Closed Bug 1553213 Opened 5 years ago Closed 5 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27 in get near [mozilla::dom::MediaDevices::GetDisplayMedia]

Categories

(Core :: WebRTC, defect, P1)

Tracking

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed
firefox69 --- fixed

People

(Reporter: jkratzer, Assigned: ng)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev b74e5737da64.

==24512==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f3d15ae9ce6 bp 0x7ffcf9892fb0 sp 0x7ffcf9892ec0 T0)
==24512==The signal is caused by a READ memory access.
==24512==Hint: address points to the zero page.
#0 0x7f3d15ae9ce5 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27
#1 0x7f3d15ae9ce5 in operator mozilla::dom::Document * /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:281
#2 0x7f3d15ae9ce5 in GetExtantDoc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPIDOMWindow.h:355
#3 0x7f3d15ae9ce5 in mozilla::dom::MediaDevices::GetDisplayMedia(mozilla::dom::DisplayMediaStreamConstraints const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaDevices.cpp:175
#4 0x7f3d12153409 in getDisplayMedia /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:269:45
#5 0x7f3d12153409 in mozilla::dom::MediaDevices_Binding::getDisplayMedia_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaDevices*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaDevicesBinding.cpp:284
#6 0x7f3d14a151de in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3165:13
#7 0x7f3d1c2acaf0 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:443:13
#8 0x7f3d1c2acaf0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
#9 0x7f3d1c28d390 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
#10 0x7f3d1c28d390 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3082
#11 0x7f3d1c276f68 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#12 0x7f3d1c2ad463 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:563:13
#13 0x7f3d1c2af0e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:8
#14 0x7f3d1cfe9dee in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:162:10
#15 0x7f3d1cfa3a21 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
#16 0x7f3d0f448e30 in xpc::JSXrayTraits::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper const&) /builds/worker/workspace/build/src/js/xpconnect/wrappers/XrayWrapper.h:213:27
#17 0x7f3d1cfc9d5d in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:504:19
#18 0x7f3d1c2adb5a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:509:14
#19 0x7f3d1c28d390 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
#20 0x7f3d1c28d390 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3082
#21 0x7f3d1c276f68 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
#22 0x7f3d1c2ad463 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:563:13
#23 0x7f3d1c2af0e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:606:8
#24 0x7f3d1cb36be0 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/SelfHosting.cpp:1966:10
#25 0x7f3d1d52b594 in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/VMFunctions.cpp:992:10
#26 0x282897cb27b3 (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27 in get

Flags: in-testsuite?

Hi, Nico,
Because you have worked on this file recently, would you mind taking a look at this issue?

Flags: needinfo?(na-g)

Sure.

Assignee: nobody → na-g
Status: NEW → ASSIGNED
Flags: needinfo?(na-g)
Priority: -- → P1
Attachment #9066606 - Attachment description: Bug 1553213 - correct new MediaAccess telemetry probes - r?jib → Bug 1553213 - correct new MediaAccess telemetry probes
Pushed by na-g@nostrum.com:
https://hg.mozilla.org/integration/autoland/rev/656d0a81f97e
correct new MediaAccess telemetry probes r=mjf
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

The patches here don't seem to address the reported RefPtr bug. Are they on the right bug? I don't see a fix for the bug reported, so should it be reopened?

Flags: needinfo?(na-g)
Attachment #9066606 - Attachment is obsolete: true
Flags: needinfo?(na-g)

Jan-Ivar, the correct patch set landed for this bug (check the pulse bot link above). I have now obsoleted the patch that I mistakenly uploaded later. We don't need to reopen this bug.

Is this something which can ride the trains or should we consider it for Beta backport?

Flags: needinfo?(na-g)
Flags: in-testsuite?
Flags: in-testsuite-
Regressed by: 1528078

It should be considered for backport. As noted above, I did somehow manage to update the differential review with a different patch after it hit autoland. I'll re-upload the original patch as a new review, and request Beta uplift.

Attachment #9066606 - Attachment is obsolete: false

Comment on attachment 9066606 [details]
Bug 1553213 - correct new MediaAccess telemetry probes

Beta/Release Uplift Approval Request

  • User impact if declined: This could cause crashes when a website requests audio or video capture.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a low complexity patch that doesn't introduce any new code paths.
  • String changes made/needed: None
Flags: needinfo?(na-g)
Attachment #9066606 - Flags: approval-mozilla-beta?

Comment on attachment 9066606 [details]
Bug 1553213 - correct new MediaAccess telemetry probes

regression fix, approved for 68.0b10

Attachment #9066606 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Has Regression Range: --- → yes