Hit MOZ_CRASH(nsWeakReference not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43
Categories: Core :: Security: PSM, defect, P1
People: Reporter: tsmith, Assigned: keeler
References: Blocks 1 open bug
Details: Keywords: assertion, csectype-race, sec-moderate; Whiteboard: [psm-assigned][adv-main131+r][adv-esr128.3+r]
Attachments (3 files):
- 48 bytes, text/x-phabricator-request
- 48 bytes, text/x-phabricator-request (phab-bot: approval-mozilla-beta+)
- 48 bytes, text/x-phabricator-request (phab-bot: approval-mozilla-esr128+)
Found with m-c 20240824-4da5ac911a89 (--enable-debug --enable-fuzzing)
This was found by visiting a live website with a debug build.
STR:
- Launch browser and visit site
This issue was triggered by visiting http://accurence.com/. Unfortunately I have not been able to reproduce the issue.
Hit MOZ_CRASH(nsWeakReference not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43
68|0|xul.dll|nsWeakReference::Release()|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsWeakReference.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|123|0x105
68|1|xul.dll|mozilla::net::QuicSocketControl::~QuicSocketControl()|hg:hg.mozilla.org/mozilla-central:netwerk/protocol/http/QuicSocketControl.h:4da5ac911a894efbdc6b548ee9c61181825d7b1b|53|0x53
68|2|xul.dll|CommonSocketControl::Release()|hg:hg.mozilla.org/mozilla-central:security/manager/ssl/CommonSocketControl.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|28|0x63
68|3|xul.dll|mozilla::net::QuicSocketControl::Release()|hg:hg.mozilla.org/mozilla-central:netwerk/protocol/http/QuicSocketControl.h:4da5ac911a894efbdc6b548ee9c61181825d7b1b|30|0xd
68|4|xul.dll|mozilla::psm::SSLServerCertVerificationResult::`vector deleting destructor'(unsigned int)|||0x16
68|5|xul.dll|mozilla::Runnable::Release()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|66|0x5b
68|6|xul.dll|mozilla::psm::SSLServerCertVerificationJob::~SSLServerCertVerificationJob()|hg:hg.mozilla.org/mozilla-central:security/manager/ssl/SSLServerCertVerification.h:4da5ac911a894efbdc6b548ee9c61181825d7b1b|98|0x3d
68|7|xul.dll|mozilla::psm::SSLServerCertVerificationJob::~SSLServerCertVerificationJob()|hg:hg.mozilla.org/mozilla-central:security/manager/ssl/SSLServerCertVerification.h:4da5ac911a894efbdc6b548ee9c61181825d7b1b|98|0xf
68|8|xul.dll|mozilla::Runnable::Release()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|66|0x5b
68|9|xul.dll|nsThreadPool::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadPool.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|458|0x995
68|10|xul.dll|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|1149|0x968
68|11|xul.dll|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|480|0x6c
68|12|xul.dll|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|299|0xad
68|13|xul.dll|MessageLoop::RunHandler()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4da5ac911a894efbdc6b548ee9c61181825d7b1b|363|0x4c
68|14|xul.dll|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4da5ac911a894efbdc6b548ee9c61181825d7b1b|345|0x6e
68|15|xul.dll|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|366|0x15a
68|16|nss3.dll|_PR_NativeRunThread(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/threads/combined/pruthr.c:4da5ac911a894efbdc6b548ee9c61181825d7b1b|399|0x120
68|17|nss3.dll|pr_root(void*)|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/md/windows/w95thred.c:4da5ac911a894efbdc6b548ee9c61181825d7b1b|139|0x10
68|18|ucrtbase.dll||||
68|19|KERNELBASE.dll||||
68|20|ucrtbase.dll||||
68|21|ucrtbase.dll||||
68|22|mozglue.dll|patched_BaseThreadInitThunk(int, void*, void*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|562|0x8a
68|23|ntdll.dll||||
68|24|KERNELBASE.dll||||
68|25|xul.dll|js::jit::MacroAssembler::branchTestObjectNeedsProxyResultValidation(js::jit::AssemblerX86Shared::Condition, js::jit::Register, js::jit::Register, js::jit::Label*)|hg:hg.mozilla.org/mozilla-central:js/src/jit/MacroAssembler.cpp:4da5ac911a894efbdc6b548ee9c61181825d7b1b|5404|0x126
Comment 1•1 year ago (Reporter)
Sorry wrong stack (fixed).
Comment 2•1 year ago
Looks like SSLServerCertVerificationJob might be releasing a QuicSocketControl (via mResultTask) on the wrong thread. There's an existing place where it intentionally leaks this field on some error condition. Maybe there's another error state that isn't being handled? It might be a good idea to always do this in the dtor to be safe.
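The failure mode Comment 2 describes, modelled as an added standalone C++ example (not Gecko code and not the landed patch): a result task holding a thread-affine, non-atomically refcounted object is either destroyed on the worker when dispatch fails, or forgets its reference there so the object is leaked instead. `Outcome`, `SocketControl`, `ResultTask`, `OwnerQueue` and `Simulate` are hypothetical stand-ins.

```cpp
#include <memory>
#include <thread>
#include <vector>

struct Outcome { int wrongThreadReleases = 0; int destroyed = 0; };

// Hypothetical stand-in (not Gecko code): thread-affine object with a
// non-atomic refcount. A debug Gecko build would MOZ_CRASH on an off-thread
// Release(); this model only counts the event.
struct SocketControl {
  std::thread::id owner = std::this_thread::get_id();
  int refs = 1;
  Outcome* out;
  explicit SocketControl(Outcome* o) : out(o) {}
  void Release() {
    if (std::this_thread::get_id() != owner) ++out->wrongThreadReleases;
    if (--refs == 0) { ++out->destroyed; delete this; }
  }
};

// Result task: owns one reference and drops it wherever the task is destroyed.
struct ResultTask {
  SocketControl* ctl;
  explicit ResultTask(SocketControl* c) : ctl(c) {}
  ~ResultTask() { if (ctl) ctl->Release(); }
};

// Owner-thread queue that can refuse new tasks (for example during shutdown).
struct OwnerQueue {
  bool accepting;
  std::vector<std::unique_ptr<ResultTask>> tasks;
  bool Dispatch(std::unique_ptr<ResultTask>& t) {
    if (accepting) tasks.push_back(std::move(t));
    return accepting;
  }
};

// Runs the job on a worker thread, then drains the queue on the owner thread.
Outcome Simulate(bool accepting, bool leakOnFailure) {
  Outcome out;
  auto* ctl = new SocketControl(&out);
  OwnerQueue q{accepting, {}};
  std::thread worker([&q, leakOnFailure, ctl] {
    auto task = std::make_unique<ResultTask>(ctl);
    if (!q.Dispatch(task) && leakOnFailure) task->ctl = nullptr;  // forget the ref
  });  // on failed dispatch, `task` was still owned by the worker and died there
  worker.join();
  q.tasks.clear();                     // owner thread releases what was handed over
  if (out.destroyed == 0) delete ctl;  // demo-only cleanup of the deliberate leak
  return out;
}
```

`Simulate(false, false)` is the racy path (release on the worker thread); `Simulate(false, true)` trades it for a leaked object.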
Comment 3•1 year ago (Assignee)
Comment 5•1 year ago
Comment 6•1 year ago
The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox131 to wontfix.
For more information, please visit BugBot documentation.
Comment 7•1 year ago
FWIW, this will need a tiny bit of rebasing around bug 1913794 for ESR128 uplift.
Comment 8•1 year ago (Assignee)
Original Revision: https://phabricator.services.mozilla.com/D221381
Comment 9•1 year ago
beta Uplift Approval Request
- User impact if declined: minor
- Code covered by automated testing: yes
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: small
- Explanation of risk level: this just leaks small objects when task dispatch fails (which should be rare)
- String changes made/needed: none
- Is Android affected?: yes
Comment 10•1 year ago [uplift]
Comment 11•1 year ago
:keeler are you still going to be uplifting a rebased patch to esr128? Just a friendly reminder that next week is RC week.
Comment 12•1 year ago
:jschanck as the reviewer of the patch, do you think you can help with the patch to esr128? I noticed keeler is out of office (feel free to redirect this if needed).
Comment 13•1 year ago (Assignee)
I was just out yesterday - I can take care of it today.
Comment 14•1 year ago (Assignee)
Comment 15•1 year ago
esr128 Uplift Approval Request
- User impact if declined: potential crashes
- Code covered by automated testing: yes
- Fix verified in Nightly: yes
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: low
- Explanation of risk level: this just changes some error handling
- String changes made/needed: none
- Is Android affected?: yes
Comment 16•1 year ago [uplift]