Closed Bug 1414623 Opened 2 years ago Closed 2 years ago

Crash in mozilla::AudioStream::GetUnprocessed

Categories

(Core :: Audio/Video: Playback, defect, P2, critical)

58 Branch
Unspecified
Linux
defect

Tracking

RESOLVED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 --- unaffected
firefox58 --- disabled
firefox59 --- fixed

People

(Reporter: philipp, Assigned: kamidphish)

Details

(Keywords: crash, regression)

Attachments

(2 files)

This bug was filed from the Socorro interface and is 
report bp-4b0fb92a-963d-4a3c-8a34-f2edb0171105.
=============================================================
Crashing Thread (45)
Frame 	Module 	Signature 	Source
0 	libxul.so 	mozilla::AudioStream::GetUnprocessed 	dom/media/AudioStream.h:135
1 	libxul.so 	mozilla::AudioStream::DataCallback 	dom/media/AudioStream.cpp:657
2 	libxul.so 	std::sys_common::backtrace::__rust_begin_short_backtrace<closure, ()> 	media/audioipc/client/src/stream.rs:67
3 	libxul.so 	alloc::boxed::{{impl}}::call_box<(), closure> 	src/libstd/thread/mod.rs:394
4 	libxul.so 	std::sys::imp::thread::{{impl}}::new::thread_start 	src/liballoc/boxed.rs:692
Ø 5 	libpthread-2.26.so 	libpthread-2.26.so@0x7089 	
Ø 6 	libc-2.26.so 	libc-2.26.so@0xf647e

These crash reports on Linux are regressing in 58.0a1 starting with build 20171020100426. This is the pushlog to the day before: https://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2017-10-19&tochange=d1e995c8640a191cd127e87273ec96cb2fabffa9
So perhaps related to bug 1407487?
Flags: needinfo?(dglastonbury)
It doesn't look like this crash is related to bug 1407487 since this crash can date back to 2017-05-14.
Component: Audio/Video → Audio/Video: Playback
Priority: -- → P2
On Linux it's regressing in 58.0a1 though.
(In reply to Blake Wu [:bwu][:blakewu] from comment #1)
> It doesn't look like this crash is related to bug 1407487 since this crash can
> date back to 2017-05-14.

Which report was on 2017-05-14?
Going back 1 year, I see reports from 48.0.2 to 58.01, on osx, win and linux.

Possibly bug 1407487 made this rare bug more easy to hit on linux (which all crash w/ SIGBUS)?

Here's a report from 2017-05-15:

https://crash-stats.mozilla.com/report/index/f9c05eb5-bf28-43c6-bc84-b21470170515
(In reply to Mike Taylor [:miketaylr] (58 Regression Engineering Owner) from comment #4)
> Going back 1 year, I see reports from 48.0.2 to 58.01, on osx, win and linux.
> 
> Possibly bug 1407487 made this rare bug more easy to hit on linux (which all
> crash w/ SIGBUS)?
> 
> Here's a report from 2017-05-15:
> 
> https://crash-stats.mozilla.com/report/index/f9c05eb5-bf28-43c6-bc84-b21470170515

This one looks like a UAF which is really bad. I think this one is caused by some other memory bugs instead of cubeb/AudioStream itself.
I've been pondering this one for a while, and JW's assertion that this is a UAF gives me a clue as to what is causing this. I'll put together a patch and let's see if the issue disappears after that patch is applied.
Flags: needinfo?(dglastonbury)
Assignee: nobody → dglastonbury
Status: NEW → ASSIGNED
Comment on attachment 8927116 [details]
Bug 1414623 - P1: Make state_callback synchronous.

https://reviewboard.mozilla.org/r/198332/#review203570

Seems like a good idea.
Attachment #8927116 - Flags: review?(kinetik) → review+
Comment on attachment 8928019 [details]
Bug 1414623 - P2: Connect callback send/receive with Mutex.

https://reviewboard.mozilla.org/r/199252/#review204294
Attachment #8928019 - Flags: review?(kinetik) → review+
Pushed by dglastonbury@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/96e5e96d36e9
P1: Make state_callback synchronous. r=kinetik
https://hg.mozilla.org/integration/autoland/rev/b69589aa7089
P2: Connect callback send/receive with Mutex. r=kinetik
https://hg.mozilla.org/mozilla-central/rev/96e5e96d36e9
https://hg.mozilla.org/mozilla-central/rev/b69589aa7089
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Dan, do you want to uplift that in 58?
Flags: needinfo?(dglastonbury)
(In reply to Sylvestre Ledru [:sylvestre] from comment #15)
> Dan, do you want to uplift that in 58?

Yes.
Flags: needinfo?(dglastonbury)
(In reply to Dan Glastonbury :kamidphish from comment #16)
> (In reply to Sylvestre Ledru [:sylvestre] from comment #15)
> > Dan, do you want to uplift that in 58?
> 
> Yes.

Although the feature is only enabled on Nightly, so it might not be an issue that we see for Beta because it is disabled by default.
Flags: needinfo?(sledru)
OK, thanks. I updated the flag then. No need to take the patch then!
Flags: needinfo?(sledru)
This signature is still present in recent nightlies and betas:

https://crash-stats.mozilla.com/signature/?product=Firefox&signature=mozilla%3A%3AAudioStream%3A%3AGetUnprocessed

I encountered it today. Different bug?