Closed
Bug 1550540
Opened 6 years ago
Closed 6 years ago
Crash with failed "@mozilla.org/peerconnection;1" instance
Categories
(Core :: WebRTC: Networking, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla68
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox66 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | verified |
People
(Reporter: Oriol, Assigned: bwc)
References
(Regression)
Details
(Keywords: crash, regression, testcase)
Attachments
(1 file)
Run this code in the browser console:
Cc["@mozilla.org/peerconnection;1"].createInstance(Ci.nsIArray)
Expected: it throws a JS exception like
[Exception... "ComponentManager::CreateInstance returned failure code:" nsresult: "0x80570015 (NS_ERROR_XPC_CI_RETURNED_FAILURE)" location: "JS frame :: debugger eval code :: <TOP_LEVEL> :: line 1" data: no]
Result: Firefox crashes
==9886==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f9ca4dbef98 bp 0x7fff0624a570 sp 0x7fff0624a570 T0)
==9886==The signal is caused by a READ memory access.
==9886==Hint: address points to the zero page.
#0 0x7f9ca4dbef97 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27
#1 0x7f9ca4dbef97 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:298
#2 0x7f9ca4dbef97 in mozilla::dom::PeerConnectionObserver::OnStateChange(mozilla::dom::PCObserverStateType, mozilla::ErrorResult&, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PeerConnectionObserverBinding.cpp:2863
#3 0x7f9ca29eb57a in mozilla::PeerConnectionImpl::SetSignalingState_m(mozilla::dom::PCImplSignalingState, bool) /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:2317:16
#4 0x7f9ca29ce90a in Close /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:2100:3
#5 0x7f9ca29ce90a in mozilla::PeerConnectionImpl::~PeerConnectionImpl() /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:367
#6 0x7f9ca29cf8ed in mozilla::PeerConnectionImpl::~PeerConnectionImpl() /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:338:43
#7 0x7f9ca29cd63c in mozilla::PeerConnectionImpl::Release() /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:230:1
#8 0x7f9ca0b04e4a in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/build/src/obj-firefox/xpcom/components/StaticComponents.cpp
#9 0x7f9ca0b2d1eb in CreateInstance /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:224:46
#10 0x7f9ca0b2d1eb in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1387
#11 0x7f9ca0b2181b in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1574:10
#12 0x7f9ca26f74f6 in xpc::CIGSHelper(JSContext*, unsigned int, JS::Value*, bool) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSID.cpp:512:10
#13 0x7f9cacf79640 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:443:13
#14 0x7f9cacf79640 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
#15 0x7f9cae14b643 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:3763:10
#16 0x7f9c190568f7 (<unknown module>)
Regression window: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b98bad3d505ebd093c06c74bf0b4d17b33174d6c&tochange=d8aabb74946258bdaa6964e7e41fdd409604ae73
|
Assignee | |
Comment 1•6 years ago
|
||
Looks like mPCObserver is null here.
|
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → docfaraday
Priority: -- → P2
|
|
Assignee | |
Comment 2•6 years ago
|
||
Honestly, I do not like that we're calling Close in the d'tor. Seems sketchy.
|
|
Assignee | |
Comment 3•6 years ago
|
||
|
|
Assignee | |
Comment 4•6 years ago
|
||
Pushed by bcampen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/59841dabe8e1
Don't call Close() in PC's d'tor. r=mjf
|
||
Comment 6•6 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
|
||
Updated•6 years ago
|
Keywords: regression
|
||
Updated•6 years ago
|
Flags: qe-verify+
|
||
Comment 7•6 years ago
|
||
I have managed to reproduce this issue using Firefox 68.0a1 (BuildID:20190509214305). This issue is verified fixed using Firefox 68.0b7 (BuildId:20190603181408) on Windows 10 64bit, macOS 10.11.6 and Ubuntu 16.04 64bit.
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•