Closed
Bug 1502899
Opened 6 years ago
Closed 6 years ago
Assertion failure: false, at /builds/worker/workspace/build/src/media/webrtc/signaling/src/jsep/JsepSessionImpl.cpp:813
Categories
(Core :: WebRTC: Signaling, defect, P2)
Core
WebRTC: Signaling
Tracking
()
RESOLVED
FIXED
mozilla66
People
(Reporter: jkratzer, Assigned: bwc)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase)
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev f7a97b344fa5. Assertion failure: false, at /builds/worker/workspace/build/src/media/webrtc/signaling/src/jsep/JsepSessionImpl.cpp:813 rax = 0x0000000000000000 rdx = 0x0000000000000000 rcx = 0x0000000000000b40 rbx = 0x00007fd04c18fc00 rsi = 0x00007fd06623a8b0 rdi = 0x00007fd066239680 rbp = 0x00007ffc575ba650 rsp = 0x00007ffc575ba320 r8 = 0x00007fd06623a8b0 r9 = 0x00007fd0673ab740 r10 = 0x0000000000000002 r11 = 0x0000000000000000 r12 = 0x00007ffc575ba350 r13 = 0x0000000000000000 r14 = 0x0000000000000000 r15 = 0x0000000000000000 rip = 0x00007fd055241cc5 OS|Linux|0.0.0 Linux 4.15.0-36-generic #39-Ubuntu SMP Mon Sep 24 16:19:09 UTC 2018 x86_64 CPU|amd64|family 6 model 78 stepping 3|1 GPU||| Crash|SIGSEGV /SEGV_MAPERR|0x0|0 0|0|libxul.so|mozilla::JsepSessionImpl::SetLocalDescription(mozilla::JsepSdpType, std::string const&)|hg:hg.mozilla.org/mozilla-central:media/webrtc/signaling/src/jsep/JsepSessionImpl.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|813|0x18 0|1|libxul.so|mozilla::PeerConnectionImpl::SetLocalDescription(int, char const*)|hg:hg.mozilla.org/mozilla-central:media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|1461|0x17 0|2|libxul.so|mozilla::dom::PeerConnectionImpl_Binding::setLocalDescription|hg:hg.mozilla.org/mozilla-central:media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.h:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|285|0x1e 0|3|libxul.so|bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)|hg:hg.mozilla.org/mozilla-central:dom/bindings/BindingUtils.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|3314|0x9 0|4|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|468|0x3 0|5|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|560|0xf 0|6|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|614|0xd 0|7|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|620|0xf 0|8|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|447|0xb 0|9|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|587|0xf 0|10|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|614|0xd 0|11|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|633|0x5 0|12|libxul.so|js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool)|hg:hg.mozilla.org/mozilla-central:js/src/builtin/Promise.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|2161|0x20 0|13|libxul.so|PromiseConstructor|hg:hg.mozilla.org/mozilla-central:js/src/builtin/Promise.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|2082|0x5 0|14|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|468|0x3 0|15|libxul.so|CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|485|0xf 0|16|libxul.so|InternalConstruct|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|661|0x10 0|17|libxul.so|Interpret|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|3453|0xf 0|18|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|447|0xb 0|19|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|587|0xf 0|20|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|614|0xd 0|21|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|633|0x5 0|22|libxul.so|js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/SelfHosting.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|1874|0x17 0|23|libxul.so|js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jit/VMFunctions.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|962|0x5 0|24|||||0x14d452afb38f 0|25|||||0x14d452ae5ad7 0|26|libxul.so|EnterJit|hg:hg.mozilla.org/mozilla-central:js/src/jit/Jit.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|105|0x22 0|27|libxul.so|js::RunScript(JSContext*, js::RunState&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|432|0xb 0|28|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|587|0xf 0|29|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|614|0xd 0|30|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|633|0x5 0|31|libxul.so|js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/SelfHosting.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|1874|0x17 0|32|libxul.so|AsyncFunctionResume|hg:hg.mozilla.org/mozilla-central:js/src/vm/AsyncFunction.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|200|0x5 0|33|libxul.so|PromiseReactionJob|hg:hg.mozilla.org/mozilla-central:js/src/builtin/Promise.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|1464|0x5 0|34|libxul.so|CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|468|0x3 0|35|libxul.so|js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|560|0xf 0|36|libxul.so|InternalCall|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|614|0xd 0|37|libxul.so|js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|633|0x5 0|38|libxul.so|JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|2975|0x1c 0|39|libxul.so|mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&)|s3:gecko-generated-sources:ea2fb5e212ba7f9e2cc600ca60fbfd8ef070d244a98ada55e8cf297eb2096a14deeab48ed1d4b2d9b412e771629e07bee5fda7aeea29f2c9106efcf8825b391f/dom/bindings/PromiseBinding.cpp:|26|0x5 0|40|libxul.so|mozilla::dom::PromiseJobCallback::Call(mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*)|s3:gecko-generated-sources:a259d1cc4bba87d8ef5762b6cc675afe78e103a58e8d17ab4a2f376b3269f9bffc3015bd6f51f524485eae44afbb840ebf0c57578a272ffdba7a2c2fcbc90554/dist/include/mozilla/dom/PromiseBinding.h:|91|0x12 0|41|libxul.so|mozilla::dom::PromiseJobCallback::Call(char const*)|s3:gecko-generated-sources:a259d1cc4bba87d8ef5762b6cc675afe78e103a58e8d17ab4a2f376b3269f9bffc3015bd6f51f524485eae44afbb840ebf0c57578a272ffdba7a2c2fcbc90554/dist/include/mozilla/dom/PromiseBinding.h:|104|0x13 0|42|libxul.so|mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|247|0x17 0|43|libxul.so|mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|603|0x17 0|44|libxul.so|mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|428|0x7 0|45|libxul.so|XPCJSContext::AfterProcessTask(unsigned int)|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSContext.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|1288|0xb 0|46|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|1301|0xc 0|47|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|530|0x11 0|48|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|97|0xa 0|49|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|325|0x17 0|50|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|318|0x8 0|51|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|158|0xd 0|52|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|939|0x11 0|53|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|269|0x5 0|54|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|325|0x17 0|55|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|318|0x8 0|56|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|765|0x8 0|57|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|50|0x14 0|58|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|301|0x11 0|59|libc-2.27.so||||0x21b97 0|60|firefox-bin|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:f7a97b344fa59bd3b01ea81ebd5b150aa63bfb12|164|0x5
Flags: in-testsuite?
|
Assignee | |
Comment 1•6 years ago
|
||
I can't reproduce this using the test-case. Looking at the test-case, I see only one call to SetLocalDescription, it is right at the beginning of the test, and is not an unusual case.
Flags: needinfo?(jkratzer)
|
Reporter | |
Comment 2•6 years ago
|
||
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 3•6 years ago
|
||
(In reply to Byron Campen [:bwc] from comment #1) > I can't reproduce this using the test-case. Looking at the test-case, I see > only one call to SetLocalDescription, it is right at the beginning of the > test, and is not an unusual case. The testcase reproduces reliably for me on Ubuntu 18 (64) using the attached prefs.
|
|
Assignee | |
Comment 4•6 years ago
|
||
It seems like this must be timing-sensitive somehow. I could see something going wrong if the steps are executed in the following order: let offer2 = await pc2.createOffer(args); let offer1 = await pc1.createOffer(args); await pc2.setRemoteDescription(offer1); await pc2.setRemoteDescription(rollback); await pc2.setLocalDescription(offer2); Let me try this out.
|
|
Assignee | |
Comment 5•6 years ago
|
||
Yep, that does seem to hit that failure case: https://jsfiddle.net/23vwh6dk/
Assignee: nobody → docfaraday
|
|
Assignee | |
Comment 6•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=2fbeb73c860f197faa23b85c2b5951506133f2f5
|
|
Assignee | |
Comment 7•6 years ago
|
||
Bug 1502899: Allow provisional transceiver level assignments to be recovered by rollback.
|
|
Assignee | |
Comment 8•6 years ago
|
||
Can you check whether your test-case still reproduces for you with a binary from comment 6?
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 9•6 years ago
|
||
(In reply to Byron Campen [:bwc] from comment #8) > Can you check whether your test-case still reproduces for you with a binary > from comment 6? I can confirm that the issue does not trigger using the binary from comment 6.
Flags: needinfo?(jkratzer)
|
||
Updated•6 years ago
|
Rank: 15
Priority: -- → P2
|
||
Comment 10•6 years ago
|
||
Just noticed this bug has patches that look ready to land, but haven't.
Flags: needinfo?(docfaraday)
|
|
Assignee | |
Comment 11•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=8525e2b9f8130ff8cab5f600f24db1eebbbaea0c
|
||
Comment 12•6 years ago
|
||
Pushed by bcampen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/03f596ee1683 Allow provisional transceiver level assignments to be recovered by rollback. r=jib,mjf
|
||
Comment 13•6 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox66:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
|
||
Updated•6 years ago
|
Blocks: 1290948
status-firefox64:
--- → wontfix
status-firefox-esr60:
--- → wontfix
Flags: needinfo?(docfaraday)
Flags: in-testsuite?
Flags: in-testsuite+
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/14840 for changes under testing/web-platform/tests
You need to log in
before you can comment on or make changes to this bug.
Description
•