Bug #5559

occasional firefox@testing crashes in brotli module

Added by Timo Teräs about 3 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Aports
Target version: -
Start date: 05/13/2016
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs:

Description

firefox 46.0-r1 @testing crashes with the following backtrace at times:

Thread 31 "firefox" received signal SIGSEGV, Segmentation fault.
[Switching to LWP 31952]
memcpy () at src/string/x86_64/memcpy.s:18
18    src/string/x86_64/memcpy.s: No such file or directory.
(gdb) where
#0  memcpy () at src/string/x86_64/memcpy.s:18
#1  0x00006c115e145e31 in memcpy (__n=48615, __os=<optimized out>, __od=<optimized out>) at /usr/include/fortify/string.h:51
#2  WriteRingBuffer (available_out=available_out@entry=0x6c115050e248, next_out=next_out@entry=0x6c115050e240, 
    total_out=total_out@entry=0x1801851ace0, s=s@entry=0x180185198e0)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/modules/brotli/dec/decode.c:1161
#3  0x00006c115e149c2b in BrotliDecompressStream (available_in=available_in@entry=0x6c115050e250, next_in=next_in@entry=0x6c115050e238, 
    available_out=available_out@entry=0x6c115050e248, next_out=next_out@entry=0x6c115050e240, total_out=0x1801851ace0, s=0x180185198e0)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/modules/brotli/dec/decode.c:2244
#4  0x00006c115c7bebf3 in mozilla::net::nsHTTPCompressConv::BrotliHandler (stream=<optimized out>, closure=0x1800f040fc0, 
    dataIn=0x1800e9f0924 "", aAvail=13252, countRead=0x6c115052e2ec)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:188
#5  0x00006c115c6fb9e0 in nsInputStreamTee::WriteSegmentFun (aIn=<optimized out>, aClosure=0x1800f041160, 
    aFromSegment=0x1800e9ed560 "\a\363^\021\225\275\037.\242\242\325\303\"\022\363\001\320HY8\177\177\021\030\067\361\261\316\363=\365\373U\365\277?_\025\031\321\333\335\321X\360\366QS}\241\202\212\242\250\340\263\254eRH \025H\314L\024\254\253?\337f\365\365\253\322V\315^\n\350\364\301\234\344\352c\222\236L\207d\217\220r=\354\a(\226%\267$C\230.\374\377l\276:I\347\t\227\033j\312_\264\331\252\060T\236\062\320\356\333\267\006A\261?\270?h \232\035IfX\243\024\330\360\030Y\024\306Jq\231T9\275~\316\265\214\334t)\313_\352\344\377\337\253z\270\324\065\t\\\343\360M\313\326Bk\322{\337}\340\177Y@\262\r\276\244\016\331Y\313\v"..., aOffset=<optimized out>, aCount=<optimized out>, aWriteCount=0x6c115052e2ec)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/io/nsInputStreamTee.cpp:200
#6  0x00006c115c704577 in nsPipeInputStream::ReadSegments (this=0x1800bcbf9e0, 
    aWriter=0x6c115c6fb9cc <nsInputStreamTee::WriteSegmentFun(nsIInputStream*, void*, char const*, unsigned int, unsigned int, unsigned int*)>, 
    aClosure=0x1800f041160, aCount=13252, aReadCount=0x6c115052e374)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/io/nsPipe3.cpp:1283
#7  0x00006c115c7bf538 in mozilla::net::nsHTTPCompressConv::OnDataAvailable (this=0x1800f040fc0, request=0x1800bc85c48, aContext=0x0, 
    iStr=0x1800f041160, aSourceOffset=0, aCount=13252)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/streamconv/converters/nsHTTPCompressConv.cpp:444
#8  0x00006c115c78664e in nsStreamListenerTee::OnDataAvailable (this=0x1800f0410c0, request=0x1800bc85c48, context=0x0, input=<optimized out>, 
    offset=0, count=13252) at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/base/nsStreamListenerTee.cpp:93
#9  0x00006c115c8702f0 in mozilla::net::nsHttpChannel::OnDataAvailable (this=0x1800bc85c00, request=<optimized out>, ctxt=<optimized out>, 
    input=0x1800bcbf9e0, offset=<optimized out>, count=13252)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/protocol/http/nsHttpChannel.cpp:6092
#10 0x00006c115c779c84 in nsInputStreamPump::OnStateTransfer (this=this@entry=0x1800e1e5400)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/base/nsInputStreamPump.cpp:603
#11 0x00006c115c779df3 in nsInputStreamPump::OnInputStreamReady (this=0x1800e1e5400, stream=<optimized out>)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/netwerk/base/nsInputStreamPump.cpp:430
#12 0x00006c115c6fe8ce in nsInputStreamReadyEvent::Run (this=0x1800f041120)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/io/nsStreamUtils.cpp:94
#13 0x00006c115c7122c3 in nsThread::ProcessNextEvent (this=0x1800a351160, aMayWait=<optimized out>, aResult=0x6c115052e707)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/threads/nsThread.cpp:995
#14 0x00006c115c72dc87 in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=aMayWait@entry=true)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/glue/nsThreadUtils.cpp:297
#15 0x00006c115c92731e in mozilla::ipc::MessagePumpForNonMainThreads::Run (this=0x1800a356240, aDelegate=0x1800a352240)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/ipc/glue/MessagePump.cpp:355
#16 0x00006c115c917212 in MessageLoop::RunHandler (this=<optimized out>)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/ipc/chromium/src/base/message_loop.cc:227
#17 MessageLoop::Run (this=this@entry=0x1800a352240)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/ipc/chromium/src/base/message_loop.cc:201
#18 0x00006c115c715876 in nsThread::ThreadFunc (aArg=0x1800a351160)
    at /home/tteras/aports/testing/firefox/src/firefox-46.0/xpcom/threads/nsThread.cpp:401
#19 0x00006c115af4229e in ?? () from /usr/lib/libnspr4.so
#20 0x00006c11670b5487 in start (p=0x6c115052eab0) at src/thread/pthread_create.c:145
#21 0x00006c11670b7138 in __clone () at src/thread/x86_64/clone.s:21
Backtrace stopped: frame did not save the PC
(gdb) disassemble 
Dump of assembler code for function memcpy:
   0x00006c11670b3b3d <+0>:    mov    %rdi,%rax
   0x00006c11670b3b40 <+3>:    cmp    $0x8,%rdx
   0x00006c11670b3b44 <+7>:    jb     0x6c11670b3b5a <memcpy+29>
   0x00006c11670b3b46 <+9>:    test   $0x7,%edi
   0x00006c11670b3b4c <+15>:    je     0x6c11670b3b5a <memcpy+29>
   0x00006c11670b3b4e <+17>:    movsb  %ds:(%rsi),%es:(%rdi)
   0x00006c11670b3b4f <+18>:    dec    %rdx
   0x00006c11670b3b52 <+21>:    test   $0x7,%edi
   0x00006c11670b3b58 <+27>:    jne    0x6c11670b3b4e <memcpy+17>
   0x00006c11670b3b5a <+29>:    mov    %rdx,%rcx
   0x00006c11670b3b5d <+32>:    shr    $0x3,%rcx
=> 0x00006c11670b3b61 <+36>:    rep movsq %ds:(%rsi),%es:(%rdi)
   0x00006c11670b3b64 <+39>:    and    $0x7,%edx
   0x00006c11670b3b67 <+42>:    je     0x6c11670b3b6e <memcpy+49>
   0x00006c11670b3b69 <+44>:    movsb  %ds:(%rsi),%es:(%rdi)
   0x00006c11670b3b6a <+45>:    dec    %edx
   0x00006c11670b3b6c <+47>:    jne    0x6c11670b3b69 <memcpy+44>
   0x00006c11670b3b6e <+49>:    retq   
End of assembler dump.
(gdb) info registers 
rax            0x6c115050e258    118821617721944
rbx            0xbde7    48615
rcx            0x207    519
rdx            0xbde7    48615
rsi            0x6c1144a09dc8    118821421620680
rdi            0x6c1150519000    118821617766400
rbp            0xbde7    0xbde7
rsp            0x6c115050e148    0x6c115050e148
r8             0x6c11449ff020    118821421576224
r9             0x3a    58
r10            0x300000000000000    216172782113783808
r11            0x1800e9f0917    1649512745239
r12            0x6c115050e248    118821617721928
r13            0x6c115050e240    118821617721920
r14            0x1801851ace0    1649675447520
r15            0x180185198e0    1649675442400
rip            0x6c11670b3b61    0x6c11670b3b61 <memcpy+36>
eflags         0x10203    [ CF IF RF ]
cs             0x33    51
ss             0x2b    43
ds             0x0    0
es             0x0    0
fs             0x0    0
gs             0x0    0

Seems to be a brotli bug.

Associated revisions

Revision d4346ba2 (diff)
Added by Natanael Copa almost 3 years ago

testing/firefox: fix stack overflow in brotli decompressor

fixes #5559

https://bugzilla.mozilla.org/show_bug.cgi?id=1274732

History

#2 Updated by Natanael Copa about 3 years ago

  • Status changed from Resolved to New

This appears to be a different issue.

#4 Updated by Natanael Copa almost 3 years ago

The problem is that it runs out of stack space.
https://hg.mozilla.org/releases/mozilla-release/annotate/0b8492c110be/netwerk/streamconv/converters/nsHTTPCompressConv.cpp#l169

I don't know which is the preferred solution: allocate 128kb with malloc or reduce the buffer size to something like 16kb.
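The diagnosis in comment #4 in code, as an added example that is neither Firefox's code nor the fix in d4346ba2: a decompression handler modelled on the described pattern, first with the 128kb output buffer as a local array (the form that faults when the thread's default stack is smaller than the buffer, as on musl at the time) and then heap-allocated. fake_decode_step is a hypothetical stand-in for one decoder step, not brotli's API, and the last function is the stack-size check to run before relying on a large local buffer in code that may execute on a worker thread.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define OUT_SIZE (128 * 1024)   /* the 128kb buffer size named in comment #4 */

/* Stand-in for one streaming-decoder step (hypothetical, not brotli's API):
 * "decodes" by copying at most out_cap bytes of input into out. */
static size_t fake_decode_step(const uint8_t *in, size_t in_len,
                               uint8_t *out, size_t out_cap)
{
    size_t n = in_len < out_cap ? in_len : out_cap;
    memcpy(out, in, n);
    return n;
}

/* Before: the output buffer is a local array, so every call needs 128 KiB of
 * stack on whichever thread runs the handler. If that thread's stack is
 * smaller, the array extends past the stack mapping and the first write into
 * it faults, which is the memcpy frame at the top of the backtrace. */
size_t handler_stack_buffer(const uint8_t *in, size_t in_len)
{
    uint8_t out_buffer[OUT_SIZE];
    return fake_decode_step(in, in_len, out_buffer, sizeof out_buffer);
}

/* After: same buffer size, heap-allocated, so the stack cost is one pointer
 * and an allocation failure is reported instead of crashing. */
size_t handler_heap_buffer(const uint8_t *in, size_t in_len)
{
    uint8_t *out_buffer = malloc(OUT_SIZE);
    if (out_buffer == NULL) return 0;
    size_t n = fake_decode_step(in, in_len, out_buffer, OUT_SIZE);
    free(out_buffer);
    return n;
}

/* Check before keeping a large local array in code that may run on a worker
 * thread: does the default thread stack have room for it at all?
 * Returns 1 if it does, 0 if not, -1 if the size could not be queried. */
int default_thread_stack_fits(size_t needed)
{
    pthread_attr_t attr;
    size_t stack_size = 0;
    if (pthread_attr_init(&attr) != 0) return -1;
    int rc = pthread_attr_getstacksize(&attr, &stack_size);
    pthread_attr_destroy(&attr);
    return rc != 0 ? -1 : (stack_size > needed ? 1 : 0);
}
```

Build with a C99 compiler; on glibc older than 2.34 add -lpthread at link time.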

#5 Updated by Natanael Copa almost 3 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#6 Updated by Łukasz Jendrysik about 2 years ago

  • Status changed from Resolved to Closed
