Closed Bug 1557392 Opened 6 years ago Closed 5 years ago

AddressSanitizer: unknown-crash near [@mozilla::ThreadedDriver::WaitForNextIteration]

Categories

(Core :: Audio/Video, defect, P2)

Product:
Core
Component:
Audio/Video
Type:
defect

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox69 --- affected

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase-wanted)

Found while fuzzing mozilla-central rev 3610622. I don't currently have a working testcase but will update if one becomes available.

Marking as S-S due to the crash address:

=================================================================
==717548==ERROR: AddressSanitizer: unknown-crash on address 0x602000285bf8 at pc 0x7fea33363046 bp 0x7fea001d1c30 sp 0x7fea001d1c28
READ of size 4 at 0x602000285bf8 thread T82 (MediaStreamGrph)
    #0 0x7fea33363045 in load /src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/atomic:236:2
    #1 0x7fea33363045 in load /src/obj-firefox/dist/include/mozilla/Atomics.h:220
    #2 0x7fea33363045 in operator mozilla::LogLevel /src/obj-firefox/dist/include/mozilla/Atomics.h:500
    #3 0x7fea33363045 in ShouldLog /src/obj-firefox/dist/include/mozilla/Logging.h:114
    #4 0x7fea33363045 in log_test /src/obj-firefox/dist/include/mozilla/Logging.h:197
    #5 0x7fea33363045 in mozilla::ThreadedDriver::WaitForNextIteration() /src/dom/media/GraphDriver.cpp:370
    #6 0x7fea336aa6be in mozilla::MediaStreamGraphImpl::UpdateMainThreadState() /src/dom/media/MediaStreamGraph.cpp:1357:20
    #7 0x7fea336aaabe in mozilla::MediaStreamGraphImpl::OneIterationImpl(long) /src/dom/media/MediaStreamGraph.cpp:1404:10
    #8 0x7fea33361eaa in mozilla::ThreadedDriver::RunThread() /src/dom/media/GraphDriver.cpp:311:41
    #9 0x7fea333763db in mozilla::MediaStreamGraphInitThreadRunnable::Run() /src/dom/media/GraphDriver.cpp:208:14
    #10 0x7fea2aa24647 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1176:14
    #11 0x7fea2aa2c284 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #12 0x7fea2be054d1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
    #13 0x7fea2bcdb83e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7fea2bcdb83e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #15 0x7fea2bcdb83e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #16 0x7fea2aa1c893 in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:455:11
    #17 0x7fea502e10bd in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #18 0x7fea4ff236da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #19 0x7fea4ef0188e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x602000285bf8 is located 8 bytes inside of 16-byte region [0x602000285bf0,0x602000285c00)
allocated by thread T0 (file:// Content) here:
    #0 0x55c4c966c773 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55c4c96a12ad in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fea2a7a9fa4 in operator new /src/obj-firefox/dist/include/mozilla/mozalloc.h:144:10
    #3 0x7fea2a7a9fa4 in mozilla::LogModuleManager::CreateOrGetModule(char const*) /src/xpcom/base/Logging.cpp:360
    #4 0x7fea336c424d in operator mozilla::LogModule * /src/obj-firefox/dist/include/mozilla/Logging.h:178:13
    #5 0x7fea336c424d in mozilla::MediaStreamGraph::GetInstance(mozilla::MediaStreamGraph::GraphDriverType, nsPIDOMWindowInner*, int) /src/dom/media/MediaStreamGraph.cpp:3331
    #6 0x7fea33332826 in mozilla::DOMMediaStream::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::Sequence<mozilla::OwningNonNull<mozilla::dom::MediaStreamTrack> > const&, mozilla::ErrorResult&) /src/dom/media/DOMMediaStream.cpp:304:31
    #7 0x7fea333321c1 in mozilla::DOMMediaStream::Constructor(mozilla::dom::GlobalObject const&, mozilla::ErrorResult&) /src/dom/media/DOMMediaStream.cpp:256:10
    #8 0x7fea2fcb7a30 in mozilla::dom::MediaStream_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /src/obj-firefox/dom/bindings/MediaStreamBinding.cpp:1659:59
    #9 0x7fea39d00c67 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
    #10 0x7fea39d00c67 in CallJSNativeConstructor /src/js/src/vm/Interpreter.cpp:464
    #11 0x7fea39d00c67 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /src/js/src/vm/Interpreter.cpp:657
    #12 0x7fea39cdd5d4 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3078:16
    #13 0x7fea39cc71e8 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
    #14 0x7fea39cfda7f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
    #15 0x7fea39cffca2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8
    #16 0x7fea3a97e1a8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2667:10
    #17 0x7fea31a00cc9 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #18 0x7fea32c92352 in HandleEvent<mozilla::dom::EventTarget *> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #19 0x7fea32c92352 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1035
    #20 0x7fea32c94294 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1239:17
    #21 0x7fea32c74d11 in HandleEvent /src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #22 0x7fea32c74d11 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:349
    #23 0x7fea32c72f46 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:551:16
    #24 0x7fea32c79cb4 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1047:11
    #25 0x7fea35c90a29 in nsDocumentViewer::LoadComplete(nsresult) /src/layout/base/nsDocumentViewer.cpp:1107:7

Thread T82 (MediaStreamGrph) created by T0 (file:// Content) here:
    #0 0x55c4c9654d4d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7fea502d31b8 in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fea502bcd9e in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fea2aa1f819 in nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:662:8
    #4 0x7fea2aa2af3d in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:415:12
    #5 0x7fea2aa300c4 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7fea333607c4 in NS_NewNamedThread<16> /src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7fea333607c4 in mozilla::ThreadedDriver::Start() /src/dom/media/GraphDriver.cpp:226
    #8 0x7fea336acf76 in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /src/dom/media/MediaStreamGraph.cpp:1715:17
    #9 0x7fea336dc06e in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /src/dom/media/MediaStreamGraph.cpp:1579:15
    #10 0x7fea2a7896e7 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /src/xpcom/base/CycleCollectedJSContext.cpp:430:12
    #11 0x7fea2a78d942 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /src/xpcom/base/CycleCollectedJSContext.cpp:489:3
    #12 0x7fea2cf30dc5 in XPCJSContext::AfterProcessTask(unsigned int) /src/js/xpconnect/src/XPCJSContext.cpp:1274:28
    #13 0x7fea2aa2552e in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1234:24
    #14 0x7fea2aa2c284 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7fea2be03d6f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #16 0x7fea2bcdb83e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7fea2bcdb83e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #18 0x7fea2bcdb83e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #19 0x7fea353e2a53 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #20 0x7fea39a240ae in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #21 0x7fea2bcdb83e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #22 0x7fea2bcdb83e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #23 0x7fea2bcdb83e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #24 0x7fea39a2321c in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #25 0x55c4c969f66e in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #26 0x55c4c969f66e in main /src/browser/app/nsBrowserApp.cpp:263
    #27 0x7fea4ee01b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: unknown-crash /src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/atomic:236:2 in load
Shadow bytes around the buggy address:
  0x0c0480048b20: fa fa fa fa fa fa 00 00 fa fa fd fd fa fa 00 00
  0x0c0480048b30: fa fa fd fd fa fa fa fa fa fa 00 00 fa fa fa fa
  0x0c0480048b40: fa fa fd fd fa fa fa fa fa fa fd fd fa fa 00 00
  0x0c0480048b50: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c0480048b60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fa fa
=>0x0c0480048b70: fa fa 00 00 fa fa 00 03 fa fa 00 03 fa fa 00[00]
  0x0c0480048b80: fa fa fd fd fa fa fa fa fa fa fd fd fa fa 00 00
  0x0c0480048b90: fa fa 00 04 fa fa 00 04 fa fa 00 00 fa fa 00 00
  0x0c0480048ba0: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c0480048bb0: fa fa 00 fa fa fa fa fa fa fa fa fa fa fa 00 00
  0x0c0480048bc0: fa fa fa fa fa fa 00 00 fa fa 00 06 fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==717548==ABORTING
Group: core-security → media-core-security

The priority flag is not set for this bug.
:drno, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(drno)

Andreas could you please have a look at this (feel free to change priority as needed)?

Assignee: nobody → apehrson
Flags: needinfo?(drno) → needinfo?(apehrson)
Priority: -- → P2

This crashed in a log module in GraphDriver. I find that odd in general because log modules tend to be static and lazy and should just work.

In this case it's GraphDriver's LOG macro, which uses MediaStreamGraph's log module, which seems to be used in a basic manner; a LazyLogModule statically declared with nothing funky going on.

Since it's crashing when loading an atomic, could it perhaps be a memory issue?

Anyhow, marking stalled until we have a testcase.

Flags: needinfo?(apehrson)
Keywords: stalled

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Jason: have you seen this since? sounds like the devs aren't going to work on this unless we get more data so can you close this INCOMPLETE or add more evidence?

Flags: needinfo?(jkratzer)

I haven't seen this crash stack since I first reported it. Unfortunately, I don't have access to resolve as INCOMPLETE. Can you mark it for me?

Flags: needinfo?(jkratzer) → needinfo?(dveditz)

I can do that.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(dveditz)
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: media-core-security
You need to log in before you can comment on or make changes to this bug.