Closed Bug 1550955 Opened 5 years ago Closed 5 years ago

Crash in [@ mozilla::SourceListener::StopSharing]

Categories

(Core :: WebRTC: Audio/Video, defect, P1)

68 Branch
defect

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox67.0.1 --- unaffected
firefox68 --- fixed

People

(Reporter: philipp, Assigned: jib)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(1 file)

This bug is for crash report bp-240cd7fb-e555-4bd7-9c93-82e780190511.

Top 10 frames of crashing thread:

0 xul.dll void mozilla::SourceListener::StopSharing dom/media/MediaManager.cpp:4449
1 xul.dll void mozilla::GetUserMediaWindowListener::StopSharing dom/media/MediaManager.cpp:4596
2 xul.dll static void mozilla::MediaManager::IterateWindowListeners<`lambda at z:/task_1557522085/build/src/dom/media/MediaManager.cpp:3910:15'> dom/media/MediaManager.cpp:3925
3 xul.dll nsresult mozilla::MediaManager::Observe dom/media/MediaManager.cpp:3783
4 xul.dll nsObserverList::NotifyObservers xpcom/ds/nsObserverList.cpp:66
5 xul.dll nsObserverService::NotifyObservers xpcom/ds/nsObserverService.cpp:295
6 xul.dll NS_InvokeByIndex 
7 xul.dll static bool XPCWrappedNative::CallMethod js/xpconnect/src/XPCWrappedNative.cpp:1157
8 xul.dll static bool XPC_WN_CallMethod js/xpconnect/src/XPCWrappedNativeJSOps.cpp:943
9 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:535

This crash signature is starting to show up in the 68.0a1 nightly cycle - the first affected build was 20190430121130.

Group: core-security → media-core-security

On 4/30 Bug 1335740 landed in MediaManager.cpp. Jan-Ivar, can you please have a look at what is going on here?

Assignee: nobody → jib
Flags: needinfo?(jib)
Priority: -- → P1

This looks like the same kind of problem as bug 1547381. In short, the StopTrack() API is a footgun. I'll add a patch.

Flags: needinfo?(jib)

I don't know why this ref-count hazard wasn't a problem before 4/30, but maybe other code kept these ref-counts > 1.

See Also: → 1551452
See Also: → 1552571
See Also: 1551452

There's some STR in bug 1551452.

Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release