Closed
Bug 1923017
Opened 9 months ago
Closed 6 days ago
Crash in [@ mozilla::net::CacheFileHandle::IsClosed]
Categories
(Core :: Networking: Cache, defect, P3)
RESOLVED
FIXED
141 Branch
Tracking | Status | |
---|---|---|
firefox141 | --- | fixed |
People
(Reporter: gsvelto, Assigned: valentin)
Details
(Keywords: crash, Whiteboard: [necko-triaged][necko-priority-next])
Attachments
(1 file)
Crash report: https://crash-stats.mozilla.org/report/index/cd402b90-12b4-4521-8f35-723880241005
Reason:
SIGSEGV / SEGV_MAPERR
Top 10 frames:
0 libxul.so std::__atomic_base<unsigned int>::load(std::memory_order) const /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/include/c++/8/bits/atomic_base.h:396
0 libxul.so mozilla::detail::IntrinsicMemoryOps<unsigned int, (mozilla::MemoryOrdering)1>... mfbt/Atomics.h:199
0 libxul.so mozilla::Atomic<bool, (mozilla::MemoryOrdering)1, void>::operator bool() const mfbt/Atomics.h:500
0 libxul.so mozilla::net::CacheFileHandle::IsClosed() const netwerk/cache2/CacheFileIOManager.h:63
0 libxul.so mozilla::net::CacheFileIOManager::Read(mozilla::net::CacheFileHandle*, long, ... netwerk/cache2/CacheFileIOManager.cpp:1959
1 libxul.so mozilla::net::CacheFileChunk::Read(mozilla::net::CacheFileHandle*, unsigned i... netwerk/cache2/CacheFileChunk.cpp:360
1 libxul.so mozilla::net::CacheFile::GetChunkLocked(unsigned int, mozilla::net::CacheFile... netwerk/cache2/CacheFile.cpp:1484
2 libxul.so mozilla::net::CacheFile::PreloadChunks(unsigned int) netwerk/cache2/CacheFile.cpp:1615
3 libxul.so mozilla::net::CacheFile::GetChunkLocked(unsigned int, mozilla::net::CacheFile... netwerk/cache2/CacheFile.cpp:1451
4 libxul.so mozilla::net::CacheFileInputStream::EnsureCorrectChunk(bool) netwerk/cache2/CacheFileInputStream.cpp:592
This looks like a NULL pointer access. The NULL file handle seems to have originated from here.
Comment 1•9 months ago
So somehow mHandle is null.
Basically nothing has changed since Jun that goes anywhere near mHandle. (and probably nothing for quite a while before). Could this be a signature change? Perhaps crashes like https://crash-stats.mozilla.org/report/index/d1a605b0-8a7e-41d0-82f8-2a3540240729 ?
Yeah, that's the same stack; they stopped showing up in August when this started.
Severity: -- → S3
Crash Signature: [@ mozilla::net::CacheFileHandle::IsClosed] → [@ mozilla::net::CacheFileHandle::IsClosed]
[@ mozilla::Atomic<T>::operator bool]
Priority: -- → P3
Whiteboard: [necko-triaged][necko-priority-new]
Updated•8 months ago
Whiteboard: [necko-triaged][necko-priority-new] → [necko-triaged][necko-priority-next]
Assignee
Updated•9 days ago
Assignee: nobody → valentin.gosu
Assignee
Comment 2•9 days ago
Pushed by valentin.gosu@gmail.com:
https://github.com/mozilla-firefox/firefox/commit/35824d5bf052
https://hg.mozilla.org/integration/autoland/rev/ac099aece561
Fix null ptr deref in CacheFileIOManager::Read r=necko-reviewers,jesup
Comment 4•6 days ago
bugherder
Status: NEW → RESOLVED
Closed: 6 days ago
status-firefox141:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch