Closed Bug 1671787 Opened 5 years ago Closed 5 years ago

SEGV in mozilla::css::StreamLoader::~StreamLoader() (StreamLoader.cpp:27:3)

Categories

(Core :: Networking, defect, P2)

Product:
Core
Component:
Networking
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
84 Branch
Tracking Flags:
Tracking Status
firefox83 --- wontfix
firefox84 --- fixed

People

(Reporter: hanno, Assigned: kershaw)

Details

(Whiteboard: [necko-triaged])

Attachments

(2 files)

asan-segv-css-streamloader.txt
4.78 KB, text/plain
Details
Bug 1671787 - Don't release the listeners if the redirected cahnnel is not opened sucesfully
47 bytes, text/x-phabricator-request
Details | Review

I got a SEGV with asan builds in mozilla::css::StreamLoader::~StreamLoader(). Unfortunately doesn't seem to be reproducible.

The code looks like this is triggered by an assert, however only enabled in nightly builds:
https://searchfox.org/mozilla-central/source/layout/style/StreamLoader.cpp#27

So this might have further consequences if it happens in a non-nightly build.

Stack trace attacked.

Component: General → CSS Parsing and Computation
Product: Firefox → Core

The assert means that Necko didn't notify us properly. We have wallpapers in place for this so it's not a security issue, but is a correctness issue.

Hanno, do you have some add-ons installed? (I believe service workers or add-ons are what cause InterceptedHttpChannel). If you could share the list that may help reproducing.

Thanks for filing!

Component: CSS Parsing and Computation → Networking

No addons, just a plain asan build.

Looking at the stack trace, I think we can't call ReleaseListeners() if rv is an error.
In the case that rv is an error, the mListener is not assigned to the redirected channel and calling ReleaseListeners() will cause this bug.

Assignee: nobody → kershaw
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]

What notifies the listeners of the error then? That's the last reference to the stream loader, and it hasn't been notified by then which is sketchy.

The listener is notified when Cancel() is called, but it's called asynchronously here.

Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fb689a88ea88 Don't release the listeners if the redirected cahnnel is not opened sucesfully r=necko-reviewers,dragana

https://hg.mozilla.org/mozilla-central/rev/fb689a88ea88

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox84: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch

The patch landed in nightly and beta is affected.
:kershaw, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(kershaw)

I think this is no need to uplift, since this assertion is nightly only.

status-firefox83: affectedwontfix
Flags: needinfo?(kershaw)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: