Closed Bug 1571004 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free [@ load] with READ of size 4

Categories

(Core :: Audio/Video, defect, P1)

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

Found while fuzzing mozilla-central rev b0124f065629. I'm currently trying to reduce the testcase and will update once complete.

==54680==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000f9a2e8 at pc 0x7fe0073dda89 bp 0x7ffccae317b0 sp 0x7ffccae317a8
READ of size 4 at 0x615000f9a2e8 thread T0
    #0 0x7fe0073dda88 in load /src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/bits/atomic_base.h:396:9
    #1 0x7fe0073dda88 in load /src/obj-firefox/dist/include/mozilla/Atomics.h:220
    #2 0x7fe0073dda88 in operator bool /src/obj-firefox/dist/include/mozilla/Atomics.h:535
    #3 0x7fe0073dda88 in mozilla::MediaStreamGraphImpl::AppendMessage(mozilla::UniquePtr<mozilla::ControlMessage, mozilla::DefaultDelete<mozilla::ControlMessage> >) /src/dom/media/MediaStreamGraph.cpp:1818
    #4 0x7fe00740f5f4 in Destroy /src/dom/media/MediaStreamGraph.cpp:3010:16
    #5 0x7fe00740f5f4 in mozilla::dom::MediaStreamTrack::SetReadyState(mozilla::dom::MediaStreamTrackState) /src/dom/media/MediaStreamTrack.cpp:518
    #6 0x7fe00740dcb0 in mozilla::dom::MediaStreamTrack::Destroy() /src/dom/media/MediaStreamTrack.cpp:224:3
    #7 0x7fe00740c6c8 in mozilla::dom::MediaStreamTrack::~MediaStreamTrack() /src/dom/media/MediaStreamTrack.cpp:221:41
    #8 0x7fe006fea808 in mozilla::dom::AudioStreamTrack::~AudioStreamTrack() /src/dom/media/AudioStreamTrack.h:15:7
    #9 0x7fdfff885142 in MaybeKillObject /src/xpcom/base/nsCycleCollector.cpp:2429:29
    #10 0x7fdfff885142 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /src/xpcom/base/nsCycleCollector.cpp:2459
    #11 0x7fdfff862d92 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /src/xpcom/base/nsCycleCollector.cpp:941:23
    #12 0x7fdfff863fd9 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /src/xpcom/base/nsCycleCollector.cpp:2624:14
    #13 0x7fe001d25218 in AsyncFreeSnowWhite::Run() /src/js/xpconnect/src/XPCJSRuntime.cpp:146:9
    #14 0x7fdfffa3f84a in IdleRunnableWrapper::Run() /src/xpcom/threads/nsThreadUtils.cpp:331:22
    #15 0x7fdfffa260c0 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1224:14
    #16 0x7fdfffa2c4d8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #17 0x7fe000c1517f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #18 0x7fe000b12702 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #19 0x7fe000b12702 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #20 0x7fe000b12702 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #21 0x7fe008d49bc9 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #22 0x7fe00c966f90 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:276:30
    #23 0x7fe00cc0d903 in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4636:22
    #24 0x7fe00cc0fa20 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4771:8
    #25 0x7fe00cc1142e in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4852:21
    #26 0x564e20b5cdd4 in do_main /src/browser/app/nsBrowserApp.cpp:213:22
    #27 0x564e20b5cdd4 in main /src/browser/app/nsBrowserApp.cpp:295
    #28 0x7fe0211fcb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #29 0x564e20a7e6ac in _start (/home/worker/builds/m-c-20190731215544-fuzzing-asan-opt/firefox+0x456ac)

