Closed Bug 1489169 Opened 6 years ago Closed 4 years ago

AddressSanitizer: heap-use-after-free src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/atomic_base.h:478:2 in store

Categories

(Core :: Audio/Video: MediaStreamGraph, defect)

defect
Not set
critical

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox64 --- affected

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 1 open bug)

Details

(4 keywords)

Found while fuzzing mozilla-central rev df61bdb0bc83 (20180903).

The testcase that originally triggered this issue only reproduces the following assertion for me:

Assertion failure: IsVideoSeeking() || mSeekPromise.IsEmpty() (No sample requests allowed while seeking), at /builds/worker/workspace/build/src/dom/media/MediaFormatReader.cpp:1736

I will update this bug if a working testcase becomes available.

==27588==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150001589b0 at pc 0x7f3fff178cfa bp 0x7f3fce6e8b40 sp 0x7f3fce6e8b38
WRITE of size 4 at 0x6150001589b0 thread T3300 (MediaPl~back #2)
    #0 0x7f3fff178cf9 in store src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/atomic_base.h:478:2
    #1 0x7f3fff178cf9 in store src/obj-firefox/dist/include/mozilla/Atomics.h:228
    #2 0x7f3fff178cf9 in operator= src/obj-firefox/dist/include/mozilla/Atomics.h:361
    #3 0x7f3fff178cf9 in operator= src/obj-firefox/dist/include/mozilla/Atomics.h:581
    #4 0x7f3fff178cf9 in EnsureNextIteration src/dom/media/MediaStreamGraphImpl.h:563
    #5 0x7f3fff178cf9 in mozilla::SourceMediaStream::AdvanceKnownTracksTime(long) src/dom/media/MediaStreamGraph.cpp:3355
    #6 0x7f3fff4586d2 in mozilla::DecodedStream::SendData() src/dom/media/mediasink/DecodedStream.cpp:713:3
    #7 0x7f3ffef6b8cb in applyImpl<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #8 0x7f3ffef6b8cb in apply<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #9 0x7f3ffef6b8cb in mozilla::detail::RunnableMethodImpl<mozilla::detail::Listener<RefPtr<mozilla::AudioData> >*, void (mozilla::detail::Listener<RefPtr<mozilla::AudioData> >::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #10 0x7f3ff6f36571 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:214:37
    #11 0x7f3ff6f40cf0 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:235:12
    #12 0x7f3ff6f745d2 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:231:14
    #13 0x7f3ff6f75274 in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp
    #14 0x7f3ff6f66e90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #15 0x7f3ff6f6fba5 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #16 0x7f3ff81567bf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:334:20
    #17 0x7f3ff80569cc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #18 0x7f3ff80569cc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #19 0x7f3ff80569cc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #20 0x7f3ff6f5efa9 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:464:11
    #21 0x7f401a3598c8 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #22 0x7f4019fa26b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #23 0x7f401901f41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6150001589b0 is located 176 bytes inside of 464-byte region [0x615000158900,0x615000158ad0)
freed by thread T0 (file:// Content) here:
    #0 0x4c6342 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f3fff18070b in mozilla::MediaStreamGraphImpl::Release() src/dom/media/MediaStreamGraph.cpp:3907:1
    #2 0x7f3fff1957a5 in Release src/obj-firefox/dist/include/mozilla/RefPtr.h:42:11
    #3 0x7f3fff1957a5 in Release src/obj-firefox/dist/include/mozilla/RefPtr.h:407
    #4 0x7f3fff1957a5 in ~RefPtr src/obj-firefox/dist/include/mozilla/RefPtr.h:80
    #5 0x7f3fff1957a5 in ~MediaStreamGraphShutDownRunnable src/dom/media/MediaStreamGraph.cpp:1577
    #6 0x7f3fff1957a5 in mozilla::(anonymous namespace)::MediaStreamGraphShutDownRunnable::~MediaStreamGraphShutDownRunnable() src/dom/media/MediaStreamGraph.cpp:1577
    #7 0x7f3ff6f772db in mozilla::Runnable::Release() src/xpcom/threads/nsThreadUtils.cpp:50:1
    #8 0x7f3ff6f36a42 in ~nsCOMPtr_base src/obj-firefox/dist/include/nsCOMPtr.h:313:7
    #9 0x7f3ff6f36a42 in Destruct src/obj-firefox/dist/include/nsTArray.h:545
    #10 0x7f3ff6f36a42 in DestructRange src/obj-firefox/dist/include/nsTArray.h:2339
    #11 0x7f3ff6f36a42 in ClearAndRetainStorage src/obj-firefox/dist/include/nsTArray.h:1370
    #12 0x7f3ff6f36a42 in ~nsTArray_Impl src/obj-firefox/dist/include/nsTArray.h:925
    #13 0x7f3ff6f36a42 in mozilla::AutoTaskDispatcher::PerThreadTaskGroup::~PerThreadTaskGroup() src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:183
    #14 0x7f3ff6f36905 in operator() src/obj-firefox/dist/include/mozilla/UniquePtr.h:528:5
    #15 0x7f3ff6f36905 in reset src/obj-firefox/dist/include/mozilla/UniquePtr.h:343
    #16 0x7f3ff6f36905 in ~UniquePtr src/obj-firefox/dist/include/mozilla/UniquePtr.h:288
    #17 0x7f3ff6f36905 in ~TaskGroupRunnable src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:190
    #18 0x7f3ff6f36905 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::~TaskGroupRunnable() src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:190
    #19 0x7f3ff6f772db in mozilla::Runnable::Release() src/xpcom/threads/nsThreadUtils.cpp:50:1
    #20 0x7f3ff6f32c64 in Release src/obj-firefox/dist/include/mozilla/RefPtr.h:42:11
    #21 0x7f3ff6f32c64 in Release src/obj-firefox/dist/include/mozilla/RefPtr.h:407
    #22 0x7f3ff6f32c64 in ~RefPtr src/obj-firefox/dist/include/mozilla/RefPtr.h:80
    #23 0x7f3ff6f32c64 in ~Runner src/xpcom/threads/AbstractThread.cpp:114
    #24 0x7f3ff6f32c64 in mozilla::EventTargetWrapper::Runner::~Runner() src/xpcom/threads/AbstractThread.cpp:114
    #25 0x7f3ff6f7789b in Release src/xpcom/threads/nsThreadUtils.cpp:50:1
    #26 0x7f3ff6f7789b in mozilla::CancelableRunnable::Release() src/xpcom/threads/nsThreadUtils.cpp:74
    #27 0x7f3ff6f2a02e in assign_assuming_AddRef src/obj-firefox/dist/include/nsCOMPtr.h:355:7
    #28 0x7f3ff6f2a02e in operator= src/obj-firefox/dist/include/nsCOMPtr.h:638
    #29 0x7f3ff6f2a02e in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:341
    #30 0x7f3ff6f66e90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #31 0x7f3ff6f64b41 in NS_ProcessNextEvent src/xpcom/threads/nsThreadUtils.cpp:519:10
    #32 0x7f3ff6f64b41 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:871:22)> src/obj-firefox/dist/include/nsThreadUtils.h:324
    #33 0x7f3ff6f64b41 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:871
    #34 0x7f3ff6f76408 in nsThreadPool::Shutdown() src/xpcom/threads/nsThreadPool.cpp:347:17
    #35 0x7f3ff6f3c22b in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #36 0x7f3ff6f3c22b in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #37 0x7f3ff6f3c22b in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #38 0x7f3ff6f66e90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #39 0x7f3ff6f64b41 in NS_ProcessNextEvent src/xpcom/threads/nsThreadUtils.cpp:519:10
    #40 0x7f3ff6f64b41 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:871:22)> src/obj-firefox/dist/include/nsThreadUtils.h:324
    #41 0x7f3ff6f64b41 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:871
    #42 0x7f3ffee89ca1 in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() src/dom/media/GraphDriver.cpp:180:14
    #43 0x7f3ff6f29fc2 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #44 0x7f3ff6f66e90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #45 0x7f3ff6f6fba5 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c6683 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f7a3d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f3fff17ff23 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
    #3 0x7f3fff17ff23 in mozilla::MediaStreamGraph::GetInstance(mozilla::MediaStreamGraph::GraphDriverType, nsPIDOMWindowInner*, int) src/dom/media/MediaStreamGraph.cpp:3861
    #4 0x7f3ffeb57bb8 in mozilla::dom::HTMLMediaElement::MozCaptureStreamUntilEnded(mozilla::ErrorResult&) src/dom/html/HTMLMediaElement.cpp:3674:29
    #5 0x7f3ffdb7465e in mozilla::dom::HTMLMediaElement_Binding::mozCaptureStreamUntilEnded(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLMediaElement*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLMediaElementBinding.cpp:2152:61
    #6 0x7f3ffdf38bb9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3296:13
    #7 0x7f400522953b in CallJSNative src/js/src/vm/Interpreter.cpp:449:15
    #8 0x7f400522953b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:537
    #9 0x7f400547b576 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) src/js/src/jit/BaselineIC.cpp:3608:14
    #10 0x25d1b0d69db7 (<unknown module>)
    #11 0x621007605ecf (<unknown module>)
    #12 0x25d1b0d644e1 (<unknown module>)
    #13 0x7f40054b233d in EnterBaseline src/js/src/jit/BaselineJIT.cpp:159:9
    #14 0x7f40054b233d in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) src/js/src/jit/BaselineJIT.cpp:236
    #15 0x7f400521c0c3 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2210:28
    #16 0x7f40051f8a0e in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:429:12
    #17 0x7f400522a04e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:561:15
    #18 0x7f400522bde2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:607:10
    #19 0x7f4005cc4eed in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2917:12
    #20 0x7f3ffd541f9e in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #21 0x7f3ffe7aac1e in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #22 0x7f3ffe7aac1e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1108
    #23 0x7f3ffe7acda7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1342:20

Thread T3300 (MediaPl~back #2) created by T0 (file:// Content) here:
    #0 0x4af70d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f401a356605 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f401a3561ee in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f3ff6f62303 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:659:8
    #4 0x7f3ff6f6e67e in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:518:22
    #5 0x7f3ff6f72d9a in NS_NewNamedThread src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7f3ff6f72d9a in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7f3ff6f754c6 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) src/xpcom/threads/nsThreadPool.cpp:280:5
    #8 0x7f3ff6f3f2cd in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::AbstractThread::DispatchReason) src/xpcom/threads/TaskQueue.cpp:125:26
    #9 0x7f3ff6f7b56f in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) src/obj-firefox/dist/include/mozilla/TaskQueue.h:75:14
    #10 0x7f3ff6f3413d in DispatchTaskGroup src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:265:20
    #11 0x7f3ff6f3413d in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:90
    #12 0x7f3ff6f33738 in reset src/obj-firefox/dist/include/mozilla/Maybe.h:498:17
    #13 0x7f3ff6f33738 in mozilla::EventTargetWrapper::FireTailDispatcher() src/xpcom/threads/AbstractThread.cpp:75
    #14 0x7f3ff6f3888b in applyImpl<mozilla::EventTargetWrapper, void (mozilla::EventTargetWrapper::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #15 0x7f3ff6f3888b in apply<mozilla::EventTargetWrapper, void (mozilla::EventTargetWrapper::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #16 0x7f3ff6f3888b in mozilla::detail::RunnableMethodImpl<mozilla::EventTargetWrapper*, void (mozilla::EventTargetWrapper::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #17 0x7f3ff6d254b6 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() src/xpcom/base/CycleCollectedJSContext.cpp:338:12
    #18 0x7f3ff6d28082 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) src/xpcom/base/CycleCollectedJSContext.cpp:403:3
    #19 0x7f3ff90b6bf5 in XPCJSContext::AfterProcessTask(unsigned int) src/js/xpconnect/src/XPCJSContext.cpp:1236:30
    #20 0x7f3ff6f67940 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1196:24
    #21 0x7f3ff6f64b41 in NS_ProcessNextEvent src/xpcom/threads/nsThreadUtils.cpp:519:10
    #22 0x7f3ff6f64b41 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:871:22)> src/obj-firefox/dist/include/nsThreadUtils.h:324
    #23 0x7f3ff6f64b41 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:871
    #24 0x7f3ff6f76408 in nsThreadPool::Shutdown() src/xpcom/threads/nsThreadPool.cpp:347:17
    #25 0x7f3ff6f3c22b in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #26 0x7f3ff6f3c22b in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #27 0x7f3ff6f3c22b in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #28 0x7f3ff6f66e90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #29 0x7f3ff6f64b41 in NS_ProcessNextEvent src/xpcom/threads/nsThreadUtils.cpp:519:10
    #30 0x7f3ff6f64b41 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:871:22)> src/obj-firefox/dist/include/nsThreadUtils.h:324
    #31 0x7f3ff6f64b41 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:871
    #32 0x7f3ff6f76408 in nsThreadPool::Shutdown() src/xpcom/threads/nsThreadPool.cpp:347:17
    #33 0x7f3ff6f3c22b in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #34 0x7f3ff6f3c22b in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #35 0x7f3ff6f3c22b in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #36 0x7f3ff6f66e90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #37 0x7f3ff6f64b41 in NS_ProcessNextEvent src/xpcom/threads/nsThreadUtils.cpp:519:10
    #38 0x7f3ff6f64b41 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:871:22)> src/obj-firefox/dist/include/nsThreadUtils.h:324
    #39 0x7f3ff6f64b41 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:871
    #40 0x7f3ffee57945 in mozilla::ThreadedDriver::Shutdown() src/dom/media/GraphDriver.cpp:287:14
    #41 0x7f3fff194bed in mozilla::(anonymous namespace)::MediaStreamGraphShutDownRunnable::Run() src/dom/media/MediaStreamGraph.cpp:1602:22
    #42 0x7f3ff6f36571 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:214:37
    #43 0x7f3ff6f322e8 in mozilla::EventTargetWrapper::Runner::Run() src/xpcom/threads/AbstractThread.cpp:150:32
    #44 0x7f3ff6f29fc2 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #45 0x7f3ff6f66e90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #46 0x7f3ff6f6fba5 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #47 0x7f4000752955 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2937:31)> src/obj-firefox/dist/include/nsThreadUtils.h:324:25
    #48 0x7f4000752955 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) src/dom/xhr/XMLHttpRequestMainThread.cpp:2937
    #49 0x7f40007506fe in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) src/dom/xhr/XMLHttpRequestMainThread.cpp:2724:11
    #50 0x7f3ffd24a21f in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1275:9
    #51 0x7f3ffdf38bb9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3296:13
    #52 0x7f400522953b in CallJSNative src/js/src/vm/Interpreter.cpp:449:15
    #53 0x7f400522953b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:537
    #54 0x7f4005212e83 in CallFromStack src/js/src/vm/Interpreter.cpp:594:12
    #55 0x7f4005212e83 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3266
    #56 0x7f40051f8a0e in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:429:12
    #57 0x7f400522a04e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:561:15
    #58 0x7f400522bde2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:607:10
    #59 0x7f4005cc4eed in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2917:12
    #60 0x7f3ffd541f9e in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #61 0x7f3ffe7aac1e in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #62 0x7f3ffe7aac1e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1108
    #63 0x7f3ffe7acda7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1342:20
    #64 0x7f3ffe790839 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #65 0x7f3ffe790839 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:420
    #66 0x7f3ffe78eaf3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:637:16
    #67 0x7f3ffe7952de in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1112:9
    #68 0x7f40013ed30f in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1168:7
    #69 0x7f400415d9fc in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:7054:21
    #70 0x7f400415868a in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6847:7
    #71 0x7f4004162307 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #72 0x7f3ff9708765 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1313:3
    #73 0x7f3ff970738c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:856:14
    #74 0x7f3ff9702e91 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:745:9
    #75 0x7f3ff9705978 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:631:5
    #76 0x7f3ff9706eb4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #77 0x7f3ff71d3a07 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:629:28
    #78 0x7f3ffaff5d97 in DoUnblockOnload src/dom/base/nsDocument.cpp:8300:18
    #79 0x7f3ffaff5d97 in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8222
    #80 0x7f3ffafcf670 in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:5094:3
    #81 0x7f3ffb136cbb in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1168:12
    #82 0x7f3ffb136cbb in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #83 0x7f3ffb136cbb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1219
    #84 0x7f3ff6f29fc2 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #85 0x7f3ff6f66e90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #86 0x7f3ff6f6fba5 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #87 0x7f3ff815512e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #88 0x7f3ff80569cc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #89 0x7f3ff80569cc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #90 0x7f3ff80569cc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #91 0x7f4000b74946 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #92 0x7f4004f02aee in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #93 0x7f3ff80569cc in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #94 0x7f3ff80569cc in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #95 0x7f3ff80569cc in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #96 0x7f4004f01ba5 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #97 0x4f6b61 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #98 0x4f6b61 in main src/browser/app/nsBrowserApp.cpp:287
    #99 0x7f4018f3882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/atomic_base.h:478:2 in store
Shadow bytes around the buggy address:
  0x0c2a800230e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a800230f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80023100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80023110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80023120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a80023130: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c2a80023140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80023150: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2a80023160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80023170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80023180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27588==ABORTING
Even the assertion testcase might be useful, please attach it. sec-high, looks like a UAF on the refcount maybe. But if we can't repro we'll eventually have to close it.
Group: core-security → media-core-security
Flags: needinfo?(jkratzer)
Component: Audio/Video → Audio/Video: MediaStreamGraph
If the MSG has removed its self-reference it must be empty, but MediaDecoder holds a strong reference to its SourceMediaStream. Holding a strong reference is however not enough. Calling Destroy() on the stream will remove that stream on the next graph iteration, possibly emptying the graph. DecodedStreamData claims that MediaDecoder is responsible for calling Destroy() on its SourceMediaStream, [1]; however, this seems wrong, as DecodedStreamData creates and Destroy()s this stream itself, [2]. OutputStreamManager learns about its whereabouts too, but doesn't call Destroy(), [3]. The graph instance that DecodedStreamData uses to create the SourceMediaStream comes from a ProcessedMediaStream in OutputStreamData, [4], which comes from one of two AddOutputStream()s, [5]. It might be possible that the graph is told to destroy itself before it's told to add the SourceMediaStream from [2]. It would be interesting to see the test case that leads to this though, as there are a bunch of strong refs to streams that would keep the MediaStreamGraph alive, so the trigger to destroy the graph would have to happen before these are created as well. Part of the problem is also that the reference from MediaStreams to the MediaStreamGraph is a rawptr, [6].
[1] https://searchfox.org/mozilla-central/rev/d4ef4e9747133aa2914aca2a15cf9df1e42a6aa0/dom/media/mediasink/DecodedStream.cpp#163
[2] https://searchfox.org/mozilla-central/rev/d4ef4e9747133aa2914aca2a15cf9df1e42a6aa0/dom/media/mediasink/DecodedStream.cpp#185,217
[3] https://searchfox.org/mozilla-central/search?q=symbol:F_%3CT_mozilla%3A%3AOutputStreamManager%3E_1&redirect=false
[4] https://searchfox.org/mozilla-central/rev/d4ef4e9747133aa2914aca2a15cf9df1e42a6aa0/dom/media/mediasink/OutputStreamManager.h#45
[5] https://searchfox.org/mozilla-central/rev/d4ef4e9747133aa2914aca2a15cf9df1e42a6aa0/dom/html/HTMLMediaElement.cpp#3541,5088
[6] https://searchfox.org/mozilla-central/rev/d4ef4e9747133aa2914aca2a15cf9df1e42a6aa0/dom/media/MediaStreamGraph.h#685-686
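Added here as an illustration of the lifetime rule the comment above reasons about; this is not code from the bug or from Firefox. It is a small C++ model in which Destroy() only takes effect on the next iteration and an empty graph drops its self-reference, and it runs the late-stream sequence once with streams holding a raw pointer to the graph and once with a strong reference. Graph, Stream, AddStream(), OneIteration() and the mStreamsHoldStrongRef switch are names made up for the model.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Graph;

// A stream in the graph. mStrongGraph is the hardened form (the stream keeps
// its graph alive); mRawGraph is the raw pointer the comment above points at.
// Both are kept so the same sequence can be run either way.
struct Stream {
  std::shared_ptr<Graph> mStrongGraph;
  Graph* mRawGraph = nullptr;
  bool mDestroyed = false;
};

struct Graph : std::enable_shared_from_this<Graph> {
  std::vector<std::shared_ptr<Stream>> mStreams;
  std::shared_ptr<Graph> mSelfRef;     // held only while the graph has streams
  bool mStreamsHoldStrongRef = false;  // model switch: strong vs raw stream->graph
  bool mNeedsIteration = false;        // the flag EnsureNextIteration() stores to

  static std::shared_ptr<Graph> GetInstance(bool streamsHoldStrongRef) {
    std::shared_ptr<Graph> g = std::make_shared<Graph>();
    g->mStreamsHoldStrongRef = streamsHoldStrongRef;
    return g;
  }

  // Adding a stream makes the graph non-empty, so it takes a self-reference.
  std::shared_ptr<Stream> AddStream() {
    std::shared_ptr<Stream> s = std::make_shared<Stream>();
    s->mRawGraph = this;
    if (mStreamsHoldStrongRef) s->mStrongGraph = shared_from_this();
    if (!mSelfRef) mSelfRef = shared_from_this();
    mStreams.push_back(s);
    return s;
  }

  // Destroy() only marks the stream; it leaves the graph on the next iteration.
  static void Destroy(Stream& s) { s.mDestroyed = true; }

  // The store ASan flagged: a stream that appended data asks for another
  // iteration (AdvanceKnownTracksTime -> EnsureNextIteration in the trace).
  void EnsureNextIteration() { mNeedsIteration = true; }

  // One graph iteration: drop destroyed streams; an empty graph releases its
  // self-reference, and if that was the last reference the graph is freed.
  void OneIteration() {
    auto destroyed = [](const std::shared_ptr<Stream>& s) { return s->mDestroyed; };
    mStreams.erase(std::remove_if(mStreams.begin(), mStreams.end(), destroyed),
                   mStreams.end());
    if (mStreams.empty()) {
      std::shared_ptr<Graph> lastRef = std::move(mSelfRef);
      (void)lastRef;  // destroyed here; frees *this if nothing else holds it
    }
  }
};

// The sequence the comment describes: the element's output stream is
// destroyed, the graph iterates and becomes empty, whoever called GetInstance()
// lets go of the graph, and only then is a SourceMediaStream created from the
// graph pointer that the output stream still carries. Returns true when that
// late stream's EnsureNextIteration() store lands on a live graph.
bool LateStreamFindsLiveGraph(bool streamsHoldStrongRef) {
  std::weak_ptr<Graph> probe;       // liveness probe for the check only, not ownership
  std::shared_ptr<Stream> output;   // stands in for the AddOutputStream() stream
  {
    std::shared_ptr<Graph> graph = Graph::GetInstance(streamsHoldStrongRef);
    probe = graph;
    output = graph->AddStream();
    Graph::Destroy(*output);
    graph->OneIteration();          // graph now empty: self-reference dropped
  }                                 // creator's reference released
  if (probe.expired()) {
    return false;                   // output->mRawGraph dangles: touching it is the UAF
  }
  std::shared_ptr<Stream> source = output->mRawGraph->AddStream();
  source->mRawGraph->EnsureNextIteration();
  bool alive = !probe.expired();
  Graph::Destroy(*source);          // tidy up so the graph can be freed again
  source->mRawGraph->OneIteration();
  return alive;
}

// With strong references the self-reference is not a leak: once every stream
// has been destroyed, iterated out and released, the graph goes away.
bool GraphFreedAfterAllStreamsGone() {
  std::weak_ptr<Graph> probe;
  {
    std::shared_ptr<Graph> graph = Graph::GetInstance(true);
    probe = graph;
    std::shared_ptr<Stream> a = graph->AddStream();
    std::shared_ptr<Stream> b = graph->AddStream();
    Graph::Destroy(*a);
    Graph::Destroy(*b);
    graph->OneIteration();
  }
  return probe.expired();
}
```

With raw pointers the late stream finds the graph already gone, which is the ordering the analysis suspects; with strong references the output stream keeps the graph alive until the late stream has been added and iterated out.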
The release assertion mentioned in comment #1 can be found in bug 1483988. I've attached the testcase there as well as the steps needed to reproduce.
Flags: needinfo?(jkratzer)
I don't doubt that it triggers the release assert, but the stack for the UAF in comment 0 mentions DecodedStream which implies that HTMLMediaElement.mozCaptureStream() or a MediaElementAudioSourceNode is being used, and I see no trace of either in either testcase on bug 1483988.
Flags: needinfo?(jkratzer)
(In reply to Andreas Pehrson [:pehrsons] from comment #4)
> I don't doubt that it triggers the release assert, but the stack for the UAF
> in comment 0 mentions DecodedStream which implies that
> HTMLMediaElement.mozCaptureStream() or a MediaElementAudioSourceNode is
> being used, and I see no trace of either in either testcase on bug 1483988.

Andreas, unfortunately I still haven't gotten a working testcase for the UAF issue. Dan asked in comment #2 for a copy of the testcase which produced the assert and unfortunately this was the best reduction I could get. If a working testcase comes along for the UAF issue, I will attach it here.
Flags: needinfo?(jkratzer)
(In reply to Andreas Pehrson [:pehrsons] from comment #4)
> I don't doubt that it triggers the release assert, but the stack for the UAF
> in comment 0 mentions DecodedStream which implies that
> HTMLMediaElement.mozCaptureStream() or a MediaElementAudioSourceNode is
> being used, and I see no trace of either in either testcase on bug 1483988.

It also says mozCaptureStream directly.
I don't quite understand this. How can the graph be destroyed if it has a stream, even just a stream that's just been added?
Assignee: nobody → apehrson
Priority: -- → P1

Andreas is this bug stalled, or is there anything left to investigate more?

Flags: needinfo?(apehrson)

This is stalled until we can get a test case, or any other way of gathering data on what is happening.

Flags: needinfo?(apehrson)
Keywords: stalled
Priority: P1 → --

Removing employee no longer with company from CC list of private bugs.

The fuzzing team's last trace of this bug is on m-c 6c10213a8924.

Bug 1509548 landed on m-c 23h20min later and removed the line that caused the UAF per the stack in comment 0.

Bug 1483988 (the assert mentioned in comment 0) was last seen by the fuzzing team on the same build. The root cause of that doesn't seem to me like it would be fixed by bug 1509548. I have been looking at patches touching dom/media in the days following 20181126 and the only thing coming up even remotely matching something I can relate to the assert is bug 1509956. Alastor, do you think it could be related to fixing bug 1483988?

Either way, with the absence of reproductions of this bug for the last two years, and the removal of the last bit of code that led up to the UAF, I consider this overtaken by events.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(alwu)
Keywords: stalled
Resolution: --- → WORKSFORME

Yes, it's possible, as bug 1509956 is a follow-up to bug 1508484, which aimed to fix the assertion [1] in RequestAudioData(), the same place where the assertion failure [2] happens in bug 1483988.

[1] https://searchfox.org/mozilla-central/rev/ff82c973f8ccb0475ec32439e9ec07014b3a681f/dom/media/MediaFormatReader.cpp#1503
[2] https://searchfox.org/mozilla-central/source/dom/media/MediaFormatReader.cpp#1504-1505

Flags: needinfo?(alwu)

Thanks!

Group: media-core-security