFO - (xpcshell/head.js) | test pending (2)
[task 2019-04-26T12:42:36.192Z] 12:42:36 INFO - PID 11575 | starting test 0
[task 2019-04-26T12:42:36.193Z] 12:42:36 INFO - (xpcshell/head.js) | test pending (3)
[task 2019-04-26T12:42:36.193Z] 12:42:36 INFO - (xpcshell/head.js) | test MAIN run_test finished (3)
[task 2019-04-26T12:42:36.193Z] 12:42:36 INFO - running event loop
[task 2019-04-26T12:42:36.193Z] 12:42:36 INFO - "CONSOLE_MESSAGE: (info) No chrome package registered for chrome://branding/locale/brand.properties"
[task 2019-04-26T12:42:36.195Z] 12:42:36 INFO - TEST-PASS | netwerk/test/unit/test_esni_dns_fetch.js | onLookupByTypeComplete - [onLookupByTypeComplete : 73] true == true
[task 2019-04-26T12:42:36.195Z] 12:42:36 INFO - TEST-PASS | netwerk/test/unit/test_esni_dns_fetch.js | onLookupByTypeComplete - [onLookupByTypeComplete : 75] "bXkgdm9pY2UgaXMgbXkgcGFzc3dvcmQ=" == "bXkgdm9pY2UgaXMgbXkgcGFzc3dvcmQ="
[task 2019-04-26T12:42:36.196Z] 12:42:36 INFO - (xpcshell/head.js) | test finished (2)
[task 2019-04-26T12:42:36.196Z] 12:42:36 INFO - PID 11575 | starting test 1
[task 2019-04-26T12:42:36.197Z] 12:42:36 INFO - (xpcshell/head.js) | test pending (2)
[task 2019-04-26T12:42:36.199Z] 12:42:36 INFO - TEST-PASS | netwerk/test/unit/test_esni_dns_fetch.js | onLookupComplete - [onLookupComplete : 93] true == true
[task 2019-04-26T12:42:36.199Z] 12:42:36 INFO - TEST-PASS | netwerk/test/unit/test_esni_dns_fetch.js | onLookupComplete - [onLookupComplete : 95] "127.0.0.1" == "127.0.0.1"
[task 2019-04-26T12:42:36.200Z] 12:42:36 INFO - (xpcshell/head.js) | test finished (2)
[task 2019-04-26T12:42:36.201Z] 12:42:36 INFO - PID 11575 | starting test 2
[task 2019-04-26T12:42:36.201Z] 12:42:36 INFO - (xpcshell/head.js) | test pending (2)
[task 2019-04-26T12:42:36.202Z] 12:42:36 INFO - TEST-PASS | netwerk/test/unit/test_esni_dns_fetch.js | onLookupByTypeComplete - [onLookupByTypeComplete : 73] true == true
[task 2019-04-26T12:42:36.206Z] 12:42:36 INFO - TEST-PASS | netwerk/test/unit/test_esni_dns_fetch.js | onLookupByTypeComplete - [onLookupByTypeComplete : 75] "bXkgdm9pY2UgaXMgbXkgcGFzc3dvcmQ=" == "bXkgdm9pY2UgaXMgbXkgcGFzc3dvcmQ="
[task 2019-04-26T12:42:36.206Z] 12:42:36 INFO - (xpcshell/head.js) | test finished (2)
[task 2019-04-26T12:42:36.207Z] 12:42:36 INFO - PID 11575 | starting test 3
[task 2019-04-26T12:42:36.207Z] 12:42:36 INFO - (xpcshell/head.js) | test pending (2)
[task 2019-04-26T12:42:36.208Z] 12:42:36 INFO - (xpcshell/head.js) | test finished (2)
[task 2019-04-26T12:42:36.208Z] 12:42:36 INFO - (xpcshell/head.js) | test finished (1)
[task 2019-04-26T12:42:36.209Z] 12:42:36 INFO - exiting test
[task 2019-04-26T12:42:36.209Z] 12:42:36 INFO - PID 11575 | =================================================================
[task 2019-04-26T12:42:36.210Z] 12:42:36 ERROR - PID 11575 | ==11575==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140000223ec at pc 0x7fdf44b05775 bp 0x7ffe512576e0 sp 0x7ffe512576d8
[task 2019-04-26T12:42:36.210Z] 12:42:36 INFO - PID 11575 | READ of size 2 at 0x6140000223ec thread T0
[task 2019-04-26T12:42:36.211Z] 12:42:36 INFO - PID 11575 | #0 0x7fdf44b05774 in operator&<mozilla::detail::StringDataFlags> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TypedEnumBits.h:79:1
[task 2019-04-26T12:42:36.211Z] 12:42:36 INFO - PID 11575 | #1 0x7fdf44b05774 in nsTSubstring<char>::EnsureMutable(unsigned int) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:344
[task 2019-04-26T12:42:36.212Z] 12:42:36 INFO - PID 11575 | #2 0x7fdf459c9812 in BeginWriting /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:352:10
[task 2019-04-26T12:42:36.216Z] 12:42:36 INFO - PID 11575 | #3 0x7fdf459c9812 in mozilla::net::nsHttpChannel::OnPush(nsTSubstring<char> const&, mozilla::net::Http2PushedStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpChannel.cpp:9343
