Closed
Bug 1951494
Opened 9 months ago
Closed 8 months ago
Hit MOZ_CRASH(nsWeakReference not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43
Categories
(Core :: Security: PSM, defect, P1)
Core
Security: PSM
Tracking
()
People
(Reporter: tsmith, Assigned: keeler)
References
(Blocks 1 open bug, )
Details
(4 keywords, Whiteboard: [psm-assigned] [adv-main137+r][adv-esr128.9+r] )
Attachments
(3 files)
|
48 bytes,
text/x-phabricator-request
|
Details | Review | |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-beta+
|
Details | Review |
|
48 bytes,
text/x-phabricator-request
|
phab-bot
:
approval-mozilla-esr128+
|
Details | Review |
Found with m-c 20250101-b60410fc60da (--enable-debug)
This was found by visiting a live website with a debug build.
STR:
- Launch browser and visit site
This issue was triggered by visiting https://www.techtarget.com/. It is currently one of the most frequently reported live site testing issues. Unfortunately it does not reproduce reliably. A Pernosco session can be found here: https://pernos.co/debug/ATmDqAiX7r4hYCeHTHIGAQ/index.html
Hit MOZ_CRASH(nsWeakReference not thread-safe) at /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43
#0 0x7fffe29255d4 in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:267:3
#1 0x7fffe29255d4 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:382:3
#2 0x7fffe29255d4 in AssertCurrentThreadOwnsMe /builds/worker/checkouts/gecko/xpcom/base/nsISupportsImpl.cpp:43:5
#3 0x7fffe29255d4 in AssertOwnership<32> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:59:5
#4 0x7fffe29255d4 in nsWeakReference::Release() /builds/worker/checkouts/gecko/xpcom/base/nsWeakReference.cpp:123:1
#5 0x7fffe3141a19 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#6 0x7fffe3141a19 in ~nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:344:7
#7 0x7fffe3141a19 in ~QuicSocketControl /builds/worker/checkouts/gecko/netwerk/protocol/http/QuicSocketControl.h:54:32
#8 0x7fffe3141a19 in mozilla::net::QuicSocketControl::~QuicSocketControl() /builds/worker/checkouts/gecko/netwerk/protocol/http/QuicSocketControl.h:54:32
#9 0x7fffe8d6cea8 in CommonSocketControl::Release() /builds/worker/checkouts/gecko/security/manager/ssl/CommonSocketControl.cpp:28:1
#10 0x7fffe31418d4 in mozilla::net::QuicSocketControl::Release() /builds/worker/checkouts/gecko/netwerk/protocol/http/QuicSocketControl.h:30:3
#11 0x7fffe8daa704 in ~SSLServerCertVerificationResult /builds/worker/checkouts/gecko/security/manager/ssl/SSLServerCertVerification.h:84:46
#12 0x7fffe8daa704 in non-virtual thunk to mozilla::psm::SSLServerCertVerificationResult::~SSLServerCertVerificationResult() /builds/worker/checkouts/gecko/security/manager/ssl/SSLServerCertVerification.h
#13 0x7fffe29d83f0 in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:66:1
#14 0x7fffe8daa0e7 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#15 0x7fffe8daa0e7 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:409:36
#16 0x7fffe8daa0e7 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:80:7
#17 0x7fffe8daa0e7 in mozilla::psm::SSLServerCertVerificationJob::~SSLServerCertVerificationJob() /builds/worker/checkouts/gecko/security/manager/ssl/SSLServerCertVerification.h:99:7
#18 0x7fffe8daa27d in mozilla::psm::SSLServerCertVerificationJob::~SSLServerCertVerificationJob() /builds/worker/checkouts/gecko/security/manager/ssl/SSLServerCertVerification.h:99:7
#19 0x7fffe29d83f0 in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:66:1
#20 0x7fffe29efb1d in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:49:40
#21 0x7fffe29efb1d in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:322:7
#22 0x7fffe29efb1d in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:597:5
#23 0x7fffe29efb1d in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:458:13
#24 0x7fffe29e6b7a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1153:16
#25 0x7fffe29ecfdf in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#26 0x7fffe354e968 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:299:20
#27 0x7fffe34a3891 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#28 0x7fffe34a3891 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#29 0x7fffe29e2497 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:366:10
#30 0x7ffff71f79df in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:191:3
#31 0x7ffff7abcac2 in start_thread nptl/pthread_create.c:442:8
#32 0x7ffff7b4e84f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
|
||
Comment 1•9 months ago
|
||
Looks like a variation of bug 1915008, which was fixed last year.
Group: network-core-security → crypto-core-security
Component: Networking: HTTP → Security: PSM
See Also: → 1915008
|
|
||
Updated•9 months ago
|
Keywords: csectype-race,
sec-moderate
|
Assignee | |
Updated•9 months ago
|
Assignee: nobody → dkeeler
Severity: -- → S2
Priority: -- → P1
Whiteboard: [psm-assigned]
|
|
Assignee | |
Comment 2•9 months ago
|
||
|
|
Assignee | |
Comment 3•9 months ago
|
||
If the result task runs to completion before the verification job finishes, the verification job will still have a reference to the result task, which will still have a reference to the socket control. Thus, the last reference to the socket control is released on a verification thread. This patch should address this by having the result task release its reference to the socket control when it is done running (on the socket thread).
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/90b23d9ba6e2
ensure socket control is released on the socket thread r=jschanck
|
|
||
Comment 5•8 months ago
|
||
Group: crypto-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → FIXED
Target Milestone: --- → 138 Branch
|
||
Updated•8 months ago
|
status-firefox136:
--- → wontfix
status-firefox137:
--- → affected
status-firefox-esr115:
--- → wontfix
status-firefox-esr128:
--- → affected
tracking-firefox137:
--- → +
tracking-firefox138:
--- → +
tracking-firefox-esr128:
--- → 137+
|
||
Comment 6•8 months ago
|
||
The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox137towontfix.
For more information, please visit BugBot documentation.
Flags: needinfo?(dkeeler)
|
|
Assignee | |
Comment 7•8 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D240234
|
||
Updated•8 months ago
|
Attachment #9470888 -
Flags: approval-mozilla-beta?
|
|
||
Comment 8•8 months ago
|
||
beta Uplift Approval Request
- User impact if declined: potential crashes
- Code covered by automated testing: yes
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: low
- Explanation of risk level: this is a very simple, straightforward patch that should be safe
- String changes made/needed: none
- Is Android affected?: yes
|
|
Assignee | |
Updated•8 months ago
|
Flags: needinfo?(dkeeler)
|
||
Comment 9•8 months ago
|
||
Dana, ESR128 is also affected, could you request uplift on this branch as well? Thanks
Flags: needinfo?(dkeeler)
|
|
Assignee | |
Comment 10•8 months ago
|
||
Original Revision: https://phabricator.services.mozilla.com/D240234
|
|
||
Updated•8 months ago
|
Attachment #9471121 -
Flags: approval-mozilla-esr128?
|
|
||
Comment 11•8 months ago
|
||
esr128 Uplift Approval Request
- User impact if declined: potential crashes
- Code covered by automated testing: yes
- Fix verified in Nightly: no
- Needs manual QE test: no
- Steps to reproduce for manual QE testing: n/a
- Risk associated with taking this patch: low
- Explanation of risk level: this is a very small patch that should be safe
- String changes made/needed: none
- Is Android affected?: yes
|
|
Assignee | |
Updated•8 months ago
|
Flags: needinfo?(dkeeler)
|
|
||
Updated•8 months ago
|
Attachment #9470888 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Updated•8 months ago
|
Attachment #9471121 -
Flags: approval-mozilla-esr128? → approval-mozilla-esr128+
|
||
Comment 12•8 months ago
|
||
| uplift | ||
|
||
Updated•8 months ago
|
|
|
||
Comment 13•8 months ago
|
||
| uplift | ||
|
|
||
Updated•8 months ago
|
|
||
Updated•8 months ago
|
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
|
||
Updated•8 months ago
|
Whiteboard: [psm-assigned] → [psm-assigned] [adv-main137+r]
|
|
||
Updated•8 months ago
|
Whiteboard: [psm-assigned] [adv-main137+r] → [psm-assigned] [adv-main137+r][adv-esr128.9+r]
|
||
Updated•2 months ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•