Brave-browser: Crash in `webtorrent::OnHeadersReceived_TorrentRedirectWork` (0.70.x and older)

Created on 5 Oct 2019 · 6 Comments · Source: brave/brave-browser

Description

Seeing these occasionally and have received some reports via Twitter/reddit.

Seems to be present in 0.68.138 and newer (ex: Chromium 77)

A few examples here:
https://stats.brave.com/dashboard#crash/5d8d07059557ce001f950f58
https://stats.brave.com/dashboard#crash/5d8cbe577d65f2001fe6642a
https://stats.brave.com/dashboard#crash/5d8d13425b062b001f078863

Call stack looks like this:

0  Brave Browser Framework! [iterator : 1437 + 0x0]
    rax = 0xa00007fe5bc4445e   rdx = 0x0000000000000004
    rcx = 0x000070000d0ba720   rbx = 0x0000000000000008
    rsi = 0x000070000d0ba738   rdi = 0x00007fe5b8e8bcc0
    rbp = 0x000070000d0ba710   rsp = 0x000070000d0ba6d0
     r8 = 0x0000000000000004    r9 = 0x000070000d0baa30
    r10 = 0x00007fe5ba200000   r11 = 0xfffff01a4fb205e0
    r12 = 0x000070000d0ba740   r13 = 0x00007fe5b8e8bcc0
    r14 = 0x0000000000000000   r15 = 0x000070000d0ba738
    rip = 0x0000000107c10816
    Found by: given as instruction pointer in context
 1  Brave Browser Framework! [http_response_headers.cc : 888 + 0x8]
    rbp = 0x000070000d0ba7a0   rsp = 0x000070000d0ba720
    rip = 0x0000000107c10fac
    Found by: previous frame's frame pointer
 2  Brave Browser Framework! [http_response_headers.cc : 895 + 0x5]
    rbp = 0x000070000d0ba7e0   rsp = 0x000070000d0ba7b0
    rip = 0x0000000107c11066
    Found by: previous frame's frame pointer
 3  Brave Browser Framework!webtorrent::OnHeadersReceived_TorrentRedirectWork(net::HttpResponseHeaders const*, scoped_refptr*, GURL*, base::RepeatingCallback const&, std::__1::shared_ptr) [brave_torrent_redirect_network_delegate_helper.cc : 46 + 0x8]
    rbp = 0x000070000d0ba950   rsp = 0x000070000d0ba7f0
    rip = 0x000000010609f182
    Found by: previous frame's frame pointer
 4  Brave Browser Framework!base::internal::Invoker*, GURL*, base::RepeatingCallback const&, std::__1::shared_ptr)>, int (net::HttpResponseHeaders const*, scoped_refptr*, GURL*, base::RepeatingCallback const&, std::__1::shared_ptr)>::Run(base::internal::BindStateBase*, net::HttpResponseHeaders const*, scoped_refptr*, GURL*, base::RepeatingCallback const&, std::__1::shared_ptr&&) [bind_internal.h : 399 + 0xe]
    rbp = 0x000070000d0ba980   rsp = 0x000070000d0ba960
    rip = 0x0000000106097a0b
    Found by: previous frame's frame pointer
 5  Brave Browser Framework! [callback.h : 132 + 0xa]
    rbp = 0x000070000d0baa90   rsp = 0x000070000d0ba990
    rip = 0x0000000106096665
    Found by: previous frame's frame pointer
 6  Brave Browser Framework!base::internal::Invoker), base::WeakPtr, std::__1::shared_ptr >, void ()>::Run(base::internal::BindStateBase*) [bind_internal.h : 499 + 0x3]
    rbp = 0x000070000d0baad0   rsp = 0x000070000d0baaa0
    rip = 0x0000000106097deb
    Found by: previous frame's frame pointer
 7  Brave Browser Framework! [callback.h : 98 + 0x3]
    rbp = 0x000070000d0bab80   rsp = 0x000070000d0baae0
    rip = 0x00000001075c7aaf
    Found by: previous frame's frame pointer
 8  Brave Browser Framework!base::sequence_manager::internal::ThreadControllerWithMessagePumpImpl::DoWorkImpl(base::sequence_manager::LazyNow*, bool*) [thread_controller_with_message_pump_impl.cc : 365 + 0x13]
    rbp = 0x000070000d0bace0   rsp = 0x000070000d0bab90
    rip = 0x00000001075d769d
    Found by: previous frame's frame pointer
<SNIP>

Steps to Reproduce

?

Brave version (brave://version info)

0.68.138 and newer for sure. Possibly before that. I am suspecting network service related changes

cc: @iefremov @bridiver

QA/No  crash  needs-investigation  priority/P1  release-notes/include

All 6 comments

Previously captured with https://github.com/brave/brave-browser/issues/6193 - this was fixed in 0.71.x and 0.72.x (and future versions) with https://github.com/brave/brave-core/pull/3583

A separate fix would be needed for this

Some more Report IDs:

  • d6447dd0dc85b96c
  • c8d77dd04888c038

+1 from https://twitter.com/vinvinXD/status/1180181676862971904 while using 0.68.142 as per https://stats.brave.com/dashboard#crash/5d9789082872bf001f2bd8ed:

Brave Browser Framework!webtorrent::OnHeadersReceived_TorrentRedirectWork

Another +1 from https://github.com/brave/brave-browser/issues/6300#issuecomment-538288621. Looks like https://stats.brave.com/dashboard#crash/5d96f4a8958efc001fd1b142 crashed via the following:

Brave Browser Framework!webtorrent::OnHeadersReceived_TorrentRedirectWork

from convo on Slack

@yrliou :
was it related to accessing original_response_headers?
would copy headers in context or maybe keep string raw_headers in our context to use help?

@iefremov :
I think I can issue a smaller fix, without pulling all threading changes
