Closed Bug 1713447 Opened 4 years ago Closed 4 years ago

Crash in [@ mozilla::DataChannelConnection::SctpDtlsOutput] from MOZ_DIAGNOSTIC_ASSERT(!mShutdown)

Categories

(Core :: WebRTC: Networking, defect, P2)

Product:
Core
Component:
WebRTC: Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
95 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- wontfix
firefox-esr91 --- wontfix
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 --- wontfix
firefox93 --- wontfix
firefox94 --- wontfix
firefox95 --- fixed

People

(Reporter: aryx, Assigned: jesup)

References

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1713447: the sctp library will call us back after usrsctp_close(), so handle and ignore r=bwc
48 bytes, text/x-phabricator-request
Details

Not a new signature, 10-20 crashes per Nightly development cycle

Crash report: https://crash-stats.mozilla.org/report/index/8c4c09e0-8cf7-47d9-9b45-a983d0210529

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(!mShutdown)

Top 10 frames of crashing thread:

0 xul.dll mozilla::DataChannelConnection::SctpDtlsOutput netwerk/sctp/datachannel/DataChannel.cpp:968
1 xul.dll static mozilla::DataChannelRegistry::SctpDtlsOutput netwerk/sctp/datachannel/DataChannel.cpp:221
2 xul.dll sctp_lowlevel_chunk_output netwerk/sctp/src/netinet/sctp_output.c:5053
3 xul.dll sctp_send_abort_tcb netwerk/sctp/src/netinet/sctp_output.c:11577
4 xul.dll sctp_inpcb_free netwerk/sctp/src/netinet/sctp_pcb.c:4068
5 xul.dll sctp_close netwerk/sctp/src/netinet/sctp_usrreq.c:842
6 xul.dll sofree netwerk/sctp/src/user_socket.c:287
7 xul.dll sctp_timeout_handler netwerk/sctp/src/netinet/sctputil.c:2216
8 xul.dll sctp_handle_tick netwerk/sctp/src/netinet/sctp_callout.c:172
9 xul.dll user_sctp_timer_iterate netwerk/sctp/src/netinet/sctp_callout.c:214
Severity: -- → S2
Priority: -- → P2

Looks like libusrsctp's timer thread can cause callbacks after usrsctp_close and usrsctp_deregister_address have been called.

I suspected that libusrsctp was racy in this way (in bug 1645219), and now we have confirmation. DataChannelRegistry protects us from UAF here by intercepting libusrsctp's callbacks, so we (thankfully) don't have a sec bug here.

I think at this point, we start doing the DataChannelRegistry::Deregister sooner, first thing in Destroy, and remove the assertions that were meant to catch libusrsctp doing this racy stuff.

Assignee: nobody → rjesup
Crash Signature: [@ mozilla::DataChannelConnection::SctpDtlsOutput] → [@ mozilla::DataChannelConnection::SctpDtlsOutput] [@ mozilla::DataChannelConnection::~DataChannelConnection ]
Pushed by rjesup@wgate.com: https://hg.mozilla.org/integration/autoland/rev/f02d7e733e4d the sctp library will call us back after usrsctp_close(), so handle and ignore r=bwc

https://hg.mozilla.org/mozilla-central/rev/f02d7e733e4d

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox95: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 95 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: