Closed Bug 1540434 Opened 5 years ago Closed 5 years ago

Crash in [@ mozilla::GetUserMediaWindowListener::Remove]

Categories

(Core :: WebRTC: Audio/Video, defect, P2)

Product:
Core
Component:
WebRTC: Audio/Video
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla68
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: calixte, Assigned: pehrsons)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Bug 1540434 - Convert a bunch of rawptrs related to MediaManager to RefPtr. r?jib
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-21f24066-8c6c-46e1-9ec1-597480190330.

Top 10 frames of crashing thread:

0 XUL mozilla::GetUserMediaWindowListener::Remove mfbt/RefPtr.h:267
1 XUL mozilla::SourceListener::Stop dom/media/MediaManager.cpp:4249
2 XUL void mozilla::MediaManager::IterateWindowListeners<mozilla::MediaManager::OnDeviceChange dom/media/MediaManager.cpp:4635
3 XUL mozilla::MozPromise<bool, RefPtr<mozilla::MediaMgrError>, true>::ThenValue<mozilla::MediaManager::OnDeviceChange dom/media/MediaManager.cpp:2219
4 XUL mozilla::MozPromise<bool, RefPtr<mozilla::MediaMgrError>, true>::ThenValueBase::ResolveOrRejectRunnable::Run xpcom/threads/MozPromise.h:392
5 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1180
6 XUL NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:482
7 XUL mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110
8 XUL nsBaseAppShell::Run ipc/chromium/src/base/message_loop.cc:315
9 XUL nsAppShell::Run widget/cocoa/nsAppShell.mm:702

There are 2 crashes (from 1 installation) in nightly 68 with buildid 20190330093331. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1494675.

[1] https://hg.mozilla.org/mozilla-central/rev?node=be0fbe76851f

Flags: needinfo?(apehrson)
Regressed by: 1494675

Adjusting platform since this affects all three. In the last 7 days we have 18 crashes, 16 installs. Here are a few URLs:

OS: Unspecified → All
Hardware: Unspecified → All
Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Flags: needinfo?(apehrson)
Priority: -- → P2

We see a crash due to a local rawptr that's we remove from an nsRefPtrHashTable.
As that removal also removed the last reference to the object, the local rawptr
now points to a destroyed object. Forcing the method in question to take a
RefPtr instead of a rawptr solves this issue. I'm also converting other similar
rawptrs for good measure.

Pushed by pehrsons@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/904d371bd450
Convert a bunch of rawptrs related to MediaManager to RefPtr. r=jib

https://hg.mozilla.org/mozilla-central/rev/904d371bd450

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox68: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Crash Signature: [@ mozilla::GetUserMediaWindowListener::Remove] → [@ mozilla::GetUserMediaWindowListener::Remove] [@ InvalidArrayIndex_CRASH | mozilla::GetUserMediaWindowListener::StopRawID] [@ InvalidArrayIndex_CRASH | void mozilla::MediaManager::IterateWindowListeners<T>(nsPIDOMWindowInner*, mozilla::MediaManager::OnD…
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: