Closed Bug 1538194 Opened 5 years ago Closed 5 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:764:9 in mozilla::ipc::MessageChannel::Clear()

Categories

(Core :: Audio/Video, defect, P2)


Tracking

RESOLVED DUPLICATE of bug 1540136
Tracking Status
firefox68 --- affected

People

(Reporter: jkratzer, Assigned: bryce)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker] [keep hidden while bug 1540136 is])

Attachments

(1 file)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev cc2984b1f9f2.

==14588==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f47243acb96 bp 0x7f470f46ad90 sp 0x7f470f46ac60 T32)
==14588==The signal is caused by a WRITE memory access.
==14588==Hint: address points to the zero page.
#0 0x7f47243acb95 in mozilla::ipc::MessageChannel::Clear() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:764:9
#1 0x7f47243aa187 in mozilla::ipc::MessageChannel::~MessageChannel() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:628:3
#2 0x7f47243e1335 in mozilla::ipc::IToplevelProtocol::ToplevelState::~ToplevelState() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:400:9
#3 0x7f47243e1b88 in mozilla::ipc::IToplevelProtocol::ToplevelState::~ToplevelState() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:400:9
#4 0x7f47243d7e30 in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:486:5
#5 0x7f47243d7e30 in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:323
#6 0x7f47243d7e30 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:296
#7 0x7f47243d7e30 in mozilla::ipc::IToplevelProtocol::~IToplevelProtocol() /builds/worker/workspace/build/src/ipc/glue/ProtocolUtils.cpp:567
#8 0x7f472bc842d8 in mozilla::gmp::GMPContentParent::~GMPContentParent() /builds/worker/workspace/build/src/dom/media/gmp/GMPContentParent.cpp:35:39
#9 0x7f472bd336a9 in Release /builds/worker/workspace/build/src/dom/media/gmp/GMPContentParent.h:25:3
#10 0x7f472bd336a9 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:45
#11 0x7f472bd336a9 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:362
#12 0x7f472bd336a9 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:76
#13 0x7f472bd336a9 in ~CloseBlocker /builds/worker/workspace/build/src/dom/media/gmp/GMPContentParent.h:61
#14 0x7f472bd336a9 in Release /builds/worker/workspace/build/src/dom/media/gmp/GMPContentParent.h:53
#15 0x7f472bd336a9 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:45
#16 0x7f472bd336a9 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:362
#17 0x7f472bd336a9 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:76
#18 0x7f472bd336a9 in InvokeMethod<(lambda at /builds/worker/workspace/build/src/dom/media/gmp/GMPService.cpp:241:11), void ((lambda at /builds/worker/workspace/build/src/dom/media/gmp/GMPService.cpp:241:11)::)(RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>) const, RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:502
#19 0x7f472bd336a9 in InvokeCallbackMethod<false, (lambda at /builds/worker/workspace/build/src/dom/media/gmp/GMPService.cpp:241:11), void ((lambda at /builds/worker/workspace/build/src/dom/media/gmp/GMPService.cpp:241:11)::)(RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>) const, RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>, RefPtr<mozilla::MozPromise<RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>, mozilla::MediaResult, true>::Private> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:534
#20 0x7f472bd336a9 in mozilla::MozPromise<RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>, mozilla::MediaResult, true>::ThenValue<mozilla::gmp::GeckoMediaPluginService::GetCDM(mozilla::gmp::NodeId const&, nsTArray<nsTString<char> >, mozilla::GMPCrashHelper*)::$_0, mozilla::gmp::GeckoMediaPluginService::GetCDM(mozilla::gmp::NodeId const&, nsTArray<nsTString<char> >, mozilla::GMPCrashHelper*)::$_1>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>, mozilla::MediaResult, true>::ResolveOrRejectValue&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:716
#21 0x7f472bccfe0c in mozilla::MozPromise<RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:392:21
#22 0x7f47230bc448 in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:113:25
#23 0x7f47230ee901 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#24 0x7f47230f6d0d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#25 0x7f47243d0082 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
#26 0x7f47242a41be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#27 0x7f47242a41be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#28 0x7f47242a41be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#29 0x7f47230e6b23 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:454:11
#30 0x7f4747ec75ad in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#31 0x7f4747b0a6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#32 0x7f4746ae888e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:764:9 in mozilla::ipc::MessageChannel::Clear()
Thread T32 (GMPThread) created by T0 (file:// Content) here:
#0 0x55c3b279067d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7f4747eb9613 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7f4747ea309e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7f47230e9a99 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:661:8
#4 0x7f47230f59c5 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:416:12
#5 0x7f47230faa74 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:135:57
#6 0x7f472bcdaea9 in NS_NewNamedThread<10> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
#7 0x7f472bcdaea9 in mozilla::gmp::GeckoMediaPluginService::GetThread(nsIThread**) /builds/worker/workspace/build/src/dom/media/gmp/GMPService.cpp:317
#8 0x7f472bcd87dc in mozilla::gmp::GeckoMediaPluginService::Init() /builds/worker/workspace/build/src/dom/media/gmp/GMPService.cpp:217:10
#9 0x7f472bd2aebb in mozilla::gmp::GMPServiceCreateHelper::GetOrCreateOnMainThread() /builds/worker/workspace/build/src/dom/media/gmp/GMPService.cpp:108:18
#10 0x7f472bcd6756 in mozilla::gmp::GMPServiceCreateHelper::GetOrCreate() /builds/worker/workspace/build/src/dom/media/gmp/GMPService.cpp:76:17
