Closed Bug 1329403 (CVE-2017-5396) Opened 8 years ago Closed 8 years ago

BaseMediaResource::ModifyLoadFlags Use-After-Free using MP4 video.

Categories

(Core :: Audio/Video: Playback, defect, P1)

53 Branch
defect

Tracking


RESOLVED FIXED
mozilla53
Tracking Status
firefox-esr45 51+ fixed
firefox50 --- wontfix
firefox51 + fixed
firefox52 + fixed
firefox53 + fixed

People

(Reporter: lipe, Assigned: jwwang)

References

Details

(5 keywords, Whiteboard: [adv-main51+][adv-esr45.7+])

Attachments

(5 files, 3 obsolete files)

Attached file test.html
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 SeaMonkey/2.46
Build ID: 20161229190117

Steps to reproduce:

  Download the attached mp4 video file and create an iframe tag with the src pointing to it, 
then removing the iframe nodes and doing a document.write in the main window right after can cause the media resource 
channel used to download the mp4 to be freed and reused in a short time inside this new document.
  It doesn't crash if using timers or events so I had to wait in an alert or sync XMLHttpRequest for the object deletion,
apparently as stated here https://dxr.mozilla.org/mozilla-central/source/dom/media/MediaResource.h#438, it can only be 
accessed from the main thread. 
  I'm reproducing it waiting 10 seconds before closing the alert, it's an arbitrary time. The basic idea is that it only continues
execution after a call to MediaResource::Destroy().

Using the testcase it only crashes using mp4 files.

Tested with a Nightly build 32bit version:

Name        Firefox
Version     53.0a1
Build ID    20161201030205



Actual results:

(910.da0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=e5e5e5e5 ebx=00000001 ecx=8374b9ee edx=00000015 esi=1786c02c edi=176dac40
eip=69fe630a esp=003bf0dc ebp=003bf0f8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
xul!mozilla::BaseMediaResource::ModifyLoadFlags+0x5e:
69fe630a 8b08            mov     ecx,dword ptr [eax]  ds:002b:e5e5e5e5=????????
69fe630c ff5130          call    dword ptr [ecx+30h]
Attached video test.mp4
Attached file windbg.txt
Comment on attachment 8824658 [details]
windbg.txt

>bp xul!mozilla::BaseMediaResource::ModifyLoadFlags:
>eax=20400041 ebx=0de36801 ecx=176dac40 edx=003bf10c esi=176dac40 edi=1730f000
>eip=69fe62ac esp=003bf0fc ebp=003bf110 iopl=0         nv up ei pl nz na pe nc
>cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000206
>xul!mozilla::BaseMediaResource::ModifyLoadFlags:
>69fe62ac 55              push    ebp
>0:000> dd ecx
>176dac40  6abdcae4 00000007 176b74a0 1786c02c
>176dac50  178d6580 1710da68 00000009 00000005
>176dac60  176be7e8 00000020 00000005 e5e5e501
>176dac70  0043f783 00000000 14afa3e0 00000000
>176dac80  e5e50001 e5e5e5e5 176dac40 13aed340
>176dac90  00000101 e5e5e5e5 00000001 00000000
>176daca0  e5000100 e5e5e5e5 0043f783 00000000
>176dacb0  00466ad2 00000000 001c515f 00000000
>
>bp xul!mozilla::MediaResource::Destroy:
>0:000> r
>eax=176dac44 ebx=13a30ac0 ecx=176dac40 edx=00000010 esi=176dac40 edi=71f79b28
>eip=69146879 esp=003ba804 ebp=003ba80c iopl=0         nv up ei pl nz ac po nc
>cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
>xul!mozilla::MediaResource::Destroy:
>69146879 55              push    ebp
>0:000> kb
>ChildEBP RetAddr  Args to Child              
>003ba800 69146875 13a30af0 003ba828 691455d6 xul!mozilla::MediaResource::Destroy [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 51]
>003ba80c 691455d6 176dac40 00000000 13a30ac0 xul!mozilla::MediaResource::Release+0x2f [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 62]
>003ba828 6914530d 13a30ac0 003ba844 690f3553 xul!mozilla::MediaDecoder::~MediaDecoder+0x2b4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 520]
>003ba834 690f3553 00000001 0d153928 003ba850 xul!mozilla::MP4Decoder::`scalar deleting destructor'+0x1c
>003ba844 68ded799 13a30ac0 003ba868 691445b0 xul!mozilla::MediaDecoder::Release+0x38 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 140]
>003ba850 691445b0 00000000 6b285d34 0d153910 xul!RefPtr<mozilla::net::nsSimpleURI>::assign_assuming_AddRef+0x18 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
>003ba868 691444fb 003ba884 0eb5f310 6b285d34 xul!mozilla::MozPromise<bool,bool,0>::MethodThenValue<mozilla::MediaDecoder,void (__thiscall mozilla::MediaDecoder::*)(void),void (__thiscall mozilla::MediaDecoder::*)(void)>::DoResolveOrRejectInternal+0x2e [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 519]
>003ba888 691444b4 0eb5f310 00d0c160 00d09584 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::DoResolveOrReject+0x25 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 408]
>003ba89c 68f5c121 0d113c30 13a99020 00000001 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::ResolveOrRejectRunnable::Run+0x42 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 325]
>003ba90c 6904e396 00d0c160 00000001 003ba927 xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
>003ba928 6904de85 00000008 00000000 6abdbee8 xul!NS_ProcessNextEvent+0x16 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\glue\nsthreadutils.cpp @ 361]
>003ba93c 6913d541 13a99020 00000000 00d0c160 xul!nsThread::Shutdown+0x4c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 983]
>003ba960 693803ea 171185f0 003ba9dc 68f5c121 xul!nsThreadPool::Shutdown+0x80 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthreadpool.cpp @ 328]
>....
>
>69fe6303 8b470c          mov     eax,dword ptr [edi+0Ch]
>69fe6306 ff7508          push    dword ptr [ebp+8]
>69fe6309 50              push    eax
>69fe630a 8b08            mov     ecx,dword ptr [eax]  ds:002b:e5e5e5e5=????????
>69fe630c ff5130          call    dword ptr [ecx+30h]
>69fe630f 84db            test    bl,bl
>69fe6311 740e            je      xul!mozilla::BaseMediaResource::ModifyLoadFlags+0x75 (69fe6321)
>69fe6313 8b45fc          mov     eax,dword ptr [ebp-4]
>69fe6316 6a00            push    0
>69fe6318 ff770c          push    dword ptr [edi+0Ch]
>69fe631b 8b08            mov     ecx,dword ptr [eax]
>(910.da0): Access violation - code c0000005 (first chance)
>First chance exceptions are reported before any exception handling.
>This exception may be expected and handled.
>eax=e5e5e5e5 ebx=00000001 ecx=8374b9ee edx=00000015 esi=1786c02c edi=176dac40
>eip=69fe630a esp=003bf0dc ebp=003bf0f8 iopl=0         nv up ei pl zr na pe nc
>cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
>xul!mozilla::BaseMediaResource::ModifyLoadFlags+0x5e:
>69fe630a 8b08            mov     ecx,dword ptr [eax]  ds:002b:e5e5e5e5=????????
>69fe630c ff5130          call    dword ptr [ecx+30h]
>
>0:000> k
>ChildEBP RetAddr  
>002ef3b0 69590d60 xul!mozilla::BaseMediaResource::ModifyLoadFlags+0x5e [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 1571]
>002ef3c8 6914754a xul!mozilla::BaseMediaResource::SetLoadInBackground+0x48d9ce [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 1550]
>002ef3e0 69147688 xul!mozilla::dom::HTMLMediaElement::ChangeDelayLoadStatus+0x50 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\html\htmlmediaelement.cpp @ 6030]
>002ef3f4 6914762e xul!mozilla::dom::HTMLMediaElement::FirstFrameLoaded+0x45 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\html\htmlmediaelement.cpp @ 4934]
>002ef404 693a4807 xul!mozilla::MediaDecoder::FirstFrameLoaded+0x9a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 899]
>002ef414 68ff44d7 xul!mozilla::detail::ListenerHelper<1,mozilla::AbstractThread,<lambda_b598f49334d1a4c730b6255e2d2fb618> >::R<nsAutoPtr<mozilla::MediaInfo>,enum mozilla::MediaDecoderEventVisibility>::Run+0x27 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mediaeventsource.h @ 185]
>002ef42c 68f5c121 xul!mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run+0x37 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\taskdispatcher.h @ 196]
>002ef49c 68f5e4fb xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
>002ef4d0 6913ab6c xul!mozilla::ipc::MessagePump::Run+0x70 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 96]
>002ef508 6913ab3b xul!MessageLoop::RunHandler+0x20 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
>002ef528 68df018a xul!MessageLoop::Run+0x19 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
>002ef538 68deff19 xul!nsBaseAppShell::Run+0x34 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\nsbaseappshell.cpp @ 158]
>002ef548 68defece xul!nsAppShell::Run+0x26 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\windows\nsappshell.cpp @ 262]
>002ef55c 68f66b89 xul!nsAppStartup::Run+0x22 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\components\startup\nsappstartup.cpp @ 283]
>002ef750 69219ca0 xul!XREMain::XRE_mainRun+0x65c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4480]
>002ef77c 6936434a xul!XREMain::XRE_main+0x16a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4613]
>002ef8e0 00831931 xul!XRE_main+0x39 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4705]
>002efb78 00833373 firefox!do_main+0x381 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\browser\app\nsbrowserapp.cpp @ 328]
>002eff0c 00835de7 firefox!wmain+0x433 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nswindowswmain.cpp @ 115]
>002eff54 7608338a firefox!__scrt_common_main_seh+0xf9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
>002eff60 77299f72 kernel32!BaseThreadInitThunk+0xe
>002effa0 77299f45 ntdll!__RtlUserThreadStart+0x70
>002effb8 00000000 ntdll!_RtlUserThreadStart+0x1b
:jya or :rillian, can you (find someone to) take a look?
Group: firefox-core-security → core-security
Component: Untriaged → Audio/Video
Flags: needinfo?(jyavenard)
Flags: needinfo?(giles)
Product: Firefox → Core
Is this issue reproducible on Windows only?
Can it be reproduced in safe mode or with all plugin/addon disabled?
Flags: needinfo?(filipesw)
Maybe bug 1276529 is related.
See Also: → 1276529
(In reply to JW Wang [:jwwang] [:jw_wang] from comment #5)
> Is this issue reproducible on Windows only?
> Can it be reproduced in safe mode or with all plugin/addon disabled?

Yes it also reproduces in safe mode, so far I only tested it on Windows with x86 and x86_64 versions and they both reproduce. Haven't tested on Linux yet because my distro is lacking PulseAudio and doesn't open the mp4 file.
Gerald, do you have any ideas?
Flags: needinfo?(giles) → needinfo?(gsquelart)
This is deeper than my usual playground, so no idea on the spot.
But keeping the NI:me to come back to it soon, unless Jean-Yves can work his magic beforehand.
(In reply to Filipe Gomes from comment #3)
> >bp xul!mozilla::MediaResource::Destroy:
> >0:000> r
> >eax=176dac44 ebx=13a30ac0 ecx=176dac40 edx=00000010 esi=176dac40 edi=71f79b28
> >eip=69146879 esp=003ba804 ebp=003ba80c iopl=0         nv up ei pl nz ac po nc
> >cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
> >xul!mozilla::MediaResource::Destroy:
> >69146879 55              push    ebp
> >0:000> kb
> >ChildEBP RetAddr  Args to Child              
> >003ba800 69146875 13a30af0 003ba828 691455d6 xul!mozilla::MediaResource::Destroy [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 51]
> >003ba80c 691455d6 176dac40 00000000 13a30ac0 xul!mozilla::MediaResource::Release+0x2f [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 62]
> >003ba828 6914530d 13a30ac0 003ba844 690f3553 xul!mozilla::MediaDecoder::~MediaDecoder+0x2b4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 520]
> >003ba834 690f3553 00000001 0d153928 003ba850 xul!mozilla::MP4Decoder::`scalar deleting destructor'+0x1c
> >003ba844 68ded799 13a30ac0 003ba868 691445b0 xul!mozilla::MediaDecoder::Release+0x38 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 140]
> >003ba850 691445b0 00000000 6b285d34 0d153910 xul!RefPtr<mozilla::net::nsSimpleURI>::assign_assuming_AddRef+0x18 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
> >003ba868 691444fb 003ba884 0eb5f310 6b285d34 xul!mozilla::MozPromise<bool,bool,0>::MethodThenValue<mozilla::MediaDecoder,void (__thiscall mozilla::MediaDecoder::*)(void),void (__thiscall mozilla::MediaDecoder::*)(void)>::DoResolveOrRejectInternal+0x2e [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 519]
> >003ba888 691444b4 0eb5f310 00d0c160 00d09584 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::DoResolveOrReject+0x25 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 408]
> >003ba89c 68f5c121 0d113c30 13a99020 00000001 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::ResolveOrRejectRunnable::Run+0x42 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 325]
> >003ba90c 6904e396 00d0c160 00000001 003ba927 xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
> >003ba928 6904de85 00000008 00000000 6abdbee8 xul!NS_ProcessNextEvent+0x16 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\glue\nsthreadutils.cpp @ 361]
> >003ba93c 6913d541 13a99020 00000000 00d0c160 xul!nsThread::Shutdown+0x4c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 983]
> >003ba960 693803ea 171185f0 003ba9dc 68f5c121 xul!nsThreadPool::Shutdown+0x80 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthreadpool.cpp @ 328]
> >....

Do you have the full stack? I want to know the caller of nsThreadPool::Shutdown().
(In reply to JW Wang [:jwwang] [:jw_wang] from comment #11)
> (In reply to Filipe Gomes from comment #3)
> > >bp xul!mozilla::MediaResource::Destroy:
> > >0:000> r
> > >eax=176dac44 ebx=13a30ac0 ecx=176dac40 edx=00000010 esi=176dac40 edi=71f79b28
> > >eip=69146879 esp=003ba804 ebp=003ba80c iopl=0         nv up ei pl nz ac po nc
> > >cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
> > >xul!mozilla::MediaResource::Destroy:
> > >69146879 55              push    ebp
> > >0:000> kb
> > >ChildEBP RetAddr  Args to Child              
> > >003ba800 69146875 13a30af0 003ba828 691455d6 xul!mozilla::MediaResource::Destroy [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 51]
> > >003ba80c 691455d6 176dac40 00000000 13a30ac0 xul!mozilla::MediaResource::Release+0x2f [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 62]
> > >003ba828 6914530d 13a30ac0 003ba844 690f3553 xul!mozilla::MediaDecoder::~MediaDecoder+0x2b4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 520]
> > >003ba834 690f3553 00000001 0d153928 003ba850 xul!mozilla::MP4Decoder::`scalar deleting destructor'+0x1c
> > >003ba844 68ded799 13a30ac0 003ba868 691445b0 xul!mozilla::MediaDecoder::Release+0x38 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 140]
> > >003ba850 691445b0 00000000 6b285d34 0d153910 xul!RefPtr<mozilla::net::nsSimpleURI>::assign_assuming_AddRef+0x18 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
> > >003ba868 691444fb 003ba884 0eb5f310 6b285d34 xul!mozilla::MozPromise<bool,bool,0>::MethodThenValue<mozilla::MediaDecoder,void (__thiscall mozilla::MediaDecoder::*)(void),void (__thiscall mozilla::MediaDecoder::*)(void)>::DoResolveOrRejectInternal+0x2e [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 519]
> > >003ba888 691444b4 0eb5f310 00d0c160 00d09584 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::DoResolveOrReject+0x25 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 408]
> > >003ba89c 68f5c121 0d113c30 13a99020 00000001 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::ResolveOrRejectRunnable::Run+0x42 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 325]
> > >003ba90c 6904e396 00d0c160 00000001 003ba927 xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
> > >003ba928 6904de85 00000008 00000000 6abdbee8 xul!NS_ProcessNextEvent+0x16 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\glue\nsthreadutils.cpp @ 361]
> > >003ba93c 6913d541 13a99020 00000000 00d0c160 xul!nsThread::Shutdown+0x4c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 983]
> > >003ba960 693803ea 171185f0 003ba9dc 68f5c121 xul!nsThreadPool::Shutdown+0x80 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthreadpool.cpp @ 328]
> > >....
> 
> Do you have the full stack? I want to know the caller of
> nsThreadPool::Shutdown().


xul!mozilla::MediaResource::Destroy:
69146879 55              push    ebp
0:000> kb
ChildEBP RetAddr  Args to Child              
0029b8f0 69146875 1304a7b0 0029b918 691455d6 xul!mozilla::MediaResource::Destroy [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 51]
0029b8fc 691455d6 175b4ee0 00000000 1304a780 xul!mozilla::MediaResource::Release+0x2f [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 62]
0029b918 6914530d 1304a780 0029b934 690f3553 xul!mozilla::MediaDecoder::~MediaDecoder+0x2b4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 520]
0029b924 690f3553 00000001 02f5ba18 0029b940 xul!mozilla::MP4Decoder::`scalar deleting destructor'+0x1c
0029b934 68ded799 1304a780 0029b958 691445b0 xul!mozilla::MediaDecoder::Release+0x38 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 140]
0029b940 691445b0 00000000 6b285d34 02f5ba00 xul!RefPtr<mozilla::net::nsSimpleURI>::assign_assuming_AddRef+0x18 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
0029b958 691444fb 0029b974 02f5f490 6b285d34 xul!mozilla::MozPromise<bool,bool,0>::MethodThenValue<mozilla::MediaDecoder,void (__thiscall mozilla::MediaDecoder::*)(void),void (__thiscall mozilla::MediaDecoder::*)(void)>::DoResolveOrRejectInternal+0x2e [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 519]
0029b978 691444b4 02f5f490 00d0c160 00d09584 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::DoResolveOrReject+0x25 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 408]
0029b98c 68f5c121 02f82280 17ca4980 00000001 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::ResolveOrRejectRunnable::Run+0x42 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 325]
0029b9fc 6904e396 00d0c160 00000001 0029ba17 xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
0029ba18 6904de85 00000008 00000000 6abdbee8 xul!NS_ProcessNextEvent+0x16 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\glue\nsthreadutils.cpp @ 361]
0029ba2c 6913d541 17ca4980 00000000 00d0c160 xul!nsThread::Shutdown+0x4c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 983]
0029ba50 693803ea 17d6ce30 0029bacc 68f5c121 xul!nsThreadPool::Shutdown+0x80 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthreadpool.cpp @ 328]
0029ba5c 68f5c121 00d25c00 0e7c4820 0029bcf0 xul!mozilla::detail::RunnableMethodImpl<enum nsresult (__stdcall nsIThread::*)(void),1,0>::Run+0x12 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nsthreadutils.h @ 816]
0029bacc 693bf227 00d0c160 0029ba01 0029bd30 xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
0029bae8 68f13156 00d0c160 0000000c 00000002 xul!_NS_InvokeByIndex+0x27 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\reflect\xptcall\md\win32\xptcinvoke_asm_x86_msvc.asm @ 57]
0029bddc 0b734000 168d4e6a 0029be48 0e3e2911 xul!XPC_WN_CallMethod+0x526 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\xpconnect\src\xpcwrappednativejsops.cpp @ 1143]
WARNING: Frame IP not in any known module. Following frames may be wrong.
0029bf00 68e779a9 25f1c697 00000004 0ca6e1b8 0xb734000
0029bfd8 69000add 0029c0d4 69000add 0b734000 xul!EnterBaseline+0xcf [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jit\baselinejit.cpp @ 157]
0029c0c8 68f1e2b2 0b734000 0029cbf8 68f1e2b2 xul!js::jit::EnterBaselineAtBranch+0x140 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jit\baselinejit.cpp @ 261]
0029c9e0 6947ca91 0029caf4 0029caf4 0029caf4 xul!Interpret+0x8482 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 1914]
0029ca70 68dc2cea 0b734000 0029cae4 0029cbf8 xul!js::RunScript+0x231 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 403]
0029cb44 68dbfc9c 00000000 00000000 0b734000 xul!js::InternalCallOrConstruct+0x2ba [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 478]
0029cb6c 68f3c476 0029cd48 0029cb90 0029cd28 xul!js::Call+0x97 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 521]
0029cc7c 68f0ec55 0029cd3c 0029cd48 0029cd28 xul!JS_CallFunctionValue+0x1b4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jsapi.cpp @ 2771]
0029cedc 68f0e0ac 193658b0 157dcc40 00000003 xul!nsXPCWrappedJSClass::CallMethod+0x4c5 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\xpconnect\src\xpcwrappedjsclass.cpp @ 1211]
0029cf00 68f0dfee 157dcc40 00000003 0b7cb658 xul!nsXPCWrappedJS::CallMethod+0x34 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\xpconnect\src\xpcwrappedjs.cpp @ 610]
0029cfc8 6942db06 1337b320 00000003 0029cff0 xul!PrepareAndDispatch+0xc2 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\reflect\xptcall\md\win32\xptcstubs.cpp @ 85]
0029cfe4 69b5551e 1337b320 17df0f28 0029d0e4 xul!SharedStub+0x16 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\reflect\xptcall\md\win32\xptcstubs.cpp @ 113]
0029d170 69b55621 00000001 0029d1e8 13369f40 xul!nsGlobalWindow::AlertOrConfirm+0x273 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsglobalwindow.cpp @ 7117]
0029d194 69b5528e 0029d1e8 13369f40 0029d1d8 xul!nsGlobalWindow::AlertOuter+0x7f [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsglobalwindow.cpp @ 7140]
0029d1b4 69d8d3fa 0029d1e8 13369f40 0029d1d8 xul!nsGlobalWindow::Alert+0xa1 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsglobalwindow.cpp @ 7147]
0029d280 68f0ae3e 0b734000 0029d2ac 16cb1000 xul!mozilla::dom::WindowBinding::alert+0xcb [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\windowbinding.cpp @ 2618]
0029d2bc 68dc2bb1 0b734000 00000001 16cb1000 xul!mozilla::dom::WindowBinding::genericMethod+0xe8 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\windowbinding.cpp @ 15228]
0029d394 68dc0ff8 00000000 0b734000 00000000 xul!js::InternalCallOrConstruct+0x181 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 457]
0029d3b8 68f1b6f0 0b734000 00000002 15cadda0 xul!InternalCall+0xa8 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 502]
0029dcc0 6947ca91 0029ddd4 0029ddd4 0029ddd4 xul!Interpret+0x58c0 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 2920]
0029dd50 68dc2cea 0b734000 0029ddc4 0029dec0 xul!js::RunScript+0x231 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 403]
0029de24 68dbfc9c 00000000 0029df6c 0b734000 xul!js::InternalCallOrConstruct+0x2ba [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 478]
0029de4c 68f3c5e5 0029dfd0 0029e070 0029df90 xul!js::Call+0x97 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 521]
0029df44 68eb8092 0029e070 0029dfd0 0029df90 xul!JS::Call+0x107 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jsapi.cpp @ 2830]
0029e044 68eb7e1c 0b734000 0029e070 15418ee0 xul!mozilla::dom::EventHandlerNonNull::Call+0x240 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\eventhandlerbinding.cpp @ 259]
0029e19c 68eb8a99 177f3288 15418ee0 0029e208 xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>+0xb8 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\dom\eventhandlerbinding.h @ 361]
0029e308 68eb9d99 177f3280 15418ee0 1754ca18 xul!mozilla::JSEventHandler::HandleEvent+0xee [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\jseventhandler.cpp @ 215]
0029e33c 68f02bd0 1754ca18 15418ee0 16cb1000 xul!mozilla::EventListenerManager::HandleEventSubType+0x67 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventlistenermanager.cpp @ 1133]
0029e494 68f0262c 13088800 0029e5f8 0029e588 xul!mozilla::EventListenerManager::HandleEventInternal+0x2c0 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventlistenermanager.cpp @ 1286]
0029e4e8 68f01590 00000000 0029e574 00000000 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x42c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventdispatcher.cpp @ 465]
0029e59c 6906f28f 0029e5f8 00000000 0029e5ec xul!mozilla::EventDispatcher::Dispatch+0xa90 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventdispatcher.cpp @ 825]
0029e658 69129ff9 1300bcc0 00000000 164c3800 xul!nsDocumentViewer::LoadComplete+0x28a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 1024]
0029e9c0 68dd676c 164c3814 1704a82c 00000000 xul!nsDocShell::EndPageLoad+0xff [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7607]
0029ea68 68eb8f00 164c3918 164c3814 1704a82c xul!nsDocShell::OnStateChange+0xb6 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7410]
0029eab0 692d9494 164c3814 1704a82c 0029eb08 xul!nsDocLoader::DoFireOnStateChange+0xbd [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 1255]
0029eb18 68dd84ef 1704a82c 00000000 17789c00 xul!nsDocLoader::doStopDocumentLoad+0x95 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 840]
0029eb54 68dd8508 00000001 17cf3b00 17789c04 xul!nsDocLoader::DocLoaderIsEmpty+0x1a3 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 732]
0029eb88 68dd91c7 00000001 6b2e26e8 12e9a82c xul!nsDocLoader::DocLoaderIsEmpty+0x1bc [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 736]
0029ec10 68dd8c5f 17789c04 12e9a82c 00000000 xul!nsDocLoader::OnStopRequest+0x12b [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 612]
0029ecc4 69fe62f5 1300bf80 12e9a82c 00000000 xul!mozilla::net::nsLoadGroup::RemoveRequest+0x11b [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\netwerk\base\nsloadgroup.cpp @ 633]
0029ecf0 69590d60 20400041 6b2e2efc 17cdc500 xul!mozilla::BaseMediaResource::ModifyLoadFlags+0x49 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 1566]
0029ed08 6914754a 01000201 6b2e2efc 12e1d84c xul!mozilla::BaseMediaResource::SetLoadInBackground+0x48d9ce [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 1550]
0029ed20 69147688 00000000 1304a780 16785900 xul!mozilla::dom::HTMLMediaElement::ChangeDelayLoadStatus+0x50 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\html\htmlmediaelement.cpp @ 6030]
0029ed34 6914762e 00000001 00000000 0029ed54 xul!mozilla::dom::HTMLMediaElement::FirstFrameLoaded+0x45 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\html\htmlmediaelement.cpp @ 4934]
0029ed44 693a4807 00000000 00000000 0029ed6c xul!mozilla::MediaDecoder::FirstFrameLoaded+0x9a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 899]
0029ed54 68ff44d7 154fbae0 00d0c160 00d09584 xul!mozilla::detail::ListenerHelper<1,mozilla::AbstractThread,<lambda_b598f49334d1a4c730b6255e2d2fb618> >::R<nsAutoPtr<mozilla::MediaInfo>,enum mozilla::MediaDecoderEventVisibility>::Run+0x27 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mediaeventsource.h @ 185]
0029ed6c 68f5c121 17cdc550 00d24290 00d24280 xul!mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run+0x37 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\taskdispatcher.h @ 196]
0029eddc 68f5e4fb 00d0c160 00000000 0029ee0f xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
0029ee10 6913ab6c 00d6d0c0 0e3e7c51 00d09580 xul!mozilla::ipc::MessagePump::Run+0x70 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 96]
0029ee48 6913ab3b 00d0c160 00000001 00d09500 xul!MessageLoop::RunHandler+0x20 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
0029ee68 68df018a 0caa6340 00000000 0029ee88 xul!MessageLoop::Run+0x19 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
0029ee78 68deff19 00d09580 0caa6340 0029ee9c xul!nsBaseAppShell::Run+0x34 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\nsbaseappshell.cpp @ 158]
0029ee88 68defece 00d09580 0029f215 1055b700 xul!nsAppShell::Run+0x26 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\windows\nsappshell.cpp @ 262]
0029ee9c 68f66b89 0caa6340 80000000 0029f118 xul!nsAppStartup::Run+0x22 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\components\startup\nsappstartup.cpp @ 283]
0029f090 69219ca0 00d47060 0029f248 00000005 xul!XREMain::XRE_mainRun+0x65c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4480]
0029f0bc 6936434a 00000000 00d01020 0029f0b0 xul!XREMain::XRE_main+0x16a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4613]
0029f224 00fb1931 00000005 00d01020 0029f248 xul!XRE_main+0x39 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4705]
0029f4bc 00fb3373 00480f18 00d091c0 00000001 firefox!do_main+0x381 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\browser\app\nsbrowserapp.cpp @ 328]
0029f850 00fb5de7 00000005 ff785dd0 00483360 firefox!wmain+0x433 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nswindowswmain.cpp @ 115]
0029f898 7608338a fffde000 0029f8e4 77299f72 firefox!__scrt_common_main_seh+0xf9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
0029f8a4 77299f72 fffde000 7873d8e1 00000000 kernel32!BaseThreadInitThunk+0xe
0029f8e4 77299f45 00fb5e5d fffde000 00000000 ntdll!__RtlUserThreadStart+0x70
0029f8fc 00000000 00fb5e5d fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
Comment on attachment 8824658 [details]
windbg.txt

>xul!mozilla::MediaResource::Destroy:
>69146879 55              push    ebp
>0:000> kb
>ChildEBP RetAddr  Args to Child              
>0029b8f0 69146875 1304a7b0 0029b918 691455d6 xul!mozilla::MediaResource::Destroy [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 51]
>0029b8fc 691455d6 175b4ee0 00000000 1304a780 xul!mozilla::MediaResource::Release+0x2f [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 62]
>0029b918 6914530d 1304a780 0029b934 690f3553 xul!mozilla::MediaDecoder::~MediaDecoder+0x2b4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 520]
>0029b924 690f3553 00000001 02f5ba18 0029b940 xul!mozilla::MP4Decoder::`scalar deleting destructor'+0x1c
>0029b934 68ded799 1304a780 0029b958 691445b0 xul!mozilla::MediaDecoder::Release+0x38 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 140]
>0029b940 691445b0 00000000 6b285d34 02f5ba00 xul!RefPtr<mozilla::net::nsSimpleURI>::assign_assuming_AddRef+0x18 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\refptr.h @ 65]
>0029b958 691444fb 0029b974 02f5f490 6b285d34 xul!mozilla::MozPromise<bool,bool,0>::MethodThenValue<mozilla::MediaDecoder,void (__thiscall mozilla::MediaDecoder::*)(void),void (__thiscall mozilla::MediaDecoder::*)(void)>::DoResolveOrRejectInternal+0x2e [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 519]
>0029b978 691444b4 02f5f490 00d0c160 00d09584 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::DoResolveOrReject+0x25 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 408]
>0029b98c 68f5c121 02f82280 17ca4980 00000001 xul!mozilla::MozPromise<bool,bool,0>::ThenValueBase::ResolveOrRejectRunnable::Run+0x42 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\mozpromise.h @ 325]
>0029b9fc 6904e396 00d0c160 00000001 0029ba17 xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
>0029ba18 6904de85 00000008 00000000 6abdbee8 xul!NS_ProcessNextEvent+0x16 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\glue\nsthreadutils.cpp @ 361]
>0029ba2c 6913d541 17ca4980 00000000 00d0c160 xul!nsThread::Shutdown+0x4c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 983]
>0029ba50 693803ea 17d6ce30 0029bacc 68f5c121 xul!nsThreadPool::Shutdown+0x80 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthreadpool.cpp @ 328]
>0029ba5c 68f5c121 00d25c00 0e7c4820 0029bcf0 xul!mozilla::detail::RunnableMethodImpl<enum nsresult (__stdcall nsIThread::*)(void),1,0>::Run+0x12 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\nsthreadutils.h @ 816]
>0029bacc 693bf227 00d0c160 0029ba01 0029bd30 xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
>0029bae8 68f13156 00d0c160 0000000c 00000002 xul!_NS_InvokeByIndex+0x27 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\reflect\xptcall\md\win32\xptcinvoke_asm_x86_msvc.asm @ 57]
>0029bddc 0b734000 168d4e6a 0029be48 0e3e2911 xul!XPC_WN_CallMethod+0x526 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\xpconnect\src\xpcwrappednativejsops.cpp @ 1143]
>WARNING: Frame IP not in any known module. Following frames may be wrong.
>0029bf00 68e779a9 25f1c697 00000004 0ca6e1b8 0xb734000
>0029bfd8 69000add 0029c0d4 69000add 0b734000 xul!EnterBaseline+0xcf [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jit\baselinejit.cpp @ 157]
>0029c0c8 68f1e2b2 0b734000 0029cbf8 68f1e2b2 xul!js::jit::EnterBaselineAtBranch+0x140 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jit\baselinejit.cpp @ 261]
>0029c9e0 6947ca91 0029caf4 0029caf4 0029caf4 xul!Interpret+0x8482 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 1914]
>0029ca70 68dc2cea 0b734000 0029cae4 0029cbf8 xul!js::RunScript+0x231 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 403]
>0029cb44 68dbfc9c 00000000 00000000 0b734000 xul!js::InternalCallOrConstruct+0x2ba [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 478]
>0029cb6c 68f3c476 0029cd48 0029cb90 0029cd28 xul!js::Call+0x97 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 521]
>0029cc7c 68f0ec55 0029cd3c 0029cd48 0029cd28 xul!JS_CallFunctionValue+0x1b4 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jsapi.cpp @ 2771]
>0029cedc 68f0e0ac 193658b0 157dcc40 00000003 xul!nsXPCWrappedJSClass::CallMethod+0x4c5 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\xpconnect\src\xpcwrappedjsclass.cpp @ 1211]
>0029cf00 68f0dfee 157dcc40 00000003 0b7cb658 xul!nsXPCWrappedJS::CallMethod+0x34 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\xpconnect\src\xpcwrappedjs.cpp @ 610]
>0029cfc8 6942db06 1337b320 00000003 0029cff0 xul!PrepareAndDispatch+0xc2 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\reflect\xptcall\md\win32\xptcstubs.cpp @ 85]
>0029cfe4 69b5551e 1337b320 17df0f28 0029d0e4 xul!SharedStub+0x16 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\reflect\xptcall\md\win32\xptcstubs.cpp @ 113]
>0029d170 69b55621 00000001 0029d1e8 13369f40 xul!nsGlobalWindow::AlertOrConfirm+0x273 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsglobalwindow.cpp @ 7117]
>0029d194 69b5528e 0029d1e8 13369f40 0029d1d8 xul!nsGlobalWindow::AlertOuter+0x7f [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsglobalwindow.cpp @ 7140]
>0029d1b4 69d8d3fa 0029d1e8 13369f40 0029d1d8 xul!nsGlobalWindow::Alert+0xa1 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\base\nsglobalwindow.cpp @ 7147]
>0029d280 68f0ae3e 0b734000 0029d2ac 16cb1000 xul!mozilla::dom::WindowBinding::alert+0xcb [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\windowbinding.cpp @ 2618]
>0029d2bc 68dc2bb1 0b734000 00000001 16cb1000 xul!mozilla::dom::WindowBinding::genericMethod+0xe8 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\windowbinding.cpp @ 15228]
>0029d394 68dc0ff8 00000000 0b734000 00000000 xul!js::InternalCallOrConstruct+0x181 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 457]
>0029d3b8 68f1b6f0 0b734000 00000002 15cadda0 xul!InternalCall+0xa8 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 502]
>0029dcc0 6947ca91 0029ddd4 0029ddd4 0029ddd4 xul!Interpret+0x58c0 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 2920]
>0029dd50 68dc2cea 0b734000 0029ddc4 0029dec0 xul!js::RunScript+0x231 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 403]
>0029de24 68dbfc9c 00000000 0029df6c 0b734000 xul!js::InternalCallOrConstruct+0x2ba [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 478]
>0029de4c 68f3c5e5 0029dfd0 0029e070 0029df90 xul!js::Call+0x97 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\vm\interpreter.cpp @ 521]
>0029df44 68eb8092 0029e070 0029dfd0 0029df90 xul!JS::Call+0x107 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\js\src\jsapi.cpp @ 2830]
>0029e044 68eb7e1c 0b734000 0029e070 15418ee0 xul!mozilla::dom::EventHandlerNonNull::Call+0x240 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dom\bindings\eventhandlerbinding.cpp @ 259]
>0029e19c 68eb8a99 177f3288 15418ee0 0029e208 xul!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>+0xb8 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\dom\eventhandlerbinding.h @ 361]
>0029e308 68eb9d99 177f3280 15418ee0 1754ca18 xul!mozilla::JSEventHandler::HandleEvent+0xee [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\jseventhandler.cpp @ 215]
>0029e33c 68f02bd0 1754ca18 15418ee0 16cb1000 xul!mozilla::EventListenerManager::HandleEventSubType+0x67 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventlistenermanager.cpp @ 1133]
>0029e494 68f0262c 13088800 0029e5f8 0029e588 xul!mozilla::EventListenerManager::HandleEventInternal+0x2c0 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventlistenermanager.cpp @ 1286]
>0029e4e8 68f01590 00000000 0029e574 00000000 xul!mozilla::EventTargetChainItem::HandleEventTargetChain+0x42c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventdispatcher.cpp @ 465]
>0029e59c 6906f28f 0029e5f8 00000000 0029e5ec xul!mozilla::EventDispatcher::Dispatch+0xa90 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\events\eventdispatcher.cpp @ 825]
>0029e658 69129ff9 1300bcc0 00000000 164c3800 xul!nsDocumentViewer::LoadComplete+0x28a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\layout\base\nsdocumentviewer.cpp @ 1024]
>0029e9c0 68dd676c 164c3814 1704a82c 00000000 xul!nsDocShell::EndPageLoad+0xff [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7607]
>0029ea68 68eb8f00 164c3918 164c3814 1704a82c xul!nsDocShell::OnStateChange+0xb6 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\docshell\base\nsdocshell.cpp @ 7410]
>0029eab0 692d9494 164c3814 1704a82c 0029eb08 xul!nsDocLoader::DoFireOnStateChange+0xbd [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 1255]
>0029eb18 68dd84ef 1704a82c 00000000 17789c00 xul!nsDocLoader::doStopDocumentLoad+0x95 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 840]
>0029eb54 68dd8508 00000001 17cf3b00 17789c04 xul!nsDocLoader::DocLoaderIsEmpty+0x1a3 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 732]
>0029eb88 68dd91c7 00000001 6b2e26e8 12e9a82c xul!nsDocLoader::DocLoaderIsEmpty+0x1bc [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 736]
>0029ec10 68dd8c5f 17789c04 12e9a82c 00000000 xul!nsDocLoader::OnStopRequest+0x12b [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\uriloader\base\nsdocloader.cpp @ 612]
>0029ecc4 69fe62f5 1300bf80 12e9a82c 00000000 xul!mozilla::net::nsLoadGroup::RemoveRequest+0x11b [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\netwerk\base\nsloadgroup.cpp @ 633]
>0029ecf0 69590d60 20400041 6b2e2efc 17cdc500 xul!mozilla::BaseMediaResource::ModifyLoadFlags+0x49 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 1566]
>0029ed08 6914754a 01000201 6b2e2efc 12e1d84c xul!mozilla::BaseMediaResource::SetLoadInBackground+0x48d9ce [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediaresource.cpp @ 1550]
>0029ed20 69147688 00000000 1304a780 16785900 xul!mozilla::dom::HTMLMediaElement::ChangeDelayLoadStatus+0x50 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\html\htmlmediaelement.cpp @ 6030]
>0029ed34 6914762e 00000001 00000000 0029ed54 xul!mozilla::dom::HTMLMediaElement::FirstFrameLoaded+0x45 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\html\htmlmediaelement.cpp @ 4934]
>0029ed44 693a4807 00000000 00000000 0029ed6c xul!mozilla::MediaDecoder::FirstFrameLoaded+0x9a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\media\mediadecoder.cpp @ 899]
>0029ed54 68ff44d7 154fbae0 00d0c160 00d09584 xul!mozilla::detail::ListenerHelper<1,mozilla::AbstractThread,<lambda_b598f49334d1a4c730b6255e2d2fb618> >::R<nsAutoPtr<mozilla::MediaInfo>,enum mozilla::MediaDecoderEventVisibility>::Run+0x27 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mediaeventsource.h @ 185]
>0029ed6c 68f5c121 17cdc550 00d24290 00d24280 xul!mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run+0x37 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\obj-firefox\dist\include\mozilla\taskdispatcher.h @ 196]
>0029eddc 68f5e4fb 00d0c160 00000000 0029ee0f xul!nsThread::ProcessNextEvent+0x14d [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\xpcom\threads\nsthread.cpp @ 1219]
>0029ee10 6913ab6c 00d6d0c0 0e3e7c51 00d09580 xul!mozilla::ipc::MessagePump::Run+0x70 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\glue\messagepump.cpp @ 96]
>0029ee48 6913ab3b 00d0c160 00000001 00d09500 xul!MessageLoop::RunHandler+0x20 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 226]
>0029ee68 68df018a 0caa6340 00000000 0029ee88 xul!MessageLoop::Run+0x19 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\ipc\chromium\src\base\message_loop.cc @ 206]
>0029ee78 68deff19 00d09580 0caa6340 0029ee9c xul!nsBaseAppShell::Run+0x34 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\nsbaseappshell.cpp @ 158]
>0029ee88 68defece 00d09580 0029f215 1055b700 xul!nsAppShell::Run+0x26 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\widget\windows\nsappshell.cpp @ 262]
>0029ee9c 68f66b89 0caa6340 80000000 0029f118 xul!nsAppStartup::Run+0x22 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\components\startup\nsappstartup.cpp @ 283]
>0029f090 69219ca0 00d47060 0029f248 00000005 xul!XREMain::XRE_mainRun+0x65c [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4480]
>0029f0bc 6936434a 00000000 00d01020 0029f0b0 xul!XREMain::XRE_main+0x16a [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4613]
>0029f224 00fb1931 00000005 00d01020 0029f248 xul!XRE_main+0x39 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nsapprunner.cpp @ 4705]
>0029f4bc 00fb3373 00480f18 00d091c0 00000001 firefox!do_main+0x381 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\browser\app\nsbrowserapp.cpp @ 328]
>0029f850 00fb5de7 00000005 ff785dd0 00483360 firefox!wmain+0x433 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\toolkit\xre\nswindowswmain.cpp @ 115]
>0029f898 7608338a fffde000 0029f8e4 77299f72 firefox!__scrt_common_main_seh+0xf9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
>0029f8a4 77299f72 fffde000 7873d8e1 00000000 kernel32!BaseThreadInitThunk+0xe
>0029f8e4 77299f45 00fb5e5d fffde000 00000000 ntdll!__RtlUserThreadStart+0x70
>0029f8fc 00000000 00fb5e5d fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b

Should've posted with the better formatting.
It turns out that my assumption in bug 1276529 comment 7 is right.

BaseMediaResource::ModifyLoadFlags calls nsLoadGroup::RemoveRequest which somehow spins the event loop and calls MediaResource::Destroy to delete the object. All access to BaseMediaResource members after nsLoadGroup::RemoveRequest() becomes use-after-free.

Not sure if this is a normal behavior about netwerk...
Flags: needinfo?(filipesw)
(In reply to JW Wang [:jwwang] [:jw_wang] from comment #15)
> https://archive.mozilla.org/pub/firefox/try-builds/jwwang@mozilla.com-
> c3e775c283a410171e675de8c83e722c36294416/try-win64-debug/firefox-53.0a1.en-
> US.win64.installer.exe
> 
> https://archive.mozilla.org/pub/firefox/try-builds/jwwang@mozilla.com-
> c3e775c283a410171e675de8c83e722c36294416/try-win64/firefox-53.0a1.en-US.
> win64.installer.exe
> 
> Can you try if these builds fix the issue for you? Thanks!

I did the test and the builds don't reproduce the crash with the testcase anymore, I guess it's fixed.
CC :smaug for review.
Attached patch 1329403_fix.patch (obsolete) — Splinter Review
Assignee: nobody → jwwang
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8825689 - Flags: review?(bugs)
Comment on attachment 8825689 [details] [diff] [review]
1329403_fix.patch

I don't yet understand the crash.

Where are we crashing and why?

Is the issue that MediaDecoder calls FirstFrameLoaded without keeping mOwner alive, so not following the COM rule that the caller should keep the callee alive?
And I guess similar applies to mDecoder->SetLoadInBackground(!aDelay); call.
Does something guarantee mDecoder stays alive long enough?

I think adding nsAutoScriptBlocker just hides the issues we have with lifetime management here. If you disagree, explain why and ask for review again.

However, having nsAutoScriptBlocker here is perhaps a good idea to ensure the load event fires at the end of the method, not somewhere in the middle.

So I could imagine a patch having nsAutoScriptBlocker and some RefPtrs to keep right objects alive. (The patch just with RefPtr should be enough to fix the crash)
Attachment #8825689 - Flags: review?(bugs) → review-
(In reply to Olli Pettay [:smaug] from comment #19)
> I don't yet understand the crash.
> Where are we crashing and why?

Here is the stack from comment 13:

http://searchfox.org/mozilla-central/rev/225ab0637ed51b8b3f9f4ee2f9c339a37a65b626/dom/media/MediaResource.cpp#1561

BaseMediaResource::ModifyLoadFlags calls nsLoadGroup::RemoveRequest which somehow causes 'onload' to fire to run the script in test.html (which calls document.write() to replace the content) to delete the media element which in turn deletes MediaDecoder as well as MediaResource.

So access to mChannel at #1567 is a UAF since the MediaResource object is already deleted.
(In reply to Olli Pettay [:smaug] from comment #19)
> I think adding nsAutoScriptBlocker just hides to issues we have with
> lifetime management here. If you disagree, explain why and ask review again.

Of course we can use death grips to keep the objects we care about alive during reentrant function calls. However, I think reentrant function calls are evil and result in unexpected/complicated call flow, which I would like to prevent in the first place.
Flags: needinfo?(bugs)
But is it guaranteed that nsAutoScriptBlocker fixes all the possible reentrancy issues?

Following the normal rules that the caller keeps the callee alive feels like a safer option to me.

And, I don't see anything keeping the element itself alive, so after FirstFrameLoaded() has called ChangeDelayLoadStatus(false), 'this' can be a deleted object. (nsAutoScriptBlocker in ChangeDelayLoadStatus doesn't help with that, since scripts can run when the blocker goes out of scope)

Note, we already do explicitly keep the element alive in another case
http://searchfox.org/mozilla-central/rev/225ab0637ed51b8b3f9f4ee2f9c339a37a65b626/dom/html/HTMLMediaElement.cpp#4690
Flags: needinfo?(bugs)
(In reply to Olli Pettay [:smaug] from comment #22)
> (nsAutoScriptBlocker in ChangeDelayLoadStatus doesn't help
> with that, since scripts can run when the blocker goes out of scope)

This is bad, for I expected nsAutoScriptBlocker to delay the script such that it will run asynchronously in the next cycle.

I think the path forward is to fix bug 1329934 so |mLoadBlockedDoc->UnblockOnload(false)| [1] can work as expected to fire 'onload' asynchronously.

[1] http://searchfox.org/mozilla-central/rev/a712d69adb9b2588f88aff678216b2be94d3719c/dom/html/HTMLMediaElement.cpp#6294
It is still scary to call non-trivial methods when not keeping the callee explicitly alive.
Group: core-security → media-core-security
Keywords: sec-high
(In reply to Olli Pettay [:smaug] from comment #24)
> It is still scary to call non-trivial methods when not keeping the callee
> explicitly alive.

It is the responsibility of the caller to keep the callee alive until the function returns (let alone that a death grip doesn't work for non-ref-counting types). However, reentrancy breaks this assumption, which is what I want to prevent in the first place.
(In reply to JW Wang [:jwwang] [:jw_wang] from comment #26)
> https://archive.mozilla.org/pub/firefox/try-builds/jwwang@mozilla.com-
> f66e669fcbfbfa98685740ee277706aace472e36/try-win64/firefox-53.0a1.en-US.
> win64.installer.exe
> 
> https://archive.mozilla.org/pub/firefox/try-builds/jwwang@mozilla.com-
> f66e669fcbfbfa98685740ee277706aace472e36/try-win64-debug/firefox-53.0a1.en-
> US.win64.installer.exe
> 
> Hi Filipe,
> Can you try again if these builds fix the issue? Thanks!

Okay, these builds don't reproduce the crash.
Priority: -- → P1
(In reply to JW Wang [:jwwang] [:jw_wang] from comment #25)
> It is the responsibility of the caller to keep callee alive until the
> function returns (let alone death grip doesn't work for non-ref-counting
> types). However, reentrancy breaks this assumption which is what I want to
> prevent in the first place.
No, reentrancy doesn't break that. It is still up to the caller to keep the callee alive. That is how we deal with these kinds of issues elsewhere in Gecko.
Well, I will avoid reentrancy whenever possible. It also avoids subtle bugs where the object lifetime must be carefully audited. I will submit for review soon.
Attached patch 1329403_fix_v2.patch (obsolete) — Splinter Review
This patch fixes an old bug (bug 608634 comment 632 ~ bug 608634 comment 638) where the 'onload' event is fired prematurely, before the media element is done loading the resource.

http://searchfox.org/mozilla-central/rev/3f614bdf91a2379a3e2c822da84e524f5e742121/dom/html/HTMLMediaElement.cpp#6294
|mLoadBlockedDoc->UnblockOnload(false)| can now work correctly to fire 'onload' asynchronously to avoid subtle bugs caused by reentrancy. (If 'onload' is fired synchronously, the script might call into media element functions recursively.)
Attachment #8825689 - Attachment is obsolete: true
Flags: needinfo?(filipesw)
Attachment #8826447 - Flags: review?(bugs)
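As an added illustration of the reentrancy explained in the crash analysis above and of the three approaches the thread weighs (the caller holding a death grip, a scoped script blocker, and firing 'onload' asynchronously from the event loop), here is a small C++ model constructed for this page. It is not Gecko code and not any participant's patch; `LoadGroup`, `Resource`, `ScopedScriptBlocker`, `Fix` and `runScenario` are hypothetical stand-ins for nsLoadGroup, BaseMediaResource, nsAutoScriptBlocker and the test page. A registry of live object addresses replaces an ASan report, so the dangling access shows up as a boolean instead of as undefined behaviour.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <set>
#include <vector>

// Constructed toy model (not Gecko code): RemoveRequest() fires the document's
// 'load' handler, and that handler (the page's document.write()) tears down the
// media element, dropping the Resource that is still inside ModifyLoadFlags().

// Addresses of live Resource objects; stands in for what a poisoning allocator
// or ASan would tell us, so a dead *this is observed rather than dereferenced.
static std::set<const void*> gLiveResources;

struct LoadGroup {
    std::vector<std::function<void()>> onLoad;   // registered 'load' handlers
    std::vector<std::function<void()>> pending;  // handlers deferred to the event loop
    bool deferEvents = false;

    // Synchronous dispatch is the reentrancy hazard; with deferEvents set the
    // handlers are queued and delivered later by RunPending().
    void RemoveRequest() {
        for (auto& h : onLoad) {
            if (deferEvents) pending.push_back(h); else h();
        }
        onLoad.clear();
    }
    void RunPending() {
        auto batch = std::move(pending);
        pending.clear();
        for (auto& h : batch) h();
    }
};

// Models nsAutoScriptBlocker: handlers raised inside the scope are queued and
// flushed when the blocker is destroyed, i.e. before its creator has returned.
struct ScopedScriptBlocker {
    LoadGroup& g;
    explicit ScopedScriptBlocker(LoadGroup& grp) : g(grp) { g.deferEvents = true; }
    ~ScopedScriptBlocker() { g.deferEvents = false; g.RunPending(); }
};

struct Resource : std::enable_shared_from_this<Resource> {
    LoadGroup* group;
    int loadFlags = 0;   // stands in for the mChannel state touched after RemoveRequest
    explicit Resource(LoadGroup* g) : group(g) { gLiveResources.insert(this); }
    ~Resource() { gLiveResources.erase(this); }

    // The buggy shape: members are used after RemoveRequest() may have
    // reentered and destroyed *this. Reports false instead of touching them.
    bool ModifyLoadFlags(int flags) {
        const void* self = this;
        group->RemoveRequest();
        if (!gLiveResources.count(self)) return false;   // would be the UAF
        loadFlags = flags;
        return true;
    }

    // Caller keeps the callee alive for the duration of the call.
    bool ModifyLoadFlagsWithDeathGrip(int flags) {
        std::shared_ptr<Resource> deathGrip = shared_from_this();
        return ModifyLoadFlags(flags);
    }

    // Script blocker around the call: the call itself is safe, but the queued
    // 'load' runs at the closing brace, so the caller's next use of *this is not.
    bool ModifyLoadFlagsUnderScriptBlocker(int flags) {
        const void* self = this;
        {
            ScopedScriptBlocker blocker(*group);
            ModifyLoadFlags(flags);
        }   // 'load' fires here and may destroy *this
        return gLiveResources.count(self) != 0;
    }
};

enum class Fix { None, DeathGrip, ScriptBlocker, AsyncLoadEvent };

// Runs the scenario from the bug under one mitigation. Returns true if every
// access to the Resource happened while it was still alive.
static bool runScenario(Fix fix) {
    LoadGroup group;
    group.deferEvents = (fix == Fix::AsyncLoadEvent);   // 'onload' from the event loop
    auto resource = std::make_shared<Resource>(&group);
    // The page's 'load' handler: document.write() replaces the document and
    // drops the element, and with it the last reference to the resource.
    group.onLoad.push_back([&resource] { resource.reset(); });

    Resource* raw = resource.get();
    bool alive;
    switch (fix) {
        case Fix::DeathGrip:     alive = raw->ModifyLoadFlagsWithDeathGrip(1); break;
        case Fix::ScriptBlocker: alive = raw->ModifyLoadFlagsUnderScriptBlocker(1); break;
        default:                 alive = raw->ModifyLoadFlags(1); break;
    }
    group.RunPending();   // the later event-loop turn that delivers a deferred 'load'
    return alive;
}

int main() {
    const char* names[] = {"no fix", "death grip", "script blocker", "async load event"};
    const Fix fixes[] = {Fix::None, Fix::DeathGrip, Fix::ScriptBlocker, Fix::AsyncLoadEvent};
    for (int i = 0; i < 4; i++)
        std::printf("%-17s %s\n", names[i], runScenario(fixes[i]) ? "safe" : "use-after-free");
    return 0;
}
```

The script-blocker case is the one to look at: the access inside the blocked scope is fine, yet the object is gone by the time the caller continues, which is the point made about scripts running when the blocker goes out of scope. Only the death grip (caller owns a strong reference for the whole call) and delivering 'load' from a later event-loop turn keep every access on a live object.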
[Tracking Requested - why for this release]:

Bug 608634 landed in 51; marking 50 and ESR45 as ? since the bug it fixed went back much further.

Marking for 51 tracking though time is short.  JW (or smaug), please nominate for anything appropriate ASAP and for S-A, especially if you think it should be in 51 (RC1 is the next build).  Otherwise, we may need to wait to later in the cycle to land this.
Component: Audio/Video → Audio/Video: Playback
Flags: needinfo?(gsquelart)
Comment on attachment 8826447 [details] [diff] [review]
1329403_fix_v2.patch

// We need to add the blocker once mScriptGlobalObject is set.
We may need to add ...
Attachment #8826447 - Flags: review?(bugs) → review+
Thanks for the review!
Flags: needinfo?(jyavenard)
Attached patch 1329403_fix_v3.patch (obsolete) — Splinter Review
Fix comments per comment 32.
Attachment #8826447 - Attachment is obsolete: true
Attachment #8827083 - Flags: review+
uploaded the wrong patch... This one is correct now.
Attachment #8827083 - Attachment is obsolete: true
Attachment #8827084 - Flags: review+
Comment on attachment 8827084 [details] [diff] [review]
1329403_fix_v3.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Very unlikely. The patch is all about the delaying-the-load-event flag of media elements (https://html.spec.whatwg.org/multipage/embedded-content.html#loading-the-media-resource:delaying-the-load-event-flag).

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No.

Which older supported branches are affected by this flaw?
Not sure. But it should be as early as the beginning of bug 608634.

If not all supported branches, which bug introduced the flaw?
Not sure. It might already be there since the feature is introduced by bug 293818.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Since bug 293818 is too old, I will only uplift the fix to esr45 and later versions.

How likely is this patch to cause regressions; how much testing does it need?
The risk should be low for the change is quite simple. However, I would like a DOM peer to evaluate the risk. Treeherder should be enough for tests.
Attachment #8827084 - Flags: sec-approval?
We will likely do an RC2 build since there's still at least one open blocker for the release. So we could still take this fix for 51 if it has sec-approval.
Comment on attachment 8827084 [details] [diff] [review]
1329403_fix_v3.patch

Sec-approval+ for trunk. Please nominate branch patches too and do it ASAP so we can make RC2.
Attachment #8827084 - Flags: sec-approval? → sec-approval+
Keywords: checkin-needed
Comment on attachment 8827084 [details] [diff] [review]
1329403_fix_v3.patch

Approval Request Comment
[Feature/Bug causing the regression]:1329403
[User impact if declined]:UAF
[Is this code covered by automated tests?]:yes
[Has the fix been verified in Nightly?]:yes
[Needs manual test from QE? If yes, steps to reproduce]: see the test case in comment 0
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: low
[Why is the change risky/not risky?]: The change is simple and doesn't cause obvious failures on TreeHerder.
[String changes made/needed]: none
Attachment #8827084 - Flags: approval-mozilla-aurora?
Approval Request Comment
[Feature/Bug causing the regression]:1329403
[User impact if declined]:UAF
[Is this code covered by automated tests?]:yes
[Has the fix been verified in Nightly?]:yes
[Needs manual test from QE? If yes, steps to reproduce]: see the test case in comment 0
[List of other uplifts needed for the feature/fix]:none
[Is the change risky?]:low
[Why is the change risky/not risky?]:The change is simple and doesn't cause obvious failures on TreeHerder.
[String changes made/needed]:none
Attachment #8827805 - Flags: review+
Attachment #8827805 - Flags: approval-mozilla-beta?
Comment on attachment 8827805 [details] [diff] [review]
1329403_fix_beta_51.patch

Approval Request Comment 40

(also nominating for release as 51 has been merged to mozilla-release already.)
Attachment #8827805 - Flags: approval-mozilla-release?
https://hg.mozilla.org/integration/mozilla-inbound/rev/17542663b5648395038161ac86f3ef91267e73d3

Sounds like we should see if this applies to esr45 as well still?
Flags: needinfo?(jwwang)
Keywords: checkin-needed
Comment on attachment 8827805 [details] [diff] [review]
1329403_fix_beta_51.patch

Last minute for 51 RC2 build.
Attachment #8827805 - Flags: approval-mozilla-release?
Attachment #8827805 - Flags: approval-mozilla-release+
Attachment #8827805 - Flags: approval-mozilla-beta?
Attachment #8827805 - Flags: approval-mozilla-beta+
Attachment #8827084 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8827805 [details] [diff] [review]
1329403_fix_beta_51.patch

Should also apply to esr45.
Attachment #8827805 - Flags: approval-mozilla-esr45+
https://hg.mozilla.org/mozilla-central/rev/17542663b564
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Alias: CVE-2017-5396
Whiteboard: [adv-main51+][adv-esr45.7+]
Group: media-core-security → core-security-release
Blocks: 1295923
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release