[task 2019-04-26T12:42:36.217Z] 12:42:36 INFO - PID 11575 | #4 0x7fdf4583554e in mozilla::net::CallChannelOnPush::Run() /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Push.cpp:40:20
[task 2019-04-26T12:42:36.218Z] 12:42:36 INFO - PID 11575 | #5 0x7fdf44d45a61 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
[task 2019-04-26T12:42:36.220Z] 12:42:36 INFO - PID 11575 | #6 0x7fdf44d4bb78 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
[task 2019-04-26T12:42:36.221Z] 12:42:36 INFO - PID 11575 | #7 0x7fdf459f438d in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnectionMgr.cpp:241:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
[task 2019-04-26T12:42:36.222Z] 12:42:36 INFO - PID 11575 | #8 0x7fdf459f438d in mozilla::net::nsHttpConnectionMgr::Shutdown() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnectionMgr.cpp:241
[task 2019-04-26T12:42:36.223Z] 12:42:36 INFO - PID 11575 | #9 0x7fdf457ac3b7 in ShutdownConnectionManager /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpHandler.cpp:2672:29
[task 2019-04-26T12:42:36.225Z] 12:42:36 INFO - PID 11575 | #10 0x7fdf457ac3b7 in mozilla::net::nsHttpHandler::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpHandler.cpp:2207
[task 2019-04-26T12:42:36.226Z] 12:42:36 INFO - PID 11575 | #11 0x7fdf457ad94c in non-virtual thunk to mozilla::net::nsHttpHandler::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpHandler.cpp
[task 2019-04-26T12:42:36.227Z] 12:42:36 INFO - PID 11575 | #12 0x7fdf44bfca31 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverList.cpp:66:19
[task 2019-04-26T12:42:36.228Z] 12:42:36 INFO - PID 11575 | #13 0x7fdf44c026ad in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverService.cpp:295:19
[task 2019-04-26T12:42:36.229Z] 12:42:36 INFO - PID 11575 | #14 0x7fdf44d70ba1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
[task 2019-04-26T12:42:36.230Z] 12:42:36 INFO - PID 11575 | #15 0x7fdf468ddd0f in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1624:10
[task 2019-04-26T12:42:36.230Z] 12:42:36 INFO - PID 11575 | #16 0x7fdf468ddd0f in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1171
[task 2019-04-26T12:42:36.231Z] 12:42:36 INFO - PID 11575 | #17 0x7fdf468ddd0f in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1137
[task 2019-04-26T12:42:36.232Z] 12:42:36 INFO - PID 11575 | #18 0x7fdf468e3e1d in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:943:10
[task 2019-04-26T12:42:36.232Z] 12:42:36 INFO - PID 11575 | #19 0x7fdf51066c50 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:443:13
[task 2019-04-26T12:42:36.233Z] 12:42:36 INFO - PID 11575 | #20 0x7fdf51066c50 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
[task 2019-04-26T12:42:36.233Z] 12:42:36 INFO - PID 11575 | #21 0x7fdf5225109a in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:3896:10
[task 2019-04-26T12:42:36.234Z] 12:42:36 INFO - PID 11575 | #22 0x7fdeb26d68f7 (<unknown module>)
[task 2019-04-26T12:42:36.237Z] 12:42:36 INFO - PID 11575 | 0x6140000223ec is located 428 bytes inside of 440-byte region [0x614000022240,0x6140000223f8)
[task 2019-04-26T12:42:36.239Z] 12:42:36 INFO - PID 11575 | freed by thread T7 (Socket Thread) here:
[task 2019-04-26T12:42:36.243Z] 12:42:36 INFO - PID 11575 | #0 0x55ed1d979102 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
[task 2019-04-26T12:42:36.244Z] 12:42:36 INFO - PID 11575 | #1 0x7fdf44bd873d in operator() /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:304:7
[task 2019-04-26T12:42:36.245Z] 12:42:36 INFO - PID 11575 | #2 0x7fdf44bd873d in ForEachSlot<(lambda at /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:302:51)> /builds/worker/workspace/build/src/obj-firefox/dist/include/PLDHashTable.h:359
