Intermittent PID 4148 | SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:171:13 in AssignAssumingAddRef | After xpcshell return code: -6
Categories
(Core :: DOM: File, defect, P1)
Tracking
()
People
(Reporter: intermittent-bug-filer, Assigned: ssengupta)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-race, intermittent-failure, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main79+r][adv-ESR78.1+r] [adv-esr68.11+r])
Attachments
(6 files)
47 bytes,
text/x-phabricator-request
|
tjr
:
approval-mozilla-beta+
tjr
:
approval-mozilla-esr68+
tjr
:
approval-mozilla-esr78+
tjr
:
sec-approval+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
tjr
:
sec-approval+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
8.93 KB,
patch
|
RyanVM
:
approval-mozilla-esr68+
|
Details | Diff | Splinter Review |
11.74 KB,
patch
|
RyanVM
:
approval-mozilla-esr78+
|
Details | Diff | Splinter Review |
Filed by: nbeleuzu [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=299839709&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/NXuwz04MTzGpuWJMXmLtOg/runs/0/artifacts/public/logs/live_backing.log
[task 2020-04-28T19:31:18.611Z] 19:31:18 INFO - PID 4148 | Write of size 8 at 0x7f2c1893cd18 by main thread:
[task 2020-04-28T19:31:18.611Z] 19:31:18 INFO - PID 4148 | #0 AssignAssumingAddRef /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:171:13 (libxul.so+0x3912542)
[task 2020-04-28T19:31:18.611Z] 19:31:18 INFO - PID 4148 | #1 AssignWithAddref /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:166:5 (libxul.so+0x3912542)
[task 2020-04-28T19:31:18.611Z] 19:31:18 INFO - PID 4148 | #2 operator= /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:120:5 (libxul.so+0x3912542)
[task 2020-04-28T19:31:18.612Z] 19:31:18 INFO - PID 4148 | #3 mozilla::dom::IPCBlobInputStreamStorage::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/dom/file/ipc/IPCBlobInputStreamStorage.cpp:64:14 (libxul.so+0x3912542)
[task 2020-04-28T19:31:18.612Z] 19:31:18 INFO - PID 4148 | #4 nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/ds/nsObserverList.cpp:65:19 (libxul.so+0xa4dbd3)
[task 2020-04-28T19:31:18.612Z] 19:31:18 INFO - PID 4148 | #5 nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/ds/nsObserverService.cpp:288:19 (libxul.so+0xa50a0c)
[task 2020-04-28T19:31:18.613Z] 19:31:18 INFO - PID 4148 | #6 mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:618:26 (libxul.so+0xb13c22)
[task 2020-04-28T19:31:18.613Z] 19:31:18 INFO - PID 4148 | #7 NS_ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:565:10 (libxul.so+0xb13ae5)
[task 2020-04-28T19:31:18.614Z] 19:31:18 INFO - PID 4148 | #8 XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:1383:8 (libxul.so+0x1923f85)
[task 2020-04-28T19:31:18.614Z] 19:31:18 INFO - PID 4148 | #9 mozilla::BootstrapImpl::XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:54:12 (libxul.so+0x63a26ab)
[task 2020-04-28T19:31:18.614Z] 19:31:18 INFO - PID 4148 | #10 main /builds/worker/checkouts/gecko/js/xpconnect/shell/xpcshell.cpp:66:27 (xpcshell+0xc8b86)
[task 2020-04-28T19:31:18.648Z] 19:31:18 INFO - PID 4148 | #65 XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:1353:14 (libxul.so+0x1924634)
[task 2020-04-28T19:31:18.649Z] 19:31:18 INFO - PID 4148 | #66 mozilla::BootstrapImpl::XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:54:12 (libxul.so+0x63a26ab)
[task 2020-04-28T19:31:18.649Z] 19:31:18 INFO - PID 4148 | #67 main /builds/worker/checkouts/gecko/js/xpconnect/shell/xpcshell.cpp:66:27 (xpcshell+0xc8b86)
[task 2020-04-28T19:31:18.649Z] 19:31:18 INFO - PID 4148 | SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPtr.h:171:13 in AssignAssumingAddRef
Comment 1•4 years ago
|
||
IPCBlobInputStreamStorage is at the top of the stack.
Comment 2•4 years ago
|
||
Looks like the reported write is gStorage getting set to null in IPCBlobInputStreamStorage::Observe() and that's racing with IPCBlobInputStreamParent::HasValidStream().
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment hidden (Intermittent Failures Robot) |
Comment 10•4 years ago
|
||
So IPCBlobInputStreamStorage cleans up at "xpcom-shutdown" but PBackground where the storage can be used is alive until "xpcom-shutdown-threads", and StaticRefPtr doesn't do anything to be threadsafe on its own and IPCBlobInputStreamStorage doesn't do any kind of synchronization to protect its gStorage
StaticRefPtr.
The initial reporting test is an xpcshell test, which we expect to have less shutdown fidelity, but https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=306094025&repo=try&lineNumber=4671 is an example from comment 9 of a mochitest experiencing the failure. In that case, it's happening in PBackgroundParent::OnChannelError
which then tears down the actors. That seems like a very likely thing to happen in real world situations because the content processes should be gone by xpcom-shutdown, but there's no guarantee the IPC fallout of that has been handled.
Comment 11•4 years ago
|
||
And the race between IPCBlobInputStreamStorage::Get() and gStorage = nullptr; indicates potential for UAF, even if this is probably/hopefully only possible during shutdown.
