AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27 in get near [mozilla::dom::MediaDevices::GetDisplayMedia]
Categories: Core :: WebRTC, defect, P1

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | fixed |
| firefox69 | --- | fixed |

People: Reporter: jkratzer, Assigned: ng

References: Blocks 2 open bugs, Regression

Details: Keywords: crash, regression, testcase; Whiteboard: [fuzzblocker]

Attachments (2 files):
- 449 bytes, text/html
- 47 bytes, text/x-phabricator-request (jcristau: approval-mozilla-beta+)
Testcase found while fuzzing mozilla-central rev b74e5737da64.
==24512==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f3d15ae9ce6 bp 0x7ffcf9892fb0 sp 0x7ffcf9892ec0 T0)
==24512==The signal is caused by a READ memory access.
==24512==Hint: address points to the zero page.
#0 0x7f3d15ae9ce5 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27
#1 0x7f3d15ae9ce5 in operator mozilla::dom::Document * /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:281
#2 0x7f3d15ae9ce5 in GetExtantDoc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:355
#3 0x7f3d15ae9ce5 in mozilla::dom::MediaDevices::GetDisplayMedia(mozilla::dom::DisplayMediaStreamConstraints const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaDevices.cpp:175
#4 0x7f3d12153409 in getDisplayMedia /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:269:45
#5 0x7f3d12153409 in mozilla::dom::MediaDevices_Binding::getDisplayMedia_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaDevices*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:284
#6 0x7f3d14a151de in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3165:13
#7 0x7f3d1c2acaf0 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:443:13
#8 0x7f3d1c2acaf0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
#9 0x7f3d1c28d390 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
#10 0x7f3d1c28d390 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3082
#11 0x7f3d1c276f68 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#12 0x7f3d1c2ad463 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:563:13
#13 0x7f3d1c2af0e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:8
#14 0x7f3d1cfe9dee in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:162:10
#15 0x7f3d1cfa3a21 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
#16 0x7f3d0f448e30 in xpc::JSXrayTraits::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper const&) /builds/worker/workspace/build/src/js/xpconnect/wrappers/XrayWrapper.h:213:27
#17 0x7f3d1cfc9d5d in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:504:19
#18 0x7f3d1c2adb5a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:509:14
#19 0x7f3d1c28d390 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
#20 0x7f3d1c28d390 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3082
#21 0x7f3d1c276f68 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#22 0x7f3d1c2ad463 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:563:13
#23 0x7f3d1c2af0e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:8
#24 0x7f3d1cb36be0 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/SelfHosting.cpp:1966:10
#25 0x7f3d1d52b594 in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/VMFunctions.cpp:992:10
#26 0x282897cb27b3 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27 in get
Comment 1•5 years ago
Hi, Nico,
Because you have worked on this file recently, would you mind taking a look at this issue?
Comment 2•5 years ago
Sure.
Updated•5 years ago
Comment 3•5 years ago
Updated•5 years ago
Updated•5 years ago
Pushed by na-g@nostrum.com: https://hg.mozilla.org/integration/autoland/rev/656d0a81f97e correct new MediaAccess telemetry probes r=mjf
Comment 5•5 years ago
bugherder
Comment 6•5 years ago
The patches here don't seem to address the reported RefPtr bug. Are they on the right bug? I don't see a fix for the bug reported, so should it be reopened?
Updated•5 years ago
Comment 7•5 years ago
Jan-Ivar, the correct patch set landed for this bug (check the pulse bot link above). I have now obsoleted the patch that I mistakenly uploaded later. We don't need to reopen this bug.
Comment 8•5 years ago
Is this something which can ride the trains or should we consider it for Beta backport?
Comment 9•5 years ago
It should be considered for backport. As noted above, I did somehow manage to update the differential review with a different patch after it hit autoland. I'll re-upload the original patch as a new review, and request Beta uplift.
Updated•5 years ago
Comment 10•5 years ago
Comment on attachment 9066606 [details]
Bug 1553213 - correct new MediaAccess telemetry probes
Beta/Release Uplift Approval Request
- User impact if declined: This could cause crashes when a website requests audio or video capture.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a low complexity patch that doesn't introduce any new code paths.
- String changes made/needed: None
Comment 11•5 years ago
Comment on attachment 9066606 [details]
Bug 1553213 - correct new MediaAccess telemetry probes
regression fix, approved for 68.0b10
Comment 12•5 years ago
bugherder uplift
Updated•4 years ago
Updated•2 years ago