[task 2019-04-26T12:42:36.246Z] 12:42:36 INFO - PID 11575 | #3 0x7fdf44bd873d in ForEachSlot<(lambda at /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:302:51)> /builds/worker/workspace/build/src/obj-firefox/dist/include/PLDHashTable.h:349
[task 2019-04-26T12:42:36.248Z] 12:42:36 INFO - PID 11575 | #4 0x7fdf44bd873d in ~PLDHashTable /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:302
[task 2019-04-26T12:42:36.249Z] 12:42:36 INFO - PID 11575 | #5 0x7fdf44bd873d in ClearAndPrepareForLength /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:318
[task 2019-04-26T12:42:36.256Z] 12:42:36 INFO - PID 11575 | #6 0x7fdf44bd873d in PLDHashTable::Clear() /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:322
[task 2019-04-26T12:42:36.257Z] 12:42:36 INFO - PID 11575 | #7 0x7fdf457f207b in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:261:25
[task 2019-04-26T12:42:36.258Z] 12:42:36 INFO - PID 11575 | #8 0x7fdf457f207b in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/nsBaseHashtable.h:387
[task 2019-04-26T12:42:36.258Z] 12:42:36 INFO - PID 11575 | #9 0x7fdf457f207b in mozilla::net::Http2Session::Close(nsresult) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:3836
[task 2019-04-26T12:42:36.259Z] 12:42:36 INFO - PID 11575 | #10 0x7fdf459df1da in mozilla::net::nsHttpConnection::CloseTransaction(mozilla::net::nsAHttpTransaction*, nsresult, bool) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:1817:19
[task 2019-04-26T12:42:36.260Z] 12:42:36 INFO - PID 11575 | #11 0x7fdf45a1c3b6 in mozilla::net::nsHttpConnectionMgr::AbortAndCloseAllConnections(int, mozilla::net::ARefBase*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnectionMgr.cpp:2241:13
[task 2019-04-26T12:42:36.261Z] 12:42:36 INFO - PID 11575 | #12 0x7fdf459f4c7e in mozilla::net::nsHttpConnectionMgr::OnMsgShutdown(int, mozilla::net::ARefBase*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnectionMgr.cpp:2295:3
[task 2019-04-26T12:42:36.262Z] 12:42:36 INFO - PID 11575 | #13 0x7fdf45a5ea22 in operator()<int &, RefPtr<mozilla::net::ARefBase> &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:312:14
[task 2019-04-26T12:42:36.268Z] 12:42:36 INFO - PID 11575 | #14 0x7fdf45a5ea22 in mozilla::net::ConnEvent::Run() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnectionMgr.cpp:257
[task 2019-04-26T12:42:36.269Z] 12:42:36 INFO - PID 11575 | #15 0x7fdf44d45a61 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
[task 2019-04-26T12:42:36.269Z] 12:42:36 INFO - PID 11575 | #16 0x7fdf44d4bb78 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
[task 2019-04-26T12:42:36.270Z] 12:42:36 INFO - PID 11575 | #17 0x7fdf44ff5c84 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:1013:11
[task 2019-04-26T12:42:36.271Z] 12:42:36 INFO - PID 11575 | #18 0x7fdf44ff7f2c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
[task 2019-04-26T12:42:36.272Z] 12:42:36 INFO - PID 11575 | #19 0x7fdf44d45a61 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
[task 2019-04-26T12:42:36.273Z] 12:42:36 INFO - PID 11575 | #20 0x7fdf44d4bb78 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
[task 2019-04-26T12:42:36.273Z] 12:42:36 INFO - PID 11575 | #21 0x7fdf45d95eea in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
[task 2019-04-26T12:42:36.274Z] 12:42:36 INFO - PID 11575 | #22 0x7fdf45cc51e2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
[task 2019-04-26T12:42:36.275Z] 12:42:36 INFO - PID 11575 | #23 0x7fdf45cc51e2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
[task 2019-04-26T12:42:36.276Z] 12:42:36 INFO - PID 11575 | #24 0x7fdf45cc51e2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
