Open Bug 1842858 Opened 2 years ago Updated 3 months ago

Crash in [@ MaybePoison]

Categories

(Core :: Networking: Cache, defect, P2)

Tracking

Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- affected
firefox115 --- affected
firefox116 --- affected
firefox117 --- affected

People

(Reporter: aryx, Unassigned)

References

Details

(Keywords: crash, Whiteboard: [necko-triaged] [necko-priority-monitor][tbird crash])

Crash Data

~40 crash reports per release cycle, often on macOS.

Paul: Do you want to take a look at this based on bug 1808429?

Crash report: https://crash-stats.mozilla.org/report/index/d666cbf5-bba5-4852-a2fa-c8e040230711

Reason: EXC_BAD_ACCESS / KERN_MEMORY_ERROR

Top 10 frames of crashing thread:

0  libsystem_platform.dylib  _platform_memset  
1  libmozglue.dylib  MaybePoison  memory/build/mozjemalloc.cpp:1501
1  libmozglue.dylib  arena_dalloc  memory/build/mozjemalloc.cpp:3740
1  libmozglue.dylib  BaseAllocator::free  memory/build/mozjemalloc.cpp:4547
1  libmozglue.dylib  Allocator<MozJemallocBase>::free  memory/build/malloc_decls.h:54
1  libmozglue.dylib  free  memory/build/malloc_decls.h:54
2  XUL  mozilla::net::CacheFileUtils::FreeBuffer  netwerk/cache2/CacheFileUtils.cpp:616
2  XUL  mozilla::net::CacheFileMetadata::~CacheFileMetadata  netwerk/cache2/CacheFileMetadata.cpp:115
3  XUL  mozilla::net::CacheFileMetadata::~CacheFileMetadata  netwerk/cache2/CacheFileMetadata.cpp:103
3  XUL  mozilla::net::CacheFileMetadata::Release  netwerk/cache2/CacheFileMetadata.cpp:39

The severity field is not set for this bug.
:glandium, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(mh+mozilla)
Flags: needinfo?(mh+mozilla) → needinfo?(pbone)

These could be double frees (and jemalloc has unmapped the memory), or bad pointers (some are unaligned). It's hard to tell because we poison before taking the lock and asserting it's not a double free.

Flags: needinfo?(pbone)

If we assume these are bad pointers, is it a "bad coincidence" they all have similar freeing stacks? Should we not redirect this to mozilla::net::CacheFileMetadata for what's likely a double-free?

Flags: needinfo?(pbone)
See Also: → 1868499

I think we should adjust the crash signature processing so we can find the most common UAFs that crash here: Bug 1868499.

Meanwhile I'll try to figure out how to search these in our existing crash reports.

Flags: needinfo?(pbone)
Component: Memory Allocator → Networking

Note that not all crash signatures are related to ~CacheFileMetadata.
Some are from JS::GCContext::free_(js::gc::Cell*, void*, unsigned long, js::MemoryUse).

Severity: -- → S3
Component: Networking → Networking: Cache
Priority: -- → P2
Whiteboard: [necko-triaged] [necko-priority-new]
Whiteboard: [necko-triaged] [necko-priority-new] → [necko-triaged] [necko-priority-monitor]
Whiteboard: [necko-triaged] [necko-priority-monitor] → [necko-triaged] [necko-priority-monitor][tbird crash]
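The two preceding comments make the same point from different angles: a crash inside MaybePoison's memset is bucketed by the allocator frame, so reports from ~CacheFileMetadata and from JS::GCContext::free_ land in one signature and the most common callers cannot be ranked. The script below is an added example written for this page; it is not Mozilla's crash-stats signature processing nor the change made for bug 1868499. It re-buckets reports by the first frames outside the allocator and flags reports whose freed pointer is misaligned, which the thread treats as evidence of a wild pointer rather than a double free. Assumptions: frame lines use the crash-stats layout shown above (columns separated by two or more spaces), the allocator's free path lives in libmozglue.dylib plus the listed function names, and the allocator never returns pointers with less than 8-byte alignment. The cache report frames are copied from the report above; the JS report, its caller `js::ExampleCell::finalize`, and all pointer values are constructed.

```python
import re
from collections import Counter

# Frames of the allocator's free path. A crash inside them (here the memset
# that MaybePoison runs over the freed block) says nothing about which caller
# handed jemalloc a stale or wild pointer, so they are skipped when bucketing.
ALLOCATOR_MODULES = {"libsystem_platform.dylib", "libmozglue.dylib"}
ALLOCATOR_FUNCTIONS = {
    "_platform_memset", "memset", "MaybePoison", "arena_dalloc",
    "BaseAllocator::free", "Allocator<MozJemallocBase>::free", "free",
}

# Frames copied from the crash report quoted above.
FRAMES_CACHE = """
0  libsystem_platform.dylib  _platform_memset
1  libmozglue.dylib  MaybePoison  memory/build/mozjemalloc.cpp:1501
1  libmozglue.dylib  arena_dalloc  memory/build/mozjemalloc.cpp:3740
1  libmozglue.dylib  BaseAllocator::free  memory/build/mozjemalloc.cpp:4547
1  libmozglue.dylib  Allocator<MozJemallocBase>::free  memory/build/malloc_decls.h:54
1  libmozglue.dylib  free  memory/build/malloc_decls.h:54
2  XUL  mozilla::net::CacheFileUtils::FreeBuffer  netwerk/cache2/CacheFileUtils.cpp:616
2  XUL  mozilla::net::CacheFileMetadata::~CacheFileMetadata  netwerk/cache2/CacheFileMetadata.cpp:115
3  XUL  mozilla::net::CacheFileMetadata::~CacheFileMetadata  netwerk/cache2/CacheFileMetadata.cpp:103
3  XUL  mozilla::net::CacheFileMetadata::Release  netwerk/cache2/CacheFileMetadata.cpp:39
"""

# Constructed stack for the JS GC variant mentioned in the thread; the caller
# below MaybePoison is the real signature, the frame after it is hypothetical.
FRAMES_JS = """
0  libsystem_platform.dylib  _platform_memset
1  libmozglue.dylib  MaybePoison  memory/build/mozjemalloc.cpp:1501
1  libmozglue.dylib  free  memory/build/malloc_decls.h:54
2  XUL  JS::GCContext::free_(js::gc::Cell*, void*, unsigned long, js::MemoryUse)
3  XUL  js::ExampleCell::finalize
"""

# Constructed reports: ids and freed-pointer values are made up for the example.
REPORTS = [
    {"id": "a", "frames": FRAMES_CACHE, "free_ptr": "0x11c5ae7f0"},
    {"id": "b", "frames": FRAMES_CACHE, "free_ptr": "0x11c5ae7f3"},
    {"id": "c", "frames": FRAMES_JS, "free_ptr": "0x12a000c80"},
]


def parse_frames(text):
    """Parse crash-stats style frame lines: index, module, function, location."""
    frames = []
    for line in text.strip().splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 3:
            continue  # not a frame line
        frames.append({
            "module": cols[1],
            "function": cols[2],
            "location": cols[3] if len(cols) > 3 else "",
        })
    return frames


def base_name(function):
    """Drop the parameter list so overloads of one function bucket together."""
    return function.split("(", 1)[0]


def is_allocator_frame(frame):
    return (frame["module"] in ALLOCATOR_MODULES
            or base_name(frame["function"]) in ALLOCATOR_FUNCTIONS)


def effective_signature(frames, depth=2):
    """Join the first `depth` frames outside the allocator into one signature."""
    callers = [base_name(f["function"]) for f in frames if not is_allocator_frame(f)]
    if not callers:
        return "<allocator only>"
    return " | ".join(callers[:depth])


def looks_unaligned(free_ptr, min_alignment=8):
    """Heuristic (assumption for this example): the allocator never hands out
    pointers below pointer alignment, so a misaligned value passed to free()
    points at a wild pointer rather than a double free."""
    return int(free_ptr, 16) % min_alignment != 0


def bucket_reports(reports):
    """Tally effective signatures and list reports with a misaligned pointer."""
    counts = Counter()
    unaligned = []
    for rep in reports:
        sig = effective_signature(parse_frames(rep["frames"]))
        counts[sig] += 1
        if rep.get("free_ptr") and looks_unaligned(rep["free_ptr"]):
            unaligned.append((rep["id"], sig))
    return counts, unaligned


if __name__ == "__main__":
    counts, unaligned = bucket_reports(REPORTS)
    for sig, n in counts.most_common():
        print(f"{n:3d}  {sig}")
    for rep_id, sig in unaligned:
        print(f"misaligned free() argument in report {rep_id}: {sig}")
```

With the allocator frames skipped, the two cache reports count as one bucket and the GC report as another, which is the ranking the thread asks for; report b is additionally flagged because its pointer is not 8-byte aligned. The `depth` argument controls how much caller context ends up in the signature: depth 1 gives the direct caller of free(), depth 2 also names the destructor that released the buffer.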