Closed Bug 1414422 Opened 7 years ago Closed 7 years ago

=ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbb80b1f4a1 bp 0x7ffcb364a330 sp 0x7ffcb364a260 T0) dom/media/MediaManager.cpp:2000:5

Categories

(Core :: WebRTC: Audio/Video, defect, P2)

Tracking


RESOLVED DUPLICATE of bug 1412394
Tracking Status
firefox-esr52 --- ?
firefox57 --- wontfix
firefox58 --- affected
firefox59 --- affected

People

(Reporter: rforbes, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [stockwell disabled])

Attachments

(1 file)

Attached file testcase
testcase found by fuzzing on mozilla-inbound rev 20171103-43c726ab7f71

==53787==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbb80b1f4a1 bp 0x7ffcb364a330 sp 0x7ffcb364a260 T0)
==53787==The signal is caused by a WRITE memory access.
==53787==Hint: address points to the zero page.
    #0 0x7fbb80b1f4a0 in PostTask /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2000:5
    #1 0x7fbb80b1f4a0 in mozilla::SourceListener::StopTrack(int) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3708
    #2 0x7fbb80b1e289 in mozilla::SourceListener::Stop() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3624:5
    #3 0x7fbb80b20429 in NotifyFinished /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3858:3
    #4 0x7fbb80b20429 in mozilla::SourceListener::NotifyRemoved() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3870
    #5 0x7fbb80b2fae9 in mozilla::GetUserMediaWindowListener::~GetUserMediaWindowListener() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:612:10
    #6 0x7fbb80b818ab in Release /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:315:3
    #7 0x7fbb80b818ab in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41
    #8 0x7fbb80b818ab in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #9 0x7fbb80b818ab in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79
    #10 0x7fbb80b818ab in ~nsBaseHashtableET /builds/worker/workspace/build/src/obj-firefox/dist/include/nsBaseHashtable.h:454
    #11 0x7fbb80b818ab in nsTHashtable<nsBaseHashtableET<nsUint64HashKey, RefPtr<mozilla::GetUserMediaWindowListener> > >::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:448
    #12 0x7fbb7b65ae4b in ~PLDHashTable /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:325:7
    #13 0x7fbb7b65ae4b in PLDHashTable::ClearAndPrepareForLength(unsigned int) /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp:340
    #14 0x7fbb80b1846d in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:277:12
    #15 0x7fbb80b1846d in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/nsBaseHashtable.h:396
    #16 0x7fbb80b1846d in mozilla::MediaManager::Shutdown() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3066
    #17 0x7fbb80b2ca74 in mozilla::MediaManager::Get()::Blocker::BlockShutdown(nsIAsyncShutdownClient*) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1932:38
    #18 0x7fbb7b79ea91 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #19 0x7fbb7cfa2b90 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #20 0x7fbb7cfa2b90 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #21 0x7fbb7cfa2b90 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #22 0x7fbb7cfa991f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
    #23 0x7fbb867217d0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #24 0x7fbb867217d0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #25 0x7fbb8670d06b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #26 0x7fbb8670d06b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #27 0x7fbb866f4c6a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #28 0x7fbb867218cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #29 0x7fbb867227c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
    #30 0x7fbb86806509 in js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1666:19
    #31 0x7fbb868dc064 in PromiseConstructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1594:30
    #32 0x7fbb86722e6e in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #33 0x7fbb86722e6e in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:324
    #34 0x7fbb86722e6e in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567
    #35 0x7fbb8670d0a2 in ConstructFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:12
    #36 0x7fbb8670d0a2 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3053
    #37 0x7fbb866f4c6a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #38 0x7fbb867218cf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #39 0x7fbb869563ef in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2539:14
    #40 0x2b231d700486  (<unknown module>)
Flags: in-testsuite?
Summary: =ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbb80b1f4a1 bp 0x7ffcb364a330 sp 0x7ffcb364a260 T0) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2000:5 → =ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbb80b1f4a1 bp 0x7ffcb364a330 sp 0x7ffcb364a260 T0) dom/media/MediaManager.cpp:2000:5
Group: dom-core-security → media-core-security
Flags: needinfo?(jib)
Flags: needinfo?(apehrson)
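Added example, not part of this bug report or of the Firefox code base: a small Python triage helper that parses the AddressSanitizer report above. It marks inlined frames (consecutive frames sharing a pc, as #0 PostTask and #1 StopTrack do here), strips the build-tree prefix so the location reads the way the bug title was later rewritten (dom/media/MediaManager.cpp:2000:5), and classifies a fault in the zero page as a null-pointer access, which is the reasoning behind the later "nullptr -> not sec sensitive" triage. The embedded report is an abridged copy of the trace above; the source prefix and the 4 KiB page size are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

SRC_PREFIX = "/builds/worker/workspace/build/src/"  # assumption: this build's source prefix
PAGE_SIZE = 4096  # assumption: 4 KiB zero page (x86-64 Linux)

# Abridged copy of the report attached to this bug (most of the 41 frames left out).
SAMPLE_REPORT = """\
==53787==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbb80b1f4a1 bp 0x7ffcb364a330 sp 0x7ffcb364a260 T0)
==53787==The signal is caused by a WRITE memory access.
==53787==Hint: address points to the zero page.
    #0 0x7fbb80b1f4a0 in PostTask /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2000:5
    #1 0x7fbb80b1f4a0 in mozilla::SourceListener::StopTrack(int) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3708
    #2 0x7fbb80b1e289 in mozilla::SourceListener::Stop() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3624:5
    #11 0x7fbb80b818ab in nsTHashtable<nsBaseHashtableET<nsUint64HashKey, RefPtr<mozilla::GetUserMediaWindowListener> > >::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:448
    #16 0x7fbb80b1846d in mozilla::MediaManager::Shutdown() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3066
    #40 0x2b231d700486  (<unknown module>)
"""

@dataclass
class Frame:
    index: int
    pc: int
    function: Optional[str]  # None when the frame has no symbol
    path: Optional[str]      # source path relative to the build tree
    line: Optional[int]
    column: Optional[int]
    inlined: bool = False    # same pc as the next frame => inlined into it

@dataclass
class Report:
    address: int
    access: Optional[str]  # "READ" or "WRITE"
    zero_page_hint: bool
    frames: List[Frame]

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-fA-F]+)\s+(.*)$")
LOC_RE = re.compile(r"^(.*?):(\d+)(?::(\d+))?$")

def parse_frame(text: str) -> Optional[Frame]:
    """Parse one '#N 0xPC in FUNC PATH:LINE[:COL]' line; None if not a frame."""
    m = FRAME_RE.match(text)
    if not m:
        return None
    idx, pc, rest = int(m.group(1)), int(m.group(2), 16), m.group(3).strip()
    if not rest.startswith("in "):
        return Frame(idx, pc, None, None, None, None)  # e.g. "(<unknown module>)"
    # Symbol names contain spaces (template args, parameter lists); the location never does.
    function, _, location = rest[3:].rpartition(" ")
    if not function:  # "in FUNC" with no location at all
        function, location = location, ""
    loc = LOC_RE.match(location)
    if not loc:
        return Frame(idx, pc, function, None, None, None)
    path = loc.group(1)
    if path.startswith(SRC_PREFIX):
        path = path[len(SRC_PREFIX):]
    column = int(loc.group(3)) if loc.group(3) else None
    return Frame(idx, pc, function, path, int(loc.group(2)), column)

def parse_report(text: str) -> Report:
    address, access, zero_page = None, None, False
    frames: List[Frame] = []
    for line in text.splitlines():
        if m := re.search(r"SEGV on unknown address 0x([0-9a-fA-F]+)", line):
            address = int(m.group(1), 16)
        elif m := re.search(r"caused by a (READ|WRITE) memory access", line):
            access = m.group(1)
        elif "address points to the zero page" in line:
            zero_page = True
        elif frame := parse_frame(line):
            if frames and frames[-1].pc == frame.pc:
                frames[-1].inlined = True  # symbolizer lists the inlined callee first
            frames.append(frame)
    if address is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    return Report(address, access, zero_page, frames)

def location(frame: Frame) -> str:
    text = f"{frame.path}:{frame.line}"
    return text if frame.column is None else f"{text}:{frame.column}"

def summary(report: Report) -> str:
    """One-line summary in the form this bug's title was rewritten to."""
    top = next((f for f in report.frames if f.path), None)
    return f"SEGV on unknown address 0x{report.address:012x} " + (location(top) if top else "<unknown>")

def classify(report: Report) -> str:
    """Coarse triage: a fault inside the zero page is a null (or near-null) pointer."""
    if report.zero_page_hint or report.address < PAGE_SIZE:
        kind = "write" if report.access == "WRITE" else "read"
        return f"null-pointer {kind} at 0x{report.address:x}: crash, not memory corruption by itself"
    return f"wild {report.access or 'unknown'} access at 0x{report.address:x}: needs investigation"

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(summary(rep), "|", classify(rep))
```

The inlining check matters when reading a trace like this one: #0 and #1 share a pc, so the faulting store attributed to PostTask at MediaManager.cpp:2000 was inlined into SourceListener::StopTrack, and the real call chain is StopTrack → Stop → NotifyRemoved → ~GetUserMediaWindowListener, reached from MediaManager::Shutdown() clearing its listener table.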
This looks like bug 1412394.
Flags: needinfo?(apehrson)
(In reply to Andreas Pehrson [:pehrsons] from comment #1)
> This looks like bug 1412394.

I'm going to move it to that component then.
Component: Audio/Video → WebRTC: Audio/Video
nullptr -> not sec sensitive
Group: media-core-security
Raymond, I cannot repro on Linux with a recent Nightly. What's the context here? At least knowing revision and what non-default prefs are set would be useful.
Flags: needinfo?(rforbes)
I figured it out. I can repro with dom.allow_scripts_to_close_windows: true.
Flags: needinfo?(rforbes)
Flags: needinfo?(jib)
Rank: 10
Priority: -- → P2
Andreas, you said in comment 5 you can repro, can you do a regression range?
Flags: needinfo?(apehrson)
(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #8)
> Andreas, you said in comment 5 you can repro, can you do a regression range?

FYI - This triggers in the oldest available build on taskcluster (Buildid 20161117004257).
(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #8)
> Andreas, you said in comment 5 you can repro, can you do a regression range?

I would have guessed bug 1320994, but comment 9 proves it was latent already then. Jib, do you want the range still when it's that old?
Flags: needinfo?(apehrson) → needinfo?(jib)
I can set all the tracking flags except esr52 based on that. Is that the oldest mozregression will do?
I can check if 52 is affected. I also feel inclined to dupe this to bug 1412394 since that's where the patches are.
Flags: needinfo?(apehrson)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(apehrson)
Whiteboard: [stockwell disabled]