So I see two things to do here:
- protect the gStorage pointer itself against concurrent access from multiple threads (it is the memory of the pointer on which we race, not the memory of the object)
- let IPCBlobInputStreamStorage::Get() return a StaticRefPtr, not a raw* in order to keep the object alife during usage even if gStorage is set to null
Subhamoy, you might want to take a look?
Updated•4 years ago
|
Comment 12•4 years ago
|
||
(In reply to Jens Stutte [:jstutte] from comment #11)
- let IPCBlobInputStreamStorage::Get() return a StaticRefPtr, not a raw* in order to keep the object alife during usage even if gStorage is set to null
Not a StaticRefPtr
, but rather a regular RefPtr
(or SafeRefPtr
), this one isn't static.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Comment 13•4 years ago
|
||
Not a
StaticRefPtr
, but rather a regularRefPtr
(orSafeRefPtr
), this one isn't static.
The most important thing is to update the callers because, if ::Get() returns a nullptr (or a smart pointer with a nullptr value), the existing code paths must be updated. Almost all the uses of IPCBlobInputStreamStorage::Get() do not handle nullptr or failures.
Comment 15•4 years ago
|
||
Is there a reason to not keep IPCBlobInputStreamStorage alive until PBackground is fully shutdown or all of the PIPCBlobInputStream actors are shutdown and no new actors are allowed to be created? Which could also mean explicitly terminating the actors as part of an "xpcom-shutdown" shutdown blocker (or earlier)?
Adding the null-handling seems like adding new edge-cases that don't really need to exist given that there's no reason why any streams should be active post (or during) "xpcom-shutdown".
Comment 17•4 years ago
|
||
My first approach was to move the shutdown of IPCBlobInputStream a bit forward down the shutdown phases. But this still means that ::Get() could return nullptr and we do not support it. As a temporary solution, I'm OK with what you propose, but in general, I would like to have some better checks of the return value of ::Get().
Comment 18•4 years ago
|
||
Then it probably makes sense to do the get/null handling first as it's more uplift-able, etc.
Assignee | ||
Comment 19•4 years ago
|
||
Assignee | ||
Comment 20•4 years ago
|
||
Depends on D80540
Assignee | ||
Comment 21•4 years ago
|
||
Comment on attachment 9158336 [details]
Bug 1633880 - P1 - gStorage in RemoteLazyInputStreamStorage is protected by gMutex r=baku
Security Approval Request
- How easily could an exploit be constructed based on the patch?: An exploit is -- in my opinion -- not easy to construct.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: Added checks never existed before, so all of them
- If not all supported branches, which bug introduced the flaw?: N/A
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: N/A
- How likely is this patch to cause regressions; how much testing does it need?: This patch is unlikely to cause regression.
Assignee | ||
Updated•4 years ago
|
Comment 22•4 years ago
|
||
Comment on attachment 9158336 [details]
Bug 1633880 - P1 - gStorage in RemoteLazyInputStreamStorage is protected by gMutex r=baku
Approved to land and uplift.
Updated•4 years ago
|
Comment 23•4 years ago
|
||
Changing the priority to p1 as the bug is tracked by a release manager for the current beta.
See What Do You Triage for more information
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 24•4 years ago
|
||
Sorry for the delay, haven't checked the security checkin-needed requests over the weekend:
https://hg.mozilla.org/integration/autoland/rev/ea3941b867cace40f8ac2576512dc17f1507d3e0
https://hg.mozilla.org/integration/autoland/rev/d0b1dc88e635ee849df2fef405d5dafb68ccba8c
Comment 25•4 years ago
|
||
Looks like these patches will need rebasing for uplift to all of the affected branches. Subhamoy, can you please attach those patches when you get a chance? Thanks!
Comment 26•4 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ea3941b867ca
https://hg.mozilla.org/mozilla-central/rev/d0b1dc88e635
Comment 27•4 years ago
|
||
Hi Ryan, Subhamoy is on holiday this week. If it is more urgent, I can ask someone else to take it.
Assignee | ||
Comment 31•4 years ago
|
||
Assignee | ||
Comment 32•4 years ago
|
||
Depends on D83617
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Comment 33•4 years ago
|
||
Comment on attachment 9163722 [details]
Bug 1633880 - P1 - gStorage in IPCBlobInputStreamStorage is protected by gMutex [beta] r=baku
Beta/Release Uplift Approval Request
- User impact if declined: Possible crashes due to data race.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): It mutex-locks certain variable accesses and introduces more robust error checking for certain subroutines. I cannot determine any downside to introducing these changes.
- String changes made/needed:
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 34•4 years ago
|
||
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Possible crashes due to data race and/or null pointer return
Fix Landed on Version: 80
Risk to taking this patch (and alternatives if risky): None I can determine
Assignee | ||
Comment 35•4 years ago
|
||
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: Possible crashes due to data race and/or null pointer return
Fix Landed on Version: 80
Risk to taking this patch (and alternatives if risky): None I can determine
Comment 36•4 years ago
|
||
Comment on attachment 9163722 [details]
Bug 1633880 - P1 - gStorage in IPCBlobInputStreamStorage is protected by gMutex [beta] r=baku
Approved for 79.0b9, 78.1esr, and 68.11esr.
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Comment 37•4 years ago
|
||
uplift |
Comment 38•4 years ago
|
||
uplift |
Comment 39•4 years ago
|
||
uplift |
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•3 years ago
|
Description
•