Crashes on mozilla::dom::WebSocketImpl::OnAcknowledge
Categories
(Core :: Networking: WebSockets, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox78 | --- | fixed |
People
(Reporter: vlader101, Assigned: baku)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 file)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36
Steps to reproduce:
Crash Report
https://crash-stats.mozilla.org/report/index/a6c6ecb2-ca4a-4665-a0c6-5efcb0200425
- Create a web worker script.
- Pass the files property from a file input to the web worker/
- Take the first file element.
- Buffer the file and send it through websockets using the code below:
let size = file.size;
let blockSize = BLOCK_SIZE;
let start = 0;
while (size != 0)
{
if (size < blockSize)
blockSize = size;
let slice = file.slice(start, start + blockSize);
webSocket.send(slice);
size -= blockSize;
start += blockSize;
}
Actual results:
Firefox crashed rather than finishing it's task where as Chrome. and Safari don't crash.
Expected results:
Not crash and complete its task.
Hi,
I don't have the technical knowledge to confirm this issue but I'll add product and component so the team can make some research on it. Hopefully, someone with a more deep understanding of this matter can help. Feel free to route this ticket to the corresponding team.
Regards,
Jerónimo.
I must add, this crash occurs if the file is larger or equal to 5gb.
Updated•4 years ago
|
Comment 5•4 years ago
|
||
(In reply to vlader101 from comment #3)
I must add, this crash occurs if the file is larger or equal to 5gb.
This fails here
MOZ_RELEASE_ASSERT(mWebSocket->mOutgoingBufferedAmount.isValid());
mOutgoingBufferedAmount is a CheckedUint32 - so most likely it just overflows - 5GB doesn't fit in 32bit 🙂
I see us either using a CheckedUint64
or simply returning an error code if it's not valid.
Which one do you think is better here?
Assignee | ||
Comment 7•4 years ago
|
||
Updated•4 years ago
|
Assignee | ||
Comment 8•4 years ago
|
||
The question is: why the value is invalid at the point? We must keep it valid all the time.
And yes, mOutgoingBufferedAmount is accessible via JS in read-only mode.
The bug here is that sending the big blob makes mOutgoingBuferredAmount invalid. At the next check, we crash.
Updated•4 years ago
|
Just to confirm, I added the code below in the while loop and it does prevent Firefox from crashing. (I choose a conservative number).
while (webSocket.bufferedAmount > 3000000000) {}
Updated•4 years ago
|
Comment 10•4 years ago
|
||
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d6f05f371456 WebSocket bufferedAmount must be unsigned long long (uint64_t), r=valentin
Comment 11•4 years ago
|
||
bugherder |
Description
•