Closed Bug 991669 Opened 6 years ago Closed Last year

HTTP cache v2: Crash during memory report [@ CacheFileMetadata::SizeOfExcludingThis ], mWriteBuf freed outside the lock

Categories

(Core :: Networking: Cache, defect, P3, critical)

defect


RESOLVED WONTFIX

People

(Reporter: mayhemer, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-backlog])

Crash Data

Cache2 I/O:

 	nss3.dll!PR_Lock(0x0be37840) Line 215	C
 	xul.dll!mozilla::net::CacheIndexAutoLock::CacheIndexAutoLock(0x0bee6048) Line 166	C++
 	xul.dll!mozilla::net::CacheFile::OnMetadataWritten(NS_OK) Line 596	C++
>	xul.dll!mozilla::net::CacheFileMetadata::OnDataWritten(0x06d5ace0, 0x1df0e8b8, NS_OK) Line 565	C++
 	xul.dll!mozilla::net::WriteEvent::Run() Line 740	C++


Main thread:

>	msvcr100.dll!__msize()	Unknown
 	xul.dll!mozilla::net::CacheFileMetadata::SizeOfExcludingThis(0x0ffc0ff1) Line 872	C++
 	xul.dll!mozilla::net::CacheFileMetadata::SizeOfIncludingThis(0x0ffc0ff1) Line 881	C++
 	xul.dll!mozilla::net::CacheFile::SizeOfExcludingThis(0x00000180) Line 1654	C++
 	xul.dll!mozilla::net::CacheFile::SizeOfIncludingThis(0x0ffc0ff1) Line 1680	C++
 	xul.dll!mozilla::net::CacheEntry::SizeOfExcludingThis(0x0ffc0ff1) Line 1546	C++
 	xul.dll!mozilla::net::CacheEntry::SizeOfIncludingThis(0x0ffc0ff1) Line 1569	C++


The IO thread just freed (and then nullified) its mWriteBuf while the CacheFile lock is not held. The main thread, in the meantime, under the file's lock passes mWriteBuf to mallocSizeOf just before it's freed, but the pointer examination happens after it has been freed. Tight but possible.
Crash Signature: CacheFileMetadata::SizeOfExcludingThis
Summary: HTTP cache v2: Crash during memory report [@ CacheFileMetadata::mWriteBuf is freed outside the lock, memory reporter may crash → HTTP cache v2: Crash during memory report [@ CacheFileMetadata::SizeOfExcludingThis ], mWriteBuf freed outside the lock
Whiteboard: [necko-backlog]
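The interleaving described in the comment above, reduced to a runnable model (an added example, not Firefox code; FakeHeap, MetadataModel, RunMemoryReportRace and the 64-byte buffer are constructed for illustration). A fake heap tracks live blocks so that sizing a freed block is counted instead of being undefined behaviour; the reporter loads mWriteBuf under the lock, a hook lets the IO thread run at that exact point, and the allocator then inspects the pointer. With the free done outside the lock the reporter sizes a dead block; with the free moved under the same lock the IO thread is parked until the reporter has returned.

```cpp
#include <chrono>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <future>
#include <map>
#include <mutex>
#include <thread>

// Constructed stand-in for the allocator's size query (__msize on the page):
// it tracks live blocks so sizing a freed block is counted rather than UB.
class FakeHeap {
 public:
  void* Alloc(size_t n) {
    void* p = std::malloc(n);
    mLive[reinterpret_cast<uintptr_t>(p)] = n;
    return p;
  }
  void Free(void* p) { mLive.erase(reinterpret_cast<uintptr_t>(p)); std::free(p); }
  // mallocSizeOf model: 0 for nullptr, block size if live, counted UAF if freed.
  size_t SizeOf(const void* p) {
    if (!p) return 0;
    auto it = mLive.find(reinterpret_cast<uintptr_t>(p));
    if (it == mLive.end()) { ++mUseAfterFree; return 0; }
    return it->second;
  }
  size_t UseAfterFreeCount() const { return mUseAfterFree; }
 private:
  std::map<uintptr_t, size_t> mLive;
  size_t mUseAfterFree = 0;
};

// Hypothetical reduction of CacheFileMetadata (not Firefox's code): one write
// buffer and one mutex standing in for the CacheFile lock.
class MetadataModel {
 public:
  explicit MetadataModel(FakeHeap& heap) : mHeap(heap) {}
  void StartWrite(size_t n) {
    std::lock_guard<std::mutex> g(mLock);
    mWriteBuf = static_cast<char*>(mHeap.Alloc(n));
  }
  // IO-thread completion. freeUnderLock=false is the pattern from the bug
  // (free and nullify with the lock not held); true is the hardened form.
  void OnDataWritten(bool freeUnderLock) {
    std::unique_lock<std::mutex> g(mLock, std::defer_lock);
    if (freeUnderLock) g.lock();
    mHeap.Free(mWriteBuf);
    mWriteBuf = nullptr;
  }
  // Memory reporter on the main thread, under the lock as on the page.
  // `preempt` models the IO thread running between the load of mWriteBuf
  // and the allocator inspecting the pointer: the "tight but possible" window.
  size_t SizeOfExcludingThis(const std::function<void()>& preempt) {
    std::lock_guard<std::mutex> g(mLock);
    char* p = mWriteBuf;
    preempt();
    return mHeap.SizeOf(p);
  }
 private:
  std::mutex mLock;
  char* mWriteBuf = nullptr;
  FakeHeap& mHeap;
};

struct Outcome {
  size_t reportedSize;  // what the reporter returned
  size_t useAfterFree;  // size queries that hit a freed block
};

// Forces the interleaving from the report: reporter loads mWriteBuf under the
// lock, the IO thread completes its write, then the reporter sizes the pointer.
Outcome RunMemoryReportRace(bool freeUnderLock) {
  FakeHeap heap;
  MetadataModel meta(heap);
  meta.StartWrite(64);
  std::promise<void> freed;
  std::future<void> freedFuture = freed.get_future();
  std::thread io;
  auto preempt = [&] {
    io = std::thread([&] { meta.OnDataWritten(freeUnderLock); freed.set_value(); });
    if (freeUnderLock) {
      // IO thread is parked on mLock until the reporter returns; this only times out.
      (void)freedFuture.wait_for(std::chrono::milliseconds(50));
    } else {
      freedFuture.wait();  // nothing blocks the free, so it has happened by now
    }
  };
  size_t size = meta.SizeOfExcludingThis(preempt);
  io.join();
  return {size, heap.UseAfterFreeCount()};
}

int main() {
  Outcome buggy = RunMemoryReportRace(false), fixed = RunMemoryReportRace(true);
  std::printf("free outside lock: size=%zu use-after-free=%zu\n", buggy.reportedSize, buggy.useAfterFree);
  std::printf("free under lock:   size=%zu use-after-free=%zu\n", fixed.reportedSize, fixed.useAfterFree);
  return 0;
}
```

Build with `g++ -std=c++17 -pthread`. The buggy run reports a size of 0 with one use-after-free counted; the hardened run reports 64 and none, because the free cannot happen inside the reporter's critical section once it takes the same lock.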
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Closing because no crash has been reported in 12 weeks.
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → WONTFIX