1466175 - AddressSanitizer: SEGV /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/TransceiverImpl.cpp:1001:22 in Stop

Status: RESOLVED FIXED

(Core :: WebRTC: Networking, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-central rev 9900cebb1f90.

==12176==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f152722e5e4 bp 0x7ffdfb904110 sp 0x7ffdfb9034c0 T0)
==12176==The signal is caused by a READ memory access.
==12176==Hint: address points to the zero page.
    #0 0x7f152722e5e3 in Stop /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/TransceiverImpl.cpp:1001:22
    #1 0x7f152722e5e3 in mozilla::TransceiverImpl::SyncWithJS(mozilla::dom::RTCRtpTransceiver&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/TransceiverImpl.cpp:370
    #2 0x7f1529d51b05 in mozilla::dom::TransceiverImplBinding::syncWithJS(JSContext*, JS::Handle<JSObject*>, mozilla::TransceiverImpl*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/TransceiverImplBinding.cpp:78:9
    #3 0x7f152acad111 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3285:13
    #4 0x7f15315a3e87 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:274:15
    #5 0x7f15315a3e87 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:471
    #6 0x7f153158ea1c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:526:12
    #7 0x7f153158ea1c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3122
    #8 0x7f1531574a66 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:421:12
    #9 0x7f15315a3c05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:493:15
    #10 0x7f15315a4e82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539:10
    #11 0x7f15320ebf5a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2981:12
    #12 0x7f1529574417 in mozilla::dom::RTCRtpTransceiverJSImpl::Sync(mozilla::ErrorResult&, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCRtpTransceiverBinding.cpp:2313:8
    #13 0x7f152964325d in Sync /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCRtpTransceiverBinding.cpp:2933:17
    #14 0x7f152964325d in mozilla::dom::RTCRtpTransceiverBinding::sync(JSContext*, JS::Handle<JSObject*>, mozilla::dom::RTCRtpTransceiver*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCRtpTransceiverBinding.cpp:1333
    #15 0x7f152acad111 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3285:13
    #16 0x7f15315a3e87 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:274:15
    #17 0x7f15315a3e87 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:471
    #18 0x7f153158ea1c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:526:12
    #19 0x7f153158ea1c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3122
    #20 0x7f1531574a66 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:421:12
    #21 0x7f15315a3c05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:493:15
    #22 0x7f15317843d2 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2372:14
    #23 0x2a3fccb4b297  (<unknown module>)

Comment 1

[Byron Campen [:bwc]]

I see what happened here. Fix on the way.

Comment 2

[Byron Campen [:bwc]]

Attachment: Bug 1466175: Check if TransceiverImpl has been shut down in SyncWithJS.

Review commit: https://reviewboard.mozilla.org/r/249360/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/249360/

Comment 3

[Michael Froman [:mjf]]

Comment on attachment 8983507 [details]
Bug 1466175: Check if TransceiverImpl has been shut down in SyncWithJS.

https://reviewboard.mozilla.org/r/249360/#review255826

Looks good to me.

Comment 4

[Pulsebot]

Pushed by bcampen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/885590b1dbd2
Check if TransceiverImpl has been shut down in SyncWithJS. r=mjf

Comment 5

[Natalia Csoregi [:nataliaCs]]

https://hg.mozilla.org/mozilla-central/rev/885590b1dbd2

Comment 6

[Ryan VanderMeulen [:RyanVM]]

I assume this can just ride the trains, but feel free to nominate the patch for approval if you feel strongly otherwise.