Closed Bug 1293422 Opened 3 years ago Closed 3 years ago

[openh264] Mode 0 crashes FF >= 50 immediately

Categories

(Core :: WebRTC: Audio/Video, defect, P1)

Tracking

RESOLVED FIXED
mozilla51
Tracking Status
firefox48 --- unaffected
firefox49 --- unaffected
firefox50 --- fixed
firefox51 --- fixed

People

(Reporter: drno, Assigned: dminor)

Details

(Keywords: regression)

Attachments

(1 file)

When testing openH.264 on webrtc-landing it crashes right away when establishing the connection if mode 0 gets enforced. This is independent of the GMP plugin version.
backlog: --- → webrtc/webaudio+
Rank: 25
Confirmed via mozregression that bug 1167544 causes this problem.
Depends on: 1167544
Keywords: regression
==6084==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000218d8f at pc 0x0000004a907c bp 0x7f72501f5dd0 sp 0x7f72501f5588
READ of size 12288 at 0x619000218d8f thread T19 (Socket Thread)
    #0 0x4a907b in __asan_memcpy (/home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/bin/firefox+0x4a907b)
    #1 0x7f72693ed8dc in webrtc::VCMSessionInfo::Insert(unsigned char const*, unsigned long, bool, unsigned char*) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/video_coding/main/source/session_info.cc:222:3
    #2 0x7f72693ed8dc in webrtc::VCMSessionInfo::InsertBuffer(unsigned char*, std::_List_iterator<webrtc::VCMPacket>) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/video_coding/main/source/session_info.cc:193
    #3 0x7f72693ef63f in webrtc::VCMSessionInfo::InsertPacket(webrtc::VCMPacket const&, unsigned char*, webrtc::VCMDecodeErrorMode, webrtc::FrameData const&) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/video_coding/main/source/session_info.cc:565:25
    #4 0x7f72693bfbc6 in webrtc::VCMFrameBuffer::InsertPacket(webrtc::VCMPacket const&, long, webrtc::VCMDecodeErrorMode, webrtc::FrameData const&) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/video_coding/main/source/frame_buffer.cc:144:18
    #5 0x7f72693cc89f in webrtc::VCMJitterBuffer::InsertPacket(webrtc::VCMPacket const&, bool*) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/video_coding/main/source/jitter_buffer.cc:778:7
    #6 0x7f72693e4fb9 in webrtc::VCMReceiver::InsertPacket(webrtc::VCMPacket const&, unsigned short, unsigned short) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/video_coding/main/source/receiver.cc:72:34
    #7 0x7f72693f7026 in webrtc::vcm::VideoReceiver::IncomingPacket(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const&) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/video_coding/main/source/video_receiver.cc:580:17
    #8 0x7f72690dceae in webrtc::ViEReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/video_engine/vie_receiver.cc:249:7
    #9 0x7f7269291c81 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, bool, unsigned char const*, unsigned long, long, bool) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_receiver_video.cc:101:10
    #10 0x7f726928e746 in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion, bool) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_receiver_impl.cc:222:21
    #11 0x7f72690dd4da in webrtc::ViEReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&, bool) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/video_engine/vie_receiver.cc:358:10
    #12 0x7f72690dc1ed in webrtc::ViEReceiver::InsertRTPPacket(unsigned char const*, unsigned long, webrtc::PacketTime const&) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/video_engine/vie_receiver.cc:332:13
    #13 0x7f72690d9656 in webrtc::ViENetworkImpl::ReceivedRTPPacket(int, void const*, unsigned long, webrtc::PacketTime const&) /home/nohlmeier/src/mozilla-central/media/webrtc/trunk/webrtc/video_engine/vie_network_impl.cc:138:10
    #14 0x7f726337d0a8 in mozilla::WebrtcVideoConduit::ReceivedRTPPacket(void const*, int) /home/nohlmeier/src/mozilla-central/media/webrtc/signaling/src/media-conduit/VideoConduit.cpp:1564:8
    #15 0x7f7263387ae1 in mozilla::MediaPipeline::RtpPacketReceived(mozilla::TransportLayer*, unsigned char const*, unsigned long) /home/nohlmeier/src/mozilla-central/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:966:9
    #16 0x7f72633896df in mozilla::MediaPipeline::PacketReceived(mozilla::TransportLayer*, unsigned char const*, unsigned long) /home/nohlmeier/src/mozilla-central/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:1074:5
    #17 0x7f726350b9f6 in sigslot::signal3<mozilla::TransportLayer*, unsigned char const*, unsigned long, sigslot::single_threaded>::operator()(mozilla::TransportLayer*, unsigned char const*, unsigned long) /home/nohlmeier/src/mozilla-central/media/mtransport/sigslot.h:2486:6
    #18 0x7f72635101f3 in mozilla::TransportLayerIce::IcePacketReceived(mozilla::NrIceMediaStream*, int, unsigned char const*, int) /home/nohlmeier/src/mozilla-central/media/mtransport/transportlayerice.cpp:224:3
    #19 0x7f72634ce71e in sigslot::signal4<mozilla::NrIceMediaStream*, int, unsigned char const*, int, sigslot::single_threaded>::operator()(mozilla::NrIceMediaStream*, int, unsigned char const*, int) /home/nohlmeier/src/mozilla-central/media/mtransport/sigslot.h:2553:6
    #20 0x7f72634c4e93 in mozilla::NrIceCtx::msg_recvd(void*, nr_ice_peer_ctx_*, nr_ice_media_stream_*, int, unsigned char*, int) /home/nohlmeier/src/mozilla-central/media/mtransport/nricectx.cpp:368:3
    #21 0x7f726945fbeb in nr_ice_peer_ctx_deliver_packet_maybe /home/nohlmeier/src/mozilla-central/media/mtransport/third_party/nICEr/src/ice/ice_peer_ctx.c:773:7
    #22 0x7f7269454496 in nr_ice_ctx_deliver_packet /home/nohlmeier/src/mozilla-central/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:873:9
    #23 0x7f7269460ef2 in nr_ice_socket_readable_cb /home/nohlmeier/src/mozilla-central/media/mtransport/third_party/nICEr/src/ice/ice_socket.c:191:7
    #24 0x7f72634a8f24 in mozilla::NrUdpSocketIpc::recv_callback_s(RefPtr<mozilla::nr_udp_message>) /home/nohlmeier/src/mozilla-central/media/mtransport/nr_socket_prsock.cpp:1649:5
    #25 0x7f72634bec11 in void mozilla::detail::RunnableMethodCallHelper<void>::apply<RefPtr<mozilla::NrUdpSocketIpc>, void (mozilla::NrUdpSocketIpc::*)(RefPtr<mozilla::nr_udp_message>), RefPtr<mozilla::nr_udp_message>, 0ul>(RefPtr<mozilla::NrUdpSocketIpc>, void (mozilla::NrUdpSocketIpc::*)(RefPtr<mozilla::nr_udp_message>), mozilla::Tuple<RefPtr<mozilla::nr_udp_message> >&, mozilla::IndexSequence<0ul>) /home/nohlmeier/src/mozilla-central/media/mtransport/runnable_utils.h:102:7
    #26 0x7f72634be896 in mozilla::runnable_args_memfn<RefPtr<mozilla::NrUdpSocketIpc>, void (mozilla::NrUdpSocketIpc::*)(RefPtr<mozilla::nr_udp_message>), RefPtr<mozilla::nr_udp_message> >::Run() /home/nohlmeier/src/mozilla-central/media/mtransport/runnable_utils.h:169:5
    #27 0x7f72614d7478 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThread.cpp:1058:7
    #28 0x7f726157563d in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central/xpcom/glue/nsThreadUtils.cpp:290:10
    #29 0x7f726176f3f3 in mozilla::net::nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central/netwerk/base/nsSocketTransportService2.cpp:901:21
    #30 0x7f7261771a6a in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central/netwerk/base/nsSocketTransportService2.cpp:787:27
    #31 0x7f72614d7478 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThread.cpp:1058:7
    #32 0x7f726157563d in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central/xpcom/glue/nsThreadUtils.cpp:290:10
    #33 0x7f72623f5e03 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central/ipc/glue/MessagePump.cpp:338:20
    #34 0x7f7262308c7c in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:232:3
    #35 0x7f72623089f8 in MessageLoop::RunHandler() /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:225:3
    #36 0x7f72623089f8 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:205
    #37 0x7f72614d237f in nsThread::ThreadFunc(void*) /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThread.cpp:459:5
    #38 0x7f727f5b479f in _pt_root /home/nohlmeier/src/mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #39 0x7f727f2036a9 in start_thread /build/glibc-qbmteM/glibc-2.21/nptl/pthread_create.c:333
    #40 0x7f727e28c13c in clone /build/glibc-qbmteM/glibc-2.21/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x619000218d8f is located 0 bytes to the right of 1039-byte region [0x619000218980,0x619000218d8f)
allocated by thread T19 (Socket Thread) here:
    #0 0x4bfb82 in malloc (/home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/bin/firefox+0x4bfb82)
    #1 0x4e1e0d in moz_xmalloc /home/nohlmeier/src/mozilla-central/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f726338783a in operator new[](unsigned long) /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/include/mozilla/mozalloc.h:205:12
    #3 0x7f726338783a in mozilla::detail::UniqueSelector<unsigned char []>::UnknownBound mozilla::MakeUnique<unsigned char []>(unsigned long) /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/include/mozilla/UniquePtr.h:688
    #4 0x7f726338783a in mozilla::MediaPipeline::RtpPacketReceived(mozilla::TransportLayer*, unsigned char const*, unsigned long) /home/nohlmeier/src/mozilla-central/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:944
    #5 0x7f72633896df in mozilla::MediaPipeline::PacketReceived(mozilla::TransportLayer*, unsigned char const*, unsigned long) /home/nohlmeier/src/mozilla-central/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:1074:5
    #6 0x7f726350b9f6 in sigslot::signal3<mozilla::TransportLayer*, unsigned char const*, unsigned long, sigslot::single_threaded>::operator()(mozilla::TransportLayer*, unsigned char const*, unsigned long) /home/nohlmeier/src/mozilla-central/media/mtransport/sigslot.h:2486:6
    #7 0x7f72635101f3 in mozilla::TransportLayerIce::IcePacketReceived(mozilla::NrIceMediaStream*, int, unsigned char const*, int) /home/nohlmeier/src/mozilla-central/media/mtransport/transportlayerice.cpp:224:3
    #8 0x7f72634ce71e in sigslot::signal4<mozilla::NrIceMediaStream*, int, unsigned char const*, int, sigslot::single_threaded>::operator()(mozilla::NrIceMediaStream*, int, unsigned char const*, int) /home/nohlmeier/src/mozilla-central/media/mtransport/sigslot.h:2553:6
    #9 0x7f72634c4e93 in mozilla::NrIceCtx::msg_recvd(void*, nr_ice_peer_ctx_*, nr_ice_media_stream_*, int, unsigned char*, int) /home/nohlmeier/src/mozilla-central/media/mtransport/nricectx.cpp:368:3
    #10 0x7f726945fbeb in nr_ice_peer_ctx_deliver_packet_maybe /home/nohlmeier/src/mozilla-central/media/mtransport/third_party/nICEr/src/ice/ice_peer_ctx.c:773:7
    #11 0x7f7269454496 in nr_ice_ctx_deliver_packet /home/nohlmeier/src/mozilla-central/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:873:9
    #12 0x7f7269460ef2 in nr_ice_socket_readable_cb /home/nohlmeier/src/mozilla-central/media/mtransport/third_party/nICEr/src/ice/ice_socket.c:191:7
    #13 0x7f72634a8f24 in mozilla::NrUdpSocketIpc::recv_callback_s(RefPtr<mozilla::nr_udp_message>) /home/nohlmeier/src/mozilla-central/media/mtransport/nr_socket_prsock.cpp:1649:5
    #14 0x7f72634bec11 in void mozilla::detail::RunnableMethodCallHelper<void>::apply<RefPtr<mozilla::NrUdpSocketIpc>, void (mozilla::NrUdpSocketIpc::*)(RefPtr<mozilla::nr_udp_message>), RefPtr<mozilla::nr_udp_message>, 0ul>(RefPtr<mozilla::NrUdpSocketIpc>, void (mozilla::NrUdpSocketIpc::*)(RefPtr<mozilla::nr_udp_message>), mozilla::Tuple<RefPtr<mozilla::nr_udp_message> >&, mozilla::IndexSequence<0ul>) /home/nohlmeier/src/mozilla-central/media/mtransport/runnable_utils.h:102:7
    #15 0x7f72634be896 in mozilla::runnable_args_memfn<RefPtr<mozilla::NrUdpSocketIpc>, void (mozilla::NrUdpSocketIpc::*)(RefPtr<mozilla::nr_udp_message>), RefPtr<mozilla::nr_udp_message> >::Run() /home/nohlmeier/src/mozilla-central/media/mtransport/runnable_utils.h:169:5
    #16 0x7f72614d7478 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThread.cpp:1058:7
    #17 0x7f726157563d in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central/xpcom/glue/nsThreadUtils.cpp:290:10
    #18 0x7f726176f3f3 in mozilla::net::nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central/netwerk/base/nsSocketTransportService2.cpp:901:21
    #19 0x7f7261771a6a in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central/netwerk/base/nsSocketTransportService2.cpp:787:27
    #20 0x7f72614d7478 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThread.cpp:1058:7
    #21 0x7f726157563d in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central/xpcom/glue/nsThreadUtils.cpp:290:10
    #22 0x7f72623f5e03 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central/ipc/glue/MessagePump.cpp:338:20
    #23 0x7f7262308c7c in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:232:3
    #24 0x7f72623089f8 in MessageLoop::RunHandler() /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:225:3
    #25 0x7f72623089f8 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central/ipc/chromium/src/base/message_loop.cc:205
    #26 0x7f72614d237f in nsThread::ThreadFunc(void*) /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThread.cpp:459:5
    #27 0x7f727f5b479f in _pt_root /home/nohlmeier/src/mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #28 0x7f727f2036a9 in start_thread /build/glibc-qbmteM/glibc-2.21/nptl/pthread_create.c:333

Thread T19 (Socket Thread) created by T0 (Web Content) here:
    #0 0x4a7e80 in __interceptor_pthread_create (/home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/bin/firefox+0x4a7e80)
    #1 0x7f727f5b09bc in _PR_CreateThread /home/nohlmeier/src/mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7f727f5b059a in PR_CreateThread /home/nohlmeier/src/mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7f72614d3c6a in nsThread::Init() /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThread.cpp:630:8
    #4 0x7f72614db58c in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /home/nohlmeier/src/mozilla-central/xpcom/threads/nsThreadManager.cpp:253:17
    #5 0x7f72615748a8 in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) /home/nohlmeier/src/mozilla-central/xpcom/glue/nsThreadUtils.cpp:64:5
    #6 0x7f72617a742e in nsresult NS_NewNamedThread<14ul>(char const (&) [14ul], nsIThread**, nsIRunnable*, unsigned int) /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/include/nsThreadUtils.h:79:17
    #7 0x7f726176c32e in mozilla::net::nsSocketTransportService::Init() /home/nohlmeier/src/mozilla-central/netwerk/base/nsSocketTransportService2.cpp:523:19
    #8 0x7f72622c7817 in nsSocketTransportServiceConstructor(nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central/netwerk/build/nsNetModule.cpp:80:1
    #9 0x7f72614a57f9 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:1160:10
    #10 0x7f726149d351 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:1516:10
    #11 0x7f726156773f in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /home/nohlmeier/src/mozilla-central/xpcom/glue/nsComponentManagerUtils.cpp:292:21
    #12 0x7f726173a2ce in nsCOMPtr<nsPISocketTransportService>::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/include/nsCOMPtr.h:1146:7
    #13 0x7f72616c24de in nsCOMPtr<nsPISocketTransportService>::operator=(nsGetServiceByContractIDWithError const&) /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/include/nsCOMPtr.h:644:5
    #14 0x7f72616c24de in mozilla::net::nsIOService::InitializeSocketTransportService() /home/nohlmeier/src/mozilla-central/netwerk/base/nsIOService.cpp:297
    #15 0x7f72616c1a75 in mozilla::net::nsIOService::SetOffline(bool) /home/nohlmeier/src/mozilla-central/netwerk/base/nsIOService.cpp:1076:13
    #16 0x7f72616c04b5 in mozilla::net::nsIOService::Init() /home/nohlmeier/src/mozilla-central/netwerk/base/nsIOService.cpp:264:5
    #17 0x7f72616c2dc4 in mozilla::net::nsIOService::GetInstance() /home/nohlmeier/src/mozilla-central/netwerk/base/nsIOService.cpp:349:23
    #18 0x7f72622c7490 in nsIOServiceConstructor(nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central/netwerk/build/nsNetModule.cpp:62:1
    #19 0x7f72614a57f9 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:1160:10
    #20 0x7f726149d351 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:1516:10
    #21 0x7f72635dbf6d in nsresult CallGetService<nsIIOService>(char const*, nsIIOService**) /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/include/nsServiceManagerUtils.h:89:10
    #22 0x7f72635dbf6d in nsScriptSecurityManager::Init() /home/nohlmeier/src/mozilla-central/caps/nsScriptSecurityManager.cpp:1398
    #23 0x7f72635dc740 in nsScriptSecurityManager::InitStatics() /home/nohlmeier/src/mozilla-central/caps/nsScriptSecurityManager.cpp:1473:19
    #24 0x7f726311fe2d in nsXPConnect::InitStatics() /home/nohlmeier/src/mozilla-central/js/xpconnect/src/nsXPConnect.cpp:121:5
    #25 0x7f7263083341 in xpcModuleCtor() /home/nohlmeier/src/mozilla-central/js/xpconnect/src/XPCModule.cpp:13:5
    #26 0x7f7268fc5045 in Initialize() /home/nohlmeier/src/mozilla-central/layout/build/nsLayoutModule.cpp:428:8
    #27 0x7f72614a302e in nsComponentManagerImpl::KnownModule::Load() /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:831:21
    #28 0x7f72614a43a0 in nsFactoryEntry::GetFactory() /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:1853:10
    #29 0x7f72614a5778 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:1157:34
    #30 0x7f7261567317 in nsCreateInstanceByContractID::operator()(nsID const&, void**) const /home/nohlmeier/src/mozilla-central/xpcom/glue/nsComponentManagerUtils.cpp:197:21
    #31 0x7f726142a5e3 in nsCOMPtr<nsIScriptError>::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/include/nsCOMPtr.h:1157:7
    #32 0x7f72614af8ff in nsCOMPtr<nsIScriptError>::nsCOMPtr(nsCOMPtr_helper const&) /home/nohlmeier/src/mozilla-central/objdir-ff-asan/dist/include/nsCOMPtr.h:558:5
    #33 0x7f72614af8ff in LogMessageWithContext(mozilla::FileLocation&, unsigned int, char const*, ...) /home/nohlmeier/src/mozilla-central/xpcom/components/ManifestParser.cpp:207
    #34 0x7f72614a26a0 in nsComponentManagerImpl::ManifestContract(nsComponentManagerImpl::ManifestProcessingContext&, int, char* const*) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:768:5
    #35 0x7f72614b1f5d in ParseManifest(NSLocationType, mozilla::FileLocation&, char*, bool, bool) /home/nohlmeier/src/mozilla-central/xpcom/components/ManifestParser.cpp:788:5
    #36 0x7f72614a0e5a in DoRegisterManifest(NSLocationType, mozilla::FileLocation&, bool, bool) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:595:5
    #37 0x7f72614a0e5a in nsComponentManagerImpl::RegisterManifest(NSLocationType, mozilla::FileLocation&, bool) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:608
    #38 0x7f72614a1195 in nsComponentManagerImpl::ManifestManifest(nsComponentManagerImpl::ManifestProcessingContext&, int, char* const*) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:617:3
    #39 0x7f72614b1bf5 in ParseManifest(NSLocationType, mozilla::FileLocation&, char*, bool, bool) /home/nohlmeier/src/mozilla-central/xpcom/components/ManifestParser.cpp:780:10
    #40 0x7f72614a0e5a in DoRegisterManifest(NSLocationType, mozilla::FileLocation&, bool, bool) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:595:5
    #41 0x7f72614a0e5a in nsComponentManagerImpl::RegisterManifest(NSLocationType, mozilla::FileLocation&, bool) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:608
    #42 0x7f72614a0094 in nsComponentManagerImpl::RereadChromeManifests(bool) /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:794:5
    #43 0x7f726149ec44 in nsComponentManagerImpl::Init() /home/nohlmeier/src/mozilla-central/xpcom/components/nsComponentManager.cpp:398:3
    #44 0x7f726153ebea in NS_InitXPCOM2 /home/nohlmeier/src/mozilla-central/xpcom/build/XPCOMInit.cpp:713:8
    #45 0x7f7269ee6dbf in XRE_InitEmbedding2 /home/nohlmeier/src/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:171:8
    #46 0x7f72623f93c7 in mozilla::ipc::ScopedXREEmbed::Start() /home/nohlmeier/src/mozilla-central/ipc/glue/ScopedXREEmbed.cpp:106:10
    #47 0x7f72678de342 in mozilla::dom::ContentProcess::Init() /home/nohlmeier/src/mozilla-central/dom/ipc/ContentProcess.cpp:123:5
    #48 0x7f7269ee7a42 in XRE_InitChildProcess /home/nohlmeier/src/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:642:12
    #49 0x4dff0d in content_process_main(int, char**) /home/nohlmeier/src/mozilla-central/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #50 0x4e0809 in main /home/nohlmeier/src/mozilla-central/browser/app/nsBrowserApp.cpp:357:18
    #51 0x7f727e1a5abf in __libc_start_main /build/glibc-qbmteM/glibc-2.21/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c328003b160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328003b170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328003b180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328003b190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c328003b1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c328003b1b0: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328003b1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c328003b1d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328003b1e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328003b1f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c328003b200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6084==ABORTING
What are the steps to reproduce?

Naively forcing packetizationMode to zero in WebrtcGmpVideoEncoder::InitEncode and making an appear.in call is not sufficient, which is probably why I didn't notice this in the first place :/.
Flags: needinfo?(drno)
Never mind, got it:

STR:

1) Visit: https://mozilla.github.io/webrtc-landing/pc_test.html
2) Check Require H.264 video
3) Start the call
Flags: needinfo?(drno)
The bug does not reproduce if I remove "|| packetization_mode_ == 0" from [1], which was the change to force PacketizeFuA to be called, or if I comment out the lines at [2] which push the packets inside PacketizeFuA.

I see crashes with different backtraces, so it appears the problem is heap corruption.

I'm going to dig into PacketizeFuA further, maybe we're giving it data it can't handle when packetization mode is zero.

[1] https://dxr.mozilla.org/mozilla-central/rev/720b5d2c84d5b253d4dfde4897e13384dc97a46a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc#159
[2] https://dxr.mozilla.org/mozilla-central/rev/720b5d2c84d5b253d4dfde4897e13384dc97a46a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc#183
Assignee: nobody → dminor
Status: NEW → ASSIGNED
Rank: 25 → 15
Priority: P2 → P1
We were calling PacketizeFuA which was stripping the NAL header, but the fragments fit inside a single packet, so later on in NextPacket we were sending it as a NAL unit packet with no header, causing fun when it was received. As discussed on IRC, I'll add a PacketizeMode0 function that does the right thing for mode 0.
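An added illustration of the failure described in the comment above, which is not code from the Firefox or webrtc.org trees and not the attached patch: FU-A fragmentation drops the NAL header octet, mode 0 must send the NAL unit intact, and a receiver reads whatever octet comes first as a NAL header. PacketizeFuA and PacketizeMode0 only borrow the names used in this thread; their bodies, HeaderlessSingleNal, CheckPayload and the sample bytes are constructed assumptions based on RFC 6184.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<uint8_t>;

constexpr uint8_t kTypeMask = 0x1F;  // NAL unit type: low 5 bits of the header octet
constexpr uint8_t kStapA = 24;
constexpr uint8_t kFuA = 28;

// FU-A fragmentation (RFC 6184, section 5.8). The NAL header octet is removed;
// its F/NRI bits move to the FU indicator and its type to the FU header.
// Only for NAL units that do not fit in one packet, so a fitting NAL yields
// no fragments here instead of a lone, headerless one.
std::vector<Bytes> PacketizeFuA(const Bytes& nal, size_t max_payload) {
  std::vector<Bytes> out;
  if (max_payload < 3 || nal.size() <= max_payload) return out;
  const uint8_t indicator = static_cast<uint8_t>((nal[0] & 0xE0) | kFuA);
  const size_t chunk = max_payload - 2;
  for (size_t off = 1; off < nal.size(); off += chunk) {
    const size_t n = std::min(chunk, nal.size() - off);
    uint8_t fu_header = nal[0] & kTypeMask;
    if (off == 1) fu_header |= 0x80;               // S: first fragment
    if (off + n == nal.size()) fu_header |= 0x40;  // E: last fragment
    Bytes p{indicator, fu_header};
    p.insert(p.end(), nal.begin() + off, nal.begin() + off + n);
    out.push_back(p);
  }
  return out;
}

// Mode 0 (single NAL unit mode): the payload is the NAL unit unchanged, header
// octet included. A NAL that does not fit cannot be sent in this mode.
bool PacketizeMode0(const Bytes& nal, size_t max_payload, Bytes* out) {
  if (nal.empty() || nal.size() > max_payload) return false;
  const uint8_t type = nal[0] & kTypeMask;
  if (type < 1 || type > 23) return false;
  *out = nal;
  return true;
}

// The defect described in the thread, reduced to its effect on the wire: the
// header is stripped as for FU-A, then the lone fragment goes out as if it
// were a complete NAL unit.
Bytes HeaderlessSingleNal(const Bytes& nal) {
  return nal.empty() ? Bytes() : Bytes(nal.begin() + 1, nal.end());
}

enum class Verdict { kOk, kTypeNotAllowed, kTruncated };

// Receive-side check: the first payload octet is always read as a NAL header,
// so the type and every declared length are validated before any copy.
Verdict CheckPayload(const Bytes& p, int packetization_mode) {
  if (p.empty()) return Verdict::kTruncated;
  const uint8_t type = p[0] & kTypeMask;
  if (type >= 1 && type <= 23) return Verdict::kOk;
  if (packetization_mode == 0) return Verdict::kTypeNotAllowed;
  if (type == kFuA) return p.size() >= 3 ? Verdict::kOk : Verdict::kTruncated;
  if (type != kStapA) return Verdict::kTypeNotAllowed;
  size_t off = 1;
  do {  // STAP-A: repeated [16-bit size][NAL unit]
    if (p.size() - off < 2) return Verdict::kTruncated;
    const size_t n = (static_cast<size_t>(p[off]) << 8) | p[off + 1];
    off += 2;
    if (n == 0 || n > p.size() - off) return Verdict::kTruncated;
    off += n;
  } while (off < p.size());
  return Verdict::kOk;
}

// Constructed sample: IDR slice header 0x65, then data whose first octet
// happens to carry type 24 followed by a large 16-bit value.
Bytes SampleNal() { return {0x65, 0x78, 0x04, 0x00, 0xAA, 0xBB}; }

int main() {
  Bytes ok;
  const bool sent = PacketizeMode0(SampleNal(), 1200, &ok);
  const Bytes bad = HeaderlessSingleNal(SampleNal());
  return (sent && CheckPayload(ok, 0) == Verdict::kOk &&
          CheckPayload(bad, 0) == Verdict::kTypeNotAllowed &&
          CheckPayload(bad, 1) == Verdict::kTruncated) ? 0 : 1;
}
```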
Comment on attachment 8779732 [details]
Bug 1293422 - Add PacketizeMode0 to RtpPacketizerH264;

https://reviewboard.mozilla.org/r/70666/#review68116
Attachment #8779732 - Flags: review?(rjesup) → review+
Pushed by dminor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6c2bac3a1afc
Add PacketizeMode0 to RtpPacketizerH264; r=jesup
Comment on attachment 8779732 [details]
Bug 1293422 - Add PacketizeMode0 to RtpPacketizerH264;

Approval Request Comment
[Feature/regressing bug #]: Bug 1167544
[User impact if declined]: Firefox will send invalid packets if mode 0 is enabled, causing the receiving side to crash or have no video.
[Describe test coverage new/current, TreeHerder]: Manually tested using https://mozilla.github.io/webrtc-landing/pc_test.html
[Risks and why]: This patch only affects sending packets in mode 0 and won't impact sending packets in mode 1. Mode 0 currently causes crashes, so this won't make things worse.
[String/UUID change made/needed]: None.
Attachment #8779732 - Flags: approval-mozilla-aurora?
Rank: 15 → 12
https://hg.mozilla.org/mozilla-central/rev/6c2bac3a1afc
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Hi Dan, I noticed that the try push associated with a patch shows a few test cases failed. Have we reviewed these and none are blocking/unexpected regressions from this change? Please let me know. Thanks!
Flags: needinfo?(dminor)
(In reply to Ritu Kothari (:ritu) from comment #12)
> Hi Dan, I noticed that the try push associated with a patch shows a few test
> cases failed. Have we reviewed these and none are blocking/unexpected
> regressions from this change? Please let me know. Thanks!

Hi Ritu, I had another look at the try job. Most of the failures were retried successfully. The tc-M[mda] failure on linux ASAN is a playback error and not related to this change. The Android 4.3 API debug failure is a known intermittent, so I think that is ok as well, although it did also fail on the push to inbound. As this has since been merged to central, I think everything is in order here. Thanks, Dan
Flags: needinfo?(dminor)
(In reply to Dan Minor [:dminor] from comment #13)
> (In reply to Ritu Kothari (:ritu) from comment #12)
> > Hi Dan, I noticed that the try push associated with a patch shows a few test
> > cases failed. Have we reviewed these and none are blocking/unexpected
> > regressions from this change? Please let me know. Thanks!
> 
> Hi Ritu, I had another look at the try job. Most of the failures were
> retried successfully. The tc-M[mda] failure on linux ASAN is a playback
> error and not related to this change. The Android 4.3 API debug failure is a
> known intermittent, so I think that is ok as well, although it did also fail
> on the push to inbound. As this has been since merged to central, I think
> everything is in order here. Thanks, Dan

Thanks for a prompt follow-up. I also noticed that it made it to m-c so things must be looking good. I'll approve the uplift now.
Comment on attachment 8779732 [details]
Bug 1293422 - Add PacketizeMode0 to RtpPacketizerH264;

Crash fix, Aurora50+
Attachment #8779732 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+