Closed Bug 1471953 Opened Last year Closed Last year

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:296:27 in get

Categories

(Core :: Audio/Video: MediaStreamGraph, defect, P1, critical)

59 Branch
defect

Tracking


RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 62+ fixed
firefox61 --- wontfix
firefox62 + fixed
firefox63 + fixed

People

(Reporter: jkratzer, Assigned: karlt)

References

Details

(Keywords: csectype-uaf, sec-high, testcase-wanted, Whiteboard: [post-critsmash-triage][adv-main62+][adv-esr60.2+])

Attachments

(1 file)

Found while fuzzing mozilla-central rev b429b9fb68f1.  Currently attempting to reduce the testcase and will update once complete.

=================================================================
==12249==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150006652b0 at pc 0x7f2004770f0d bp 0x7f1fa6f08ee0 sp 0x7f1fa6f08ed8
READ of size 8 at 0x6150006652b0 thread T37284 (MediaStreamGrph)
    #0 0x7f2004770f0c in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:296:27
    #1 0x7f2004770f0c in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:328
    #2 0x7f2004770f0c in mozilla::MediaStreamGraphImpl::Dispatch(already_AddRefed<nsIRunnable>&&) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1827
    #3 0x7f2004463eea in mozilla::OfflineClockDriver::~OfflineClockDriver() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:165:18
    #4 0x7f2004465298 in mozilla::SystemClockDriver::~SystemClockDriver() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:268:1
    #5 0x7f200449a96f in Release /builds/worker/workspace/build/src/dom/media/GraphDriver.h:118:3
    #6 0x7f200449a96f in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:42
    #7 0x7f200449a96f in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:407
    #8 0x7f200449a96f in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:80
    #9 0x7f200449a96f in ~MediaStreamGraphInitThreadRunnable /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:169
    #10 0x7f200449a96f in mozilla::MediaStreamGraphInitThreadRunnable::~MediaStreamGraphInitThreadRunnable() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:169
    #11 0x7f1ffc8faceb in mozilla::Runnable::Release() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:50:1
    #12 0x7f1ffc8eb2d9 in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:313:7
    #13 0x7f1ffc8eb2d9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1076
    #14 0x7f1ffc8f35b5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #15 0x7f1ffda888df in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #16 0x7f1ffd98c2ec in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #17 0x7f1ffd98c2ec in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #18 0x7f1ffd98c2ec in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #19 0x7f1ffc8e3dc1 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #20 0x7f201dd6bdc8 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f20213656b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #22 0x7f20203ee41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6150006652b0 is located 432 bytes inside of 472-byte region [0x615000665100,0x6150006652d8)
freed by thread T0 (file:// Content) here:
    #0 0x4c4cc2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f200478a21b in mozilla::MediaStreamGraphImpl::Release() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:3794:1
    #2 0x7f20047a3555 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:42:11
    #3 0x7f20047a3555 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:407
    #4 0x7f20047a3555 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:80
    #5 0x7f20047a3555 in ~MediaStreamGraphShutDownRunnable /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1441
    #6 0x7f20047a3555 in mozilla::(anonymous namespace)::MediaStreamGraphShutDownRunnable::~MediaStreamGraphShutDownRunnable() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1441
    #7 0x7f1ffc8faceb in mozilla::Runnable::Release() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:50:1
    #8 0x7f1ffc8bcdb2 in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:313:7
    #9 0x7f1ffc8bcdb2 in Destruct /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:544
    #10 0x7f1ffc8bcdb2 in DestructRange /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2075
    #11 0x7f1ffc8bcdb2 in ClearAndRetainStorage /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1296
    #12 0x7f1ffc8bcdb2 in ~nsTArray_Impl /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:867
    #13 0x7f1ffc8bcdb2 in mozilla::AutoTaskDispatcher::PerThreadTaskGroup::~PerThreadTaskGroup() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:183
    #14 0x7f1ffc8bcc75 in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:528:5
    #15 0x7f1ffc8bcc75 in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:343
    #16 0x7f1ffc8bcc75 in ~UniquePtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:288
    #17 0x7f1ffc8bcc75 in ~TaskGroupRunnable /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:190
    #18 0x7f1ffc8bcc75 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::~TaskGroupRunnable() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:190
    #19 0x7f1ffc8faceb in mozilla::Runnable::Release() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:50:1
    #20 0x7f1ffc8b8fd4 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:42:11
    #21 0x7f1ffc8b8fd4 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:407
    #22 0x7f1ffc8b8fd4 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:80
    #23 0x7f1ffc8b8fd4 in ~Runner /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:114
    #24 0x7f1ffc8b8fd4 in mozilla::EventTargetWrapper::Runner::~Runner() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:114
    #25 0x7f1ffc8fb2ab in Release /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:50:1
    #26 0x7f1ffc8fb2ab in mozilla::CancelableRunnable::Release() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:74
    #27 0x7f1ffc8b091e in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:355:7
    #28 0x7f1ffc8b091e in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:638
    #29 0x7f1ffc8b091e in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:341
    #30 0x7f1ffc8ead98 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1051:14
    #31 0x7f1ffc8e9051 in NS_ProcessNextEvent /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #32 0x7f1ffc8e9051 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:799:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324
    #33 0x7f1ffc8e9051 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:799
    #34 0x7f2004499831 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #35 0x7f1ffc8b8658 in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #36 0x7f1ffc8b08b2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #37 0x7f1ffc8ead98 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1051:14
    #38 0x7f1ffc8e9051 in NS_ProcessNextEvent /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #39 0x7f1ffc8e9051 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:799:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324
    #40 0x7f1ffc8e9051 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:799
    #41 0x7f2004499831 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #42 0x7f1ffc8b8658 in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #43 0x7f1ffc8b08b2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #44 0x7f1ffc8ead98 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1051:14
    #45 0x7f1ffc8f35b5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #46 0x7f2005ce9066 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2891:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #47 0x7f2005ce9066 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2891
    #48 0x7f2005ce6e9e in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2678:11
    #49 0x7f20027eb21f in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1276:9
    #50 0x7f20035720c9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3311:13
    #51 0x7f200ad794c0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:15
    #52 0x7f200af5fc17 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2657:14
    #53 0x16ec07f2e0c7  (<unknown module>)
    #54 0x621000f23657  (<unknown module>)

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c5003 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f637d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f20047896a3 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f20047896a3 in mozilla::MediaStreamGraph::GetInstance(mozilla::MediaStreamGraph::GraphDriverType, nsPIDOMWindowInner*, int) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:3748
    #4 0x7f2004da607c in mozilla::dom::AudioDestinationNode::AudioDestinationNode(mozilla::dom::AudioContext*, bool, bool, unsigned int, unsigned int, float) /builds/worker/workspace/build/src/dom/media/webaudio/AudioDestinationNode.cpp:342:9
    #5 0x7f2004d91e3d in mozilla::dom::AudioContext::AudioContext(nsPIDOMWindowInner*, bool, unsigned int, unsigned int, float) /builds/worker/workspace/build/src/dom/media/webaudio/AudioContext.cpp:157:22
    #6 0x7f2004d95382 in mozilla::dom::AudioContext::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContextOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/webaudio/AudioContext.cpp:243:9
    #7 0x7f2000b971aa in mozilla::dom::AudioContext_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/AudioContextBinding.cpp:550:58
    #8 0x7f200ad7b67b in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:15
    #9 0x7f200ad63e6d in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3182:18
    #10 0x7f200ad4999a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #11 0x7f200ad79d77 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:553:15
    #12 0x7f200ad7ad92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #13 0x7f200b8ca32a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
    #14 0x7f2002b67d9e in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #15 0x7f2003dcbc40 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #16 0x7f2003dcbc40 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121
    #17 0x7f2003dcd894 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1298:20
    #18 0x7f2003db0663 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:622:16
    #19 0x7f2003db6e40 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1088:9
    #20 0x7f2003dba015 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #21 0x7f20008c84a0 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1089:5
    #22 0x7f20002c5df9 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4496:28
    #23 0x7f20002c5b89 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4460:10
    #24 0x7f20007b09e1 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4968:3
    #25 0x7f20008b2f4b in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1166:12
    #26 0x7f20008b2f4b in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1172
    #27 0x7f20008b2f4b in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1217
    #28 0x7f1ffc8b08b2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #29 0x7f1ffc8ead98 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1051:14
    #30 0x7f1ffc8e9051 in NS_ProcessNextEvent /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #31 0x7f1ffc8e9051 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:799:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324
    #32 0x7f1ffc8e9051 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:799
    #33 0x7f2004499831 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:152:14
    #34 0x7f1ffc8b8658 in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #35 0x7f1ffc8b08b2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32

Thread T37284 (MediaStreamGrph) created by T36833 (CubebOp~tion #1) here:
    #0 0x4ae08d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f201dd68b05 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f201dd686ee in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f1ffc8e6cc3 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:597:8
    #4 0x7f1ffc8f2089 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7f1ffc8f6f4e in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7f2004464596 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:73:10
    #7 0x7f2004464596 in mozilla::ThreadedDriver::Start() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:222
    #8 0x7f200446b3bb in mozilla::AudioCallbackDriver::FallbackToSystemClockDriver() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:107:17
    #9 0x7f20044687d9 in mozilla::AudioCallbackDriver::Init() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:627:5
    #10 0x7f200446794a in mozilla::AsyncCubebTask::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:497:21
    #11 0x7f1ffc8f7fe2 in nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:231:14
    #12 0x7f1ffc8f8c84 in non-virtual thunk to nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp
    #13 0x7f1ffc8ead98 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1051:14
    #14 0x7f1ffc8f35b5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #15 0x7f1ffda888df in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #16 0x7f1ffd98c2ec in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #17 0x7f1ffd98c2ec in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #18 0x7f1ffd98c2ec in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #19 0x7f1ffc8e3dc1 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #20 0x7f201dd6bdc8 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f20213656b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T36833 (CubebOp~tion #1) created by T36816 (MediaStreamGrph) here:
    #0 0x4ae08d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f201dd68b05 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f201dd686ee in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f1ffc8e6cc3 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:597:8
    #4 0x7f1ffc8f2089 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7f1ffc8f67aa in NS_NewNamedThread /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7f1ffc8f67aa in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7f1ffc8f8ed6 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:280:5
    #8 0x7f200446c6d6 in Dispatch /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIEventTarget.h:37:14
    #9 0x7f200446c6d6 in Dispatch /builds/worker/workspace/build/src/dom/media/GraphDriver.h:583
    #10 0x7f200446c6d6 in mozilla::AudioCallbackDriver::Start() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:750
    #11 0x7f2004465b16 in mozilla::ThreadedDriver::RunThread() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:107:17
    #12 0x7f2004499e0f in mozilla::MediaStreamGraphInitThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:206:14
    #13 0x7f1ffc8ead98 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1051:14
    #14 0x7f1ffc8f35b5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #15 0x7f1ffda88a6f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #16 0x7f1ffd98c2ec in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #17 0x7f1ffd98c2ec in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #18 0x7f1ffd98c2ec in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #19 0x7f1ffc8e3dc1 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #20 0x7f201dd6bdc8 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f20213656b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T36816 (MediaStreamGrph) created by T0 (file:// Content) here:
    #0 0x4ae08d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f201dd68b05 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f201dd686ee in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f1ffc8e6cc3 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:597:8
    #4 0x7f1ffc8f2089 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7f1ffc8f6f4e in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7f2004464596 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:73:10
    #7 0x7f2004464596 in mozilla::ThreadedDriver::Start() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:222
    #8 0x7f200476ee40 in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1689:17
    #9 0x7f20047a3755 in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1544:15
    #10 0x7f1ffc6c0bf6 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:331:12
    #11 0x7f1ffc6c3390 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:396:3
    #12 0x7f1ffe961da5 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1218:30
    #13 0x7f1ffc8eb850 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1086:24
    #14 0x7f1ffc8f35b5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #15 0x7f2005ce9066 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2891:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #16 0x7f2005ce9066 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2891
    #17 0x7f2005ce6e9e in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2678:11
    #18 0x7f20027eb21f in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1276:9
    #19 0x7f20035720c9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3311:13
    #20 0x7f200ad794c0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:440:15
    #21 0x7f200ad63fa5 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:586:12
    #22 0x7f200ad63fa5 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3190
    #23 0x7f200ad4999a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #24 0x7f200ad79d77 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:553:15
    #25 0x7f200ad7ad92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
    #26 0x7f200b8ca32a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
    #27 0x7f2002b67d9e in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #28 0x7f2003dcbc40 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #29 0x7f2003dcbc40 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121
    #30 0x7f2003dcd894 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1298:20
    #31 0x7f2003db0663 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:622:16
    #32 0x7f2003db6e40 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1088:9
    #33 0x7f2003dba015 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #34 0x7f20008c84a0 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1089:5
    #35 0x7f20002c5df9 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4496:28
    #36 0x7f20002c5b89 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4460:10
    #37 0x7f20007b09e1 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4968:3
    #38 0x7f20008b2f4b in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1166:12
    #39 0x7f20008b2f4b in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1172
    #40 0x7f20008b2f4b in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1217
    #41 0x7f1ffc8b08b2 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #42 0x7f1ffc8ead98 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1051:14
    #43 0x7f1ffc8f35b5 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #44 0x7f1ffda8724e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #45 0x7f1ffd98c2ec in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #46 0x7f1ffd98c2ec in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #47 0x7f1ffd98c2ec in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #48 0x7f20060b28a6 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #49 0x7f200aa56ede in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:896:22
    #50 0x7f1ffd98c2ec in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #51 0x7f1ffd98c2ec in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #52 0x7f1ffd98c2ec in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #53 0x7f200aa5609c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:722:34
    #54 0x4f54d1 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #55 0x4f54d1 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #56 0x7f202030782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:296:27 in get
Shadow bytes around the buggy address:
  0x0c2a800c4a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c4a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c4a20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c4a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800c4a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a800c4a50: fd fd fd fd fd fd[fd]fd fd fd fd fa fa fa fa fa
  0x0c2a800c4a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c4a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c4a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c4a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800c4aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12249==ABORTING
Group: core-security → media-core-security
Flags: needinfo?(padenot)
Flags: needinfo?(karlt)
Priority: -- → P3
Alex, do you think https://reviewboard.mozilla.org/r/246826/diff/6/ might fix this?
Component: Audio/Video → Audio/Video: MediaStreamGraph
Flags: needinfo?(karlt) → needinfo?(achronop)
From a quick look it does not look like the same case. This one is happening when MSG shuts down. The MSG has been destroyed by a MediaStreamGraphShutDownRunnable but the ThreadedDriver is still alive, and destroyed by the MediaStreamGraphInitThreadRunnable object. The ~ThreadedDriver attempts to touch the graph here [1].

The MediaStreamGraphInitThreadRunnable class handles the switching of the drivers from AudioCallbackDriver to Threaded driver. I would not expect it to stay alive for so long after the switch.

One solution could be to hold a raw pointer of the driver in MediaStreamGraphInitThreadRunnable class so it will not be possible to keep the driver alive. Or we can clear the MediaStreamGraphInitThreadRunnable::mDriver at the end of MediaStreamGraphInitThreadRunnable::Run(). Let me know what you think.

[1] https://searchfox.org/mozilla-central/source/dom/media/GraphDriver.cpp#165
Flags: needinfo?(achronop)
Clearing NI. Alex, can you fix this?
Flags: needinfo?(padenot)
Yeah, I'll give it a try. After the discussion in IRC I will have a second look.
Ah, thanks.  So ~OfflineClockDriver is misleading.  This is not an offline
driver because it is a SystemClockDriver() but I assume ~OfflineClockDriver is
just ~ThreadedDriver.

~ThreadedDriver is a very risky place to be assuming that mGraphImpl is still
valid, because, at this point, a different driver may own the graph.

This seems to be a regression from
https://hg.mozilla.org/mozilla-central/rev/38615ea10314#l3.13

I'm not so keen on trying to be careful to release the SystemClockDriver at a
safe time (e.g. changing MediaStreamGraphInitThreadRunnable::mDriver).  It is
too risky that another reference (existing or future) may extend the life of
the SystemClockDriver.

If we need the graph to label the runnable to shut down ThreadedDriver, then I
think we need to do that explicitly at the right moment.

  One conceptually appealing place to dispatch the shutdown event for the old
  driver may be from SwitchToNextDriver() before the SetCurrentDriver() hands
  ownership of the graph to the new driver.

  Alternatively, dispatching the SystemClockDriver shutdown event is
  conceptually similar to the AsyncCubebOperation::SHUTDOWN task dispatched
  from AudioCallbackDriver::Start(), and so AudioCallbackDriver::Start() may
  be a good place.

However, I don't think this runnable is observable from web content
(destructors generally should not be observable), which means that
SystemGroup::Dispatch() should be sufficient, and there is no need to
reference mGraphImpl.  (The Quantum DOM project has pretty much been abandoned
now, and so I doubt the kind of dispatch even matters much.)

Clearing mGraphImpl from SetCurrentDriver() or SwitchToNextDriver() may be
good defense in depth.
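The ownership problem described in the comment above, modelled as an added example (this is constructed illustration code, not Mozilla's GraphDriver or MediaStreamGraph sources). The class and method names echo the bug's (GraphImpl, ThreadedDriver, SetCurrentDriver, SystemGroup::Dispatch), but the types, the string-based task queue, and the scenario function are all assumptions made for the example. It shows the two mitigations proposed above: the destructor dispatches the thread-shutdown task through a process-wide dispatcher instead of through the graph back-pointer, and the graph severs that back-pointer whenever it hands ownership to another driver or is itself destroyed.

```cpp
// Added example (not Mozilla code): toy model of a driver whose destructor
// used to dereference a back-pointer to a graph that may already be freed.
#include <cassert>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Stand-in for SystemGroup::Dispatch: a process-wide queue that outlives any
// single graph, so dispatching to it from a destructor is always safe.
struct SystemGroup {
    static std::vector<std::string>& Queue() {
        static std::vector<std::string> q;
        return q;
    }
    static void Dispatch(const std::string& taskName) { Queue().push_back(taskName); }
};

class GraphImpl;

class ThreadedDriver {
public:
    ThreadedDriver(GraphImpl* graph, std::string name)
        : mGraphImpl(graph), mName(std::move(name)) {}

    ~ThreadedDriver() {
        // The buggy shape was "mGraphImpl->Dispatch(shutdownTask)": if a graph
        // shutdown runnable had already freed the graph while another reference
        // kept this driver alive, that read is a heap-use-after-free.
        // Hardened: thread shutdown is not observable from content, so a
        // process-wide dispatcher is sufficient and the graph is never touched.
        SystemGroup::Dispatch("shutdown-thread:" + mName);
    }

    // Defense in depth: the graph calls this when it stops being this driver's
    // graph, so a stale back-pointer cannot survive a driver switch.
    void ClearGraph() { mGraphImpl = nullptr; }
    bool HasGraph() const { return mGraphImpl != nullptr; }

private:
    GraphImpl* mGraphImpl;  // non-owning back-pointer
    std::string mName;
};

class GraphImpl {
public:
    ~GraphImpl() {
        if (mCurrentDriver) mCurrentDriver->ClearGraph();
    }
    std::shared_ptr<ThreadedDriver> CreateDriver(const std::string& name) {
        return std::make_shared<ThreadedDriver>(this, name);
    }
    // Hands ownership of the graph to the next driver and severs the old one.
    void SetCurrentDriver(std::shared_ptr<ThreadedDriver> next) {
        if (mCurrentDriver) mCurrentDriver->ClearGraph();
        mCurrentDriver = std::move(next);
    }

private:
    std::shared_ptr<ThreadedDriver> mCurrentDriver;  // owning reference
};

struct ScenarioResult {
    bool oldDriverLinkedAfterSwitch;     // expected false
    bool newDriverLinkedAfterGraphGone;  // expected false
    size_t shutdownTasksDispatched;      // expected 2, one per driver
};

// Replays the sequence from the bug: switch drivers while a lingering
// reference (the InitThreadRunnable's mDriver) keeps the old driver alive,
// destroy the graph, then let the old driver's destructor run last.
ScenarioResult RunSwitchThenShutdownScenario() {
    SystemGroup::Queue().clear();
    auto graph = std::make_unique<GraphImpl>();
    auto driverA = graph->CreateDriver("A");
    graph->SetCurrentDriver(driverA);
    std::shared_ptr<ThreadedDriver> lingeringRef = driverA;  // extra strong ref
    auto driverB = graph->CreateDriver("B");
    graph->SetCurrentDriver(driverB);  // graph severs A's back-pointer here

    ScenarioResult r{};
    r.oldDriverLinkedAfterSwitch = driverA->HasGraph();
    driverA.reset();  // only lingeringRef keeps A alive now
    graph.reset();    // graph shutdown runnable equivalent: graph is gone
    r.newDriverLinkedAfterGraphGone = driverB->HasGraph();
    lingeringRef.reset();  // ~ThreadedDriver for A runs after the graph is freed
    driverB.reset();
    r.shutdownTasksDispatched = SystemGroup::Queue().size();
    return r;
}

int main() {
    ScenarioResult r = RunSwitchThenShutdownScenario();
    std::cout << "old driver linked after switch: " << r.oldDriverLinkedAfterSwitch
              << "\nshutdown tasks dispatched: " << r.shutdownTasksDispatched << "\n";
    return 0;
}
```

Under ASan the original shape would report exactly the kind of heap-use-after-free shown at the top of this bug; in this model the destructor has nothing to dereference, and the severed back-pointer makes any future reintroduction of a graph access in the destructor fail loudly as a null dereference rather than silently read freed memory.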
sec-critical for virtual function call on freed object.
Perhaps difficulty in scheduling may mitigate.
Assignee: nobody → karlt
Priority: P3 → P1
See Also: → 1472925
The shutdown of the thread is not observable from content, and so its
order wrt other tasks is not important.

This would address this bug, but not bug 1472925.

Even if we take a solution for bug 1472925 that fixes this bug, I think that the SystemGroup is still appropriate for thread shutdown.
Attachment #8989335 - Flags: review?(padenot)
Keywords: testcase-wanted
I'm having difficulty reproducing this issue reliably.  I will update once a reliable testcase becomes available.
Attachment #8989335 - Flags: review?(padenot) → review+
Comment on attachment 8989335 [details] [diff] [review]
use SystemGroup for ThreadedDriver thread shutdown task

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Not easily.  We don't have a reliable mechanism to reproduce a crash.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.

Which older supported branches are affected by this flaw?
56 and more recent.

If not all supported branches, which bug introduced the flaw?
Bug 1378067.

Do you have backports for the affected branches? If not, how different, hard
to create, and risky will they be?
Patch should apply cleanly to affected branches.

How likely is this patch to cause regressions; how much testing does it need?
Very unlikely.  No testing required.

Note that this patch is not required to fix this bug if
https://bugzilla.mozilla.org/attachment.cgi?id=8989339
lands.  If landing in combination with that patch, then this patch would add
unnecessary additional information for constructing an exploit.
Attachment #8989335 - Flags: sec-approval?
sec-approval+. I'd like to see a beta branch and ESR60 version nominated (especially since it should apply cleanly).
Attachment #8989335 - Flags: sec-approval? → sec-approval+
Comment on attachment 8989335 [details] [diff] [review]
use SystemGroup for ThreadedDriver thread shutdown task

Approval Request Comment
[Feature/Bug causing the regression]:
Bug 1378067.
[User impact if declined]:
sec-critical
[Is this code covered by automated tests?]:
The code is exercised by automated tests,
but we do not have a reproducer for the issue that the patch fixes.
[Has the fix been verified in Nightly?]:
No.
[Needs manual test from QE? If yes, steps to reproduce]:
No.
[List of other uplifts needed for the feature/fix]:
None.
[Is the change risky?]:
No.
[Why is the change risky/not risky?]:
Simple change.
[String changes made/needed]:
No.

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
sec-critical
Fix Landed on Version:
63.
Attachment #8989335 - Flags: approval-mozilla-esr60?
Attachment #8989335 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/3da753ca1fb1
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
There are uplift requests here and in bug 1472925, and it sounds like maybe we should land one or the other. Karl, which is preferable?   The patch in bug 1472925 would fix this issue.... would the patch in this bug fix the problem in bug 1472925 ?
Flags: needinfo?(karlt)
"Note that this patch is not required to fix this bug if
https://bugzilla.mozilla.org/attachment.cgi?id=8989339
lands.  If landing in combination with that patch, then this patch would add
unnecessary additional information for constructing an exploit." 

Note, both patches already landed on trunk.
Holding off here on branches after talking with Karl - we will give the patch from bug 1472925 a try.
Flags: needinfo?(karlt)
Comment on attachment 8989335 [details] [diff] [review]
use SystemGroup for ThreadedDriver thread shutdown task

Removing uplift approval requests because affected branches are now fixed by changes for bug 1472925.
Attachment #8989335 - Flags: approval-mozilla-esr60?
Attachment #8989335 - Flags: approval-mozilla-beta?
esr60 and 62 are now fixed by these changesets:
https://hg.mozilla.org/releases/mozilla-esr60/rev/511fca97fb60
https://hg.mozilla.org/releases/mozilla-beta/rev/47b9b8ecc3f1

Those are not directly related to the patch here, but good enough.
Group: media-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main62+][adv-esr60.2+]
Lowering severity a notch because it's a racy issue in the child process.
Keywords: sec-critical → sec-high
Group: core-security-release