Closed
Bug 1419374
Opened 7 years ago
Closed 6 years ago
Crash in std::_Function_handler<T>::_M_invoke
Categories
(Core :: WebRTC: Audio/Video, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla59
Release | Tracking | Status |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox57 | --- | unaffected |
firefox58 | --- | unaffected |
firefox59 | + | fixed |
People
(Reporter: calixte, Assigned: mchiang)
References
(Blocks 1 open bug)
Details
(4 keywords, Whiteboard: [clouseau])
Crash Data
Attachments
(1 file)
patch, 3.55 KB, jib: review+
This bug was filed from the Socorro interface and is report bp-4e4f14c1-ec71-4d4b-9cb7-73c370171120.
=============================================================
Top 10 frames of crashing thread:

0 libxul.so std::_Function_handler<void> >::_M_invoke dom/media/systemservices/CamerasParent.cpp:892
1 libxul.so mozilla::camera::VideoEngine::WithEntry gcc/include/c++/6.4.0/functional:2127
2 libxul.so mozilla::media::LambdaRunnable<mozilla::camera::CamerasParent::RecvStartCapture> >::Run dom/media/systemservices/CamerasParent.cpp:919
3 libxul.so nsThread::ProcessNextEvent
4 libxul.so NS_ProcessNextEvent
5 libxul.so mozilla::ipc::MessagePumpForNonMainThreads::Run
6 libxul.so MessageLoop::Run
7 libxul.so base::Thread::ThreadMain ipc/chromium/src/base/thread.cc:181
8 libxul.so ThreadFunc ipc/chromium/src/base/platform_thread_posix.cc:38
9 libpthread-2.26.so libpthread-2.26.so@0x7089
=============================================================

There are 2 crashes in nightly 59 with buildid 20171119100329. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1388667.

[1] https://hg.mozilla.org/mozilla-central/rev/d057ff6cbcfb
Flags: needinfo?(mchiang)
Assignee
Updated•7 years ago
Assignee: nobody → mchiang
Flags: needinfo?(mchiang)
Comment 1•7 years ago
[Tracking Requested - why for this release]: crash
Comment 2•7 years ago
Sure, I can track this since it's a recent regression in 59. Let me know if you need anything.
Comment 3•7 years ago
Several of the crashes are wildptr's -> sec-high
Group: media-core-security
Rank: 10 → 5
Flags: needinfo?(mchiang)
Keywords: csectype-wildptr, sec-high
Priority: P2 → P1
Assignee
Updated•7 years ago
Flags: needinfo?(mchiang)
Assignee
Comment 4•7 years ago
Don't have a clue yet.
I thought we don't use pointer in the crash line.
https://hg.mozilla.org/mozilla-central/annotate/709f355a7a8c/dom/media/systemservices/CamerasParent.cpp#l892
Comment 5•7 years ago
(In reply to Munro Mengjue Chiang [:mchiang] from comment #4)
> Don't have a clue yet.
> I thought we don't use pointer in the crash line.

Maybe not directly, but indirectly for vtbl and/or the iterator, etc.
Assignee
Comment 6•6 years ago
MOZ_ASSERT doesn't scream in Nightly. And here we didn't check if iterator is valid before using it. So I add a check here. I also replace MOZ_ASSERT with MOZ_DIAGNOSTIC_ASSERT to confirm we were indeed hit by this problem. After confirming it, I will change back to MOZ_ASSERT.
Attachment #8938316 - Flags: review?(jib)
Comment 7•6 years ago
Comment on attachment 8938316
bug1419374-check-if-the-iterator-is-valid.patch

Review of attachment 8938316:
-----------------------------------------------------------------

Change lgtm as an improvement. But can you tell me more about this invariant, and how it's broken? It sounds like we haven't gotten to the bottom of the issue. E.g. is this a case of a camera with zero capabilities? Something else? A race?
Attachment #8938316 - Flags: review?(jib) → review+
Assignee
Comment 8•6 years ago
The chance we hit a race condition is low because we only access mAllCandidateCapabilities in videocapture thread, and we use self to hold the camerasparent so it cannot be destroyed. Probably we hit the case candidateCapabilities->second.size() == 0. Maybe the (dummy) hardware is very special and it returns zero supported capacity. That's what we gonna find out with the MOZ_DIAGNOSTIC_ASSERT.
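The pattern discussed in comments 6 to 8, as an added C++ example that is not part of the bug thread or the attached patch: a map lookup guarded only by an assertion that release-style builds compile out, next to a checked lookup that reports which invariant failed. The types, function names and sample table are hypothetical, and standard `assert`/`NDEBUG` stands in for Mozilla's debug-only `MOZ_ASSERT`.

```cpp
// Added illustration; every name here is hypothetical, not from CamerasParent.cpp.
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

struct Capability { int width, height, maxFps; };
// Stand-in for a per-capture-id table of candidate capabilities.
using CandidateTable = std::map<uint32_t, std::vector<Capability>>;

enum class Lookup { Ok, UnknownCaptureId, NoCapabilities };

// Unchecked shape: the assertion is the only guard. When NDEBUG is defined
// it compiles to nothing, so an unknown id dereferences end() and an empty
// entry calls front() on an empty vector; both are undefined behaviour.
Capability FirstCapabilityUnchecked(const CandidateTable& table, uint32_t id) {
  auto it = table.find(id);
  assert(it != table.end() && !it->second.empty());
  return it->second.front();
}

// Checked shape: validate the iterator and the entry at run time in every
// build, and report which invariant was broken instead of guessing.
Lookup FirstCapability(const CandidateTable& table, uint32_t id, Capability* out) {
  auto it = table.find(id);
  if (it == table.end()) return Lookup::UnknownCaptureId;
  if (it->second.empty()) return Lookup::NoCapabilities;
  *out = it->second.front();
  return Lookup::Ok;
}

// Constructed sample data: id 1 is a normal device, id 2 reports zero
// capabilities, id 3 was never registered.
CandidateTable SampleTable() {
  return {{1, {{1280, 720, 30}, {640, 480, 30}}}, {2, {}}};
}

int main() {
  const CandidateTable table = SampleTable();
  for (uint32_t id : {1u, 2u, 3u}) {
    Capability cap{};
    Lookup r = FirstCapability(table, id, &cap);
    std::printf("capture id %u -> result %d (%dx%d)\n", static_cast<unsigned>(id),
                static_cast<int>(r), cap.width, cap.height);
  }
  return 0;
}
```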
Assignee
Updated•6 years ago
Keywords: checkin-needed, leave-open
Comment 9•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/530f8947e66c15581c0eac0ad3a39bd8d6856d48
Keywords: checkin-needed
Assignee
Updated•6 years ago
Keywords: leave-open
Assignee
Updated•6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
Target Milestone: --- → mozilla59
Updated•6 years ago
Group: media-core-security → core-security-release
Updated•6 years ago
Group: core-security-release