Closed Bug 1811047 Opened 2 years ago Closed 2 years ago

Intermittent headless-spi SUMMARY: ThreadSanitizer: data race /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10 in operator delete

Categories

(Core :: Networking: WebSockets, defect, P2)

Tracking

RESOLVED FIXED
112 Branch
Tracking Status
firefox-esr102 --- disabled
firefox110 --- disabled
firefox111 --- disabled
firefox112 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: kershaw)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, intermittent-failure, sec-moderate, Whiteboard: [necko-triaged][post-critsmash-triage])

Attachments

(2 files)

This is encountered with pretty low frequency (~5% of the time) when running mochitest-plain in headless-spi (socketprocess) mode (--headless --setpref=network.process.enabled=true --setpref=network.http.network_access_on_socket_process.enabled=true) under TSAN. Seems to hit consistently when running dom/websocket/tests/test_websocket_no_duplicate_packet.html. This isn't currently enabled by default in CI, but I've been running Try pushes in the hopes of getting it green enough to do so.

Group: core-security → network-core-security
Attached file tsan log
Blocks: tsan
Assignee: nobody → kershaw
Severity: -- → S4
Priority: -- → P2
Whiteboard: [necko-triaged] [necko-priority-queue]

Not clear this could be exploited, but WebSockets are clearly not as thread-safe as comments in the code claim they are.

Attached file Bug 1811047, r=#necko

When WebSocketConnectionParent::RecvOnError is called, we call WebSocketChannel::OnError and WebSocketChannel::CleanupConnection could be called.
In WebSocketChannel::CleanupConnection, WebSocketConnectionParent::Close will be called and the WebSocketChannel will be released (set mListener to null).
To avoid WebSocketChannel being released in WebSocketConnectionParent::Close, we don't need to set mListener to null.
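
The call chain described in the patch comment above, as an added C++ model that is not Mozilla's code and not part of the bug. It assumes a single thread, `std::shared_ptr` in place of `RefPtr`, a connection that holds the only strong reference, and hypothetical stand-in classes `Channel` and `Connection`.

```cpp
#include <memory>

// Assumption: std::shared_ptr stands in for RefPtr, and the connection holds
// the only strong reference to the channel. Names are hypothetical stand-ins.
static int g_in_on_error = 0;             // > 0 while Channel::OnError is on the stack
static bool g_freed_in_callback = false;  // set if the channel dies during OnError

struct Connection;

struct Channel {
  Connection* conn = nullptr;
  ~Channel() { if (g_in_on_error > 0) g_freed_in_callback = true; }
  void OnError();
  void CleanupConnection();
};

struct Connection {
  std::shared_ptr<Channel> listener;
  bool clear_listener_in_close = false;  // true models the pre-fix Close()
  void Close() {
    // Pre-fix: dropping the listener here can release a channel still in OnError().
    if (clear_listener_in_close) listener.reset();
  }
  void RecvOnError() { if (listener) listener->OnError(); }
};

void Channel::CleanupConnection() { if (conn) conn->Close(); }

void Channel::OnError() {
  ++g_in_on_error;
  CleanupConnection();
  --g_in_on_error;  // touches only a global: `this` may already be destroyed
}

// Returns true if the channel was destroyed while its own OnError() was running.
bool channel_freed_during_on_error(bool clear_listener_in_close) {
  g_in_on_error = 0;
  g_freed_in_callback = false;
  Connection c;
  c.clear_listener_in_close = clear_listener_in_close;
  c.listener = std::make_shared<Channel>();
  c.listener->conn = &c;
  c.RecvOnError();
  return g_freed_in_callback;
}

int main() {
  // Exit status 0 when the pre-fix variant frees early and the fixed one does not.
  return (channel_freed_during_on_error(true) && !channel_freed_during_on_error(false)) ? 0 : 1;
}
```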

Whiteboard: [necko-triaged] [necko-priority-queue] → [necko-triaged]
Group: network-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch

The patch landed in nightly and beta is affected.
:kershaw, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox111 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(kershaw)

The socket process feature is not enabled, so we don't need to uplift.

Flags: qe-verify-
Whiteboard: [necko-triaged] → [necko-triaged][post-critsmash-triage]
Group: core-security-release