tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit d8fb700cf5037e179dda09b2ba6e9941b5c2bcff
parent 5eaa32be35164a86287b561d0f0bc98cf8d2883a
Author: Kui-Feng Lee <thinker.li@gmail.com>
Date:   Mon,  8 Dec 2025 18:54:35 +0000

Bug 2003885 - Diagnose crashes at CacheFileChunkBuffer. r=necko-reviewers,kershaw,valentin

CacheFileChunkBuffer::DataSize() crashes for a reason unknown
yet. This patch uses MOZ_DIAGNOSTIC_ASSERT() to check if
mReadingStateBuf and other fields set properly, and clear mCallback of
ReadEvent to catch when calling OnDataRead() twice.

For both cases, they are going to crash definitely. So the changes
here will not cause more damages.

Differential Revision: https://phabricator.services.mozilla.com/D274979

Diffstat:

Mnetwerk/cache2/CacheFileChunk.cpp | 6+++---


Mnetwerk/cache2/CacheFileIOManager.cpp | 12+++++++++---


2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/netwerk/cache2/CacheFileChunk.cpp b/netwerk/cache2/CacheFileChunk.cpp
@@ -606,9 +606,9 @@ nsresult CacheFileChunk::OnDataRead(CacheFileHandle* aHandle, char* aBuf,
   {
     CacheFileAutoLock lock(mFile);
 
-    MOZ_ASSERT(mState == READING);
-    MOZ_ASSERT(mListener);
-    MOZ_ASSERT(mReadingStateBuf);
+    MOZ_DIAGNOSTIC_ASSERT(mState == READING);
+    MOZ_DIAGNOSTIC_ASSERT(mListener);
+    MOZ_DIAGNOSTIC_ASSERT(mReadingStateBuf);
     MOZ_RELEASE_ASSERT(mBuf->ReadHandlesCount() == 0);
     MOZ_RELEASE_ASSERT(!mBuf->WriteHandleExists());
 
diff --git a/netwerk/cache2/CacheFileIOManager.cpp b/netwerk/cache2/CacheFileIOManager.cpp
@@ -799,13 +799,17 @@ class ReadEvent : public Runnable, public IOPerfReportEvent {
       nsCOMPtr<nsIEventTarget> ioTarget = CacheFileIOManager::IOTarget();
       ioTarget->Dispatch(NS_NewRunnableFunction(
           "net::ReadEvent::Callback", [self = RefPtr(this), rv]() {
-            self->mCallback->OnDataRead(self->mHandle, self->mBuf, rv);
+            // Prevent calling back twice
+            nsCOMPtr<CacheFileIOListener> cb = std::move(self->mCallback);
+            cb->OnDataRead(self->mHandle, self->mBuf, rv);
           }));
       return NS_OK;
     }
 #endif
 
-    mCallback->OnDataRead(mHandle, mBuf, rv);
+    // Prevent calling back twice
+    nsCOMPtr<CacheFileIOListener> cb = std::move(mCallback);
+    cb->OnDataRead(mHandle, mBuf, rv);
     return NS_OK;
   }
 
@@ -819,7 +823,9 @@ class ReadEvent : public Runnable, public IOPerfReportEvent {
       Report(CacheFileIOManager::gInstance->mIOThread);
     }
 
-    mCallback->OnDataRead(mHandle, mBuf, result);
+    // Prevent calling back twice
+    nsCOMPtr<CacheFileIOListener> cb = std::move(mCallback);
+    cb->OnDataRead(mHandle, mBuf, result);
     mHandle->EndAsyncOperation();
     return NS_OK;
   }