[task 2019-04-26T12:42:36.277Z] 12:42:36 INFO - PID 11575 | #25 0x7fdf44d3f9ba in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:454:11
[task 2019-04-26T12:42:36.278Z] 12:42:36 INFO - PID 11575 | #26 0x7fdf5828705d in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
[task 2019-04-26T12:42:36.279Z] 12:42:36 INFO - PID 11575 | #27 0x7fdf57e996b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
[task 2019-04-26T12:42:36.280Z] 12:42:36 INFO - PID 11575 | previously allocated by thread T7 (Socket Thread) here:
[task 2019-04-26T12:42:36.280Z] 12:42:36 INFO - PID 11575 | #0 0x55ed1d979483 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
[task 2019-04-26T12:42:36.281Z] 12:42:36 INFO - PID 11575 | #1 0x55ed1d9abf1d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:68:15
[task 2019-04-26T12:42:36.282Z] 12:42:36 INFO - PID 11575 | #2 0x7fdf45804715 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
[task 2019-04-26T12:42:36.283Z] 12:42:36 INFO - PID 11575 | #3 0x7fdf45804715 in mozilla::net::Http2Session::RecvPushPromise(mozilla::net::Http2Session*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:1913
[task 2019-04-26T12:42:36.284Z] 12:42:36 INFO - PID 11575 | #4 0x7fdf4581a0c0 in mozilla::net::Http2Session::WriteSegmentsAgain(mozilla::net::nsAHttpSegmentWriter*, unsigned int, unsigned int*, bool*) /builds/worker/workspace/build/src/netwerk/protocol/http/Http2Session.cpp:3556:10
[task 2019-04-26T12:42:36.285Z] 12:42:36 INFO - PID 11575 | #5 0x7fdf459ea262 in mozilla::net::nsHttpConnection::OnSocketReadable() /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2101:24
[task 2019-04-26T12:42:36.286Z] 12:42:36 INFO - PID 11575 | #6 0x7fdf459ed1a7 in mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp:2444:17
[task 2019-04-26T12:42:36.287Z] 12:42:36 INFO - PID 11575 | #7 0x7fdf459ed97c in non-virtual thunk to mozilla::net::nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/protocol/http/nsHttpConnection.cpp
[task 2019-04-26T12:42:36.288Z] 12:42:36 INFO - PID 11575 | #8 0x7fdf44fd6463 in mozilla::net::nsSocketInputStream::OnSocketReady(nsresult) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:282:27
[task 2019-04-26T12:42:36.289Z] 12:42:36 INFO - PID 11575 | #9 0x7fdf44fe6593 in mozilla::net::nsSocketTransport::OnSocketReady(PRFileDesc*, short) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransport2.cpp:2202:14
[task 2019-04-26T12:42:36.289Z] 12:42:36 INFO - PID 11575 | #10 0x7fdf44ff778c in mozilla::net::nsSocketTransportService::DoPollIteration(mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
[task 2019-04-26T12:42:36.290Z] 12:42:36 INFO - PID 11575 | #11 0x7fdf44ff5945 in mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:973:7
[task 2019-04-26T12:42:36.291Z] 12:42:36 INFO - PID 11575 | #12 0x7fdf44ff7f2c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp
[task 2019-04-26T12:42:36.291Z] 12:42:36 INFO - PID 11575 | #13 0x7fdf44d45a61 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
[task 2019-04-26T12:42:36.292Z] 12:42:36 INFO - PID 11575 | #14 0x7fdf44d4bb78 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
[task 2019-04-26T12:42:36.292Z] 12:42:36 INFO - PID 11575 | #15 0x7fdf45d95eea in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
[task 2019-04-26T12:42:36.293Z] 12:42:36 INFO - PID 11575 | #16 0x7fdf45cc51e2 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
[task 2019-04-26T12:42:36.294Z] 12:42:36 INFO - PID 11575 | #17 0x7fdf45cc51e2 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
[task 2019-04-26T12:42:36.294Z] 12:42:36 INFO - PID 11575 | #18 0x7fdf45cc51e2 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
[task 2019-04-26T12:42:36.295Z] 12:42:36 INFO - PID 11575 | #19 0x7fdf44d3f9ba in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:454:11
[task 2019-04-26T12:42:36.295Z] 12:42:36 INFO - PID 11575 | #20 0x7fdf5828705d in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
[task 2019-04-26T12:42:36.296Z] 12:42:36 INFO - PID 11575 | #21 0x7fdf57e996b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
[task 2019-04-26T12:42:36.296Z] 12:42:36 INFO - PID 11575 | Thread T7 (Socket Thread) created by T0 here:
[task 2019-04-26T12:42:36.297Z] 12:42:36 INFO - PID 11575 | #0 0x55ed1d961a5d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
[task 2019-04-26T12:42:36.298Z] 12:42:36 INFO - PID 11575 | #1 0x7fdf58279158 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
[task 2019-04-26T12:42:36.298Z] 12:42:36 INFO - PID 11575 | #2 0x7fdf58262d3e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
[task 2019-04-26T12:42:36.299Z] 12:42:36 INFO - PID 11575 | #3 0x7fdf44d41cc9 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:661:8
[task 2019-04-26T12:42:36.299Z] 12:42:36 INFO - PID 11575 | #4 0x7fdf44d4acc0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:416:12
[task 2019-04-26T12:42:36.300Z] 12:42:36 INFO - PID 11575 | #5 0x7fdf44d4eada in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:139:57
[task 2019-04-26T12:42:36.301Z] 12:42:36 INFO - PID 11575 | #6 0x7fdf44ff360c in NS_NewNamedThread<14> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
[task 2019-04-26T12:42:36.302Z] 12:42:36 INFO - PID 11575 | #7 0x7fdf44ff360c in mozilla::net::nsSocketTransportService::Init() /builds/worker/workspace/build/src/netwerk/base/nsSocketTransportService2.cpp:609
[task 2019-04-26T12:42:36.303Z] 12:42:36 INFO - PID 11575 | #8 0x7fdf44cc378b in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:8791:7
[task 2019-04-26T12:42:36.303Z] 12:42:36 INFO - PID 11575 | #9 0x7fdf44cfafeb in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:224:46
[task 2019-04-26T12:42:36.304Z] 12:42:36 INFO - PID 11575 | #10 0x7fdf44cfafeb in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1387
[task 2019-04-26T12:42:36.305Z] 12:42:36 INFO - PID 11575 | #11 0x7fdf44cef6ab in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1574:10
[task 2019-04-26T12:42:36.306Z] 12:42:36 INFO - PID 11575 | #12 0x7fdf44d042e2 in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:61:43
[task 2019-04-26T12:42:36.306Z] 12:42:36 INFO - PID 11575 | #13 0x7fdf44d042e2 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:253
[task 2019-04-26T12:42:36.307Z] 12:42:36 INFO - PID 11575 | #14 0x7fdf44b71fde in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:91:7
[task 2019-04-26T12:42:36.308Z] 12:42:36 INFO - PID 11575 | #15 0x7fdf44f3b78d in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:746:5
[task 2019-04-26T12:42:36.309Z] 12:42:36 INFO - PID 11575 | #16 0x7fdf44f3b78d in InitializeSocketTransportService /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:306
[task 2019-04-26T12:42:36.310Z] 12:42:36 INFO - PID 11575 | #17 0x7fdf44f3b78d in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:1115
[task 2019-04-26T12:42:36.310Z] 12:42:36 INFO - PID 11575 | #18 0x7fdf44f3a30a in mozilla::net::nsIOService::Init() /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:271:3
[task 2019-04-26T12:42:36.311Z] 12:42:36 INFO - PID 11575 | #19 0x7fdf44f3d71e in mozilla::net::nsIOService::GetInstance() /builds/worker/workspace/build/src/netwerk/base/nsIOService.cpp:362:9
[task 2019-04-26T12:42:36.312Z] 12:42:36 INFO - PID 11575 | #20 0x7fdf44cd1c08 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:10178:48
[task 2019-04-26T12:42:36.313Z] 12:42:36 INFO - PID 11575 | #21 0x7fdf44cfafeb in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:224:46
[task 2019-04-26T12:42:36.313Z] 12:42:36 INFO - PID 11575 | #22 0x7fdf44cfafeb in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1387
