Closed
Bug 1029401
Opened 10 years ago
Closed 10 years ago
crash in mozilla::MediaEngineTabVideoSource::StopRunnable
Categories
(Core :: WebRTC, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla33
People
(Reporter: gcp, Assigned: gcp)
References
Details
Attachments
(2 files, 1 obsolete file)
1.26 KB,
patch
|
blassey
:
review-
|
Details | Diff | Splinter Review |
1.63 KB,
patch
|
blassey
:
review+
|
Details | Diff | Splinter Review |
https://bugzilla.mozilla.org/show_bug.cgi?id=1018928#c16
Android 2.3 only, though there's no reason to think it's specific to that
https://tbpl.mozilla.org/php/getParsedLog.php?id=42304741&tree=Try&full=1#error0
The crashing line is:
mVideoSource->mTabSource->NotifyStreamStop(mVideoSource->mWindow);
Other weird stuff:
if (privateDOMWindow && mVideoSource && privateDOMWindow->GetChromeEventHandler()) {
privateDOMWindow->GetChromeEventHandler()->RemoveEventListener(NS_LITERAL_STRING("MozAfterPaint"), mVideoSource, false);
}
if (mVideoSource->mTimer) {
mVideoSource->mTimer->Cancel();
mVideoSource->mTimer = nullptr;
}
Note how the first line checks if mVideoSource != nullptr and the second part just dereferences it without a check.
Maybe related to bug 964754.
Assignee | ||
Comment 1•10 years ago
|
||
The bug is 100% reproducible on try:
https://tbpl.mozilla.org/?tree=Try&rev=3522953e529c
I didn't manage to reproduce it on my local Android 2.3 device + Robocop, though.
Updated•10 years ago
|
Assignee: nobody → gpascutto
Priority: -- → P1
Target Milestone: --- → mozilla33
Assignee | ||
Comment 2•10 years ago
|
||
Some roundtrips with the tryserver confirm that mVideoSource->mTabSource is a nullptr.
https://tbpl.mozilla.org/php/getParsedLog.php?id=42471931&tree=Try&full=1#error0
If I'm going to guess, this looks like a classic case of the Runnable to shut down only being activated after the object destructor has already finished.
Assignee | ||
Comment 3•10 years ago
|
||
Investigating who owns the MediaEngineTabVideoSource, I see it's on the aVSources thing in MediaEngineWebRTC, which is curiously different from all other engines which are permanently owned by MediaEngineWebRTC. So this changes it to also own the TabVideoSource, which handily avoids reinitializing it every time it's used. This does mean the window lookup has to be moved around.
I'm not positively sure all of that is correct, but after applying the patch manual testing of Tab Streaming seem to show it still works, and it makes my new Android WebRTC tests go green on try:
https://tbpl.mozilla.org/?tree=Try&pusher=gpascutto@mozilla.com
Attachment #8446528 -
Flags: review?(blassey.bugs)
Attachment #8446528 -
Flags: feedback?(rjesup)
Updated•10 years ago
|
Attachment #8446528 -
Flags: review?(blassey.bugs) → review+
Assignee | ||
Comment 4•10 years ago
|
||
Assignee | ||
Comment 5•10 years ago
|
||
Bah, I missed that the final try run had this go orange on 2.3 anyway:
https://tbpl.mozilla.org/?tree=Try&rev=5b198b28880b
So this patch is not correct/incomplete.
Comment 6•10 years ago
|
||
(In reply to Gian-Carlo Pascutto [:gcp] from comment #5)
> Bah, I missed that the final try run had this go orange on 2.3 anyway:
> https://tbpl.mozilla.org/?tree=Try&rev=5b198b28880b
>
> So this patch is not correct/incomplete.
yeah sorry had to this out for testfailure like https://tbpl.mozilla.org/php/getParsedLog.php?id=42620970&tree=Mozilla-Inbound
Assignee | ||
Comment 7•10 years ago
|
||
I put some more debugging/tracing stuff and fired off a few try runs:
https://hg.mozilla.org/try/rev/0be49eb27ef2
04:05:42 INFO - 06-30 03:39:26.379 I/Gecko ( 798): [798] ###!!! ABORT: VideoSource was never started: file /builds/slave/try-and-0000000000000000000000/build/content/media/webrtc/MediaEngineTabVideoSource.cpp, line 81
04:05:42 INFO - 06-30 03:39:26.412 E/Gecko ( 798): mozalloc_abort: [798] ###!!! ABORT: VideoSource was never started: file /builds/slave/try-and-0000000000000000000000/build/content/media/webrtc/MediaEngineTabVideoSource.cpp, line 81
So the problem is that the StopRunnable can be called without the StartRunnable having been run (and it's not a use-after-free problem). That means we can just bail from the StopRunnable for an easy fix.
Assignee | ||
Comment 8•10 years ago
|
||
See previous comments. Not sure why this ends up being needed, but it's extra safety and a small code cleanup, so why not.
Attachment #8446528 -
Attachment is obsolete: true
Attachment #8446528 -
Flags: feedback?(rjesup)
Attachment #8448002 -
Flags: review?(blassey.bugs)
Comment 9•10 years ago
|
||
Comment on attachment 8448002 [details] [diff] [review]
Patch 1. Check if the runnable was initialized
Review of attachment 8448002 [details] [diff] [review]:
-----------------------------------------------------------------
::: content/media/webrtc/MediaEngineTabVideoSource.cpp
@@ +51,5 @@
>
> nsresult
> MediaEngineTabVideoSource::StopRunnable::Run()
> {
> + if (!mVideoSource || !mVideoSource->mWindow)
seems like we should fall through to cancel the timer and notify the stream (even with null).
Attachment #8448002 -
Flags: review?(blassey.bugs) → review-
Comment 10•10 years ago
|
||
Comment on attachment 8448002 [details] [diff] [review]
Patch 1. Check if the runnable was initialized
Review of attachment 8448002 [details] [diff] [review]:
-----------------------------------------------------------------
Having now read your previous comment, I'd prefer we do this check before dispatching the runnable in the first place.
It is possible to not dispatch the start runnable if we don't get a window from the tab source http://mxr.mozilla.org/mozilla-central/source/content/media/webrtc/MediaEngineTabVideoSource.cpp#100
We should be able to null check mWindow here http://mxr.mozilla.org/mozilla-central/source/content/media/webrtc/MediaEngineTabVideoSource.cpp#100
Assignee | ||
Comment 11•10 years ago
|
||
Null checking in the place you indicated is already done: it's exactly what's causing this bug because it bails before the initialization finishes, so thanks for pointing that out :)
This moves the null check before the StopRunnable is created.
Attachment #8448580 -
Flags: review?(blassey.bugs)
Updated•10 years ago
|
Attachment #8448580 -
Flags: review?(blassey.bugs) → review+
Assignee | ||
Comment 12•10 years ago
|
||
Blocks: 1032991
No longer blocks: 1032991
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•