Closed Bug 1464079 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free [@ ~lock_block] with READ of size 8

Categories

Component: Core :: WebRTC
Type: defect
Version: 59 Branch
Priority: Not set
Severity: critical

Tracking


Status: RESOLVED FIXED
Target Milestone: mozilla62

Tracking Status

    branch          tracking   status
    firefox-esr52   61+        fixed
    firefox-esr60   61+        fixed
    firefox60       ---        wontfix
    firefox61       +          fixed
    firefox62       +          fixed

People

(Reporter: jkratzer, Assigned: bwc)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage])

Attachments

(3 files)

Found while fuzzing mozilla-central rev 47e81ea1ef10.  Currently reducing the testcase and will update once complete.

==12064==ERROR: AddressSanitizer: heap-use-after-free on address 0x615001305e68 at pc 0x7ff62fb46a1f bp 0x7ffd41c02b00 sp 0x7ffd41c02af8
READ of size 8 at 0x615001305e68 thread T0 (file:// Content)
    #0 0x7ff62fb46a1e in ~lock_block /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/sigslot.h:318:13
    #1 0x7ff62fb46a1e in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/sigslot.h:2424
    #2 0x7ff62fb46a1e in mozilla::PeerConnectionMedia::IceConnectionStateChange_m(mozilla::NrIceCtx*, mozilla::NrIceCtx::ConnectionState) /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp:1367
    #3 0x7ff62fb8eff2 in apply<mozilla::PeerConnectionMedia *, void (mozilla::PeerConnectionMedia::*)(mozilla::NrIceCtx *, mozilla::NrIceCtx::ConnectionState), mozilla::NrIceCtx *, mozilla::NrIceCtx::ConnectionState, 0, 1> /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:86:5
    #4 0x7ff62fb8eff2 in mozilla::runnable_args_memfn<mozilla::PeerConnectionMedia*, void (mozilla::PeerConnectionMedia::*)(mozilla::NrIceCtx*, mozilla::NrIceCtx::ConnectionState), mozilla::NrIceCtx*, mozilla::NrIceCtx::ConnectionState>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:156
    #5 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #6 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #7 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #8 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #9 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #10 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #11 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #12 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #13 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #14 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #15 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #16 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #17 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #18 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #19 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #20 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #21 0x7ff6356d4f0d in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2892:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #22 0x7ff6356d4f0d in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2892
    #23 0x7ff6356d3324 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2679:11
    #24 0x7ff632b11fa4 in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1275:9
    #25 0x7ff6336210b1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3280:13
    #26 0x7ff639eed637 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #27 0x7ff639eed637 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468
    #28 0x7ff639ed8485 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:12
    #29 0x7ff639ed8485 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086
    #30 0x7ff639ebe9a6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:418:12
    #31 0x7ff639eed3b5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:490:15
    #32 0x7ff639eee632 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536:10
    #33 0x7ff63a04fc5b in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1237:14
    #34 0x7ff639eed637 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #35 0x7ff639eed637 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468
    #36 0x7ff639eee632 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536:10
    #37 0x7ff63aa33f9a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2981:12
    #38 0x7ff631ca3262 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:25:8
    #39 0x7ff62dda76a5 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
    #40 0x7ff62dda76a5 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
    #41 0x7ff62dda76a5 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:205
    #42 0x7ff62dd8a801 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint() /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:543:17
    #43 0x7ff62dd8b04d in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:374:3
    #44 0x7ff62f8294ed in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1231:30
    #45 0x7ff62df3661d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1125:24
    #46 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #47 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #48 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #49 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #50 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #51 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #52 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #53 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #54 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #55 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #56 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #57 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #58 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #59 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #60 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #61 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #62 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #63 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #64 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #65 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #66 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #67 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #68 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #69 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #70 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #71 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #72 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #73 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #74 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #75 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #76 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #77 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #78 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #79 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #80 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #81 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #82 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #83 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #84 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #85 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #86 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #87 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #88 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #89 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #90 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #91 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #92 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #93 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #94 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #95 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #96 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #97 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #98 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #99 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #100 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #101 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #102 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #103 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #104 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #105 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #106 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #107 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #108 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #109 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #110 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #111 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #112 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #113 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #114 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #115 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #116 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #117 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #118 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #119 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #120 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #121 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #122 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #123 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #124 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #125 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #126 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #127 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #128 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #129 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #130 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #131 0x7ff62ee32eba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #132 0x7ff62ed86569 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #133 0x7ff62ed86569 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #134 0x7ff62ed86569 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #135 0x7ff6359a5aaa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #136 0x7ff639c050db in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #137 0x7ff62ed86569 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #138 0x7ff62ed86569 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #139 0x7ff62ed86569 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #140 0x7ff639c04aa0 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #141 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #142 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #143 0x7ff64d91182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #144 0x42476c in _start (/home/ubuntu/firefox/firefox+0x42476c)

0x615001305e68 is located 104 bytes inside of 456-byte region [0x615001305e00,0x615001305fc8)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7ff62fb8ea00 in apply<mozilla::PeerConnectionMedia *, void (mozilla::PeerConnectionMedia::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:86:5
    #2 0x7ff62fb8ea00 in mozilla::runnable_args_memfn<mozilla::PeerConnectionMedia*, void (mozilla::PeerConnectionMedia::*)()>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/runnable_utils.h:156
    #3 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #4 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #5 0x7ff62df34192 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #6 0x7ff62df34192 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:810
    #7 0x7ff6342928da in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #8 0x7ff62df0d03b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #9 0x7ff62df17471 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #10 0x7ff62df35d96 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #11 0x7ff62df51cd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #12 0x7ff6356d4f0d in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2892:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #13 0x7ff6356d4f0d in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2892
    #14 0x7ff6356d3324 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2679:11
    #15 0x7ff632b11fa4 in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1275:9
    #16 0x7ff6336210b1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3280:13
    #17 0x7ff639eed637 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #18 0x7ff639eed637 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468
    #19 0x7ff639ed8485 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:12
    #20 0x7ff639ed8485 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086
    #21 0x7ff639ebe9a6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:418:12
    #22 0x7ff639eed3b5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:490:15
    #23 0x7ff639eee632 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536:10
    #24 0x7ff63ab1a415 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
    #25 0x7ff63aadee93 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:358:23
    #26 0x7ff62f76102e in xpc::JSXrayTraits::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper const&) /builds/worker/workspace/build/src/js/xpconnect/wrappers/XrayWrapper.h:282:33
    #27 0x7ff63aaf4a71 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:510:21
    #28 0x7ff63aaf7834 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:769:12
    #29 0x7ff639eedd80 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #30 0x7ff639eedd80 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:450
    #31 0x7ff639ed8485 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:12
    #32 0x7ff639ed8485 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086
    #33 0x7ff639ebe9a6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:418:12
    #34 0x7ff639eed3b5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:490:15
    #35 0x7ff639eee632 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536:10
    #36 0x7ff63af58648 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/SelfHosting.cpp:1848:12

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7ff62faf94c9 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7ff62faf94c9 in mozilla::PeerConnectionImpl::Initialize(mozilla::dom::PeerConnectionObserver&, nsGlobalWindowInner*, mozilla::PeerConnectionConfiguration const&, nsISupports*) /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:650
    #4 0x7ff62fafe69a in mozilla::PeerConnectionImpl::Initialize(mozilla::dom::PeerConnectionObserver&, nsGlobalWindowInner&, mozilla::dom::RTCConfiguration const&, nsISupports*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:730:9
    #5 0x7ff631b4b55b in mozilla::dom::PeerConnectionImplBinding::initialize(JSContext*, JS::Handle<JSObject*>, mozilla::PeerConnectionImpl*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PeerConnectionImplBinding.cpp:89:9
    #6 0x7ff6336210b1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3280:13
    #7 0x7ff639eed637 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #8 0x7ff639eed637 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468
    #9 0x7ff639ed8485 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:12
    #10 0x7ff639ed8485 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3086
    #11 0x7ff639ebe9a6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:418:12
    #12 0x7ff639eed3b5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:490:15
    #13 0x7ff639eee632 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536:10
    #14 0x7ff63aa33f9a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2981:12
    #15 0x7ff631d2da50 in mozilla::dom::RTCPeerConnectionJSImpl::__Init(mozilla::dom::RTCConfiguration const&, mozilla::dom::Optional<JS::Handle<JSObject*> > const&, mozilla::ErrorResult&, JSCompartment*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:8556:8
    #16 0x7ff631d47ff5 in mozilla::dom::RTCPeerConnection::Constructor(mozilla::dom::GlobalObject const&, JSContext*, mozilla::dom::RTCConfiguration const&, mozilla::dom::Optional<JS::Handle<JSObject*> > const&, mozilla::ErrorResult&, JS::Handle<JSObject*>) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:9957:16
    #17 0x7ff631e1800e in mozilla::dom::RTCPeerConnectionBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:5824:63
    #18 0x7ff639eeee0d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #19 0x7ff639eeee0d in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:313
    #20 0x7ff639eeee0d in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:575
    #21 0x7ff639ed834a in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3078:18
    #22 0x7ff639ebe9a6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:418:12
    #23 0x7ff639eed3b5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:490:15
    #24 0x7ff639eee632 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:536:10
    #25 0x7ff63aa33f9a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2981:12
    #26 0x7ff632dce235 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #27 0x7ff633d49b7e in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #28 0x7ff633d49b7e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121
    #29 0x7ff633d4b30b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1291:20
    #30 0x7ff633d35617 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:528:16
    #31 0x7ff633d39413 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:961:9
    #32 0x7ff636044ab8 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1166:7
    #33 0x7ff6391a73c2 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7169:21
    #34 0x7ff6391a37e9 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6962:7
    #35 0x7ff6391aafef in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mtransport/sigslot.h:318:13 in ~lock_block
==12064==ABORTING
Group: core-security → media-core-security
Flags: needinfo?(docfaraday)
I don't see how this could happen without something reordering the event queue on main... perhaps there's some flaw in sigslot that prevents us from disconnecting from the ICE signals?

I'll keep an eye out for that test-case, but it seems it depends on the content process shutting down.
Assignee: nobody → docfaraday
Flags: needinfo?(docfaraday)
Attached file trigger.html
Attached testcase.
Looks like a reentrancy bug. I think I know how to fix it.
Wow, this is awesome.
I tried to do something similar for the gathering state changes, but the tests were extremely sad, and we unroll in c++ for gathering state changes anyway.
Attachment #8983038 - Flags: review?(jib)
Comment on attachment 8983038 [details] [diff] [review]
Bring ICE connection state change callback up to spec

Review of attachment 8983038 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with spec nit.

::: dom/media/PeerConnection.js
@@ +1802,5 @@
>  
>        case "IceConnectionState":
> +        let connState = this._dompc._pc.iceConnectionState;
> +        this._dompc._queueTaskWithClosedCheck(() => {
> +          this.handleIceConnectionStateChange(connState);
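Review bot: the closed check has to run inside the queued task, not at enqueue time: `connState` is snapshotted synchronously at `let connState = this._dompc._pc.iceConnectionState;`, and the connection can be closed between that line and the task firing, so `_queueTaskWithClosedCheck` should test the closed flag when the task executes and skip `this.handleIceConnectionStateChange(connState);` if it is set, which is the spec step 1 quoted in this review. Passing the snapshotted state into the handler rather than re-reading `_pc` inside the task is the right call, since a re-read after a close would touch the native object again.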

Spec [1] says we should check for closed here:

  "1. If connection's [[IsClosed]] slot is true, abort these steps."

[1] http://w3c.github.io/webrtc-pc/#update-ice-connection-state
Attachment #8983038 - Flags: review?(jib) → review+
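The reentrancy hazard this thread describes (a native ICE state signal calling into content JS, which can close the connection underneath it) and the queued-task fix with the spec's closed check, as an added JavaScript model; this is not code from the Firefox patch, and the class names, the task queue and the scenario driver are all constructed for illustration:

```javascript
// Added example (not the Firefox patch): models the reentrancy hazard in this
// bug and the queued-task fix with the spec's closed check. Names are constructed.
class NativeCtx {            // stand-in for the C++ object that close() tears down
  constructor() { this.freed = false; this.state = "new"; }
  free() { this.freed = true; }
  read() {                   // reading a freed object is the use-after-free analogue
    if (this.freed) throw new Error("heap-use-after-free");
    return this.state;
  }
}
class PeerConnectionModel {
  constructor(queue) {       // queue: constructed main-thread task queue
    this._queue = queue; this._pc = new NativeCtx();
    this._closed = false; this.onstatechange = null;  // onstatechange: content JS
  }
  close() { this._closed = true; this._pc.free(); }
  // Buggy shape: call straight into content JS, then keep using the native object.
  signalStateSync(newState) {
    this._pc.state = newState;
    if (this.onstatechange) this.onstatechange(newState);
    return this._pc.read();
  }
  // Fixed shape: snapshot state, queue a task, re-check closed when the task runs.
  signalStateQueued(newState) {
    this._pc.state = newState;
    const connState = this._pc.read();
    this._queueTaskWithClosedCheck(() => {
      if (this.onstatechange) this.onstatechange(connState);
    });
    return connState;
  }
  _queueTaskWithClosedCheck(func) {
    return new Promise(resolve => this._queue.push(() => {
      const ran = !this._closed;  // checked when the task runs, not when queued
      if (ran) func();
      resolve(ran);               // settle either way so awaiting callers never hang
    }));
  }
}
function runScenario(mode, closeBeforeDrain = false) {  // content's callback closes the pc
  const queue = [], pc = new PeerConnectionModel(queue);
  let callbacks = 0, outcome = "ok";
  pc.onstatechange = () => { callbacks++; pc.close(); };
  try { pc[mode === "sync" ? "signalStateSync" : "signalStateQueued"]("connected"); }
  catch (e) { outcome = e.message; }
  if (closeBeforeDrain) pc.close();      // closed before the queued task fires
  while (queue.length) queue.shift()();  // drain the main-thread queue
  return { outcome, callbacks };
}
```

With `closeBeforeDrain` set, the queued task finds the connection closed and delivers nothing, which is exactly the spec's "abort these steps" path.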
Comment on attachment 8983038 [details] [diff] [review]
Bring ICE connection state change callback up to spec

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

   Based on just the patch, the problem isn't totally obvious, but someone who knew that they could cause main to spin with XHR might think to do something like this.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

   No.

Which older supported branches are affected by this flaw?

   All, I think.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

   Not yet, but I do not believe they'll be difficult.

How likely is this patch to cause regressions; how much testing does it need?

   Pretty unlikely, and any regression is likely to be minor.
Attachment #8983038 - Flags: sec-approval?
sec-approval+ for trunk. Can we get Beta, ESR60, and ESR52 patches made and nominated too?
Attachment #8983038 - Flags: sec-approval? → sec-approval+
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e4dadfffd60538ec94ff6e77e47cf8dc0cec4e4
Bug 1464079: Bring ICE connection state change callback up to spec. r=jib
https://hg.mozilla.org/mozilla-central/rev/4e4dadfffd60

Please request Beta/ESR60/ESR52 approval on this when you get a chance. It grafts cleanly as-landed to all of them.
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(docfaraday)
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment on attachment 8983038 [details] [diff] [review]
Bring ICE connection state change callback up to spec

[Approval Request Comment]
User impact if declined: 

   Relatively easy UAF from JS.

Fix Landed on Version:

   62

Risk to taking this patch (and alternatives if risky): 

   I guess it is possible that some automated tests will be sad due to the signal firing a little later. Probably not more than that.

String or UUID changes made by this patch: 

   None.

[Is this code covered by automated tests?]:

   Yes.

[Has the fix been verified in Nightly?]:

   Yes.

[Needs manual test from QE? If yes, steps to reproduce]: 

   No.

[List of other uplifts needed for the feature/fix]:

   None.
Flags: needinfo?(docfaraday)
Attachment #8983038 - Flags: approval-mozilla-esr60?
Attachment #8983038 - Flags: approval-mozilla-esr52?
Attachment #8983038 - Flags: approval-mozilla-beta?
Comment on attachment 8983038 [details] [diff] [review]
Bring ICE connection state change callback up to spec

Fixes a UAF in WebRTC code. Approved for 61.0b13, ESR 60.1, and ESR 52.9.
Attachment #8983038 - Flags: approval-mozilla-esr60?
Attachment #8983038 - Flags: approval-mozilla-esr60+
Attachment #8983038 - Flags: approval-mozilla-esr52?
Attachment #8983038 - Flags: approval-mozilla-esr52+
Attachment #8983038 - Flags: approval-mozilla-beta?
Attachment #8983038 - Flags: approval-mozilla-beta+
Because nothing in life is simple, this has wpt failures on ESR52:
https://treeherder.mozilla.org/logviewer.html#?job_id=182609365&repo=mozilla-esr52

Looks like bug 1363982 was the last to touch these tests, back in the 55 timeframe. Is it as simple as backporting those changes?
Flags: needinfo?(docfaraday)
Attachment #8983038 - Attachment is obsolete: true
Ok, this seems to work for me, but I had to make some alterations to the function we pulled from the transceivers bug. I will ask for review from jib just to make sure it looks sane.
Flags: needinfo?(docfaraday) → needinfo?(ryanvm)
Attachment #8985207 - Flags: review?(jib)
Comment on attachment 8985207 [details] [diff] [review]
(ESR 52 backport) Bring ICE connection state change callback up to spec

Review of attachment 8985207 [details] [diff] [review]:
-----------------------------------------------------------------

Lgtm, though I don't think you need to add the priority argument.

::: dom/media/PeerConnection.js
@@ +523,5 @@
> +        if (!this._closed) {
> +          func();
> +          resolve();
> +        }
> +      }}, Ci.nsIThread.DISPATCH_NORMAL);
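Review bot: the promise returned here never settles on the closed path: `resolve();` is only reached inside `if (!this._closed) {`, so any caller that awaits this task after the connection has been closed hangs forever. Unless no caller ever awaits it, move `resolve()` after the `if` block (or reject in the closed case) so both branches settle the promise; the closed check itself is correctly evaluated when the runnable executes rather than when it is dispatched.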

Looks like the priority argument was added in 57 [1], so I don't think it does much good in 52. Probably no harm either.

[1] https://searchfox.org/mozilla-central/diff/393c62eba7631a2f79fac84f088421b911796e52/xpcom/threads/nsIThreadManager.idl#96
Attachment #8985207 - Flags: review?(jib) → review+
(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #20)
> Comment on attachment 8985207 [details] [diff] [review]
> (ESR 52 backport) Bring ICE connection state change callback up to spec
> 
> Review of attachment 8985207 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> Lgtm, though I don't think you need to add the priority argument.
> 
> ::: dom/media/PeerConnection.js
> @@ +523,5 @@
> > +        if (!this._closed) {
> > +          func();
> > +          resolve();
> > +        }
> > +      }}, Ci.nsIThread.DISPATCH_NORMAL);
> 
> Looks like the priority argument was added in 57 [1], so I don't think it does much good in 52. Probably no harm either.
> 
> [1] https://searchfox.org/mozilla-central/diff/393c62eba7631a2f79fac84f088421b911796e52/xpcom/threads/nsIThreadManager.idl#96

dispatchToMainThread doesn't exist in 52, so I'm calling |dispatch| here. Does that still look sane to you?
Flags: needinfo?(jib)
My understanding is that jib might be indisposed this week - can you please take a look at comment 21, Nils?
Flags: needinfo?(ryanvm) → needinfo?(drno)
Since the comment for |dispatchToMainThread| indicates the equivalent here https://searchfox.org/mozilla-central/rev/285da1fd7dcf67448b9175741fa330158edcff73/xpcom/threads/nsIThreadManager.idl#115 I think it should be okay to use the less convenient form for esr52.
Flags: needinfo?(jib)
Flags: needinfo?(drno)
Attachment #8983038 - Attachment is obsolete: false
Attachment #8983038 - Flags: approval-mozilla-esr52+
Attachment #8985207 - Flags: approval-mozilla-esr52+
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+]
Flags: qe-verify-
Whiteboard: [adv-main61+][adv-esr52.9+][adv-esr60.1+] → [adv-main61+][adv-esr52.9+][adv-esr60.1+][post-critsmash-triage]
Group: core-security-release