Closed
Bug 1324995
Opened 7 years ago
Closed 7 years ago
Crash in jemalloc_crash | je_free | r_free | stun_get_win32_addrs
Categories
(Core :: WebRTC: Networking, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | fixed |
firefox53 | --- | fixed |
backlog | webrtc/webaudio+ |
People
(Reporter: kanru, Assigned: drno)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file, 1 obsolete file)
59 bytes,
text/x-review-board-request
|
bwc
:
review+
jcristau
:
approval-mozilla-aurora+
|
Details |
This bug was filed from the Socorro interface and is report bp-6d9ebcab-8de4-49c6-8ed9-43b272161221. ============================================================= #8 crash in 20161219004024 aurora. Total 258 crashes since 2016-12-14 Only 52 was affected. Stack looks like: jemalloc_crash je_free r_free stun_get_win32_addrs nr_stun_get_addrs nr_stun_find_local_addresses Byron, this seems webrtc related, can you take a look?
Flags: needinfo?(docfaraday)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 2•7 years ago
|
||
I causes this with the new code from bug 1309585. The attached patch should fix it.
Flags: needinfo?(docfaraday)
Assignee | ||
Updated•7 years ago
|
Assignee: nobody → drno
backlog: --- → webrtc/webaudio+
Rank: 15
Priority: -- → P1
Reporter | ||
Updated•7 years ago
|
Keywords: regression
Comment 3•7 years ago
|
||
mozreview-review |
Comment on attachment 8820581 [details] Bug 1324995: only free AdapterAddresses if needed. https://reviewboard.mozilla.org/r/100062/#review100764 drive-by r+
Attachment #8820581 -
Flags: review+
Comment 4•7 years ago
|
||
mozreview-review |
Comment on attachment 8820581 [details] Bug 1324995: only free AdapterAddresses if needed. https://reviewboard.mozilla.org/r/100062/#review101910
Attachment #8820581 -
Flags: review?(docfaraday) → review+
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/autoland/rev/cc2c3de0b1ff only free AdapterAddresses if needed. r=bwc,jesup
Assignee | ||
Comment 6•7 years ago
|
||
Thanks Ryan :-)
Assignee | ||
Comment 7•7 years ago
|
||
Comment on attachment 8820581 [details] Bug 1324995: only free AdapterAddresses if needed. Approval Request Comment [Feature/Bug causing the regression]: The code from bug 1309585 caused this. [User impact if declined]: Browser can crash on Windows if WebRTC is being used. [Is this code covered by automated tests?]: The code in question should be executed by every single WebRTC mochitest executed on Windows. Most likely our tests did not encounter this crash is that appears to be almost exclusively on Win7 Service Pack 1, plus that regular network interface gathering fails on these machines. [Has the fix been verified in Nightly?]: No. We don't know exactly how to reproduce it. [Needs manual test from QE? If yes, steps to reproduce]: See above. Probably only reproducible on a specific version of Win, plus some unknown other factors. [List of other uplifts needed for the feature/fix]: N/A [Is the change risky?]: No. [Why is the change risky/not risky?]: It only guards a call for free() with an if condition to cover for an early error scenario. [String changes made/needed]: N/A
Attachment #8820581 -
Flags: approval-mozilla-aurora?
Comment 8•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/cc2c3de0b1ff
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Comment 9•7 years ago
|
||
I don't really understand this patch. AFAICT RFREE(ptr) is a no-op if ptr is NULL, if https://dxr.mozilla.org/mozilla-central/source/media/mtransport/third_party/nrappkit/src/util/libekr/r_memory.h#90 is to be believed. I wonder if the issue couldn't be when you reach the ABORT at https://dxr.mozilla.org/mozilla-central/source/media/mtransport/third_party/nICEr/src/stun/addrs.c#184 you've already freed AdapterAddresses as part of the loop, and then end up double-freeing it at https://dxr.mozilla.org/mozilla-central/source/media/mtransport/third_party/nICEr/src/stun/addrs.c#247. Hmm? What am I missing?
Flags: needinfo?(drno)
Assignee | ||
Comment 10•7 years ago
|
||
Thanks Julien. I think you are right. My theory how this crash happens in a double free (which apparently has undefined behavior) here https://dxr.mozilla.org/mozilla-central/source/media/mtransport/third_party/nICEr/src/stun/addrs.c#247 But since the free() operation leaves the pointer untouched the right solution is to reset the pointer after freeing it to prevent the double free. What I find strange is that this crash apparently only ever happens on 52 and never happened on 53. I have no real explanation for that. Does Nightly have different compiler setting then Aurora which could cause this?
Status: RESOLVED → REOPENED
Flags: needinfo?(drno)
Resolution: FIXED → ---
Assignee | ||
Updated•7 years ago
|
Comment hidden (mozreview-request) |
Assignee | ||
Updated•7 years ago
|
Attachment #8820581 -
Attachment is obsolete: true
Attachment #8820581 -
Flags: approval-mozilla-aurora?
Comment 12•7 years ago
|
||
mozreview-review |
Comment on attachment 8823903 [details] Bug 1324995: null pointer after freeing. https://reviewboard.mozilla.org/r/102366/#review102944
Attachment #8823903 -
Flags: review?(docfaraday) → review+
Is this good to land?
Flags: needinfo?(drno)
Assignee | ||
Comment 14•7 years ago
|
||
Yes it is. Autoland is currently closed. I'll check back tomorrow to see if it actually landed.
Flags: needinfo?(drno)
Comment 15•7 years ago
|
||
Pushed by drno@ohlmeier.org: https://hg.mozilla.org/integration/autoland/rev/f7af5ba471c7 null pointer after freeing. r=bwc
Assignee | ||
Comment 16•7 years ago
|
||
Speaking of the devil... it landed on autoland :-)
Assignee | ||
Comment 17•7 years ago
|
||
Comment on attachment 8823903 [details] Bug 1324995: null pointer after freeing. [Feature/Bug causing the regression]: The code from bug 1309585 caused this. [User impact if declined]: Browser can crash on Windows if WebRTC is being used. [Is this code covered by automated tests?]: The code in question should be executed by every single WebRTC mochitest executed on Windows. Most likely our tests did not encounter this crash because it appears to be almost exclusively on Win7 Service Pack 1, plus that regular network interface gathering fails on these machines. [Has the fix been verified in Nightly?]: No. We don't know exactly how to reproduce it. [Needs manual test from QE? If yes, steps to reproduce]: See above. Probably only reproducible on a specific version of Win, plus some unknown other factors. [List of other uplifts needed for the feature/fix]: N/A [Is the change risky?]: No. [Why is the change risky/not risky?]: It only set a pointer to Null after freeing it in an error scenario to not free the same pointer twice later. [String changes made/needed]: N/A
Attachment #8823903 -
Flags: approval-mozilla-aurora?
Comment 18•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/f7af5ba471c7
Status: REOPENED → RESOLVED
Closed: 7 years ago → 7 years ago
Resolution: --- → FIXED
Comment 19•7 years ago
|
||
Comment on attachment 8823903 [details] Bug 1324995: null pointer after freeing. avoid double free in webrtc code, aurora52+
Attachment #8823903 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 20•7 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-aurora/rev/248982f8164b
You need to log in
before you can comment on or make changes to this bug.
Description
•