[task 2019-04-26T12:42:36.314Z] 12:42:36 INFO - PID 11575 | #23 0x7fdf44cef6ab in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1574:10
[task 2019-04-26T12:42:36.315Z] 12:42:36 INFO - PID 11575 | #24 0x7fdf46f62526 in CallGetService<nsIIOService> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsServiceManagerUtils.h:73:10
[task 2019-04-26T12:42:36.316Z] 12:42:36 INFO - PID 11575 | #25 0x7fdf46f62526 in nsScriptSecurityManager::Init() /builds/worker/workspace/build/src/caps/nsScriptSecurityManager.cpp:1415
[task 2019-04-26T12:42:36.316Z] 12:42:36 INFO - PID 11575 | #26 0x7fdf46f631fc in nsScriptSecurityManager::InitStatics() /builds/worker/workspace/build/src/caps/nsScriptSecurityManager.cpp:1476:28
[task 2019-04-26T12:42:36.317Z] 12:42:36 INFO - PID 11575 | #27 0x7fdf468f7ca8 in nsXPConnect::InitStatics() /builds/worker/workspace/build/src/js/xpconnect/src/nsXPConnect.cpp:135:3
[task 2019-04-26T12:42:36.318Z] 12:42:36 INFO - PID 11575 | #28 0x7fdf468905a8 in xpcModuleCtor() /builds/worker/workspace/build/src/js/xpconnect/src/XPCModule.cpp:11:3
[task 2019-04-26T12:42:36.319Z] 12:42:36 INFO - PID 11575 | #29 0x7fdf4e28f298 in nsLayoutModuleInitialize() /builds/worker/workspace/build/src/layout/build/nsLayoutModule.cpp:108:7
[task 2019-04-26T12:42:36.319Z] 12:42:36 INFO - PID 11575 | #30 0x7fdf44cf088e in nsComponentManagerImpl::Init() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:493:5
[task 2019-04-26T12:42:36.320Z] 12:42:36 INFO - PID 11575 | #31 0x7fdf44d9abf9 in NS_InitXPCOM /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:446:51
[task 2019-04-26T12:42:36.321Z] 12:42:36 INFO - PID 11575 | #32 0x7fdf468b0c15 in XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCShellImpl.cpp:1248:10
[task 2019-04-26T12:42:36.322Z] 12:42:36 INFO - PID 11575 | #33 0x55ed1d9abb2b in main /builds/worker/workspace/build/src/js/xpconnect/shell/xpcshell.cpp:65:27
[task 2019-04-26T12:42:36.322Z] 12:42:36 INFO - PID 11575 | #34 0x7fdf3f70682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
[task 2019-04-26T12:42:36.323Z] 12:42:36 INFO - PID 11575 | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TypedEnumBits.h:79:1 in operator&<mozilla::detail::StringDataFlags>
[task 2019-04-26T12:42:36.324Z] 12:42:36 INFO - PID 11575 | Shadow bytes around the buggy address:
[task 2019-04-26T12:42:36.324Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-04-26T12:42:36.325Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc430: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
[task 2019-04-26T12:42:36.325Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc440: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
[task 2019-04-26T12:42:36.326Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-04-26T12:42:36.326Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2019-04-26T12:42:36.327Z] 12:42:36 INFO - PID 11575 | =>0x0c287fffc470: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fa
[task 2019-04-26T12:42:36.327Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc480: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
[task 2019-04-26T12:42:36.328Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-04-26T12:42:36.328Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2019-04-26T12:42:36.328Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc4b0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
[task 2019-04-26T12:42:36.329Z] 12:42:36 INFO - PID 11575 | 0x0c287fffc4c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
[task 2019-04-26T12:42:36.329Z] 12:42:36 INFO - PID 11575 | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2019-04-26T12:42:36.330Z] 12:42:36 INFO - PID 11575 | Addressable: 00
[task 2019-04-26T12:42:36.330Z] 12:42:36 INFO - PID 11575 | Partially addressable: 01 02 03 04 05 06 07
