heap-use-after-free in [@ mozilla::net::nsStreamLoader::WriteSegmentFun]
Categories: Core :: Networking, defect, P1
People: Reporter: tsmith, Assigned: valentin
References: Blocks 1 open bug
Details: Keywords: csectype-race, sec-high; Whiteboard: [necko-triaged] [necko-priority-queue][adv-main112+r][adv-esr102.10+r]
Attachments: 1 file (48 bytes, text/x-phabricator-request); flags: diannaS: approval-mozilla-beta+, diannaS: approval-mozilla-esr102+, tjr: sec-approval+

Found while fuzzing m-c 20230215-7b385abd39b4 (--enable-address-sanitizer --enable-fuzzing)
A reduced/reliable test case is not available. I will create a Pernosco session and attach the link shortly.
==325993==ERROR: AddressSanitizer: heap-use-after-free on address 0x6210018ca500 at pc 0x7f307886f935 bp 0x7f2fc2f777f0 sp 0x7f2fc2f777e8
READ of size 16 at 0x6210018ca500 thread T46 (StreamTrans #4)
#0 0x7f307886f934 in new_<const char &> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:251:12
#1 0x7f307886f934 in copyConstruct<char> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:284:7
#2 0x7f307886f934 in internalAppend<char> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1441:3
#3 0x7f307886f934 in append<char> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1431:3
#4 0x7f307886f934 in append<char> /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1514:10
#5 0x7f307886f934 in mozilla::net::nsStreamLoader::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/netwerk/base/nsStreamLoader.cpp:112:20
#6 0x7f30787678cd in nsBufferedInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:439:12
#7 0x7f307e446056 in mozilla::RemoteLazyInputStream::ReadSegments(nsresult (*)(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:414:25
#8 0x7f307886fa64 in mozilla::net::nsStreamLoader::OnDataAvailable(nsIRequest*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamLoader.cpp:125:24
#9 0x7f307879d3ca in nsInputStreamPump::OnStateTransfer() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:584:22
#10 0x7f307879c15e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:411:21
#11 0x7f307e4648da in mozilla::(anonymous namespace)::InputStreamCallbackRunnable::Run() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:58:16
#12 0x7f307841f9cb in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#13 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#14 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#15 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#16 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#17 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#18 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#19 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#20 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#21 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
#22 0x7f309b1c5132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x6210018ca500 is located 0 bytes inside of 4096-byte region [0x6210018ca500,0x6210018cb500)
freed by thread T45 (StreamTrans #3) here:
#0 0x55d2f99499d2 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
#1 0x7f3078763cd9 in operator delete[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:60:10
#2 0x7f3078763cd9 in nsBufferedStream::Close() /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:82:5
#3 0x7f3078769232 in Close /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:377:21
#4 0x7f3078769232 in CloseWithStatus /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:648:67
#5 0x7f3078769232 in non-virtual thunk to nsBufferedInputStream::CloseWithStatus(nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp
#6 0x7f307e443a9c in mozilla::RemoteLazyInputStream::Close() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:494:23
#7 0x7f307e4487ef in mozilla::RemoteLazyInputStream::CloseWithStatus(nsresult) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:665:67
#8 0x7f30787dc6d1 in operator() /builds/worker/checkouts/gecko/netwerk/base/nsInputStreamPump.cpp:215:33
#9 0x7f30787dc6d1 in mozilla::detail::RunnableFunction<nsInputStreamPump::Cancel(nsresult)::$_4>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#10 0x7f307841f9cb in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#11 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#12 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#13 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#14 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#15 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#16 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#17 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#18 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#19 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
previously allocated by thread T53 (RemoteLzyStream) here:
#0 0x55d2f9949c7e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x7f30787641d5 in operator new[] /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:47:10
#2 0x7f30787641d5 in nsBufferedStream::Init(nsISupports*, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:71:13
#3 0x7f30787665f7 in nsBufferedInputStream::Init(nsIInputStream*, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsBufferedStreams.cpp:321:35
#4 0x7f307879e633 in NS_NewBufferedInputStream(nsIInputStream**, already_AddRefed<nsIInputStream>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:1354:14
#5 0x7f307e4449fe in mozilla::RemoteLazyInputStream::EnsureAsyncRemoteStream() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:1056:19
#6 0x7f307e4686b3 in operator() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:824:23
#7 0x7f307e4686b3 in std::_Function_handler<void (mozilla::Maybe<mozilla::ipc::IPCStream>&&), mozilla::RemoteLazyInputStream::StreamNeeded()::$_2::operator()() const::'lambda'(mozilla::Maybe<mozilla::ipc::IPCStream> const&)>::_M_invoke(std::_Any_data const&, mozilla::Maybe<mozilla::ipc::IPCStream>&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
#8 0x7f307e462798 in mozilla::PRemoteLazyInputStreamChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PRemoteLazyInputStreamChild.cpp:263:27
#9 0x7f3079c1a129 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#10 0x7f3079c1713d in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#11 0x7f3079c17d0e in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#12 0x7f3079c18f3e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#13 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#14 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#15 0x7f3079c235c0 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
#16 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#17 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#18 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#19 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#20 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#21 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
Thread T46 (StreamTrans #4) created by T6 (Backgro~Pool #1) here:
#0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
#1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
#4 0x7f3078419ad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
#5 0x7f307842641c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
#6 0x7f307841e1c3 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:165:10
#7 0x7f307841e1c3 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:126:17
#8 0x7f3078420acd in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:395:5
#9 0x7f30788718ed in mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamTransportService.cpp:293:16
#10 0x7f307836137f in Dispatch /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:38:14
#11 0x7f307836137f in nsAStreamCopier::PostContinuationEvent_Locked() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:463:21
#12 0x7f307835c291 in PostContinuationEvent /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:455:12
#13 0x7f307835c291 in OnOutputStreamReady /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:425:5
#14 0x7f307835c291 in non-virtual thunk to nsAStreamCopier::OnOutputStreamReady(nsIAsyncOutputStream*) /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp
#15 0x7f3079be4a75 in operator() /builds/worker/checkouts/gecko/ipc/glue/DataPipe.cpp:579:35
#16 0x7f3079be4a75 in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<mozilla::ipc::DataPipeSender::AsyncWait(nsIOutputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)::$_6>(char const*, mozilla::ipc::DataPipeSender::AsyncWait(nsIOutputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)::$_6&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:665:9
#17 0x7f307841f9cb in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#18 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#19 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#20 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#21 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#22 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#23 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#24 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#25 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#26 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
Thread T6 (Backgro~Pool #1) created by T0 (Isolated Web Co) here:
#0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
#1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
#4 0x7f3078419ad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
#5 0x7f307842641c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
#6 0x7f307841e1c3 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:165:10
#7 0x7f307841e1c3 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:126:17
#8 0x7f3078420acd in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:395:5
#9 0x7f30783f0361 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:122:26
#10 0x7f30784305fe in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:73:14
#11 0x7f3079bd7639 in (anonymous namespace)::ChildImpl::ThreadInfoWrapper::InitStarter(mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundStarterChild>&&) /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:365:18
#12 0x7f3079b91802 in InitStarter<mozilla::dom::ContentChild> /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:350:7
#13 0x7f3079b91802 in InitContentStarter /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:1254:38
#14 0x7f3079b91802 in mozilla::ipc::BackgroundChild::InitContentStarter(mozilla::dom::ContentChild*) /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:724:3
#15 0x7f30803f6d8c in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:237:3
#16 0x7f308629e095 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:641:21
#17 0x55d2f9986824 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#18 0x55d2f9986ce7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#19 0x7f309b0ca082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Thread T45 (StreamTrans #3) created by T6 (Backgro~Pool #1) here:
#0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
#1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
#4 0x7f3078419ad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
#5 0x7f307842641c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
#6 0x7f307841e1c3 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:165:10
#7 0x7f307841e1c3 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:126:17
#8 0x7f3078420acd in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:395:5
#9 0x7f30788718ed in mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/netwerk/base/nsStreamTransportService.cpp:293:16
#10 0x7f307836137f in Dispatch /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:38:14
#11 0x7f307836137f in nsAStreamCopier::PostContinuationEvent_Locked() /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:463:21
#12 0x7f307835c291 in PostContinuationEvent /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:455:12
#13 0x7f307835c291 in OnOutputStreamReady /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp:425:5
#14 0x7f307835c291 in non-virtual thunk to nsAStreamCopier::OnOutputStreamReady(nsIAsyncOutputStream*) /builds/worker/checkouts/gecko/xpcom/io/nsStreamUtils.cpp
#15 0x7f3079be4a75 in operator() /builds/worker/checkouts/gecko/ipc/glue/DataPipe.cpp:579:35
#16 0x7f3079be4a75 in already_AddRefed<mozilla::CancelableRunnable> NS_NewCancelableRunnableFunction<mozilla::ipc::DataPipeSender::AsyncWait(nsIOutputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)::$_6>(char const*, mozilla::ipc::DataPipeSender::AsyncWait(nsIOutputStreamCallback*, unsigned int, unsigned int, nsIEventTarget*)::$_6&&)::FuncCancelableRunnable::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:665:9
#17 0x7f307841f9cb in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#18 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#19 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#20 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#21 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#22 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#23 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#24 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#25 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#26 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
Thread T53 (RemoteLzyStream) created by T48 (DOM Worker) here:
#0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
#1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
#4 0x7f3078419ad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
#5 0x7f307842641c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
#6 0x7f307e4531a5 in NS_NewNamedThread<16UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85:10
#7 0x7f307e4531a5 in mozilla::RemoteLazyInputStreamThread::Initialize() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStreamThread.cpp:90:17
#8 0x7f307e448694 in mozilla::RemoteLazyInputStreamThread::GetOrCreate() /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStreamThread.cpp:80:29
#9 0x7f307e4422e4 in mozilla::BindChildActor(nsID, mozilla::ipc::Endpoint<mozilla::PRemoteLazyInputStreamChild>) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:160:18
#10 0x7f307e44e3fa in mozilla::RemoteLazyInputStream::IPCRead(IPC::MessageReader*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:1389:7
#11 0x7f307e44eb2e in IPC::ParamTraits<mozilla::RemoteLazyInputStream*>::Read(IPC::MessageReader*, RefPtr<mozilla::RemoteLazyInputStream>*) /builds/worker/checkouts/gecko/dom/file/ipc/RemoteLazyInputStream.cpp:1422:14
#12 0x7f307e4577c7 in Read /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:866:12
#13 0x7f307e4577c7 in ReadParam<RefPtr<mozilla::RemoteLazyInputStream> > /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:331:10
#14 0x7f307e4577c7 in IPC::ParamTraits<mozilla::RemoteLazyStream>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/IPCBlob.cpp:292:23
#15 0x7f307e459448 in ReadParam<mozilla::RemoteLazyStream> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:328:12
#16 0x7f307e459448 in IPC::ParamTraits<mozilla::dom::IPCBlob>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/IPCBlob.cpp:498:20
#17 0x7f307e43f8dd in bool IPC::ReadParam<mozilla::dom::IPCBlob>(IPC::MessageReader*, mozilla::dom::IPCBlob*) /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:314:18
#18 0x7f30804d8787 in std::enable_if<std::is_same_v<mozilla::dom::IPCBlob*, std::remove_reference<decltype(fp0(std::add_rvalue_reference<unsigned int>::type std::declval<unsigned int>()()))>::type>, bool>::type IPC::ReadSequenceParam<IPC::ParamTraits<nsTArray<mozilla::dom::IPCBlob>>::Read(IPC::MessageReader*, nsTArray<mozilla::dom::IPCBlob>*)::'lambda'(unsigned int), mozilla::dom::IPCBlob>(IPC::MessageReader*, unsigned int&&) /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:500:12
#19 0x7f3080488f5f in Read /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:172:12
#20 0x7f3080488f5f in ReadParam<nsTArray<mozilla::dom::IPCBlob> > /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:331:10
#21 0x7f3080488f5f in IPC::ParamTraits<mozilla::dom::ClonedMessageData>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:156:20
#22 0x7f308048bf05 in ReadParam<mozilla::dom::ClonedMessageData> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:328:12
#23 0x7f308048bf05 in IPC::ParamTraits<mozilla::dom::MessageDataType>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:705:23
#24 0x7f308048c773 in ReadParam<mozilla::dom::MessageDataType> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:328:12
#25 0x7f308048c773 in IPC::ParamTraits<mozilla::dom::MessageData>::Read(IPC::MessageReader*) /builds/worker/workspace/obj-build/ipc/ipdl/DOMTypes.cpp:783:20
#26 0x7f3080a0d648 in ReadParam<mozilla::dom::MessageData> /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:314:18
#27 0x7f3080a0d648 in std::enable_if<std::is_same_v<mozilla::dom::MessageData*, std::remove_reference<decltype(fp0(std::add_rvalue_reference<unsigned int>::type std::declval<unsigned int>()()))>::type>, bool>::type IPC::ReadSequenceParam<IPC::ParamTraits<nsTArray<mozilla::dom::MessageData>>::Read(IPC::MessageReader*, nsTArray<mozilla::dom::MessageData>*)::'lambda'(unsigned int), mozilla::dom::MessageData>(IPC::MessageReader*, unsigned int&&) /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:500:12
#28 0x7f3080a04987 in Read /builds/worker/workspace/obj-build/dist/include/ipc/IPCMessageUtilsSpecializations.h:172:12
#29 0x7f3080a04987 in ReadParam<nsTArray<mozilla::dom::MessageData> > /builds/worker/checkouts/gecko/ipc/chromium/src/chrome/common/ipc_message_utils.h:331:10
#30 0x7f3080a04987 in mozilla::dom::PMessagePortChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PMessagePortChild.cpp:250:28
#31 0x7f3079cc7d41 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6306:32
#32 0x7f3079c1a129 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800:25
#33 0x7f3079c1713d in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725:9
#34 0x7f3079c17d0e in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525:3
#35 0x7f3079c18f3e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623:14
#36 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#37 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#38 0x7f308091ebdc in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3275:7
#39 0x7f30808f5422 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2044:42
#40 0x7f30784120d4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219:16
#41 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#42 0x7f3079c23374 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#43 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#44 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#45 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#46 0x7f3078409a25 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
#47 0x7f309a9db628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#48 0x7f309b61a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
Thread T48 (DOM Worker) created by T0 (Isolated Web Co) here:
#0 0x55d2f9932b6c in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
#1 0x7f309a9cb6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
#2 0x7f309a9bcb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
#3 0x7f307840cecb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619:18
#4 0x7f308094634a in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7
#5 0x7f30808cb607 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1325:37
#6 0x7f30808ca6f8 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1207:19
#7 0x7f3080918eae in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2648:24
#8 0x7f3080959118 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:452:41
#9 0x7f308098f18a in operator() /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:307:29
#10 0x7f308098f18a in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#11 0x7f30783d286f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
#12 0x7f30783e6ae9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#13 0x7f30783dce7c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#14 0x7f30783da0f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
#15 0x7f30783da820 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#16 0x7f30783ecfc1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#17 0x7f30783ecfc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#18 0x7f307841180e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
#19 0x7f307841bd84 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#20 0x7f3079c21d2e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#21 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#22 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#23 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#24 0x7f3081276ca9 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#25 0x7f308629e928 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#26 0x7f3079aa0c97 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#27 0x7f3079aa0c97 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#28 0x7f3079aa0c97 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#29 0x7f308629e0bf in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#30 0x55d2f9986824 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#31 0x55d2f9986ce7 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#32 0x7f309b0ca082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Comment 1•2 years ago
Apparently, nsBufferedInputStream is not thread safe. We should add a lock to protect its members.
Reporter | ||
Comment 2•2 years ago
I am able to reproduce the issue reliably enough to test patches if needed.
Assignee | ||
Comment 3•2 years ago
The problem seems to be with nsBufferedStream::mBuffer.
We release it in nsBufferedStream::Close on one thread while using it on the other.
Considering that we're using the buffer while calling into an external function (nsStreamLoader::WriteSegmentFun from nsBufferedInputStream::ReadSegments), I think mBuffer should be protected by a RecursiveMutex, so we don't cause a deadlock if nsStreamLoader::WriteSegmentFun or some other closure decides to close the stream.
Assignee | ||
Comment 4•2 years ago
It needs to be a recursive mutex instead of a regular one in case nsStreamLoader::WriteSegmentFun closes the stream while holding the mutex.
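The locking scheme described in comments 3 and 4, as an added C++ sketch that is not part of the bug thread or the landed patch. `BufferedStream`, `ReadOrClose` and the two driver functions are hypothetical names, and `std::recursive_mutex` stands in for Gecko's RecursiveMutex.

```cpp
#include <algorithm>
#include <memory>
#include <mutex>
#include <thread>

// Hypothetical stand-in for a buffered stream; not Gecko's nsBufferedStream.
class BufferedStream {
 public:
  using Writer = size_t (*)(BufferedStream&, void*, const char* seg, size_t len);
  explicit BufferedStream(size_t size) : mBuffer(new char[size]()), mSize(size) {}
  // May run on any thread, or re-entrantly from inside a Writer.
  void Close() {
    std::lock_guard<std::recursive_mutex> lock(mMutex);
    mBuffer.reset();
    mSize = mCursor = 0;
  }
  // Lock held across the callback: another thread's Close() cannot free the segment mid-read.
  size_t ReadSegments(Writer writer, void* closure, size_t segLen) {
    std::lock_guard<std::recursive_mutex> lock(mMutex);
    size_t total = 0;
    while (mBuffer && mCursor < mSize) {  // re-checked: the writer may have closed us
      size_t n = writer(*this, closure, mBuffer.get() + mCursor, std::min(segLen, mSize - mCursor));
      if (n == 0) break;
      total += n;
      mCursor += n;
    }
    return total;
  }
 private:
  std::recursive_mutex mMutex;  // guards the members below
  std::unique_ptr<char[]> mBuffer;
  size_t mSize = 0, mCursor = 0;
};
// Reads every byte of the segment; closes the stream from inside the callback if asked to.
size_t ReadOrClose(BufferedStream& s, void* closeInside, const char* seg, size_t len) {
  size_t zeros = static_cast<size_t>(std::count(seg, seg + len, '\0'));
  if (closeInside) s.Close();  // relocks mMutex; a plain mutex would deadlock here
  return zeros;
}
size_t ReentrantClose() {
  BufferedStream s(64);
  return s.ReadSegments(ReadOrClose, &s, 16);
}
size_t ConcurrentClose() {  // reader thread races a closer thread
  BufferedStream s(1 << 16);
  std::thread closer([&s] { s.Close(); });
  size_t got = s.ReadSegments(ReadOrClose, nullptr, 256);
  closer.join();
  return got;
}
```

In `ConcurrentClose` the reader sees either the whole buffer or none of it, depending on which thread takes the lock first; it never touches freed memory.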
Assignee | ||
Comment 5•2 years ago
Hi Tyson, could you check that the attached patch fixes the issue? Thanks!
Assignee | ||
Comment 6•2 years ago
Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not straightforward but an attacker could deduce the root cause from the patch and find a way to exercise that scenario - though an exploit would probably still be racy.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Applies cleanly to esr102
- How likely is this patch to cause regressions; how much testing does it need?: The risk of regressions is low. This patch shouldn't cause an observable change in behaviour. We just protect mBuffer using a recursive mutex.
- Is Android affected?: Yes
Reporter | ||
Comment 7•2 years ago
I am unable to reproduce the issue with the patch applied.
Assignee | ||
Comment 8•2 years ago
Thank you!
Comment 9•2 years ago
Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup
Approved to land and uplift
Assignee | ||
Comment 10•2 years ago
Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup
Beta/Release Uplift Approval Request
- User impact if declined: Use-after-free
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): We guard the use of mBuffer with a recursive mutex.
- String changes made/needed:
- Is Android affected?: Yes
Comment 11•2 years ago
Guard nsBufferedStream::mBuffer with recursive mutex r=necko-reviewers,jesup
https://hg.mozilla.org/integration/autoland/rev/6436a939ca9df0289ff0f76493e708db953ce412
https://hg.mozilla.org/mozilla-central/rev/6436a939ca9d
Comment 12•2 years ago
Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup
Approved for 112.0b3
Comment 13•2 years ago
uplift
Comment 14•2 years ago
Comment on attachment 9321415 [details]
Bug 1818357 - [ESR102] Guard nsBufferedStream::mBuffer with recursive mutex r=#necko,jesup
Approved for 102.10esr
Comment 15•2 years ago
uplift
Comment 16•2 years ago
Backed out 3b5174799c88 from esr102 for causing failures
Backout: https://hg.mozilla.org/releases/mozilla-esr102/rev/7231b6aa4325
Backout push: https://treeherder.mozilla.org/jobs?repo=mozilla-esr102&revision=7231b6aa432550307627126a28f4e7a9235ecf12
log with failures: https://treeherder.mozilla.org/logviewer?job_id=409511508&repo=mozilla-esr102&lineNumber=28346
push with failures: https://treeherder.mozilla.org/jobs?repo=mozilla-esr102&revision=d58e0a95e12d2e8cdad84598ee775d3ce225aa0e
Assignee | ||
Comment 17•2 years ago
MOZ_GUARDED_BY wasn't available in ESR. I removed it from the ESR patch.
Comment 18•2 years ago
uplift
Comment 19•1 year ago
Given bug 1826206 and its patch, is this RecursiveMutex still needed? If not, perhaps we can replace this with an assert somewhere about thread usage?
Assignee | ||
Comment 20•1 year ago
I agree that bug 1826206 addressed the root cause of this.
I'm ➕ on replacing it with a thread assert.