AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ThreadLocal.h:158:33 in get
Categories
(Core :: Audio/Video, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | fixed |
| firefox67 | --- | wontfix |
| firefox68 | --- | fixed |
| firefox69 | --- | fixed |
People
(Reporter: jkratzer, Assigned: pehrsons)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: crash, regression, testcase)
Attachments
(3 files)
|
1.01 KB,
text/html
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-release+
jcristau
:
approval-mozilla-esr68+
|
Details | Review |
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-release+
jcristau
:
approval-mozilla-esr68+
|
Details | Review |
Testcase found while fuzzing mozilla-central rev 420e18a75314.
==28636==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7fe5fa176130 bp 0x7ffc5d1087f0 sp 0x7ffc5d1087d0 T0)
==28636==The signal is caused by a READ memory access.
==28636==Hint: address points to the zero page.
#0 0x7fe5fa17612f in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ThreadLocal.h:158:33
#1 0x7fe5fa17612f in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ThreadLocal.h:203
#2 0x7fe5fa17612f in AutoEnter /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/AbstractThread.h:126
#3 0x7fe5fa17612f in mozilla::MediaDecoder::RemoveOutputStream(mozilla::DOMMediaStream*) /builds/worker/workspace/build/src/dom/media/MediaDecoder.cpp:261
#4 0x7fe5f9e4cc5c in mozilla::dom::HTMLMediaElement::PlaybackEnded() /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:5102:19
#5 0x7fe5f9ea4d0f in mozilla::dom::HTMLMediaElement::MediaStreamTrackListener::NotifyInactive() /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:4638:15
#6 0x7fe5fa104368 in mozilla::DOMMediaStream::NotifyInactive() /builds/worker/workspace/build/src/dom/media/DOMMediaStream.cpp:926:25
#7 0x7fe5fa11585f in mozilla::DOMMediaStream::PlaybackTrackListener::NotifyEnded(mozilla::dom::MediaStreamTrack*) /builds/worker/workspace/build/src/dom/media/DOMMediaStream.cpp:125:14
#8 0x7fe5fa49d021 in mozilla::dom::MediaStreamTrack::NotifyEnded() /builds/worker/workspace/build/src/dom/media/MediaStreamTrack.cpp:472:17
#9 0x7fe5fa4a21cb in mozilla::dom::MediaStreamTrack::OverrideEnded() /builds/worker/workspace/build/src/dom/media/MediaStreamTrack.cpp:558:3
#10 0x7fe5fa7cfbe4 in applyImpl<mozilla::dom::MediaStreamTrack, void (mozilla::dom::MediaStreamTrack::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#11 0x7fe5fa7cfbe4 in apply<mozilla::dom::MediaStreamTrack, void (mozilla::dom::MediaStreamTrack::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#12 0x7fe5fa7cfbe4 in mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::dom::MediaStreamTrack>, void (mozilla::dom::MediaStreamTrack::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#13 0x7fe5f184f341 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#14 0x7fe5f1856f64 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#15 0x7fe5f2bbd07f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#16 0x7fe5f2a95dfe in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#17 0x7fe5f2a95dfe in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#18 0x7fe5f2a95dfe in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#19 0x7fe5fc15aad3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#20 0x7fe600765d7e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#21 0x7fe5f2a95dfe in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#22 0x7fe5f2a95dfe in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#23 0x7fe5f2a95dfe in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#24 0x7fe600764eec in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#25 0x5593a322472e in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#26 0x5593a322472e in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#27 0x7fe615987b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
| Comment hidden (spam) |
|
||
Updated•5 years ago
|
|
||
Comment 2•5 years ago
|
||
Hi Nils, will this be fixed for 68? (asking in relation to regression triage) Thanks!
|
||
Updated•5 years ago
|
|
Assignee | |
Comment 3•5 years ago
|
||
This looks like mine, thanks Julien.
FWIW I disagree with P1. This can only happen when you use HTMLMediaElement.mozCaptureStream() (little use), and even so it's probably a race that comes up as a narrow corner case.
To answer Patricia, we should be able to have this fixed in 68. Hopefully that's also where we the regression stems from.
|
||
Comment 4•5 years ago
|
||
Updating flags for affected versions.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 5•5 years ago
|
||
|
|
Assignee | |
Comment 6•5 years ago
|
||
This was done as a catch-all in PlaybackEnded(), but playback might not end if
the source changes in the middle of playback. This catches those cases too.
Depends on D35320
|
|
Assignee | |
Comment 7•5 years ago
|
||
|
||
Updated•5 years ago
|
Pushed by pehrsons@gmail.com: https://hg.mozilla.org/integration/autoland/rev/d307df237d65 Add crashtest. r=jib https://hg.mozilla.org/integration/autoland/rev/b31c7c9f1920 Discard output streams also when playback is aborted. r=jib
|
||
Comment 9•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/d307df237d65
https://hg.mozilla.org/mozilla-central/rev/b31c7c9f1920
|
|
Assignee | |
Comment 10•5 years ago
|
||
Comment on attachment 9072823 [details]
Bug 1547899 - Discard output streams also when playback is aborted. r?jib
Beta/Release Uplift Approval Request
- User impact if declined: A null pointer de-referencing crash could be triggered at will.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple enough.
- String changes made/needed:
|
|
Assignee | |
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Comment 11•5 years ago
|
||
Comment on attachment 9072823 [details]
Bug 1547899 - Discard output streams also when playback is aborted. r?jib
alright let's take this for 68 rc1
|
|
||
Updated•5 years ago
|
|
||
Comment 12•5 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 13•5 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-esr68/rev/478af069d3f6
https://hg.mozilla.org/releases/mozilla-esr68/rev/561858d2d2a9
|
||
Comment 14•5 years ago
|
||
(In reply to Andreas Pehrson [:pehrsons] from comment #10)
- Is this code covered by automated tests?: Yes
- Needs manual test from QE?: No
Marking this as qe-verify- per Andreas' assessment.
|
||
Updated•4 years ago
|
|
|
||
Updated•2 years ago
|
Description
•