Closed Bug 1426129 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free near [@ mozilla::camera::PCamerasChild::SendNumberOfCaptureDevices]

Categories

(Core :: WebRTC, defect, P2)

Product:
Core
Component:
WebRTC
Version:
59 Branch
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla60
Tracking Flags:
Tracking Status
firefox-esr52 60+ fixed
firefox58 --- wontfix
firefox59 + wontfix
firefox60 + fixed

People

(Reporter: jkratzer, Assigned: padenot)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [adv-main60+][adv-esr52.8+][post-critsmash-triage])

Attachments

(5 files, 2 obsolete files)

Bug-1426129-hold-CamerasChild-via-promoting-this-to-a-RefPtr.patch
5.99 KB, patch
jib
: review+
abillings
: sec-approval+
Details | Diff | Splinter Review
Bug 1422820 - Don't recurse too much when shutting down cameras. r?pehrsons
3.81 KB, patch
pehrsons
: review+
Details | Diff | Splinter Review
Use `NewRunnableMethod` instead of the non-owning variant
8.14 KB, patch
pehrsons
: review+
Details | Diff | Splinter Review
rollup witht the threadsafe addref/release
11.99 KB, patch
lizzard
: approval-mozilla-release-
Details | Diff | Splinter Review
patch-esr52
10.49 KB, patch
pehrsons
: review+
RyanVM
: approval-mozilla-esr52+
Details | Diff | Splinter Review 
While reducing the testcase for bug 1422820 I routinely hit the following uaf in m-c rev 5572465c08a9.

I have not yet been able to produce a testcase which reliably triggers the uaf but will update if one becomes available.

==3314==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130001b1088 at pc 0x7ff8519356db bp 0x7ff7f775eef0 sp 0x7ff7f775eee8
READ of size 4 at 0x6130001b1088 thread T460 (Cameras IPC)
    #0 0x7ff8519356da in Id /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:181:33
    #1 0x7ff8519356da in mozilla::camera::PCamerasChild::SendNumberOfCaptureDevices(mozilla::camera::CaptureEngine const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCamerasChild.cpp:47
    #2 0x7ff8564eb52c in applyImpl<mozilla::camera::CamerasChild, bool (mozilla::camera::PCamerasChild::*)(const mozilla::camera::CaptureEngine &), StoreCopyPassByConstLRef<mozilla::camera::CaptureEngine> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #3 0x7ff8564eb52c in apply<mozilla::camera::CamerasChild, bool (mozilla::camera::PCamerasChild::*)(const mozilla::camera::CaptureEngine &)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #4 0x7ff8564eb52c in mozilla::detail::RunnableMethodImpl<mozilla::camera::CamerasChild*, bool (mozilla::camera::PCamerasChild::*)(mozilla::camera::CaptureEngine const&), false, (mozilla::RunnableKind)0, mozilla::camera::CaptureEngine>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #5 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #6 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #7 0x7ff85115a29f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #8 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #9 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #10 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #11 0x7ff8502c262e in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #12 0x7ff86c84cd7e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #13 0x7ff86fe456b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #14 0x7ff86eece3dc in clone /build/glibc-bfm8X4/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6130001b1088 is located 8 bytes inside of 384-byte region [0x6130001b1080,0x6130001b1200)
freed by thread T460 (Cameras IPC) here:
    #0 0x4c2f22 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7ff851102735 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/CamerasChild.h:152:3
    #2 0x7ff851102735 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41
    #3 0x7ff851102735 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #4 0x7ff851102735 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79
    #5 0x7ff851102735 in mozilla::ipc::BackgroundChildImpl::DeallocPCamerasChild(mozilla::camera::PCamerasChild*) /builds/worker/workspace/build/src/ipc/glue/BackgroundChildImpl.cpp:377
    #6 0x7ff851591ce2 in mozilla::ipc::PBackgroundChild::DeallocSubtree() /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2898:13
    #7 0x7ff85159427a in mozilla::ipc::PBackgroundChild::OnChannelError() /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2334:5
    #8 0x7ff851153d6b in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp
    #9 0x7ff85116b7f4 in applyImpl<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #10 0x7ff85116b7f4 in apply<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #11 0x7ff85116b7f4 in mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel*, void (mozilla::ipc::MessageChannel::*)(), false, (mozilla::RunnableKind)1>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #12 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #13 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #14 0x7ff85115a295 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #15 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7ff8502c262e in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #19 0x7ff86c84cd7e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #20 0x7ff86fe456b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T460 (Cameras IPC) here:
    #0 0x4c3263 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f3d2d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7ff85110266f in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7ff85110266f in mozilla::ipc::BackgroundChildImpl::AllocPCamerasChild() /builds/worker/workspace/build/src/ipc/glue/BackgroundChildImpl.cpp:361
    #4 0x7ff8515786f5 in mozilla::ipc::PBackgroundChild::SendPCamerasConstructor() /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:667:36
    #5 0x7ff8564e9262 in mozilla::camera::InitializeIPCThread::Run() /builds/worker/workspace/build/src/dom/media/systemservices/CamerasChild.cpp:103:76
    #6 0x7ff8503529dd in mozilla::SyncRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/SyncRunnable.h:112:16
    #7 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #8 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #9 0x7ff85115a100 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #10 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #11 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #12 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #13 0x7ff8502c262e in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #14 0x7ff86c84cd7e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #15 0x7ff86fe456b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T460 (Cameras IPC) created by T253 (MediaManager) here:
    #0 0x4ac5bd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7ff86c849acf in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7ff86c8496be in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7ff8502c43f3 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:594:8
    #4 0x7ff8502ccbd1 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:357:22
    #5 0x7ff8502e0dfb in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:134:45
    #6 0x7ff8564c8fd3 in NS_NewNamedThread<12> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:72:10
    #7 0x7ff8564c8fd3 in mozilla::camera::GetCamerasChild() /builds/worker/workspace/build/src/dom/media/systemservices/CamerasChild.cpp:123
    #8 0x7ff856625a2e in GetChildAndCall<int (mozilla::camera::CamerasChild::*)(mozilla::DeviceChangeCallback *), mozilla::MediaEngineWebRTC *> /builds/worker/workspace/build/src/obj-firefox/dist/include/CamerasChild.h:135:25
    #9 0x7ff856625a2e in mozilla::MediaEngineWebRTC::MediaEngineWebRTC(mozilla::MediaEnginePrefs&) /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineWebRTC.cpp:123
    #10 0x7ff855ff1515 in mozilla::MediaManager::GetBackend(unsigned long) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2909:20
    #11 0x7ff856044a55 in operator() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1721:30
    #12 0x7ff856044a55 in mozilla::media::LambdaTask<mozilla::MediaManager::EnumerateRawDevices(unsigned long, mozilla::dom::MediaSourceEnum, mozilla::dom::MediaSourceEnum, bool)::$_1>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/media/MediaTaskUtils.h:37
    #13 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #14 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #15 0x7ff85115a295 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #16 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #17 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #18 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #19 0x7ff8510cbdaf in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #20 0x7ff8510bd81c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #21 0x7ff86fe456b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T253 (MediaManager) created by T0 (file:// Content) here:
    #0 0x4ac5bd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7ff8510bb16f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7ff8510bb16f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7ff8510cb74f in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7ff855fe10a8 in mozilla::MediaManager::Get() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1865:36
    #5 0x7ff855f03865 in mozilla::dom::MediaDevices::AddEventListener(nsTSubstring<char16_t> const&, mozilla::dom::EventListener*, mozilla::dom::AddEventListenerOptionsOrBoolean const&, mozilla::dom::Nullable<bool> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaDevices.cpp:299:3
    #6 0x7ff854f1ab04 in mozilla::dom::EventTargetBinding::addEventListener(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:850:9
    #7 0x7ff854f19a36 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1150:13
    #8 0x7ff85bf89ae1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #9 0x7ff85bf89ae1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #10 0x7ff85bf6fb48 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #11 0x7ff85bf6fb48 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #12 0x7ff85bf5c2b0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #13 0x7ff85bf8c9b1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #14 0x7ff85bfe0c3a in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:323:12
    #15 0x7ff85bfe0153 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:416:12
    #16 0x238cd5d98af5  (<unknown module>)
    #17 0x6210001ae9f7  (<unknown module>)
    #18 0x238cd5d98ce1  (<unknown module>)
    #19 0x621000203e87  (<unknown module>)
    #20 0x238cd5d314e7  (<unknown module>)
    #21 0x7ff85c202e4b in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:149:9
    #22 0x7ff85c202e4b in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:226
    #23 0x7ff85bf7d984 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2049:28
    #24 0x7ff85bf5c2b0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #25 0x7ff85bf8c9b1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #26 0x7ff85bf8d14f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
    #27 0x7ff85ca97ee6 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
    #28 0x7ff8535c5686 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #29 0x7ff8574052f9 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2285:25
    #30 0x7ff857400729 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1927:10
    #31 0x7ff8573e2f6a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1625:10
    #32 0x7ff8573deee7 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #33 0x7ff8523b40e6 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:226:18
    #34 0x7ff8523b40e6 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:735
    #35 0x7ff8523ad38d in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:539:7
    #36 0x7ff8523b9f9f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:56:18
    #37 0x7ff8502a0f44 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #38 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #39 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #40 0x7ff851158e9a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #41 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #42 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #43 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #44 0x7ff857590e5a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #45 0x7ff85bca778b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:865:22
    #46 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #47 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #48 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #49 0x7ff85bca717d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #50 0x4f2e8c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #51 0x4f2e8c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #52 0x7ff86ede782f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:181:33 in Id
Shadow bytes around the buggy address:
  0x0c268002e1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c268002e210: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268002e220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268002e230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268002e240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3314==ABORTING
Group: core-security → media-core-security
Keywords: csectype-uaf, sec-high
See Also: → 1422820
It looks like CamerasChild::NumberOfCaptureDevices() creates a runnable with a weak (?) pointer to |this|, so we can end up firing off the runnable after it was destroyed.
The code contains quite a bit of machinery to make that impossible, but the crash stack shows "mozilla::ipc::PBackgroundChild::OnChannelError()" "mozilla::ipc::BackgroundChildImpl::DeallocPCamerasChild" which probably violates all assumptions about proper shutdown.
Jesup, can you find an owner? I see there's shutdown work in bug 1428390.
Flags: needinfo?(rjesup)
https://dxr.mozilla.org/mozilla-central/rev/c38d22170d6f27e94c3c53093215d20255fab27a/dom/media/systemservices/CamerasChild.cpp#279

It's supposed to block while the Runnable executes, but if the IPC channel dies it will give up, e.g:
https://dxr.mozilla.org/mozilla-central/rev/c38d22170d6f27e94c3c53093215d20255fab27a/dom/media/systemservices/CamerasChild.cpp#711

At this point we can't guarantee that the destructor won't run while the Runnables are still outstanding.
jib?  Munro?
Flags: needinfo?(rjesup) → needinfo?(jib)
Both Munro and Andreas are on PTO until next week. Needinfo'ing both of them. Also, can someone add me to bug 1422820?
Flags: needinfo?(mchiang)
Flags: needinfo?(jib)
Flags: needinfo?(apehrson)
Looks like same-thread queued runnables not holding `this` alive. CamerasChild is apparently refcountable already [1]. Would promoting `this` to a RefPtr passed to the runnable solve this [2]?

[1] https://searchfox.org/mozilla-central/rev/88439dc6c5b02e167032374071cdc697a056efa1/ipc/glue/BackgroundChildImpl.cpp#372
[2] https://searchfox.org/mozilla-central/rev/03877052c151a8f062eea177f684a2743cd7b1d5/dom/media/systemservices/CamerasChild.cpp#312
Quite possibly.... 'this' with lambdas or BlahRunnableFrom/etc is a dangerous pattern unless it's known to be held alive in some other way
Rank: 12
Priority: -- → P2
Assignee: nobody → mchiang
Flags: needinfo?(mchiang)
Could you add me into bug 1422820?
I want to verify my wip with the reduced test case.
Flags: needinfo?(jkratzer)
Comment on attachment 8942830 [details] [diff] [review]
Bug-1426129-hold-CamerasChild-via-promoting-this-to-a-RefPtr.patch

Review of attachment 8942830 [details] [diff] [review]:
-----------------------------------------------------------------

Lgtm.
Attachment #8942830 - Flags: review?(jib) → review+
(In reply to Munro Mengjue Chiang [:mchiang] from comment #10)
> Could you add me into bug 1422820?
> I want to verify my wip with the reduced test case.

Done.
Flags: needinfo?(jkratzer)
Comment on attachment 8942830 [details] [diff] [review]
Bug-1426129-hold-CamerasChild-via-promoting-this-to-a-RefPtr.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Hard to inject anything of substance

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?
all supported branches

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

backport should be trivial

How likely is this patch to cause regressions; how much testing does it need?
very low. Run fuzzing with domfuzz2.
Attachment #8942830 - Flags: sec-approval?
This is too late for 58 and this release cycle.

This has sec-approval for checkin on February 6, two weeks into the next cycle. At that point, you should nominate a patch for beta and ESR52 as well.
status-firefox58: --- → wontfix
status-firefox60: --- → affected
status-firefox-esr52: --- → affected
tracking-firefox60: --- → +
tracking-firefox-esr52: --- → ?
Whiteboard: [checkin on 2/6]
Attachment #8942830 - Flags: sec-approval? → sec-approval+
Flags: needinfo?(apehrson)
Assignee: bonchiang → apehrson
Status: NEW → ASSIGNED
Wouldn't it be generally simpler and safer to use NS_NewRunnableMethod, so that the runnable is holding a reference to the CamerasChild for the entire lifetime of the runnable, rather than a single reference being held while the runnable is being dispatched?
https://hg.mozilla.org/integration/mozilla-inbound/rev/c59fcd67f97923d48aa359643d9bb37ab27e7a0c

This grafts cleanly to Beta as-landed. Please request approval on it when you get a chance. It'll also need a rebased patch for ESR52 (doesn't graft cleanly).
tracking-firefox59: --- → +
tracking-firefox-esr52: ?59+
Flags: needinfo?(apehrson)
Whiteboard: [checkin on 2/6]
(In reply to Andreas Pehrson [:pehrsons] from comment #18)
> (In reply to Nathan Froyd [:froydnj] from comment #17)
> > Wouldn't it be generally simpler and safer to use NS_NewRunnableMethod, so
> > that the runnable is holding a reference to the CamerasChild for the entire
> > lifetime of the runnable, rather than a single reference being held while
> > the runnable is being dispatched?
> 
> I agree this would be simpler. However with this checkin happening tomorrow
> I'm leaning towards letting this patch go in as is. I have double checked
> that all uses of this pattern in this patch captures `self` in the lambda so
> it's safe. I can do this conversion in a followup that will ride the trains
> instead.

Wait those are not lambda captures. Ugh. This will need a retake.
Ok, the landing was backed out anyway. I'm not sure why things failed:
https://hg.mozilla.org/integration/mozilla-inbound/rev/927dfa701c40

So we'll put up a new patch and do the whole cycle all over.

And with me knee deep in a bunch of other issues, Paul will take this one over, in case the android issues seen on try needs further investigation.
Assignee: apehrson → padenot
Flags: needinfo?(apehrson)
This is a double lock, here are annotated stackframes leading to this:

  0  libmozglue.so!mozilla::detail::MutexImpl::lock [Mutex_posix.cpp:74 + 0x0]
  1  libxul.so!mozilla::OffTheBooksMutex::Lock [BlockingResourceBase.cpp:385 + 0x5]
  2  libxul.so!mozilla::BaseAutoLock<mozilla::OffTheBooksMutex>::BaseAutoLock [Mutex.h:166 + 0x3]
  3  libxul.so!mozilla::camera::CamerasChild::~CamerasChild [CamerasChild.cpp:732 + 0x7]
  4  libxul.so!mozilla::camera::CamerasChild::~CamerasChild [CamerasChild.cpp:728 + 0x3]
  5  libxul.so!mozilla::camera::CamerasChild::Release [CamerasChild.h:151 + 0x9]
  6  libxul.so!RefPtr<mozilla::camera::CamerasChild>::~RefPtr [RefPtr.h:41 + 0x3]
  7  libxul.so!mozilla::camera::CamerasChild::ShutdownParent [CamerasChild.cpp: 626 + 0xb]
  8  libxul.so!mozilla::camera::CamerasChild::ShutdownAll [CamerasChild.cpp: 604 + 0x3]
  9  libxul.so!mozilla::camera::Shutdown [CamerasChild.cpp:578 + 0x3]
 10  libxul.so!mozilla::MediaEngineWebRTC::Shutdown [MediaEngineWebRTC.cpp:354 + 0x3]

Stack frame 9 we take the global singleton mutex.
In the dtor of CameraChild (stack frame 3 and below), we are trying to re-acquire this mutex, and it errors out in debug, probably locks up in release builds.
Gross fix for the above analysis. The whole problem boils down to the fact that this is doing resources management in the dtor, and this should never be the case.

Green on try.
Attachment #8949757 - Flags: review?(apehrson)
Comment on attachment 8949757 [details] [diff] [review]
Bug 1422820 - Don't recurse too much when shutting down cameras. r?pehrsons

Review of attachment 8949757 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for fixing this Paul!
Attachment #8949757 - Flags: review?(apehrson) → review+
We already have sec-approval here and we're past the 6th, I'm landing this. Will nominate for the other affected branches a bit later.
https://hg.mozilla.org/mozilla-central/rev/425d921fee55
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox60: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
Group: media-core-security → core-security-release
Is this ready for uplift requests?
Flags: needinfo?(padenot)
Yes.
Flags: needinfo?(padenot)
Comment on attachment 8942830 [details] [diff] [review]
Bug-1426129-hold-CamerasChild-via-promoting-this-to-a-RefPtr.patch

Approval Request Comment
[Feature/Bug causing the regression]: UAF leading to a crash.
[User impact if declined]: Crash, possible exploit, as often with UAFs.
[Is this code covered by automated tests?]: This crashes during shutdown in some tests we already have.
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: The two patches in this bug.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: This has baked on nightly for some time, also it's clearly a programming error (missing lock).
[String changes made/needed]: None.
Attachment #8942830 - Flags: approval-mozilla-beta?
It's unclear how to test this. The attachment in the other bug does not make it crash for me.
Attachment #8953503 - Flags: review?(apehrson)
Comment on attachment 8953503 [details] [diff] [review]
Use `NewRunnableMethod` instead of the non-owning variant

Review of attachment 8953503 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/media/systemservices/CamerasChild.cpp
@@ +298,2 @@
>        "camera::PCamerasChild::SendNumberOfCapabilities",
>        self,

Thanks! Note that you no longer need `self` now. Pass the rawptr `this` and it'll be addrefed automatically.
Attachment #8953503 - Flags: review?(apehrson) → review+
Based on IRC conversation with Andreas, this bug should have been reopened given the ongoing work happening in it. Also, I think a rollup patch for Beta/ESR52 uplifts would be helpful.
Status: RESOLVED → REOPENED
status-firefox60: fixedaffected
Resolution: FIXED → ---
Target Milestone: mozilla60 → ---
Comment on attachment 8942830 [details] [diff] [review]
Bug-1426129-hold-CamerasChild-via-promoting-this-to-a-RefPtr.patch

Canceling the uplift request for now.
Attachment #8942830 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/ee3fdd1fb7be
Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
status-firefox60: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla60
I'm still seeing this as recent as m-c rev b184be598740.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
FYI
Flags: needinfo?(padenot)
Flags: needinfo?(apehrson)
Jason, can you repro with the same test-case? I've been unsuccessful in doing so, do you do anything specific maybe ?
Flags: needinfo?(padenot) → needinfo?(jkratzer)
padenot owns this issue.
Flags: needinfo?(apehrson)
(In reply to Paul Adenot (:padenot) from comment #39)
> Jason, can you repro with the same test-case? I've been unsuccessful in
> doing so, do you do anything specific maybe ?

No.  It appears that the original testcase only triggers the issue in bug 1422820.  I'm trying to find a testcase that reproduces for this issue but don't currently have one.
Flags: needinfo?(jkratzer)
Given that we seem to all agree that the original testcase is indeed fixed, I think we should re-resolve this bug. Can we move any more follow-ups into a new bug if/when a different testcase is found?

Also, we're extremely low on time to get this fixed in Fx59 and ESR 52.7.0 as both have RC builds coming in the next few days. We could really use roll-up patches and approval requests at this point so we can close this out and not make tracking a pain.
Flags: needinfo?(padenot)
Attached patch rollup-beta.patch (obsolete) — Splinter Review 
Approval Request Comment
[Feature/Bug causing the regression]: UAF leading to a crash.
[User impact if declined]: Crash, possible exploit, as often with UAFs.
[Is this code covered by automated tests?]: This crashes during shutdown in some tests we already have.
[Has the fix been verified in Nightly?]: yes, but somehow it can be reproduced in another way but we don't have a test-case.
[Needs manual test from QE? If yes, steps to reproduce]: No
[List of other uplifts needed for the feature/fix]: This is a self contained patch that applies to beta.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Baked for some time, fixes the test cases when running locally.
[String changes made/needed]: None.
Flags: needinfo?(padenot)
Attachment #8956116 - Flags: approval-mozilla-beta?
Comment on attachment 8956116 [details] [diff] [review]
rollup-beta.patch

This is meant for 59, so let's uplift to m-r.
Attachment #8956116 - Flags: approval-mozilla-release+
Attachment #8956116 - Flags: approval-mozilla-beta?
Attachment #8956116 - Flags: approval-mozilla-beta-
Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → FIXED
Landed:
https://hg.mozilla.org/releases/mozilla-beta/rev/d613c28bb2fc2771d381e43b3b7f8e25553b50a7 (FIREFOX_59b_RELBRANCH)
https://hg.mozilla.org/releases/mozilla-release/rev/d656aa52e9d6a6bbda825354867f5d9f0bf53cd2

And backed out for crashing in mda's dom/media/tests/mochitest/test_enumerateDevices.html:
https://hg.mozilla.org/releases/mozilla-beta/rev/e633045eb64aa3935340eda5cacfbedcd5d72110 (FIREFOX_59b_RELBRANCH)
https://hg.mozilla.org/releases/mozilla-release/rev/2f6a4d2cf42c9d59626061d45c043817cb220814

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&revision=51cb98b0074df774faf333f2b3a2e977e8b97f8c&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=retry&filter-resultStatus=usercancel&filter-resultStatus=runnable

Failure log Android test_enumerateDevices.html: https://treeherder.mozilla.org/logviewer.html#?job_id=166045621&repo=mozilla-release

[task 2018-03-05T19:23:20.071Z] 19:23:20     INFO -  9 INFO None10 INFO TEST-START | dom/media/tests/mochitest/test_enumerateDevices.html
[task 2018-03-05T19:24:11.523Z] 19:24:11     INFO -  INFO | automation.py | Application ran for: 0:04:07.108848
[task 2018-03-05T19:24:11.523Z] 19:24:11     INFO -  INFO | zombiecheck | Reading PID log: /tmp/tmpm3atWwpidlog
[task 2018-03-05T19:24:12.610Z] 19:24:12     INFO -  mozcrash Copy/paste: /usr/local/bin/linux64-minidump_stackwalk /tmp/tmpOugc90/6221edd3-e7dd-d648-1485-a663aaf41305.dmp /builds/worker/workspace/build/symbols
[task 2018-03-05T19:24:21.648Z] 19:24:21     INFO -  mozcrash Saved minidump as /builds/worker/workspace/build/blobber_upload_dir/6221edd3-e7dd-d648-1485-a663aaf41305.dmp
[task 2018-03-05T19:24:21.649Z] 19:24:21     INFO -  mozcrash Saved app info as /builds/worker/workspace/build/blobber_upload_dir/6221edd3-e7dd-d648-1485-a663aaf41305.extra
[task 2018-03-05T19:24:21.653Z] 19:24:21  WARNING -  PROCESS-CRASH | dom/media/tests/mochitest/test_enumerateDevices.html | application crashed [@ MOZ_CrashOOL]
[task 2018-03-05T19:24:21.653Z] 19:24:21     INFO -  Crash dump filename: /tmp/tmpOugc90/6221edd3-e7dd-d648-1485-a663aaf41305.dmp
[task 2018-03-05T19:24:21.655Z] 19:24:21     INFO -  Operating system: Android
[task 2018-03-05T19:24:21.655Z] 19:24:21     INFO -                    0.0.0 Linux 2.6.29-gea477bb #1 Wed Sep 26 11:04:45 PDT 2012 armv7l
[task 2018-03-05T19:24:21.655Z] 19:24:21     INFO -  CPU: arm
[task 2018-03-05T19:24:21.655Z] 19:24:21     INFO -       ARMv7 ARM Cortex-A8 features: swp,half,thumb,fastmult,vfpv2,edsp,neon,vfpv3
[task 2018-03-05T19:24:21.655Z] 19:24:21     INFO -       1 CPU
[task 2018-03-05T19:24:21.655Z] 19:24:21     INFO -  GPU: UNKNOWN
[task 2018-03-05T19:24:21.655Z] 19:24:21     INFO -  Crash reason:  SIGSEGV
[task 2018-03-05T19:24:21.655Z] 19:24:21     INFO -  Crash address: 0x0
[task 2018-03-05T19:24:21.656Z] 19:24:21     INFO -  Process uptime: not available
[task 2018-03-05T19:24:21.656Z] 19:24:21     INFO -  Thread 62 (crashed)
[task 2018-03-05T19:24:21.656Z] 19:24:21     INFO -   0  libmozglue.so!MOZ_CrashOOL [Assertions.cpp:51cb98b0074d : 33 + 0x0]
[task 2018-03-05T19:24:21.656Z] 19:24:21     INFO -       r0 = 0x00000000    r1 = 0x5a7d2ebe    r2 = 0x5e4201b7    r3 = 0x0000002e
[task 2018-03-05T19:24:21.656Z] 19:24:21     INFO -       r4 = 0x5e466dcd    r5 = 0x0000002e    r6 = 0x687041c0    r7 = 0x53bffb48
[task 2018-03-05T19:24:21.656Z] 19:24:21     INFO -       r8 = 0x53bffbd0    r9 = 0x5b890b51   r10 = 0x59af3b44   r12 = 0x00000003
[task 2018-03-05T19:24:21.657Z] 19:24:21     INFO -       fp = 0x53bffcf8    sp = 0x53bffb40    lr = 0x52783cf9    pc = 0x52798304
[task 2018-03-05T19:24:21.657Z] 19:24:21     INFO -      Found by: given as instruction pointer in context
[task 2018-03-05T19:24:21.657Z] 19:24:21     INFO -   1  libxul.so!nsAutoOwningThread::AssertCurrentThreadOwnsMe [nsISupportsImpl.cpp:51cb98b0074d : 46 + 0xb]
[task 2018-03-05T19:24:21.657Z] 19:24:21     INFO -       r4 = 0x5e466dcd    r5 = 0x55a8ff80    r6 = 0x687041c0    r7 = 0x53bffb58
[task 2018-03-05T19:24:21.658Z] 19:24:21     INFO -       r8 = 0x53bffbd0    r9 = 0x5b890b51   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.658Z] 19:24:21     INFO -       sp = 0x53bffb50    lr = 0x5b2fc963    pc = 0x5b2fc963
[task 2018-03-05T19:24:21.658Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.659Z] 19:24:21     INFO -   2  libxul.so!mozilla::camera::CamerasChild::AddRef [nsISupportsImpl.h:51cb98b0074d : 69 + 0x5]
[task 2018-03-05T19:24:21.659Z] 19:24:21     INFO -       r4 = 0x55624c50    r5 = 0x53bffbf4    r6 = 0x687041c0    r7 = 0x53bffb68
[task 2018-03-05T19:24:21.659Z] 19:24:21     INFO -       r8 = 0x53bffbd0    r9 = 0x5b890b51   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.659Z] 19:24:21     INFO -       sp = 0x53bffb60    lr = 0x5b66dc3f    pc = 0x5b66dc3f
[task 2018-03-05T19:24:21.660Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.660Z] 19:24:21     INFO -   3  libxul.so!RefPtr<mozilla::camera::CamerasChild>::RefPtr [RefPtr.h:51cb98b0074d : 38 + 0x5]
[task 2018-03-05T19:24:21.660Z] 19:24:21     INFO -       r4 = 0x687041d0    r5 = 0x53bffbf4    r6 = 0x687041c0    r7 = 0x53bffb78
[task 2018-03-05T19:24:21.661Z] 19:24:21     INFO -       r8 = 0x53bffbd0    r9 = 0x5b890b51   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.661Z] 19:24:21     INFO -       sp = 0x53bffb70    lr = 0x5b66d04b    pc = 0x5b66d04b
[task 2018-03-05T19:24:21.661Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.662Z] 19:24:21     INFO -   4  libxul.so!mozilla::detail::RunnableMethodImpl<mozilla::camera::CamerasChild *, bool (mozilla::camera::PCamerasChild::*)(const mozilla::camera::CaptureEngine &), true, mozilla::RunnableKind::Standard, mozilla::camera::CaptureEngine>::RunnableMethodImpl<mozilla::camera::CamerasChild *, mozilla::camera::CaptureEngine &> [nsThreadUtils.h:51cb98b0074d : 737 + 0x3]
[task 2018-03-05T19:24:21.662Z] 19:24:21     INFO -       r4 = 0x5b890b51    r5 = 0x53bffbf4    r6 = 0x687041c0    r7 = 0x53bffb90
