Closed Bug 1569594 Opened 6 years ago Closed 6 months ago

Crash [@ mozilla::net::nsHttpHandler::AsyncOnChannelRedirect]

Categories

(Core :: Networking: HTTP, defect, P2)

Product:
Core
Component:
Networking: HTTP
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox70 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [necko-triaged])

Crash Data

Attachments

(3 files)

Detailed Crash Information
4.34 KB, text/plain
Details
Testcase
628 bytes, application/octet-stream
Details
log-663df481fcbf.txt
29.76 KB, text/plain
Details

The attached testcase crashes on mozilla-central revision 20190729-50df4b75c9b6 (build with (buildFlags not available)).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
    2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
    2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing --tests gtest (see https://github.com/MozillaSecurity/fuzzfetch).
  2. Run MOZ_RUN_GTEST=1 LIBFUZZER=1 FUZZER=NetworkHttp objdir/dist/bin/firefox test.bin
Attached file Testcase
Type: -- → defect

Hello :decoder,
Did the crash happen on the non-debug build?
Looks like we have an assertion which is not triggered.

https://searchfox.org/mozilla-central/rev/1eb05019f47069172ba81a6c108a584a409a24ea/netwerk/protocol/http/nsHttpHandler.cpp#833-836

Flags: needinfo?(choller)

I can verify this crashes the parent process on a non-debug nightly build.
https://crash-stats.mozilla.org/report/index/4291f978-d810-4c32-8dc5-782040190801

Flags: needinfo?(choller)

(In reply to Junior [:junior] from comment #3)

Hello :decoder,
Did the crash happen on the non-debug build?
Looks like we have an assertion which is not triggered.

https://searchfox.org/mozilla-central/rev/1eb05019f47069172ba81a6c108a584a409a24ea/netwerk/protocol/http/nsHttpHandler.cpp#833-836

Correct, this fuzzing target is currently not running on debug builds. Builds are non-debug optimized ASan.

Cool. That makes senses.
Thanks, :decoder and :freddyb.

Well, the crashed object is only for telemetry.
I can do a null-check and leave the assertion since we're expecting we have one url.

Assignee: nobody → juhsu
Priority: -- → P3
Whiteboard: [necko-triaged]

I can make a patch for this that just null-checks newURI in nsHttpHandler::AsyncOnChannelRedirect. However, I would like to confirm that it is expected in this case that this function gets a channel that has no URI associated. If that isn't case, then there might be a bug deeper in the code somewhere.

:junior, can you answer this? If not, feel free to forward the needinfo to e.g. :dragana.

Flags: needinfo?(juhsu)

I would say it's not expected, but dragana might have some insight.

Flags: needinfo?(juhsu) → needinfo?(dd.mozilla)
Assignee: juhsu → nobody

We crash here: https://hg.mozilla.org/mozilla-central/file/50df4b75c9b6/netwerk/protocol/http/nsHttpHandler.cpp#l836

nsresult nsHttpHandler::AsyncOnChannelRedirect(
    nsIChannel* oldChan, nsIChannel* newChan, uint32_t flags,
    nsIEventTarget* mainThreadEventTarget) {
  MOZ_ASSERT(NS_IsMainThread() && (oldChan && newChan));

  nsCOMPtr<nsIURI> newURI;
  newChan->GetURI(getter_AddRefs(newURI));
  MOZ_ASSERT(newURI);

  nsAutoCString scheme;

  newURI->GetScheme(scheme);  <----

that is definitely very unexpected.

Attached file log-663df481fcbf.txt

I cannot reproduce this in local builds but it reproduces cleanly on TC builds. Here is the log, it looks like we do a redirect to a "view-source:" URI and then the new channel doesn't have a URI so newURI remains empty.

Since the newURI is only used to gather Telemetry on the redirect scheme, I can fix this crash by null-checking newURI and only send Telemetry if we actually have a new URI.

Honza, does that sound like the correct action here or do we expect the new channel to have the URI in any case, even for this weird "view-source:" redirect?

Flags: needinfo?(dd.mozilla) → needinfo?(honzab.moz)

P2 as this is reproducible and show a weakness. I don't understand why this is not deterministic. In the log I can see we don't correctly process the response in the transaction (logan doesn't see it, there are just sparse nsHttpTransaction::ParseLine calls). If the new channel doesn't have a URI (a totally unexpected thing) it means it has been ill-constructed and we are not properly checking all error results somewhere.

Assignee: nobody → honzab.moz
Flags: needinfo?(honzab.moz)
Priority: P3 → P2

(In reply to Christian Holler (:decoder) from comment #10)

Honza, does that sound like the correct action here or do we expect the new channel to have the URI in any case, even for this weird "view-source:" redirect?

Every channel must have a URI set.

Releasing back to the triage pool for now.

Assignee: honzab.moz → nobody
Severity: normal → S3

I think we no longer crash on this one, right?
We might still hit the assertion though.

Flags: needinfo?(moz.valentin)
Status: NEW → RESOLVED
Closed: 6 months ago
Flags: needinfo?(valentin.gosu)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: