1441596 - Null crash [@ cubeb_enumerate_devices]

Status: RESOLVED DUPLICATE of bug 1442640

(Core :: Audio/Video: cubeb, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Found while fuzzing mozilla-central rev b184be598740.  Currently reducing testcase and will update once available.  Note that this testcase will only reproduce on our headless EC2 spot instances.  Further, this issue is triggering at a rate which requires us to disable fuzzing of getUserMedia until it is resolved.

==23477==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f73097b9584 bp 0x7f72a9a5d280 sp 0x7f72a9a5d0a0 T24)
==23477==The signal is caused by a READ memory access.
==23477==Hint: address points to the zero page.
    #0 0x7f73097b9583 in cubeb_enumerate_devices /builds/worker/workspace/build/src/media/libcubeb/src/cubeb.c:591:17
    #1 0x7f730dde8419 in cubeb_core::context::ContextRef::enumerate_devices::h5011ead83be7d84d /builds/worker/workspace/build/src/third_party/rust/cubeb-core/src/context.rs:128
    #2 0x7f730dde8419 in audioipc_server::CubebServer::process_msg::hec5ada17e97fb7b8 /builds/worker/workspace/build/src/media/audioipc/server/src/lib.rs:158
    #3 0x7f730dde8419 in _$LT$audioipc_server..CubebServer$u20$as$u20$audioipc..rpc..server..Server$GT$::process::_$u7b$$u7b$closure$u7d$$u7d$::h4cfc8c3c40fd2be8 /builds/worker/workspace/build/src/media/audioipc/server/src/lib.rs:99
    #4 0x7f730dde8419 in audioipc_server::with_local_context::_$u7b$$u7b$closure$u7d$$u7d$::hd7d31df3b8b8829a /builds/worker/workspace/build/src/media/audioipc/server/src/lib.rs:65
    #5 0x7f730dde8419 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::try_with::h5922417ec514552a /checkout/src/libstd/thread/local.rs:377
    #6 0x7f730dde8419 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::with::h4d1605cd98397df7 /checkout/src/libstd/thread/local.rs:288
    #7 0x7f730dde8419 in audioipc_server::with_local_context::hcfe6b93cd91bd35d /builds/worker/workspace/build/src/media/audioipc/server/src/lib.rs:60
    #8 0x7f730dde8419 in _$LT$audioipc_server..CubebServer$u20$as$u20$audioipc..rpc..server..Server$GT$::process::h0d799b12f300608f /builds/worker/workspace/build/src/media/audioipc/server/src/lib.rs:97
    #9 0x7f730ddfa370 in _$LT$audioipc..rpc..server..ServerHandler$LT$S$GT$$u20$as$u20$audioipc..rpc..Handler$GT$::consume::hd44fabfd86fe1a8a /builds/worker/workspace/build/src/media/audioipc/audioipc/src/rpc/server.rs:117
    #10 0x7f730ddfa370 in _$LT$audioipc..rpc..driver..Driver$LT$T$GT$$GT$::process_incoming::he9cbe14180a05b32 /builds/worker/workspace/build/src/media/audioipc/audioipc/src/rpc/driver.rs:64
    #11 0x7f730ddfa370 in _$LT$audioipc..rpc..driver..Driver$LT$T$GT$$GT$::receive_incoming::h3dbf8991986f11ab /builds/worker/workspace/build/src/media/audioipc/audioipc/src/rpc/driver.rs:47
    #12 0x7f730ddfa370 in _$LT$audioipc..rpc..driver..Driver$LT$T$GT$$u20$as$u20$futures..future..Future$GT$::poll::h5f6d7738955ef1e4 /builds/worker/workspace/build/src/media/audioipc/audioipc/src/rpc/driver.rs:133
    #13 0x7f730ddfa370 in _$LT$futures..future..map_err..MapErr$LT$A$C$$u20$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::h06ac6047c5c2716a /builds/worker/workspace/build/src/third_party/rust/futures/src/future/map_err.rs:30
    #14 0x7f730ddfa370 in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::h26f4cf9dfaa673d8 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/mod.rs:106
    #15 0x7f730e32ad4c in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::h8cb63dced6305f6b /builds/worker/workspace/build/src/third_party/rust/futures/src/future/mod.rs:106
    #16 0x7f730e32ad4c in _$LT$futures..task_impl..Spawn$LT$F$GT$$GT$::poll_future::_$u7b$$u7b$closure$u7d$$u7d$::h4d92f268f8e9ad77 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:337
    #17 0x7f730e32ad4c in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::enter::_$u7b$$u7b$closure$u7d$$u7d$::hf0fd4e54d99bd89f /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:484
    #18 0x7f730e32ad4c in futures::task_impl::set::_$u7b$$u7b$closure$u7d$$u7d$::h6b5f3c87644084c5 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:61
    #19 0x7f730e32ad4c in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::try_with::h63ab9b22d1368c6f /checkout/src/libstd/thread/local.rs:377
    #20 0x7f730e32ad4c in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::with::h8b8cc07ff6420c97 /checkout/src/libstd/thread/local.rs:288
    #21 0x7f730e32ad4c in futures::task_impl::set::h2b9c2e5936948958 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:54
    #22 0x7f730e32ad4c in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::enter::h26bfd7347831a944 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:484
    #23 0x7f730e32ad4c in _$LT$futures..task_impl..Spawn$LT$F$GT$$GT$::poll_future::he90b42f4f9ba70d8 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:337
    #24 0x7f730e32ad4c in tokio_core::reactor::Core::dispatch_task::_$u7b$$u7b$closure$u7d$$u7d$::h1fc24394f14692c8 /builds/worker/workspace/build/src/third_party/rust/tokio-core/src/reactor/mod.rs:366
    #25 0x7f730e32ad4c in _$LT$scoped_tls..ScopedKey$LT$T$GT$$GT$::set::hb0d4365c1572ad94 /builds/worker/workspace/build/src/third_party/rust/scoped-tls/src/lib.rs:135
    #26 0x7f730e32ad4c in tokio_core::reactor::Core::dispatch_task::haaf023d2f18d0d02 /builds/worker/workspace/build/src/third_party/rust/tokio-core/src/reactor/mod.rs:366
    #27 0x7f730e32ad4c in tokio_core::reactor::Core::dispatch::h9e3a5f93d90df87c /builds/worker/workspace/build/src/third_party/rust/tokio-core/src/reactor/mod.rs:324
    #28 0x7f730e32ad4c in tokio_core::reactor::Core::poll::hde66804c442f5cfd /builds/worker/workspace/build/src/third_party/rust/tokio-core/src/reactor/mod.rs:312
    #29 0x7f730ddf5973 in tokio_core::reactor::Core::run::he7fd87cf9e20f5d6 /builds/worker/workspace/build/src/third_party/rust/tokio-core/src/reactor/mod.rs:249
    #30 0x7f730ddf4dd6 in audioipc::core::spawn_thread::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::h3759c1bd29020032 /builds/worker/workspace/build/src/media/audioipc/audioipc/src/core.rs:81
    #31 0x7f730ddf4dd6 in _$LT$core..result..Result$LT$T$C$$u20$E$GT$$GT$::and_then::h1364a898497f3e6d /checkout/src/libcore/result.rs:621
    #32 0x7f730ddf4dd6 in audioipc::core::spawn_thread::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hb3f8cbcef62e3d12 /builds/worker/workspace/build/src/media/audioipc/audioipc/src/core.rs:80
    #33 0x7f730ddf4dd6 in _$LT$scoped_tls..ScopedKey$LT$T$GT$$GT$::set::ha8d1e7e90ff38418 /builds/worker/workspace/build/src/third_party/rust/scoped-tls/src/lib.rs:135
    #34 0x7f730ddf4dd6 in audioipc::core::spawn_thread::_$u7b$$u7b$closure$u7d$$u7d$::h59e34f5de5b745ce /builds/worker/workspace/build/src/media/audioipc/audioipc/src/core.rs:79
    #35 0x7f730ddf4dd6 in std::sys_common::backtrace::__rust_begin_short_backtrace::he58ff9979349e56f /checkout/src/libstd/sys_common/backtrace.rs:133
    #36 0x7f730ddf4c5a in std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hd8ab1161e08c3430 /checkout/src/libstd/thread/mod.rs:406
    #37 0x7f730ddf4c5a in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h17812eb292663027 /checkout/src/libstd/panic.rs:300
    #38 0x7f730ddf4c5a in std::panicking::try::do_call::hc87737440af07167 /checkout/src/libstd/panicking.rs:480
    #39 0x7f730ddf4c5a in __rust_maybe_catch_panic /checkout/src/libpanic_abort/lib.rs:38
    #40 0x7f730ddf4c5a in std::panicking::try::h9c1a859034b30a5f /checkout/src/libstd/panicking.rs:459
    #41 0x7f730ddf4c5a in std::panic::catch_unwind::h7c4632d24a422594 /checkout/src/libstd/panic.rs:365
    #42 0x7f730ddf4c5a in std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h9548b153b51e80e1 /checkout/src/libstd/thread/mod.rs:405
    #43 0x7f730ddf4c5a in _$LT$F$u20$as$u20$alloc..boxed..FnBox$LT$A$GT$$GT$::call_box::he7f4da6e51f86f76 /checkout/src/liballoc/boxed.rs:815
    #44 0x7f730e3c9d13 in _$LT$alloc..boxed..Box$LT$alloc..boxed..FnBox$LT$A$C$$u20$Output$u3d$R$GT$$u20$$u2b$$u20$$u27$a$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::hf6357ae8c4e17346 /checkout/src/liballoc/boxed.rs:825
    #45 0x7f730e3c9d13 in std::sys_common::thread::start_thread::hebf0035ba4789615 /checkout/src/libstd/sys_common/thread.rs:24
    #46 0x7f730e3c9d13 in std::sys::unix::thread::Thread::new::thread_start::hd71cb092e75e9bed /checkout/src/libstd/sys/unix/thread.rs:90
    #47 0x7f732043c6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #48 0x7f731f4c541c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/media/libcubeb/src/cubeb.c:591:17 in cubeb_enumerate_devices
Thread T24 (AudioIPC Server) created by T0 here:
    #0 0x4b065d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f730e3c9a44 in std::sys::unix::thread::Thread::new::hfacd17f85cfe49c8 /checkout/src/libstd/sys/unix/thread.rs:78
    #2 0x7f730ddf3257 in std::thread::Builder::spawn::hb6090df0535ba4f8 /checkout/src/libstd/thread/mod.rs:416
    #3 0x7f730ddf3257 in audioipc::core::spawn_thread::he2cc4f4678bc146d /builds/worker/workspace/build/src/media/audioipc/audioipc/src/core.rs:73
    #4 0x7f730ddf3257 in audioipc_server::run::h4065d808845b1c24 /builds/worker/workspace/build/src/media/audioipc/server/src/lib.rs:409
    #5 0x7f730ddf3257 in audioipc_server_start /builds/worker/workspace/build/src/media/audioipc/server/src/lib.rs:426
    #6 0x7f7305da8bee in StartSoundServer /builds/worker/workspace/build/src/dom/media/CubebUtils.cpp:81:19
    #7 0x7f7305da8bee in mozilla::CubebUtils::PrefChanged(char const*, void*) /builds/worker/workspace/build/src/dom/media/CubebUtils.cpp:270
    #8 0x7f72ffd6104a in mozilla::Preferences::RegisterCallbackAndCall(void (*)(char const*, void*), char const*, void*, mozilla::Preferences::MatchKind) /builds/worker/workspace/build/src/modules/libpref/Preferences.cpp:4363:5
    #9 0x7f7305daeb97 in RegisterCallbackAndCall /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Preferences.h:270:12
    #10 0x7f7305daeb97 in mozilla::CubebUtils::InitLibrary() /builds/worker/workspace/build/src/dom/media/CubebUtils.cpp:546
    #11 0x7f7308835007 in nsLayoutStatics::Initialize() /builds/worker/workspace/build/src/layout/build/nsLayoutStatics.cpp:258:3
    #12 0x7f7308834e60 in Initialize() /builds/worker/workspace/build/src/layout/build/nsLayoutModule.cpp:297:8
    #13 0x7f72ffc8c57b in Load /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:763:21
    #14 0x7f72ffc8c57b in nsFactoryEntry::GetFactory() /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1785
    #15 0x7f72ffc8d85d in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1083:41
    #16 0x7f72ffc8435d in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1446:10
    #17 0x7f72ffc9388c in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:67:43
    #18 0x7f72ffc9388c in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:280
    #19 0x7f72ffb4c2b9 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:95:7
    #20 0x7f72ffd364d2 in nsCOMPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:928:5
    #21 0x7f72ffd364d2 in NS_InitXPCOM2 /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:703
    #22 0x7f730bc364fb in Initialize /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:1568:8
    #23 0x7f730bc364fb in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4810
    #24 0x7f730bc37954 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4906:21
    #25 0x4f6d45 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #26 0x4f6d45 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #27 0x7f731f3de82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

==23477==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Comment 2

[Tyson Smith [:tsmith]]

Our fuzzers seem to be hitting this and other related (cubeb in stack) bugs since Tuesday. We've seen ~10k reports so far.

mfj, can you please bump the priority of this bug we need to get this fixed ASAP. It affecting non media fuzzing.

Comment 3

[Tyson Smith [:tsmith]]

mjf, not mfj typo sorry :)

Comment 4

[Michael Froman [:mjf]]

(In reply to Tyson Smith [:tsmith] from comment #2)
> Our fuzzers seem to be hitting this and other related (cubeb in stack) bugs
> since Tuesday. We've seen ~10k reports so far.
> 
> mfj, can you please bump the priority of this bug we need to get this fixed
> ASAP. It affecting non media fuzzing.

I bumped the priority/rank, but I don't have any control over who works on this or when.

Comment 5

[u480271]

Do these headless EC2 spot instances have sounds configured? I just want to try reproduce the issue locally to ensure it's fixed by Bug 1441588.

Comment 6

[Jason Kratzer [:jkratzer]]

(In reply to Dan Glastonbury :kamidphish from comment #5)
> Do these headless EC2 spot instances have sounds configured? I just want to
> try reproduce the issue locally to ensure it's fixed by Bug 1441588.

They do not.