[task 2018-03-05T19:24:21.662Z] 19:24:21     INFO -       r8 = 0x53bffbd0    r9 = 0x5b890b51   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.662Z] 19:24:21     INFO -       sp = 0x53bffb80    lr = 0x5c5d736b    pc = 0x5c5d736b
[task 2018-03-05T19:24:21.663Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.663Z] 19:24:21     INFO -   5  libxul.so!mozilla::NewRunnableMethod<mozilla::camera::CaptureEngine, mozilla::camera::CamerasChild *, bool (mozilla::camera::PCamerasChild::*)(const mozilla::camera::CaptureEngine &), mozilla::camera::CaptureEngine &> [nsThreadUtils.h:51cb98b0074d : 1477 + 0xf]
[task 2018-03-05T19:24:21.663Z] 19:24:21     INFO -       r4 = 0x687041c0    r5 = 0x53bffbf4    r6 = 0x5c5d0924    r7 = 0x53bffbc0
[task 2018-03-05T19:24:21.663Z] 19:24:21     INFO -       r8 = 0x53bffbd0    r9 = 0x5b890b51   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.664Z] 19:24:21     INFO -       sp = 0x53bffb98    lr = 0x5c5d0ce5    pc = 0x5c5d0ce5
[task 2018-03-05T19:24:21.664Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.664Z] 19:24:21     INFO -   6  libxul.so!mozilla::camera::CamerasChild::EnsureInitialized [CamerasChild.cpp:51cb98b0074d : 339 + 0xb]
[task 2018-03-05T19:24:21.665Z] 19:24:21     INFO -       r4 = 0x53bffbd0    r5 = 0x55624c50    r6 = 0x53bffbf4    r7 = 0x53bffc18
[task 2018-03-05T19:24:21.665Z] 19:24:21     INFO -       r8 = 0x53bffc5c    r9 = 0x00000000   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.665Z] 19:24:21     INFO -       sp = 0x53bffbc8    lr = 0x5c5d08cd    pc = 0x5c5d08cd
[task 2018-03-05T19:24:21.665Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.666Z] 19:24:21     INFO -   7  libxul.so!mozilla::camera::CamerasChild::AddDeviceChangeCallback [CamerasChild.cpp:51cb98b0074d : 171 + 0x7]
[task 2018-03-05T19:24:21.666Z] 19:24:21     INFO -       r4 = 0x55a8fc80    r5 = 0x55624c50    r6 = 0x53bffc60    r7 = 0x53bffc28
[task 2018-03-05T19:24:21.666Z] 19:24:21     INFO -       r8 = 0x53bffc5c    r9 = 0x53bffd87   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.669Z] 19:24:21     INFO -       sp = 0x53bffc20    lr = 0x5c5d0893    pc = 0x5c5d0893
[task 2018-03-05T19:24:21.669Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.669Z] 19:24:21     INFO -   8  libxul.so!mozilla::camera::GetChildAndCall<int (mozilla::camera::CamerasChild::*)(mozilla::DeviceChangeCallback *), mozilla::MediaEngineWebRTC *> + 0x47
[task 2018-03-05T19:24:21.669Z] 19:24:21     INFO -       r4 = 0x53bffc34    r5 = 0xffffffff    r6 = 0x53bffc60    r7 = 0x53bffc50
[task 2018-03-05T19:24:21.669Z] 19:24:21     INFO -       r8 = 0x53bffc5c    r9 = 0x53bffd87   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -       sp = 0x53bffc30    lr = 0x5c60d43d    pc = 0x5c60d43d
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -   9  libxul.so!mozilla::MediaEngineWebRTC::MediaEngineWebRTC [MediaEngineWebRTC.cpp:51cb98b0074d : 122 + 0x3]
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -       r4 = 0x55a8fc80    r5 = 0x55a8fcc7    r6 = 0x53bffc6c    r7 = 0x53bffc80
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -       r8 = 0x59d41cc0    r9 = 0x53bffd87   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -       sp = 0x53bffc58    lr = 0x5c60d39f    pc = 0x5c60d39f
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -  10  libxul.so!mozilla::MediaManager::GetBackend [MediaManager.cpp:51cb98b0074d : 2916 + 0x3]
[task 2018-03-05T19:24:21.670Z] 19:24:21     INFO -       r4 = 0x68858740    r5 = 0x688587f8    r6 = 0x55a8fc80    r7 = 0x53bffc98
[task 2018-03-05T19:24:21.671Z] 19:24:21     INFO -       r8 = 0x59d41cc0    r9 = 0x53bffd87   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.671Z] 19:24:21     INFO -       sp = 0x53bffc88    lr = 0x5c500655    pc = 0x5c500655
[task 2018-03-05T19:24:21.671Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.671Z] 19:24:21     INFO -  11  libxul.so!mozilla::media::LambdaTask<(lambda at /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1711:39)>::Run [MediaManager.cpp:51cb98b0074d : 1723 + 0x3]
[task 2018-03-05T19:24:21.671Z] 19:24:21     INFO -       r4 = 0x59af3b30    r5 = 0x53bffcf8    r6 = 0x00000001    r7 = 0x53bffce0
[task 2018-03-05T19:24:21.672Z] 19:24:21     INFO -       r8 = 0x59d41cc0    r9 = 0x53bffd87   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.672Z] 19:24:21     INFO -       sp = 0x53bffca0    lr = 0x5c510a35    pc = 0x5c510a35
[task 2018-03-05T19:24:21.672Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.673Z] 19:24:21     INFO -  12  libxul.so!mozilla::media::LambdaTask<(lambda at /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:3258:40)>::Run [MediaManager.cpp:51cb98b0074d : 3259 + 0x5]
[task 2018-03-05T19:24:21.673Z] 19:24:21     INFO -       r4 = 0x59af3b30    r5 = 0x53bffcf8    r6 = 0x00000001    r7 = 0x53bffce8
[task 2018-03-05T19:24:21.673Z] 19:24:21     INFO -       r8 = 0x00000001    r9 = 0x53bffd87   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.674Z] 19:24:21     INFO -       sp = 0x53bffce8    lr = 0x5c513655    pc = 0x5c513655
[task 2018-03-05T19:24:21.674Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.674Z] 19:24:21     INFO -  13  libxul.so!nsThread::ProcessNextEvent [nsThread.cpp:51cb98b0074d : 1040 + 0x5]
[task 2018-03-05T19:24:21.674Z] 19:24:21     INFO -       r4 = 0x59af3b30    r5 = 0x53bffcf8    r6 = 0x00000001    r7 = 0x53bffd78
[task 2018-03-05T19:24:21.674Z] 19:24:21     INFO -       r8 = 0x00000001    r9 = 0x53bffd87   r10 = 0x59af3b44    fp = 0x53bffcf8
[task 2018-03-05T19:24:21.675Z] 19:24:21     INFO -       sp = 0x53bffcf0    lr = 0x5b34db09    pc = 0x5b34db09
[task 2018-03-05T19:24:21.675Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.675Z] 19:24:21     INFO -  14  libxul.so!NS_ProcessNextEvent [nsThreadUtils.cpp:51cb98b0074d : 517 + 0xd]
[task 2018-03-05T19:24:21.676Z] 19:24:21     INFO -       r4 = 0x00000001    r5 = 0x59af3b30    r6 = 0x00000000    r7 = 0x53bffd98
[task 2018-03-05T19:24:21.676Z] 19:24:21     INFO -       r8 = 0x5598fa7c    r9 = 0x59af3b30   r10 = 0x5598fa70    fp = 0x2a36c198
[task 2018-03-05T19:24:21.676Z] 19:24:21     INFO -       sp = 0x53bffd80    lr = 0x5b354c81    pc = 0x5b354c81
[task 2018-03-05T19:24:21.676Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.677Z] 19:24:21     INFO -  15  libxul.so!mozilla::ipc::MessagePumpForNonMainThreads::Run [MessagePump.cpp:51cb98b0074d : 364 + 0x7]
[task 2018-03-05T19:24:21.677Z] 19:24:21     INFO -       r4 = 0x5598fa60    r5 = 0x53bffe18    r6 = 0x00000000    r7 = 0x53bffdc0
[task 2018-03-05T19:24:21.677Z] 19:24:21     INFO -       r8 = 0x5598fa7c    r9 = 0x59af3b30   r10 = 0x5598fa70    fp = 0x2a36c198
[task 2018-03-05T19:24:21.677Z] 19:24:21     INFO -       sp = 0x53bffda0    lr = 0x5b6823a9    pc = 0x5b6823a9
[task 2018-03-05T19:24:21.678Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.678Z] 19:24:21     INFO -  16  libxul.so!MessageLoop::RunInternal [message_loop.cc:51cb98b0074d : 326 + 0x7]
[task 2018-03-05T19:24:21.678Z] 19:24:21     INFO -       r4 = 0x53bffe18    r5 = 0x5973def4    r6 = 0x00000005    r7 = 0x53bffde0
[task 2018-03-05T19:24:21.679Z] 19:24:21     INFO -       r8 = 0x53bffe18    r9 = 0x53b00000   r10 = 0x53bfff00    fp = 0x2a36c198
[task 2018-03-05T19:24:21.679Z] 19:24:21     INFO -       sp = 0x53bffdc8    lr = 0x5b63e105    pc = 0x5b63e105
[task 2018-03-05T19:24:21.679Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.680Z] 19:24:21     INFO -  17  libxul.so!MessageLoop::Run [message_loop.cc:51cb98b0074d : 319 + 0x5]
[task 2018-03-05T19:24:21.680Z] 19:24:21     INFO -       r0 = 0x53bffe18    r1 = 0x00000000    r2 = 0x00000001    r3 = 0x000003c2
[task 2018-03-05T19:24:21.680Z] 19:24:21     INFO -       r4 = 0x53bffe18    r5 = 0x5973def4    r6 = 0x00000005    r7 = 0x53bffe00
[task 2018-03-05T19:24:21.680Z] 19:24:21     INFO -       r8 = 0x53bffe18    r9 = 0x53b00000   r10 = 0x53bfff00    fp = 0x2a36c198
[task 2018-03-05T19:24:21.680Z] 19:24:21     INFO -       sp = 0x53bffde8    lr = 0x5b63e0b3    pc = 0x5b63e0b3
[task 2018-03-05T19:24:21.681Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.681Z] 19:24:21     INFO -  18  libxul.so!base::Thread::ThreadMain [thread.cc:51cb98b0074d : 181 + 0x5]
[task 2018-03-05T19:24:21.681Z] 19:24:21     INFO -       r0 = 0x00000001    r1 = 0x00000000    r2 = 0x53bffe18    r3 = 0x00000000
[task 2018-03-05T19:24:21.681Z] 19:24:21     INFO -       r4 = 0x5973dee0    r5 = 0x5973def4    r6 = 0x00000005    r7 = 0x53bffed8
[task 2018-03-05T19:24:21.681Z] 19:24:21     INFO -       r8 = 0x53bffe18    r9 = 0x53b00000   r10 = 0x53bfff00    fp = 0x2a36c198
[task 2018-03-05T19:24:21.681Z] 19:24:21     INFO -       sp = 0x53bffe08    lr = 0x5b64930f    pc = 0x5b64930f
[task 2018-03-05T19:24:21.681Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.681Z] 19:24:21     INFO -  19  libxul.so!ThreadFunc [platform_thread_posix.cc:51cb98b0074d : 38 + 0x5]
[task 2018-03-05T19:24:21.682Z] 19:24:21     INFO -       r4 = 0x53bfff00    r5 = 0x2a36c198    r6 = 0x5b641787    r7 = 0x53bffee0
[task 2018-03-05T19:24:21.682Z] 19:24:21     INFO -       r8 = 0x5973dee8    r9 = 0x53b00000   r10 = 0x53bfff00    fp = 0x2a36c198
[task 2018-03-05T19:24:21.682Z] 19:24:21     INFO -       sp = 0x53bffee0    lr = 0x5b641791    pc = 0x5b641791
[task 2018-03-05T19:24:21.682Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.683Z] 19:24:21     INFO -  20  libc.so + 0xca5a
[task 2018-03-05T19:24:21.683Z] 19:24:21     INFO -       r4 = 0x53bfff00    r5 = 0x2a36c198    r6 = 0x5b641787    r7 = 0x5973dee0
[task 2018-03-05T19:24:21.683Z] 19:24:21     INFO -       r8 = 0x5973dee8    r9 = 0x53b00000   r10 = 0x53bfff00    fp = 0x2a36c198
[task 2018-03-05T19:24:21.683Z] 19:24:21     INFO -       sp = 0x53bffee8    lr = 0x40033a5c    pc = 0x40033a5c
[task 2018-03-05T19:24:21.683Z] 19:24:21     INFO -      Found by: call frame info
[task 2018-03-05T19:24:21.683Z] 19:24:21     INFO -  21  libc.so + 0xcbd6
[task 2018-03-05T19:24:21.685Z] 19:24:21     INFO -       sp = 0x53bfff00    pc = 0x40033bd8
[task 2018-03-05T19:24:21.685Z] 19:24:21     INFO -      Found by: stack scanning
[task 2018-03-05T19:24:21.685Z] 19:24:21     INFO -  22  dalvik-jit-code-cache (deleted) + 0x2debc
[task 2018-03-05T19:24:21.685Z] 19:24:21     INFO -       sp = 0x53bfff18    pc = 0x5a7d2ebe
[task 2018-03-05T19:24:21.685Z] 19:24:21     INFO -      Found by: stack scanning


On Linux dom/media/tests/mochitest/test_fingerprinting_resistance.html fails: https://treeherder.mozilla.org/logviewer.html#?job_id=166047160&repo=mozilla-release Might be the same reason.
Flags: needinfo?(padenot)
We may need to wontfix this for 59. 

dveditz, is that ok with you or should we push to get this into RC2? 
Can it wait for either a dot release, or for 60?
Flags: needinfo?(dveditz)
I'd suggest 60. Even in a dot release, if we're not ready to take this now, would it really be something we'd want to add to a chemspill?
Flags: needinfo?(jib)
Agree with Al: if it's dodgy for 59.0 with a week to go we should not consider dropping it into a point release!
status-firefox59: affectedwontfix
tracking-firefox-esr52: 59+60+
Flags: needinfo?(dveditz)
No panic, I had just missed that the old branch was having non-thread safe addref and release. Here is a push with it added:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=e5c3da3ae3ca4aeeac77b609dea8c4924f6ff754
Flags: needinfo?(padenot)

        Attachment #8956116 -
        Attachment is obsolete: true

        Attachment #8956534 -
        Flags: approval-mozilla-release?

    
    

    
  
Liz, your call if you want to take this new one, try looks good and the reason for the failures is pretty obvious. Obviously it should have been caught locally but time is a bit tight as minute.
Flags: needinfo?(lhenry)

    
    

    
  
Comment on attachment 8956534 [details] [diff] [review]
rollup witht the threadsafe addref/release

With a lot of issues in flux right now that we can't avoid, I'd like to stick with this landing for 60. We actually would have more time in a dot release (not a chemspill) situation for landing and testing this than we do now. Right now for the RC2, anything extra we try to land adds a risk of delaying the release.
Flags: needinfo?(lhenry)

        Attachment #8956534 -
        Flags: approval-mozilla-release? → approval-mozilla-release-

        Attachment #8956116 -
        Flags: approval-mozilla-release+
Flags: needinfo?(jib)

    
    

    
  
Did we ever determine whether or not ESR52 is really affected?
Flags: needinfo?(padenot)

    
    

    
  
The logic has been changed a lot since then, I'd be surprised if it were the case.
Flags: needinfo?(padenot)

    
    

    
  
Per IRC discussion with Paul, it appears that ESR52 is in fact affected by virtue of bug 1336510. NI him for a rebased patch for 52.8.0 uplift.
Flags: needinfo?(padenot)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch for esr52 (obsolete)
        — Splinter Review
      

    


  
Slight adjustments were needed because of changes in NonOwningRunnableMethod.

Andreas, can you double check this?
Flags: needinfo?(padenot)

        Attachment #8968207 -
        Flags: review?(apehrson)

    
  

        Attachment #8968207 -
        Attachment is patch: true

    
    

    
  
Comment on attachment 8968207 [details] [diff] [review]
Patch for esr52

Review of attachment 8968207 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/media/systemservices/CamerasChild.cpp
@@ +286,5 @@
>  {
>    LOG((__PRETTY_FUNCTION__));
>    LOG(("NumberOfCapabilities for %s", deviceUniqueIdUTF8));
>    nsCString unique_id(deviceUniqueIdUTF8);
> +  RefPtr<CamerasChild> self = this;

Addrefing here doesn't help when the runnable methods are non-owning, see comment 31, etc.

Skip this addref and make the runnables own the instance they'll be running on instead.

        Attachment #8968207 -
        Flags: review?(apehrson) → review-

    
    

    
  
(In reply to Andreas Pehrson [:pehrsons] from comment #57)
> Comment on attachment 8968207 [details] [diff] [review]
> Patch for esr52
> 
> Review of attachment 8968207 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: dom/media/systemservices/CamerasChild.cpp
> @@ +286,5 @@
> >  {
> >    LOG((__PRETTY_FUNCTION__));
> >    LOG(("NumberOfCapabilities for %s", deviceUniqueIdUTF8));
> >    nsCString unique_id(deviceUniqueIdUTF8);
> > +  RefPtr<CamerasChild> self = this;
> 
> Addrefing here doesn't help when the runnable methods are non-owning, see
> comment 31, etc.
> 
> Skip this addref and make the runnables own the instance they'll be running
> on instead.

This appears to not be in the ESR52 release now, which ships next week.
Flags: needinfo?(padenot)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch-esr52Splinter Review
      

    


  

        Attachment #8968207 -
        Attachment is obsolete: true
Flags: needinfo?(padenot)

        Attachment #8971552 -
        Flags: review?(apehrson)

        Attachment #8971552 -
        Flags: review?(apehrson) → review+

    
    

    
  
For people following along, comment 11 is half-correct half-incorrect,  because the calls to LockAndDispatch waits synchronously for a reply from the parent process, so we're good here, simply addreffing in the scope works.

    
    

    
  
Can you request uplift to esr52? Thanks.
Flags: needinfo?(padenot)

    
    

    
  
Comment on attachment 8971552 [details] [diff] [review]
patch-esr52

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: N/A
User impact if declined: crash
Fix Landed on Version: All other versions
Risk to taking this patch (and alternatives if risky): Well tested, and landed everywhere
String or UUID changes made by this patch: None

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Flags: needinfo?(padenot)

        Attachment #8971552 -
        Flags: approval-mozilla-esr52?

    
    

    
  
Comment on attachment 8971552 [details] [diff] [review]
patch-esr52

Approved for ESR 52.8.0. Thanks for doing the rebase, Paul!

        Attachment #8971552 -
        Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Whiteboard: [adv-main60+][adv-esr52.8+]
Flags: qe-verify-
Whiteboard: [adv-main60+][adv-esr52.8+] → [adv-main60+][adv-esr52.8+][post-critsmash-triage]
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.