Closed Bug 1785050 Opened 2 years ago Closed 2 years ago

Hit MOZ_CRASH(nsWeakReference not thread-safe) at xpcom/base/nsISupportsImpl.cpp:43 through [@ mozilla::net::OutputStreamTunnel::~OutputStreamTunnel]

Categories

(Core :: Networking: HTTP, defect, P1)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
105 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 + fixed

People

(Reporter: decoder, Assigned: kershaw)

References

(Regression)

Details

(6 keywords, Whiteboard: [necko-triaged][necko-priority-queue][post-critsmash-triage])

Attachments

(3 files)

The attached testcase crashes on mozilla-central revision 20220814-64a12fec281c (build with (metadatabuildFlags not available)).

For detailed crash information, see attachment.

To reproduce the issue, perform the following steps:

  1. Download the attached testcase, save as "test.bin".
    2a. Build with --enable-fuzzing (requires Clang and ASan, also build gtests using ./mach gtest dontruntests).
    2b. Alternatively you can download builds from TC using python -mfuzzfetch -a --fuzzing -n build --target firefox gtest (see https://github.com/MozillaSecurity/fuzzfetch).
  2. Run FUZZER=NetworkHttp2ProxyHttp2 build/firefox test.bin

Marking s-s as this could potentially be a security issue (e.g. use-after-free or double-free).

Attached file Testcase
Flags: needinfo?(dd.mozilla)
Priority: -- → P1
Regressed by: 1772205
Whiteboard: [necko-triaged]

Set release status flags based on info from the regressing bug 1772205

The bug is marked as tracked for firefox105 (nightly). We have limited time to fix this, the soft freeze is in a day. However, the bug still isn't assigned.

:ghess, could you please find an assignee for this tracked bug? Given that it is a regression and we know the cause, we could also simply backout the regressor. If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit auto_nag documentation.

Flags: needinfo?(ghess)
Whiteboard: [necko-triaged] → [necko-triaged][necko-priority-queue]
Attached file Bug 1785050, r=#necko
Assignee: nobody → kershaw
Status: NEW → ASSIGNED

Kershaw, already has a fix for this.

Flags: needinfo?(dd.mozilla)
Flags: needinfo?(ghess)
Group: network-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch
Flags: qe-verify-
Whiteboard: [necko-triaged][necko-priority-queue] → [necko-triaged][necko-priority-queue][post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: