Closed
Bug 409500
Opened 17 years ago
Closed 15 years ago
Crash when serializing security info to disk cache [@ memcpy - nsStringInputStream::SetData]
Categories
(Core :: Networking: Cache, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla1.9.3a1
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
status1.9.1 | --- | .4-fixed |
People
(Reporter: syskin2, Assigned: bzbarsky)
References
()
Details
(Keywords: crash, fixed1.9.0.15, regression)
Crash Data
Attachments
(1 file, 1 obsolete file)
1.77 KB,
patch
|
jduell.mcbugs
:
review+
benjamin
:
approval1.9.2+
dveditz
:
approval1.9.1.4+
dveditz
:
approval1.9.0.15+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2007122105 Minefield/3.0b3pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b3pre) Gecko/2007122105 Minefield/3.0b3pre
I've been hitting this new crasher when using my bank website.
Reproducible: Sometimes
Steps to Reproduce:
1. Set browser.cache.disk_cache_ssl = true
2. Visit https://www3.netbank.commbank.com.au/netbank/bankmain
3. Keep highlighting the url and pressing enter to reaload the page
Actual Results:
bp-c6c0970f-aeb7-11dc-9747-001a4bd43e5c
bp-6bf0588a-adda-11dc-adfb-001a4bd46e84
..and friends
Expected Results:
No crash :)
I could not crash under debugger. I tried other https websites and they don't crash - luckily the login page of my bank is enough (although navigation later on crashes more easily, I think).
Updated•17 years ago
|
0 msvcr80.dll@0x151ac
1 nsStringInputStream::SetData(char const*, int) mozilla/xpcom/io/nsStringStream.cpp:189
2 NS_NewByteInputStream(nsIInputStream**, char const*, int, nsAssignmentType) mozilla/xpcom/io/nsStringStream.cpp:366
3 NS_NewCStringInputStream(nsIInputStream**, nsACString_internal const&) mozilla/xpcom/io/nsStringStream.cpp:412
4 NS_DeserializeObject(nsACString_internal const&, nsISupports**) mozilla/netwerk/base/src/nsSerializationHelper.cpp:82
5 nsDiskCacheEntry::CreateCacheEntry(nsCacheDevice*) mozilla/netwerk/cache/src/nsDiskCacheEntry.cpp:90
Summary: Crash when serializing security info to disk cache → Crash when serializing security info to disk cache [@ memcpy - nsStringInputStream::SetData]
Comment 2•16 years ago
|
||
Bug 458340 may be related.
Comment 3•15 years ago
|
||
I am seeing a similar crash too at one of our customer sites:
00 msvcr90!TrailUpVec+0x18
01 xpcom_core!nsStringInputStream::SetData+0x42
02 xpcom_core!NS_NewByteInputStream+0x6c
03 xpcom_core!NS_NewCStringInputStream+0x1a
04 necko!NS_DeserializeObject+0x54
05 necko!nsDiskCacheEntry::CreateCacheEntry+0xce
06 necko!nsDiskCacheDevice::FindEntry+0x83
07 necko!nsCacheService::SearchCacheDevices+0x61
08 necko!nsCacheService::ActivateEntry+0x84
09 necko!nsCacheService::ProcessRequest+0x2d
0a necko!nsCacheService::OpenCacheEntry+0x60
0b necko!nsCacheSession::OpenCacheEntry+0x19
0c necko!nsHttpChannel::OpenCacheEntry+0x1ce
0d necko!nsHttpChannel::Connect+0x106
0e necko!nsHttpChannel::AsyncOpen+0x11e
0f gklayout!nsScriptLoader::ProcessScriptElement+0x8fe
10 gklayout!nsScriptElement::MaybeProcessScript+0x6d
11 gklayout!nsHTMLScriptElement::MaybeProcessScript+0x1e
12 gklayout!nsHTMLScriptElement::DoneAddingChildren+0xc
13 gklayout!HTMLContentSink::ProcessSCRIPTEndTag+0x59
14 gklayout!SinkContext::CloseContainer+0x134
15 gklayout!HTMLContentSink::CloseContainer+0x2f
16 gkparser!CNavDTD::CloseContainer+0xa1
17 gkparser!CNavDTD::HandleEndToken+0x27c
18 gkparser!CNavDTD::HandleToken+0x2df
19 gkparser!CNavDTD::BuildModel+0x177
1a gkparser!nsParser::BuildModel+0x6c
1b gkparser!nsParser::ResumeParse+0xbe
1c gkparser!nsParser::ContinueInterruptedParsing+0x31
1d gklayout!nsContentSink::ContinueInterruptedParsingIfEnabled+0x1d
1e gklayout!nsRunnableMethod<nsJSChannel>::Run+0xd
1f xpcom_core!nsThread::ProcessNextEvent+0xc3
20 xpcom_core!NS_ProcessNextEvent_P+0x20
21 gkwidget!nsBaseAppShell::Run+0x2a
22 tkitcmps!nsAppStartup::Run+0x1e
23 xul!XRE_main+0x1360
24 HsEngine!NS_internal_main+0xc1
25 HsEngine!wmain+0xf3
26 HsEngine!__tmainCRTStartup+0x10f
27 kernel32!BaseProcessStart+0x23
Updated•15 years ago
|
Whiteboard: [needs stack evaluated for usefulness - cache]
Assignee | ||
Comment 4•15 years ago
|
||
So... NS_DeserializeObject (introduced in bug 262116) is just broken. In particular, it computes |size| to be _sufficient_ to hold the base64-decoded data, then decodes the data, then uses |size| as the correct datasize. It's only the correct datasize if the original data had a size that's 0 mod 3. Otherwise, it's too big. The correct way to compute the datasize can be found in nsDataChannel::OpenContentStream, say (or various other consumers of PL_Base64Decode). It's too bad NSPR's API here sucks so much.
In any case, we end up passing a length that's bigger than the actual allocated size of the buffer (but only when the original data size was 1 mod 3, due to the null that NSPR allocates for us). Then the string input stream tries to make a copy and memcpys that one extra byte that's outside the buffer. That's presumably when the crash (or UMR in bug 458340) would hit.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [needs stack evaluated for usefulness - cache]
Assignee | ||
Comment 6•15 years ago
|
||
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #400945 -
Flags: review?(jduell.mcbugs)
Assignee | ||
Comment 7•15 years ago
|
||
Attachment #400945 -
Attachment is obsolete: true
Attachment #400946 -
Flags: review?(jduell.mcbugs)
Attachment #400945 -
Flags: review?(jduell.mcbugs)
Updated•15 years ago
|
Attachment #400946 -
Flags: review?(jduell.mcbugs) → review+
Assignee | ||
Comment 8•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 9•15 years ago
|
||
Comment on attachment 400946 [details] [diff] [review]
Actally looking for the right char too
We should fix this on branches...
Attachment #400946 -
Flags: approval1.9.2?
Attachment #400946 -
Flags: approval1.9.1.4?
Attachment #400946 -
Flags: approval1.9.0.16?
Attachment #400946 -
Flags: approval1.9.0.15?
Comment 10•15 years ago
|
||
Comment on attachment 400946 [details] [diff] [review]
Actally looking for the right char too
>+ size = (size * 3) / 4;
If the string length is > 0x55555555 then this overflows to a small number. Does something upstream from here ensure that the object won't be that big?
Assignee | ||
Comment 11•15 years ago
|
||
I don't know for sure, but if |size| ends up too small (possibly only if some of the objects are serializing data under web page control like URIs), then we'll just fail to deserialize the object (since the stream will end before we have all the data we expect to get). Presumably the upstream code can already deal with that, since deserialization failure can happen for various reasons...
Comment 12•15 years ago
|
||
Comment on attachment 400946 [details] [diff] [review]
Actally looking for the right char too
Approved for 1.9.1.4 and 1.9.0.15, a=dveditz
code-freeze is Sept 22. If this misses we'll push it to the next cycle.
Attachment #400946 -
Flags: approval1.9.1.4?
Attachment #400946 -
Flags: approval1.9.1.4+
Attachment #400946 -
Flags: approval1.9.0.16?
Attachment #400946 -
Flags: approval1.9.0.15?
Attachment #400946 -
Flags: approval1.9.0.15+
Assignee | ||
Updated•15 years ago
|
Flags: blocking1.9.2?
Assignee | ||
Comment 13•15 years ago
|
||
Pushed http://hg.mozilla.org/releases/mozilla-1.9.1/rev/14cd5d57b639
Checking in netwerk/base/src/nsSerializationHelper.cpp;
/cvsroot/mozilla/netwerk/base/src/nsSerializationHelper.cpp,v <-- nsSerializationHelper.cpp
new revision: 1.2; previous revision: 1.1
done
status1.9.1:
--- → .4-fixed
Keywords: fixed1.9.0.15
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Updated•15 years ago
|
Priority: -- → P2
Comment 14•15 years ago
|
||
I can't get this to crash in 1.9.0.14 at all.
Comment 15•15 years ago
|
||
Al, this bug never had much of a reproducible testcase. You might have better luck under Valgrind (see bug 458340, a dup of this bug).
Comment 16•15 years ago
|
||
Comment on attachment 400946 [details] [diff] [review]
Actally looking for the right char too
blocking doesn't need approval
Attachment #400946 -
Flags: approval1.9.2? → approval1.9.2+
Assignee | ||
Comment 17•15 years ago
|
||
status1.9.2:
--- → beta1-fixed
Comment 18•15 years ago
|
||
(In reply to comment #15)
> Al, this bug never had much of a reproducible testcase. You might have better
> luck under Valgrind (see bug 458340, a dup of this bug).
Jesse, I'm not familiar with Valgrind. So it's kinda hard for me to verify. Would it be easy a fast for you to run a check? You have reported bug 458340 which has been duped. Thanks.
Severity: major → critical
Target Milestone: --- → mozilla1.9.3a1
Comment 19•15 years ago
|
||
Bug 458340 was a one-off occurrence, so I can't really retest that. I tested the steps in comment 0 and didn't see any cache-related warnings from Valgrind. V.
Status: RESOLVED → VERIFIED
Updated•13 years ago
|
Crash Signature: [@ memcpy - nsStringInputStream::SetData]
You need to log in
before you can comment on or make changes to this bug.
Description
•