#11 0x7f472305d61e in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp:8224:60
#12 0x7f472308bfb4 in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:220:46
#13 0x7f472308bfb4 in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1401
#14 0x7f472307e4a7 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1588:10
#15 0x7f47230976d5 in CallGetService /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:61:43
#16 0x7f47230976d5 in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/worker/workspace/build/src/xpcom/components/nsComponentManagerUtils.cpp:243
#17 0x7f4722e9b9b4 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.cpp:82:7
#18 0x7f472bd1b6d0 in nsCOMPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:607:5
#19 0x7f472bd1b6d0 in mozilla::HaveGMPFor(nsTString<char> const&, nsTArray<nsTString<char> >&&) /builds/worker/workspace/build/src/dom/media/gmp/GMPUtils.cpp:179
#20 0x7f472bbd3943 in mozilla::dom::HavePluginForKeySystem(nsTString<char> const&) /builds/worker/workspace/build/src/dom/media/eme/MediaKeySystemAccess.cpp:94:21
#21 0x7f472bbb3ba8 in EnsureCDMInstalled /builds/worker/workspace/build/src/dom/media/eme/MediaKeySystemAccess.cpp:106:8
#22 0x7f472bbb3ba8 in mozilla::dom::MediaKeySystemAccess::GetKeySystemStatus(nsTSubstring<char16_t> const&, nsTSubstring<char>&) /builds/worker/workspace/build/src/dom/media/eme/MediaKeySystemAccess.cpp:120
#23 0x7f472bbc4b2e in mozilla::dom::MediaKeySystemAccessManager::Request(mozilla::dom::DetailedPromise*, nsTSubstring<char16_t> const&, mozilla::dom::Sequence<mozilla::dom::MediaKeySystemConfiguration> const&, mozilla::dom::MediaKeySystemAccessManager::RequestType) /builds/worker/workspace/build/src/dom/media/eme/MediaKeySystemAccessManager.cpp:119:7
#24 0x7f472756bf7c in mozilla::dom::Navigator::RequestMediaKeySystemAccess(nsTSubstring<char16_t> const&, mozilla::dom::Sequence<mozilla::dom::MediaKeySystemConfiguration> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Navigator.cpp:1792:33
#25 0x7f47283bd096 in requestMediaKeySystemAccess /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NavigatorBinding.cpp:1856:45
#26 0x7f47283bd096 in mozilla::dom::Navigator_Binding::requestMediaKeySystemAccess_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Navigator*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NavigatorBinding.cpp:1872
#27 0x7f472a85dea3 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3144:13
#28 0x7f4731fc9f27 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#29 0x7f4731fc9f27 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#30 0x7f4731fb236a in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#31 0x7f4731fb236a in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
#32 0x7f4731f943f8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#33 0x7f4731fca896 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#34 0x7f4731fcc4e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#35 0x7f4732becc09 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2623:10
#36 0x7f472a073ff4 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:41:8
#37 0x7f47271e0a89 in void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
#38 0x7f47271deeb2 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:5640:17
#39 0x7f4727623b4d in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/workspace/build/src/dom/base/TimeoutManager.cpp:980:21
#40 0x7f472762247f in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:177:11
#41 0x7f472762745c in Notify /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:244:5
#42 0x7f472762745c in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp
#43 0x7f47230d6e25 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:562:40
#44 0x7f47230d6255 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:260:11
#45 0x7f4723114ae2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:243:22
#46 0x7f472310d747 in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:80:15
#47 0x7f47230aefb5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#48 0x7f47230ee901 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#49 0x7f47230f6d0d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#50 0x7f47243ce6a4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:110:5
#51 0x7f47242a41be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#52 0x7f47242a41be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#53 0x7f47242a41be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#54 0x7f472d6ff943 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#55 0x7f4731ce27de in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:933:20
#56 0x7f47242a41be in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#57 0x7f47242a41be in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#58 0x7f47242a41be in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#59 0x7f4731ce196c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:771:34
#60 0x55c3b27da834 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#61 0x55c3b27da834 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#62 0x7f47469e8b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?

Bryce, can you help me triage this?

Flags: needinfo?(bvandyk)
Assignee: nobody → bvandyk
Flags: needinfo?(bvandyk)
Priority: -- → P2
Group: core-security

Moving this to secure because I think it's related to bug 1540136 and want to be safe (possible dupe, will check once I have a fix). That bug has more detail, but I think the repro cases are similar, and it's possible you could get from this one to something more exciting like in that other bug.

Don't think I have the access to get this into sec-media, but I think that's where it belongs.

Whiteboard: [fuzzblocker] → [fuzzblocker] [keep hidden while bug 1540136 is]

Testing my WIP fix for bug 1540136 also appears to fix this. Based on that, the testcase being similar, and that the same assertion failure can occur from the case in bug 1540136, I'm going to mark this as a dupe and continue work in the other bug.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: core-security
