Closed Bug 1294097 Opened 3 years ago Closed 3 years ago

Crash in mozilla::TransportFlow::CheckThreadInt

Categories

(Core :: WebRTC: Networking, defect, P1, critical)

49 Branch
All
Windows
defect

Tracking

RESOLVED DUPLICATE of bug 1294095
Tracking Status
firefox49 + fixed
firefox50 --- fixed
firefox51 --- fixed

People

(Reporter: philipp, Assigned: bwc)

Details

(Keywords: crash, regression, sec-critical, Whiteboard: [adv-main49-])

Crash Data

This bug was filed from the Socorro interface and is report bp-85bd0299-8e95-4856-ad71-e371a2160810.
=============================================================
Crashing Thread (6)
Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::TransportFlow::CheckThreadInt() 	media/mtransport/transportflow.h:116
1 	xul.dll 	mozilla::TransportFlow::CheckThread() 	media/mtransport/transportflow.h:109
2 	xul.dll 	mozilla::TransportFlow::SendPacket(unsigned char const*, unsigned __int64) 	media/mtransport/transportflow.cpp:196
3 	xul.dll 	mozilla::DataChannelConnection::SendPacket(unsigned char* const, unsigned __int64, bool) 	netwerk/sctp/datachannel/DataChannel.cpp:652
4 	xul.dll 	mozilla::runnable_args_memfn<RefPtr<mozilla::DataChannelConnection>, int ( mozilla::DataChannelConnection::*)(unsigned char* const, unsigned __int64, bool), unsigned char*, unsigned __int64, bool>::Run() 	obj-firefox/dist/include/mtransport/runnable_utils.h:169
5 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1067
6 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp:290
7 	xul.dll 	mozilla::net::nsSocketTransportService::Run() 	netwerk/base/nsSocketTransportService2.cpp:911
8 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp:1067
9 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp:290
10 	xul.dll 	mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp:354
11 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc:228
12 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc:208
13 	xul.dll 	nsThread::ThreadFunc(void*) 	xpcom/threads/nsThread.cpp:467
14 	nss3.dll 	PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c:397
15 	nss3.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c:95
16 	ucrtbase.dll 	crt_at_quick_exit 	
17 	kernel32.dll 	BaseThreadInitThunk 	
18 	ntdll.dll 	RtlUserThreadStart

Crashes with this signature are regressing in number since the 49 nightly cycle. It's a rather low volume crash, currently making up 0.07% of browser crashes in 49.0b1.
Rank: 5
Priority: -- → P1
Note: e5e5 crash, and only showing up in 49 and 50. None in 48 or earlier in a quick search. Perhaps due to an uplifted patch? Be interesting to see when they started.

Nothing I can think of changed recently in this area in DataChannels.
Group: media-core-security
Flags: needinfo?(docfaraday)
Keywords: sec-critical
Byron -- Since this is a UAF that appears to start in Fx49, this needs to trump other work.
Assignee: nobody → docfaraday
Is this similar to bug 1294095 then perhaps?
(In reply to Randell Jesup [:jesup] from comment #1)
> Note: e5e5 crash, and only showing up in 49 and 50.  None in 48 or earlier
> in a quick search.  Perhaps due to an uplifted patch?  be interesting to see
> when they started.
> 
> Nothing I can think of changed recently in this area in DataChannels

I'm not seeing e5e5 anywhere in that report. Am I missing something?
Ah, there are other reports that do. I see. Looking...
Flags: needinfo?(docfaraday)
(In reply to [:philipp] from comment #3)
> is this similar to bug 1294095 then perhaps?

They both started to show up around 2016-08-03 and 04.
So what changed around then?
I suspect this is a dup of bug 1294095, especially since they started at the same time, roughly.  Recheck after we land bug 1294095 to see if this goes away as well.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(rjesup)
Resolution: --- → DUPLICATE
Duplicate of bug: 1294095
Tracking just to make sure we don't lose sight of this for 49.
The signature has disappeared after the fix from bug 1294095 landed in beta.
Whiteboard: [adv-main49-]
Flags: needinfo?(rjesup)
Group: media-core-security