1400558 - Crash in mozilla::SystemClockDriver::WaitForNextIteration | mozilla::MediaStreamGraphImpl::UpdateMainThreadState

Status: RESOLVED DUPLICATE of bug 1382366

(Core :: Audio/Video: MediaStreamGraph, defect)

Description

[Randell Jesup [:jesup] (needinfo me)]

This bug was filed from the Socorro interface and is 
report bp-1c98806b-ac7e-448b-b10b-016840170914.
=============================================================

UAF crash in accessing mGraphImpl, which implies that either the SystemClockDriver object has been freed, or (perhaps more likely?) that mGraphImpl is a UAF value that came from elsewhere.

Starting in 53.0b3 as best I can tell (there are crashes early in 47, but they're all nullptrs and in Atomics).  Also it shows up in 52.1.0esr, implying that something was uplifted to ESR with the bug.

Comment 1

[Andreas Pehrson [:pehrsons]]

At least [1] looks like it could have been fixed by bug 1360334 (see thread 33).

There are some crashes in 56.0b99 too, but their addresses are different. They do show multiple system clock drivers though, so a hole of some sort remains.

[1] https://crash-stats.mozilla.com/report/index/08225732-bcde-461e-946c-22a270170927#allthreads

Comment 2

[Randell Jesup [:jesup] (needinfo me)]

Newest build with a crash is 20170918210324 (56b99).  Bug 1360334 hit 56 beta on 9/11, so should have been in the 9/18 build.

Comment 3

[Randell Jesup [:jesup] (needinfo me)]

Dup of another bug I filed... but neither have been progressing.

Also: still causing crashes in 57b8: https://crash-stats.mozilla.com/report/index/a73e1b70-6fc8-4936-88aa-97c800171017