Closed Bug 1338504 Opened 7 years ago Closed 7 years ago

Crash in mozilla::widget::AudioSession::StopInternal when unplugging USB headset

Categories

(Core :: Widget: Win32, defect, P1)

54 Branch
All
Windows
defect

Tracking

RESOLVED INVALID
Tracking Status
firefox54 --- affected

People

(Reporter: JuliaC, Unassigned)

Details

(4 keywords, Whiteboard: tpi:+)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-2371b4a4-d090-41a8-a379-e399b2170210.
=============================================================
[Prerequisites]:
- Have an available USB headset connected to your station

[Steps to reproduce]:
1. Launch Firefox
2. Go to https://apprtc.appspot.com/, create a room, provide the camera and microphone permissions and join it
3. Join the same room from another station
4. Unplug the USB headset
5. Connect back the USB headset
6. Refresh the page in order to reestablish the call

[Regression range]:
- I will investigate this as soon as possible

[Additional notes]:
- The issue is reproducible on Windows 7 x64 and Mac OS X 10.11.6
Depends on: 910813
Priority: -- → P1
Whiteboard: tpi:+
Stephen, could you please take a look at this on OSX? Maybe we can knock both platforms out with the same work.
Flags: needinfo?(spohl.mozilla.bugs)
(In reply to Iulia Cristescu, QA [:IuliaC] from comment #0)
> This bug was filed from the Socorro interface and is 
> report bp-2371b4a4-d090-41a8-a379-e399b2170210.
> 
> [...]
>
> [Additional notes]:
> - The issue is reproducible on Windows 7 x64 and Mac OS X 10.11.6

Could I get a link to a crash report for OSX? The one referenced here is in Windows widget code. I haven't been able to find any reports in Socorro for OSX yet. Thanks!
Flags: needinfo?(spohl.mozilla.bugs) → needinfo?(iulia.cristescu)
Flags: needinfo?(iulia.cristescu)
See Also: → 1339259
OS: All → Windows
Group: core-security
Keywords: sec-critical
Component: WebRTC → Widget: Win32
I see a fair number of Thunderbird crashes here, so it can't just be WebRTC related.

The scary EXCEPTION_ACCESS_VIOLATION_EXEC crashes seem to be on old builds: I only see them on Firefox 47 and earlier. On those we seem to have a valid mAudioControlSession in mozilla::widget::AudioSession::Start(), but it gets a failure calling mAudioSessionControl->SetIconPath(). In the failure handling block it calls StopInternal(), but the stack shows an intervening call to RegisterForMediaCallback in audioses.dll before the mozilla::widget::AudioSession::StopInternal(), where mAudioControlSession is apparently now bogus.

I see no crashes in 48 or 49.

Starting in Firefox 50 it's an infrequent EXCEPTION_ACCESS_VIOLATION_READ. The stacks are maybe corrupt because I don't think the OS's HeapFree() is going to be calling back into our audio session control.

There was a fix for this signature in bug 1268233 (see also bug 910813) that landed in 48 and probably was why the earlier scary signatures went away. Something changed in 50 that brought back a related crash. sec-critical might have been appropriate for the older _EXEC crash but seems a bit alarmist for the current incarnation.
Group: core-security → layout-core-security
Keywords: sec-critical → sec-high
Right - I did some searches, going back 3 months, and the scary ones are gone. Good sleuthing on the fix source... which however points out it might be a sec-crit for ESR45. Perhaps we should uplift bug 1268233/etc.

There are no clear UAF addresses, but there are some random ones, and a lot of ffffff's.  Agree on sec-high for the 50+ crashes.
Depends on: 1343972
Flags: needinfo?(jmathies)
Julia, I'm not reproducing this in nightly, can you confirm again? Also, is there a simpler STR we can come up with here?
Flags: needinfo?(jmathies) → needinfo?(iulia.cristescu)
(In reply to Jim Mathies [:jimm] from comment #5)
> Julia, I'm not reproducing this in nightly, can you confirm again? Also, is
> there a simpler STR we can come up with here?

Hello, Jim! 
I didn't manage to reproduce the crash anymore on 54.0a2 (2017-04-07) and 55.0a1 (2017-04-07), using the steps from comment 0.
Flags: needinfo?(iulia.cristescu)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Group: layout-core-security → core-security-release
Group: core-security-release