[task 2019-04-26T12:42:36.331Z] 12:42:36 INFO - PID 11575 | Heap left redzone: fa
[task 2019-04-26T12:42:36.331Z] 12:42:36 INFO - PID 11575 | Freed heap region: fd
[task 2019-04-26T12:42:36.332Z] 12:42:36 INFO - PID 11575 | Stack left redzone: f1
[task 2019-04-26T12:42:36.332Z] 12:42:36 INFO - PID 11575 | Stack mid redzone: f2
[task 2019-04-26T12:42:36.333Z] 12:42:36 INFO - PID 11575 | Stack right redzone: f3
[task 2019-04-26T12:42:36.333Z] 12:42:36 INFO - PID 11575 | Stack after return: f5
[task 2019-04-26T12:42:36.334Z] 12:42:36 INFO - PID 11575 | Stack use after scope: f8
[task 2019-04-26T12:42:36.334Z] 12:42:36 INFO - PID 11575 | Global redzone: f9
[task 2019-04-26T12:42:36.335Z] 12:42:36 INFO - PID 11575 | Global init order: f6
[task 2019-04-26T12:42:36.335Z] 12:42:36 INFO - PID 11575 | Poisoned by user: f7
[task 2019-04-26T12:42:36.335Z] 12:42:36 INFO - PID 11575 | Container overflow: fc
[task 2019-04-26T12:42:36.336Z] 12:42:36 INFO - PID 11575 | Array cookie: ac
[task 2019-04-26T12:42:36.336Z] 12:42:36 INFO - PID 11575 | Intra object redzone: bb
[task 2019-04-26T12:42:36.337Z] 12:42:36 INFO - PID 11575 | ASan internal: fe
[task 2019-04-26T12:42:36.337Z] 12:42:36 INFO - PID 11575 | Left alloca redzone: ca
[task 2019-04-26T12:42:36.338Z] 12:42:36 INFO - PID 11575 | Right alloca redzone: cb
[task 2019-04-26T12:42:36.340Z] 12:42:36 INFO - PID 11575 | Shadow gap: cc
[task 2019-04-26T12:42:36.340Z] 12:42:36 INFO - PID 11575 | ==11575==ABORTING
|
|
||
Updated•5 years ago
|
|
||
Comment 3•5 years ago
|
||
It looks like Http2Session clears mStreamTransactionHash which destroys Http2Stream on the socket thread, then later on the main thread CallChannelOnPush::Run() runs and tries to do something with that stream. The socket thread stack is under OnMsgShutdown() and the main thread stack is under ShutdownConnectionManager() so maybe there's some kind of shutdown race?
|
|
||
Updated•5 years ago
|
|
|
||
Comment 4•5 years ago
|
||
Dragana, do you know who know this code? Giving P1 to look at this soon.
|
|
||
Comment 5•5 years ago
|
||
Crashing at [1]. Would fixing [2] to use refptr be enough?
[1] https://hg.mozilla.org/integration/autoland/file/ba5045bb007241381ffecfbdaf40496afececeea/netwerk/protocol/http/nsHttpChannel.cpp#l9343
[2] https://searchfox.org/mozilla-central/rev/7944190ad1668a94223b950a19f1fffe8662d6b8/netwerk/protocol/http/Http2Push.cpp#52
|
|
||
Comment 6•5 years ago
|
||
Http2PushedStream (derived only from Http2Stream) is not refcountable, nice architectural decision...
Dragana, could we turn Http2Stream to be refcountable? Or do you see any simple(r) way of fixing this?
I also think there are more problems with this code. We create the pushed stream object, which in its ctor assigns it self as a member at [1] on the associate stream, and then we may happily delete the pushed stream few lines below, see [2]. there is no disassignment in the dtor or anything that would again remove the now deleted raw ptr reference.
I think this needs a larger overhaul.
[1] https://searchfox.org/mozilla-central/rev/99a2a5a955960b0e58ceade1db1f7652d9db4ba1/netwerk/protocol/http/Http2Session.cpp#1913-1927
[2] https://searchfox.org/mozilla-central/rev/99a2a5a955960b0e58ceade1db1f7652d9db4ba1/netwerk/protocol/http/Http2Session.cpp#1913,1924,1933
|
||
Comment 8•5 years ago
|
||
Let's talk today on the meeting.
Someone needs to audit this code.
|
Assignee | |
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 9•5 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #6)
Http2PushedStream (derived only from Http2Stream) is not refcountable, nice architectural decision...
Dragana, could we turn Http2Stream to be refcountable? Or do you see any simple(r) way of fixing this?
