Closed
Bug 1560207
Opened 6 years ago
Closed 6 years ago
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:525:3 in emplace<const long &>
Categories
(Core :: WebRTC, defect, P3)
Tracking
(Status: RESOLVED FIXED; Target Milestone: mozilla70)
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | disabled |
| firefox70 | --- | fixed |
People
(Reporter: jkratzer, Assigned: pehrsons)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, regression, testcase)
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 19cf79b6f07d.
```text
==13252==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f650e9ed043 bp 0x7fffb0fbce70 sp 0x7fffb0fbce00 T0)
==13252==The signal is caused by a WRITE memory access.
==13252==Hint: address points to the zero page.
#0 0x7f650e9ed042 in emplace<const long &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:525:3
#1 0x7f650e9ed042 in Construct<const long &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingDeclarations.h:153
#2 0x7f650e9ed042 in operator() /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineTabVideoSource.cpp:223
#3 0x7f650e9ed042 in mozilla::detail::RunnableFunction<mozilla::MediaEngineTabVideoSource::Reconfigure(mozilla::dom::MediaTrackConstraints const&, mozilla::MediaEnginePrefs const&, nsTString<char16_t> const&, char const**)::$_8>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:564
#4 0x7f6505460b33 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
#5 0x7f65054688f4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#6 0x7f6506871b7f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#7 0x7f6506748ace in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#8 0x7f6506748ace in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#9 0x7f6506748ace in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#10 0x7f650fe5a563 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#11 0x7f6514158b40 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:276:30
#12 0x7f65144987fa in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4639:22
#13 0x7f651449b064 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4778:8
#14 0x7f651449ca59 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4859:21
#15 0x56473a58fb14 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:213:22
#16 0x56473a58fb14 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:295
#17 0x7f652a171b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:525:3 in emplace<const long &>
```
Flags: in-testsuite?
Comment 1•6 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
Comment 2•6 years ago
P3 because we do not ship MediaEngineTabVideoSource.
Assignee: nobody → apehrson
Priority: -- → P3
Updated•6 years ago
Status: NEW → ASSIGNED
Comment 3•6 years ago
Comment 4•6 years ago
Depends on D36191
Comment 5•6 years ago
Depends on D36192
Comment 6•6 years ago
Test-only: https://treeherder.mozilla.org/#/jobs?repo=try&revision=27c9beaba737f45f687f0f5ece07f1ca393ea4ee
With fix: https://treeherder.mozilla.org/#/jobs?repo=try&revision=f4e39aaa335e1fb4a503aa8c4c66f2bae2f04fb4
These were before I added the skip-if(Android) to crashtests.list, hence the orange on the try run with the fix.
Pushed by pehrsons@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/928298bb94ab
Add crashtest. r=jib
https://hg.mozilla.org/integration/autoland/rev/610512647088
Give Refcountable assignment operators. r=jib
https://hg.mozilla.org/integration/autoland/rev/7b22a378b511
Reset all settings on every settings update, to avoid double-constructing. r=jib
Comment 8•6 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/928298bb94ab
https://hg.mozilla.org/mozilla-central/rev/610512647088
https://hg.mozilla.org/mozilla-central/rev/7b22a378b511
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox70:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Updated•6 years ago
status-firefox68:
--- → unaffected
status-firefox69:
--- → disabled
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
Updated•6 years ago
|
Blocks: asan-maintenance