Closed Bug 1785050 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(nsWeakReference not thread-safe) at xpcom/base/nsISupportsImpl.cpp:43 through [@ mozilla::net::OutputStreamTunnel::~OutputStreamTunnel]

Categories

(Core :: Networking: HTTP, defect, P1)

Product:
Core
Component:
Networking: HTTP
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
105 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 + fixed

People

(Reporter: decoder, Assigned: kershaw)

References

(Regression)

Details

(6 keywords, Whiteboard: [necko-triaged][necko-priority-queue][post-critsmash-triage])

Attachments

(3 files)

Detailed Crash Information
5.80 KB, text/plain
Details
Testcase
1.18 KB, application/octet-stream
Details
Bug 1785050, r=#necko
48 bytes, text/x-phabricator-request
Details | Review

The attached testcase crashes on mozilla-central revision 20220814-64a12fec281c (build with (metadatabuildFlags not available)).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
    2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
    2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing -n build --target firefox gtest (see https://github.com/MozillaSecurity/fuzzfetch).
  2. Run FUZZER=NetworkHttp2ProxyHttp2 build/firefox test.bin

Marking s-s as this could potentially be a security issue (e.g. use-after-free or double-free).

Attached file Testcase 
Flags: needinfo?(dd.mozilla)
Priority: -- → P1
Regressed by: 1772205
Whiteboard: [necko-triaged]

    
    

    
  
Set release status flags based on info from the regressing bug 1772205



          status-firefox103:
          --- → unaffected

          status-firefox104:
          --- → unaffected

          status-firefox-esr102:
          --- → unaffected

          status-firefox-esr91:
          --- → unaffected

    
    

    
  
The bug is marked as tracked for firefox105 (nightly). We have limited time to fix this, the soft freeze is in a day. However, the bug still isn't assigned.


:ghess, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.


For more information, please visit auto_nag documentation.


Flags: needinfo?(ghess)
Whiteboard: [necko-triaged] → [necko-triaged][necko-priority-queue]

    
    

    
  

      
      
      
      

        Attached file
          
        Bug 1785050, r=#necko
      

    


  
Assignee: nobody → kershaw
Status: NEW → ASSIGNED

    
    

    
  
Kershaw, already has a fix for this.


Flags: needinfo?(dd.mozilla)

    
  
Flags: needinfo?(ghess)

    
    

    
  
r=necko-reviewers,dragana

https://hg.mozilla.org/integration/autoland/rev/c411e9e310525c57013267913fdffc2e457e3656

https://hg.mozilla.org/mozilla-central/rev/c411e9e31052


Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago

          status-firefox105:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
Flags: qe-verify-
Whiteboard: [necko-triaged][necko-priority-queue] → [necko-triaged][necko-priority-queue][post-critsmash-triage]
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: