1518744 - Crash in __39-[DeviceInfoIosObjC configureObservers]_block_invoke

Status: RESOLVED FIXED

(Core :: WebRTC: Audio/Video, defect, P2)

Description

[Calixte Denizet (:calixte)]

This bug was filed from the Socorro interface and is
report bp-c4a0c859-cfc9-4df1-9b0c-4ce9d0190109.

Top 10 frames of crashing thread:

0 XUL __39-[DeviceInfoIosObjC configureObservers]_block_invoke media/webrtc/trunk/webrtc/modules/video_capture/objc/device_info_objc.mm:117
1 Foundation Foundation@0x56a62
2 CoreFoundation CoreFoundation@0x9f711
3 CoreFoundation CoreFoundation@0x9f68b
4 CoreFoundation CoreFoundation@0x9f5ac
5 CoreFoundation CoreFoundation@0xa7a08
6 CoreFoundation CoreFoundation@0xf1a9
7 CoreFoundation CoreFoundation@0xe56c
8 Foundation Foundation@0x11a7a
9 Foundation Foundation@0xb1baa

=============================================================

There is 1 crash in nightly 66 with buildid 20190108215840. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1439997.

[1] https://hg.mozilla.org/mozilla-central/rev?node=7924a0ccd7a3

Comment 1

[Dan Minor [:dminor]]

Unfortunately, it looks like I introduced a UAF by forgetting to set _owner to nil in ~DeviceInfoIOS.

Comment 2

[Dan Minor [:dminor]]

Attachment: Bug 1518744 - Deregister owner in DeviceInfoIos destructor; r=jib!

Comment 3

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/998ab57c13668895fc962260071b714cce36efdd
https://hg.mozilla.org/mozilla-central/rev/998ab57c1366

Comment 4

[Dan Minor [:dminor]]

Marcia, was adding @mozilla::dom::FragmentOrElement::nsDOMSlots::Traverse to the crash signature an accident? I'm not sure how it relates to this bug.

Comment 5

[Marcia Knous [:marcia]]

(In reply to Dan Minor [:dminor] from comment #4)

Marcia, was adding @mozilla::dom::FragmentOrElement::nsDOMSlots::Traverse to the crash signature an accident? I'm not sure how it relates to this bug.

There were 2 Mac crashes on nightly - both with Build ID 20190108215840. The second line in the signature is __39-[DeviceInfoIosObjC configureObservers]_block_invoke. So I assumed those 2 crashes were the same as this one.

Comment 6

[Dan Minor [:dminor]]

(In reply to Marcia Knous [:marcia - needinfo? me] from comment #5)

(In reply to Dan Minor [:dminor] from comment #4)

Marcia, was adding @mozilla::dom::FragmentOrElement::nsDOMSlots::Traverse to the crash signature an accident? I'm not sure how it relates to this bug.

There were 2 Mac crashes on nightly - both with Build ID 20190108215840. The second line in the signature is __39-[DeviceInfoIosObjC configureObservers]_block_invoke. So I assumed those 2 crashes were the same as this one.

That makes sense, thank you.

I'm not seeing any crashes later than Build ID 20190109163702, so I think the fix here is good.

Comment 7

[Marcia Knous [:marcia]]

Hello Dan: While going through nightly crash stats today, I spotted this crash which is in 20190110093854: https://crash-stats.mozilla.com/report/index/a61fb8d4-1591-4b51-aa44-34bbf0190111. It has some of the same type of source as in the other crashes. If I need to file a new bug let me know. Thanks!

Comment 8

[Dan Minor [:dminor]]

Hi Marcia, please do file a new bug, at first glance this looks like a separate issue to me. Thanks!

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9035313 [details]
Bug 1518744 - Deregister owner in DeviceInfoIos destructor; r=jib!

[Triage Comment]
Fixes a regression introduced by the patches in bug 1439997 (which is being uplifted to 65). Approved for 65.0b11.

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/c0445e5ce388