1526044 - AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1263:28 in mozilla::MediaStreamGraphImpl::UpdateGraph(long)

Status: VERIFIED FIXED

(Core :: Web Audio, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 00432a450b3a. Testcase may take a minute or two to trigger.

Debug builds produce the following assertion:
Assertion failure: mStreams.Contains(aStream), at /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:3546

ASAN Output:
==18954==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140001856d8 at pc 0x7fe1b81250bb bp 0x7fe1973faad0 sp 0x7fe1973faac8
WRITE of size 8 at 0x6140001856d8 thread T46 (MediaStreamGrph)
#0 0x7fe1b81250ba in mozilla::MediaStreamGraphImpl::UpdateGraph(long) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1263:28
#1 0x7fe1b8128552 in mozilla::MediaStreamGraphImpl::OneIteration(long) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1395:3
#2 0x7fe1b7dee3ba in mozilla::ThreadedDriver::RunThread() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:306:41
#3 0x7fe1b7e1fe12 in mozilla::MediaStreamGraphInitThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:204:14
#4 0x7fe1af863456 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#5 0x7fe1af86b21d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#6 0x7fe1b0b19571 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
#7 0x7fe1b0a01f0e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#8 0x7fe1b0a01f0e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#9 0x7fe1b0a01f0e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#10 0x7fe1af85b8f3 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
#11 0x7fe1d497c666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#12 0x7fe1d45c06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#13 0x7fe1d359e88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6140001856d8 is located 152 bytes inside of 440-byte region [0x614000185640,0x6140001857f8)
freed by thread T46 (MediaStreamGrph) here:
#0 0x561f549d6a22 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7fe1b812394a in mozilla::MediaStreamGraphImpl::RunMessagesInQueue() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1175:20
#2 0x7fe1b8128508 in mozilla::MediaStreamGraphImpl::OneIteration(long) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1392:3
#3 0x7fe1b7dee3ba in mozilla::ThreadedDriver::RunThread() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:306:41
#4 0x7fe1b7e1fe12 in mozilla::MediaStreamGraphInitThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:204:14
#5 0x7fe1af863456 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
#6 0x7fe1af86b21d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
#7 0x7fe1b0b19571 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
#8 0x7fe1b0a01f0e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#9 0x7fe1b0a01f0e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#10 0x7fe1b0a01f0e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#11 0x7fe1af85b8f3 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
#12 0x7fe1d497c666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#13 0x7fe1d45c06da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

previously allocated by thread T0 (file:// Content) here:
#0 0x561f549d6da3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x561f54a0b63d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:68:15
#2 0x7fe1b87c4fa7 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
#3 0x7fe1b87c4fa7 in mozilla::AudioNodeStream::Create(mozilla::dom::AudioContext*, mozilla::AudioNodeEngine*, unsigned int, mozilla::MediaStreamGraph*) /builds/worker/workspace/build/src/dom/media/webaudio/AudioNodeStream.cpp:75
#4 0x7fe1b880ee75 in mozilla::dom::AudioParam::Stream() /builds/worker/workspace/build/src/dom/media/webaudio/AudioParam.cpp:85:13
#5 0x7fe1b880e79c in mozilla::dom::AudioNode::Connect(mozilla::dom::AudioParam&, unsigned int, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/webaudio/AudioNode.cpp:259:38
#6 0x7fe1b4183ccb in mozilla::dom::AudioNode_Binding::connect(JSContext*, JS::Handle<JSObject*>, mozilla::dom::AudioNode*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/AudioNodeBinding.cpp:384:17
#7 0x7fe1b6ec7c08 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3138:13
#8 0x7fe1beb53d9d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#9 0x7fe1beb53d9d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#10 0x7fe1beb3d6b9 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#11 0x7fe1beb3d6b9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3069
#12 0x7fe1beb20608 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#13 0x7fe1beb54741 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#14 0x7fe1beb563c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#15 0x7fe1bf6e8336 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2620:10
#16 0x7fe1b64e2519 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#17 0x7fe1b77247d2 in HandleEvent<mozilla::dom::EventTarget > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#18 0x7fe1b77247d2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1041
#19 0x7fe1b7726e03 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1240:17
#20 0x7fe1b7706fa0 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
#21 0x7fe1b7706fa0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:351
#22 0x7fe1b77051c8 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:553:16
#23 0x7fe1b770be13 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1044:11
#24 0x7fe1ba579d1a in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1102:7

Thread T46 (MediaStreamGrph) created by T35 (AudioIPC1) here:
#0 0x561f549bf6bd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7fe1d4979395 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7fe1d4978f7e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7fe1af85e849 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:655:8
#4 0x7fe1af869ed5 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:410:12
#5 0x7fe1af86edd4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:127:57
#6 0x7fe1b7ded1cc in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
#7 0x7fe1b7ded1cc in mozilla::ThreadedDriver::Start() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:222
#8 0x7fe1b7dec305 in mozilla::GraphDriver::SwitchToNextDriver() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:103:17
#9 0x7fe1b7df6904 in mozilla::AudioCallbackDriver::DataCallback(float const*, float*, long) /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:942:5
#10 0x7fe1c09a3989 in $LT$audioipc_client..stream..CallbackServer$u20$as$u20$audioipc..rpc..server..Server$GT$::process::$u7b$$u7b$closure$u7d$$u7d$::ha57146f434ce2c8e /builds/worker/workspace/build/src/media/audioipc/client/src/stream.rs:111:24
#11 0x7fe1c09a3989 in _$LT$futures..future..lazy..Lazy$LT$F$C$$u20$R$GT$$GT$::get::h03d4bd285f7ce52c /builds/worker/workspace/build/src/third_party/rust/futures/src/future/lazy.rs:64
#12 0x7fe1c09a3989 in $LT$futures..future..lazy..Lazy$LT$F$C$$u20$R$GT$$u20$as$u20$futures..future..Future$GT$::poll::hf28c3d995251f9d3 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/lazy.rs:82
#13 0x7fe1c09a3989 in futures::future::catch_unwind::$LT$impl$u20$futures..future..Future$u20$for$u20$std..panic..AssertUnwindSafe$LT$F$GT$$GT$::poll::h0e487b23d00b8cac /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:49
#14 0x7fe1c09a3989 in $LT$futures..future..catch_unwind..CatchUnwind$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::$u7b$$u7b$closure$u7d$$u7d$::hb46957105e2da32d /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:32
#15 0x7fe1c09a3989 in std::panicking::try::do_call::ha593d122658e2c72 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:310
#16 0x7fe1c09a3989 in __rust_maybe_catch_panic /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libpanic_abort/lib.rs:39
#17 0x7fe1c09a3989 in std::panicking::try::h3db927e3b4c2d18f /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panicking.rs:289
#18 0x7fe1c09a3989 in std::panic::catch_unwind::h1775361c16e3d20d /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/panic.rs:398
#19 0x7fe1c09a3989 in _$LT$futures..future..catch_unwind..CatchUnwind$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::h732028f9ba8868d0 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:32
#20 0x7fe1c09a3989 in _$LT$futures_cpupool..MySender$LT$F$C$$u20$core..result..Result$LT$$LT$F$u20$as$u20$futures..future..Future$GT$..Item$C$$u20$$LT$F$u20$as$u20$futures..future..Future$GT$..Error$GT$$GT$$u20$as$u20$futures..future..Future$GT$::poll::h5604525b0af5822d /builds/worker/workspace/build/src/third_party/rust/futures-cpupool/src/lib.rs:325

Thread T35 (AudioIPC1) created by T0 (file:// Content) here:
#0 0x561f549bf6bd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7fe1c0fba506 in std::sys::unix::thread::Thread::new::h6179c0ba07009a42 /rustc/9fda7c2237db910e41d6a712e9a2139b352e558b/src/libstd/sys/unix/thread.rs:78:18

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1263:28 in mozilla::MediaStreamGraphImpl::UpdateGraph(long)
Shadow bytes around the buggy address:
0x0c2880028a80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2880028a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2880028aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2880028ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2880028ac0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2880028ad0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
0x0c2880028ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2880028af0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c2880028b00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2880028b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2880028b20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==18954==ABORTING

Comment 1

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Paul, wanna take a look?

Comment 2

[Paul Adenot (:padenot)]

I haven't tried to repro, but this looks like a fallout off of bug 1524026. Hopefully it's rr-able.

Comment 3

[Alastor Wu [:alwu]]

Attachment: Bug 1526044 - part3 : add crash test.

Different nodes might have same AudioParam, so we shouldn't append same stream multiple times.

Comment 4

[Alastor Wu [:alwu]]

Attachment: Bug 1526044 - part1 : do not append duplicated stream.

Different nodes might have same AudioParam, so we shouldn't append same stream multiple times.

Comment 5

[Alastor Wu [:alwu]]

Attachment: Bug 1526044 - part2 : resume from Chrome should only take effect when the AudioContext was suspended from Chrome.

If the AudioContext is suspended by content or by Autoplay policy, it shouldn't be resumed by chrome.

Comment 6

[Alastor Wu [:alwu]]

Try result : https://treeherder.mozilla.org/#/jobs?repo=try&revision=5fbb1ecd370a3274f27c10242b185a925b4ba1ca

Comment 7

[Julien Cristau [:jcristau]]

https://hg.mozilla.org/mozilla-central/rev/506828839f9f
https://hg.mozilla.org/mozilla-central/rev/53830102bf76
https://hg.mozilla.org/mozilla-central/rev/e4f973a6f8a0

Comment 8

[Cristian Baica [:cbaica], Release Desktop QA]

I have managed to reproduce the issue using Fx 67.0a1 buildID: 20190207214423.

The issue is verified fixed using Fx 67.0b8 (latest beta) and Fx 68.0a1 (latest nightly) on macOS 10.12, Ubuntu 16.04 x64 and Windows 10 x64. The crash no longer occurs even if the browser is left open, with the testcase.html running for more than 3 minutes.