Closed Bug 1713447 Opened 6 months ago Closed 1 month ago

Crash in [@ mozilla::DataChannelConnection::SctpDtlsOutput] from MOZ_DIAGNOSTIC_ASSERT(!mShutdown)

Categories

(Core :: WebRTC: Networking, defect, P2)

Tracking

RESOLVED FIXED
95 Branch
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 --- fixed

People

(Reporter: aryx, Assigned: jesup)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Not a new signature, 10-20 crashes per Nightly development cycle

Crash report: https://crash-stats.mozilla.org/report/index/8c4c09e0-8cf7-47d9-9b45-a983d0210529

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(!mShutdown)

Top 10 frames of crashing thread:

0 xul.dll mozilla::DataChannelConnection::SctpDtlsOutput netwerk/sctp/datachannel/DataChannel.cpp:968
1 xul.dll static mozilla::DataChannelRegistry::SctpDtlsOutput netwerk/sctp/datachannel/DataChannel.cpp:221
2 xul.dll sctp_lowlevel_chunk_output netwerk/sctp/src/netinet/sctp_output.c:5053
3 xul.dll sctp_send_abort_tcb netwerk/sctp/src/netinet/sctp_output.c:11577
4 xul.dll sctp_inpcb_free netwerk/sctp/src/netinet/sctp_pcb.c:4068
5 xul.dll sctp_close netwerk/sctp/src/netinet/sctp_usrreq.c:842
6 xul.dll sofree netwerk/sctp/src/user_socket.c:287
7 xul.dll sctp_timeout_handler netwerk/sctp/src/netinet/sctputil.c:2216
8 xul.dll sctp_handle_tick netwerk/sctp/src/netinet/sctp_callout.c:172
9 xul.dll user_sctp_timer_iterate netwerk/sctp/src/netinet/sctp_callout.c:214
Severity: -- → S2
Priority: -- → P2

Looks like libusrsctp's timer thread can cause callbacks after usrsctp_close and usrsctp_deregister_address have been called.

I suspected that libusrsctp was racy in this way (in bug 1645219), and now we have confirmation. DataChannelRegistry protects us from UAF here by intercepting libusrsctp's callbacks, so we (thankfully) don't have a sec bug here.

I think at this point, we start doing the DataChannelRegistry::Deregister sooner, first thing in Destroy, and remove the assertions that were meant to catch libusrsctp doing this racy stuff.
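The registry-intercept pattern described in the comment above, as an added single-threaded C++ model that is not Mozilla's DataChannel.cpp: class and method names mirror the bug's, the output callback follows the shape of libusrsctp's conn_output callback given to usrsctp_init(), and the library's timer thread is stood in by a FakeSctpTimer that replays the opaque address after close. RunDestroy() contrasts the original Destroy ordering (shutdown flag set, registry entry still present, so the late callback reaches the object where MOZ_DIAGNOSTIC_ASSERT(!mShutdown) fired) with deregistering first, where the same late callback misses the map and is dropped. The integer token, the sample ABORT bytes and the outcome codes are constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <mutex>
#include <vector>

// Model of the connection object. Names mirror the bug; this is not Mozilla's code.
class DataChannelConnection {
public:
  enum Outcome { kDelivered = 0, kShutdownHit = 1 };
  size_t PacketsSent() const { return mPackets.size(); }
  void MarkShutdown() { mShutdown = true; }
  // Target of the output callback: put an SCTP packet on the DTLS transport.
  int SctpDtlsOutput(const void* buffer, size_t length) {
    if (mShutdown) {
      // The original code hit MOZ_DIAGNOSTIC_ASSERT(!mShutdown) here.
      return kShutdownHit;
    }
    const auto* bytes = static_cast<const uint8_t*>(buffer);
    mPackets.emplace_back(bytes, bytes + length);
    return kDelivered;
  }
private:
  bool mShutdown = false;
  std::vector<std::vector<uint8_t>> mPackets;
};

// The opaque `addr` handed to libusrsctp is an integer token, never a raw
// pointer, so a token the library replays after close can only miss the map.
class DataChannelRegistry {
public:
  enum { kNoSuchConnection = -1 };
  static DataChannelRegistry& Instance() {
    static DataChannelRegistry sRegistry;
    return sRegistry;
  }
  uintptr_t Register(std::shared_ptr<DataChannelConnection> conn) {
    std::lock_guard<std::mutex> lock(mMutex);
    uintptr_t id = mNextId++;
    mConnections[id] = std::move(conn);
    return id;
  }
  void Deregister(uintptr_t id) {
    std::lock_guard<std::mutex> lock(mMutex);
    mConnections.erase(id);
  }
  std::shared_ptr<DataChannelConnection> Lookup(uintptr_t id) {
    std::lock_guard<std::mutex> lock(mMutex);
    auto it = mConnections.find(id);
    if (it == mConnections.end()) return nullptr;
    return it->second;
  }
  // Same shape as libusrsctp's conn_output callback passed to usrsctp_init().
  static int SctpDtlsOutput(void* addr, void* buffer, size_t length, uint8_t, uint8_t) {
    auto conn = Instance().Lookup(reinterpret_cast<uintptr_t>(addr));
    if (!conn) {
      ++Instance().mIgnoredLateCallbacks;  // library called back after close: drop
      return kNoSuchConnection;
    }
    return conn->SctpDtlsOutput(buffer, length);
  }
  size_t IgnoredLateCallbacks() const { return mIgnoredLateCallbacks; }
private:
  std::mutex mMutex;
  uintptr_t mNextId = 1;
  std::map<uintptr_t, std::shared_ptr<DataChannelConnection>> mConnections;
  size_t mIgnoredLateCallbacks = 0;
};

// Stand-in for the libusrsctp timer thread, which keeps the raw `addr` and can
// fire (sctp_inpcb_free -> sctp_send_abort_tcb) after usrsctp_close().
struct FakeSctpTimer {
  void* addr;
  int Fire() {
    uint8_t abortChunk[4] = {0x06, 0x00, 0x00, 0x04};  // constructed sample bytes
    return DataChannelRegistry::SctpDtlsOutput(addr, abortChunk, sizeof abortChunk, 0, 0);
  }
};

// One connection through Destroy() with the timer firing after close.
// deregisterFirst=false is the original ordering; true is the one proposed here.
int RunDestroy(bool deregisterFirst) {
  auto& registry = DataChannelRegistry::Instance();
  auto conn = std::make_shared<DataChannelConnection>();
  uintptr_t id = registry.Register(conn);
  FakeSctpTimer timer{reinterpret_cast<void*>(id)};
  if (deregisterFirst) registry.Deregister(id);   // fix: first thing in Destroy
  conn->MarkShutdown();                            // mShutdown = true
  int result = timer.Fire();                       // late callback from the library
  if (!deregisterFirst) registry.Deregister(id);  // original: deregister last
  return result;
}

int main() {
  std::printf("original order -> %d, deregister-first -> %d\n",
              RunDestroy(false), RunDestroy(true));
  return 0;
}
```

With the token-keyed map the stale callback is safe either way (no freed object is ever dereferenced, which is why the comment above calls this a crash rather than a security bug); deregistering first only changes whether the late call is routed to a half-torn-down connection or dropped at the registry.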

Assignee: nobody → rjesup
Duplicate of this bug: 1736219
Crash Signature: [@ mozilla::DataChannelConnection::SctpDtlsOutput] → [@ mozilla::DataChannelConnection::SctpDtlsOutput] [@ mozilla::DataChannelConnection::~DataChannelConnection ]
Pushed by rjesup@wgate.com:
https://hg.mozilla.org/integration/autoland/rev/f02d7e733e4d
the sctp library will call us back after usrsctp_close(), so handle and ignore r=bwc
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch