Closed Bug 1699112 Opened 4 years ago Closed 4 years ago

SIGSEGV on read of response body in onExternalResponse

Tracking

(Not tracked)

Status:

RESOLVED INVALID

People

(Reporter: wicher, Unassigned)

Details

Attachments

(1 file)

tombstone_07 4 years ago Wicher Minnaard 1.58 MB, text/x-patch		Details

Wicher Minnaard

Reporter

Description

•

4 years ago

Attached file tombstone_07 — Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

This is with GeckoView 87.0.20210315170302 on the Android emulator (API 26, x86_64, no Play services).

I have an onExternalResponse handler, simplified demo case (Kotlin):

fun onExternalResponse(session: GeckoSession, response: WebResponse) {
        val responsebytes = response.body?.use {
            it.readBytes()
        }

This is the crash demo case; of course I do not intend to read the whole response body into memory, and in production code processing the response body would happen on a separate thread.

I'm testing this with a 8809232 byte response body. About halfway into reading in this response (varies from test run to test run) my application segfaults.

Actual results:

Crash report from logcat below, tombstone is attached to this bug.

--------- beginning of crash
03-17 13:15:10.739  9377  9377 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 9377 (AndroidUI)
03-17 13:15:10.784  9530  9530 I crash_dump64: obtaining output fd from tombstoned
03-17 13:15:10.785  1509  1509 I /system/bin/tombstoned: received crash request for pid 9377
03-17 13:15:10.785  9530  9530 I crash_dump64: performing dump of process 9377 (target tid = 9377)
03-17 13:15:10.786  9530  9530 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
03-17 13:15:10.787  9530  9530 F DEBUG   : Build fingerprint: 'Android/sdk_phone_x86_64/generic_x86_64:8.0.0/OSR1.180418.004/4931640:userdebug/test-keys'
03-17 13:15:10.787  9530  9530 F DEBUG   : Revision: '0'
03-17 13:15:10.787  9530  9530 F DEBUG   : ABI: 'x86_64'
03-17 13:15:10.787  9530  9530 F DEBUG   : pid: 9377, tid: 9377, name: AndroidUI  >>> something.something.something <<<
03-17 13:15:10.787  9530  9530 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
03-17 13:15:10.787  9530  9530 F DEBUG   : Cause: null pointer dereference
03-17 13:15:10.787  9530  9530 F DEBUG   :     rax 0000000000000000  rbx 00007c99978aed70  rcx ffffffffffffffff  rdx 000000000000000b
03-17 13:15:10.787  9530  9530 F DEBUG   :     rsi 00000000000024a1  rdi 00000000000024a1
03-17 13:15:10.787  9530  9530 F DEBUG   :     r8  00007c9997a02c60  r9  00007c9997a02c60  r10 00007c99978aed70  r11 0000000000000246
03-17 13:15:10.787  9530  9530 F DEBUG   :     r12 0000000000000016  r13 00007c99978aed70  r14 00007c99979f9ab0  r15 000000000000000b
03-17 13:15:10.787  9530  9530 F DEBUG   :     cs  0000000000000033  ss  000000000000002b
03-17 13:15:10.787  9530  9530 F DEBUG   :     rip 00007c9997966ed8  rbp 00000000000024a1  rsp 00007c99978ae998  eflags 0000000000000246
03-17 13:15:10.787  9530  9530 F DEBUG   : 
03-17 13:15:10.787  9530  9530 F DEBUG   : backtrace:
03-17 13:15:10.787  9530  9530 F DEBUG   :     #00 pc 00000000000b1ed8  /system/bin/linker64 (__dl_syscall+24)
03-17 13:15:10.787  9530  9530 F DEBUG   :     #01 pc 000000000002e6f8  /system/bin/linker64 (__dl__ZL13resend_signalP7siginfob+80)
03-17 13:15:10.787  9530  9530 F DEBUG   :     #02 pc 000000000002e589  /system/bin/linker64 (__dl__ZL24debuggerd_signal_handleriP7siginfoPv+1231)
03-17 13:15:10.787  9530  9530 F DEBUG   :     #03 pc 0000000002666443  /data/app/somedomain.somecorp.someproduct.somebuildvariant-ZwUGG-ZjPfaTvXRnAtTHpA==/lib/x86_64/libxul.so (offset 0x171000)
03-17 13:15:11.341  1509  1509 E /system/bin/tombstoned: Tombstone written to: /data/tombstones//tombstone_07

Expected results:

The response body should have been read without segfaulting. And if there is something going on making that impossible, it should throw an exception.

Note that the crash also happens when spooling the body to disk using a 4KB transfer buffer.
Note that the crash happens much sooner (after about 32K read) when I wrap the response reading in a thread, but still, some data is read before crashing.

[ex-Mozilla] Agi Sferro | :agi

Comment 1

•

4 years ago

Could you provide a minimal testcase app with the latest nightly geckoview build that reproduces this problem?

Flags: needinfo?(wicher)

Emily Toop (:fluffyemily)

Updated

•

4 years ago

Severity: -- → S4

Priority: -- → P3

Wicher Minnaard

Reporter

Comment 2

•

4 years ago

(In reply to Agi Sferro | :agi | ni? for questions | ⏰ PST | he/him from comment #1)

Could you provide a minimal testcase app with the latest nightly geckoview build that reproduces this problem?

Sure. I suppose then that Geckoview should not take offense at the way I'm trying to read the response body?

Wicher Minnaard

Reporter

Comment 3

•

4 years ago

With Geckoview v89, this problem does not occur anymore (for me).

Status: UNCONFIRMED → RESOLVED

Closed: 4 years ago

Flags: needinfo?(wicher)

Resolution: --- → INVALID

You need to log in before you can comment on or make changes to this bug.

Bugzilla

SIGSEGV on read of response body in onExternalResponse

Categories

(GeckoView :: General, defect, P3)

Tracking

(Not tracked)

People

(Reporter: wicher, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Comment 3

Attachment

General

Description

File Name

Content Type