I also think there are more problems with this code. We create the pushed stream object, which in its ctor assigns it self as a member at [1] on the associate stream, and then we may happily delete the pushed stream few lines below, see [2]. there is no disassignment in the dtor or anything that would again remove the now deleted raw ptr reference.
I think this needs a larger overhaul.
[1] https://searchfox.org/mozilla-central/rev/99a2a5a955960b0e58ceade1db1f7652d9db4ba1/netwerk/protocol/http/Http2Session.cpp#1913-1927
[2] https://searchfox.org/mozilla-central/rev/99a2a5a955960b0e58ceade1db1f7652d9db4ba1/netwerk/protocol/http/Http2Session.cpp#1913,1924,1933
Although this looks scary it's probably OK because if something goes wrong and Http2PushedStream is deleted transactionBuffer isn't used and is destroyed.
The problem is that Http2PushedStream is passed to nsHttpChannel (via CallChannelOnPush) then to nsHttpTransaction and finally to Http2Stream. During this transition some methods are or can be called on the main thread, but Http2PushedStream isn't thread safe. Also it's not guaranteed that the object won't be deleted. There is a flag mDeferCleanupOnPush which should ensure the stream isn't closed in the meantime, but Http2Session::Close ignores it completely, which is what happens in this crash. Http2Session::Close is called on socket thread and Http2PushedStream is destroyed, later CallChannelOnPush::Run is called on the main thread and freed object is accessed.
I wanted to add refcounting to Http2Stream and Http2PushedStream but I'm afraid of reference cycles and it won't solve the problem that the code isn't thread safe. So instead of this I created a refcounted wrapper with a weak pointer. The wrapper ensures that all calls are dispatched to socket thread and also that the weak pointer is created/used/destroyed only on socket thread.
|
|
Assignee | |
Comment 10•5 years ago
|
||
Raw pointer to Http2PushedStream is passed to nsHttpChannel and nsHttpTransaction to get it back to a new Http2Stream in the Http2Session. As a result Http2PushedStream's methods can be called on a wrong thread and possibly on already freed object. This patch uses Http2PushedStreamWrapper instead, which takes care about thread safety and checks if the object is still alive.
|
|
Assignee | |
Comment 11•5 years ago
|
||
Comment on attachment 9069390 [details]
Bug 1547266 - Make sure Http2PushedStream is used only on socket thread, r=dragana
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not easy. First, it requires an exact timing to hit the race condition between socket thread and main thread. Second, this bug is reproducible only for pushed resources when the associated channel implements nsIHttpPushListener, which is now implemented only by TRR and TRR is turned off by default.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: Probably all, because the bug is there for a long time.
- If not all supported branches, which bug introduced the flaw?: Bug 1024730
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: If the patch isn't applicable as is, it should be easy to modify it for other branches.
- How likely is this patch to cause regressions; how much testing does it need?: Low, the change is straightforward and doesn't make the code more complex. The existing test should be enough.
|
||
Comment 12•5 years ago
|
||
sec-approval+ for trunk. We'll want beta and ESR60 patches made and nominated as well, to land after it is on mozilla-central.
|
|
||
Updated•5 years ago
|
|
||
Comment 13•5 years ago
•
|
||
Hi Michal, I tried to autoland this patch but got Lando errors. Can you please try rebasing and landing this? Thanks!
|
|
Assignee | |
Comment 14•5 years ago
|
||
Comment on attachment 9069390 [details]
Bug 1547266 - Make sure Http2PushedStream is used only on socket thread, r=dragana
Beta/Release Uplift Approval Request
- User impact if declined: use after free
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): at this moment this code is used only by trr which is prefed off by default
- String changes made/needed: none
|
|
Assignee | |
Comment 15•5 years ago
|
||
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: use after free
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): at this moment this code is used only by trr which is prefed off by default
- String or UUID changes made by this patch: none
Comment on attachment 9069390 [details]
Bug 1547266 - Make sure Http2PushedStream is used only on socket thread, r=dragana
Sec-high, Beta68+
Comment on attachment 9073306 [details] [diff] [review] patch for esr60 Sec-high, ESR60+
|
||
Comment 18•5 years ago
|
||
|
|
||
Comment 19•5 years ago
|
||
| uplift | ||
|
|
||
Comment 20•5 years ago
|
||
| uplift | ||
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•2 years ago
|
Description
•