0x615000f9a2e8 is located 360 bytes inside of 496-byte region [0x615000f9a180,0x615000f9a370)
freed by thread T0 here:
    #0 0x564e20b29d42 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fe0074021db in mozilla::MediaStreamGraphImpl::Release() /src/dom/media/MediaStreamGraph.cpp:3363:1
    #2 0x7fe00741c7c6 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:46:40
    #3 0x7fe00741c7c6 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:363
    #4 0x7fe00741c7c6 in ~RefPtr /src/obj-firefox/dist/include/mozilla/RefPtr.h:77
    #5 0x7fe00741c7c6 in ~MSGListener /src/dom/media/MediaStreamTrack.cpp:79
    #6 0x7fe00741c7c6 in mozilla::dom::MediaStreamTrack::MSGListener::~MSGListener() /src/dom/media/MediaStreamTrack.cpp:79
    #7 0x7fe00740f4e5 in Release /src/dom/media/MediaStreamListener.h:40:3
    #8 0x7fe00740f4e5 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:46
    #9 0x7fe00740f4e5 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:363
    #10 0x7fe00740f4e5 in assign_assuming_AddRef /src/obj-firefox/dist/include/mozilla/RefPtr.h:65
    #11 0x7fe00740f4e5 in operator= /src/obj-firefox/dist/include/mozilla/RefPtr.h:156
    #12 0x7fe00740f4e5 in mozilla::dom::MediaStreamTrack::SetReadyState(mozilla::dom::MediaStreamTrackState) /src/dom/media/MediaStreamTrack.cpp:515
    #13 0x7fe00740dcb0 in mozilla::dom::MediaStreamTrack::Destroy() /src/dom/media/MediaStreamTrack.cpp:224:3
    #14 0x7fe00740c6c8 in mozilla::dom::MediaStreamTrack::~MediaStreamTrack() /src/dom/media/MediaStreamTrack.cpp:221:41
    #15 0x7fe006fea808 in mozilla::dom::AudioStreamTrack::~AudioStreamTrack() /src/dom/media/AudioStreamTrack.h:15:7
    #16 0x7fdfff885142 in MaybeKillObject /src/xpcom/base/nsCycleCollector.cpp:2429:29
    #17 0x7fdfff885142 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /src/xpcom/base/nsCycleCollector.cpp:2459
    #18 0x7fdfff862d92 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /src/xpcom/base/nsCycleCollector.cpp:941:23
    #19 0x7fdfff863fd9 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /src/xpcom/base/nsCycleCollector.cpp:2624:14
    #20 0x7fe001d25218 in AsyncFreeSnowWhite::Run() /src/js/xpconnect/src/XPCJSRuntime.cpp:146:9
    #21 0x7fdfffa3f84a in IdleRunnableWrapper::Run() /src/xpcom/threads/nsThreadUtils.cpp:331:22
    #22 0x7fdfffa260c0 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1224:14
    #23 0x7fdfffa2c4d8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #24 0x7fe000c1517f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #25 0x7fe000b12702 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #26 0x7fe000b12702 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #27 0x7fe000b12702 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #28 0x7fe008d49bc9 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #29 0x7fe00c966f90 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:276:30
    #30 0x7fe00cc0d903 in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4636:22
    #31 0x7fe00cc0fa20 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4771:8

previously allocated by thread T0 here:
    #0 0x564e20b2a0c3 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x564e20b5ee2d in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fe007401914 in operator new /src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fe007401914 in mozilla::MediaStreamGraph::GetInstance(mozilla::MediaStreamGraph::GraphDriverType, nsPIDOMWindowInner*, int) /src/dom/media/MediaStreamGraph.cpp:3318
    #4 0x7fe006e1e9ae in mozilla::dom::HTMLMediaElement::MozCaptureStreamUntilEnded(mozilla::ErrorResult&) /src/dom/html/HTMLMediaElement.cpp:3458:29
    #5 0x7fe0060a4cd1 in mozilla::dom::HTMLMediaElement_Binding::mozCaptureStreamUntilEnded(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLMediaElement*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/HTMLMediaElementBinding.cpp:2294:76
    #6 0x7fe0063a709d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3181:13
    #7 0x7fe00cecb967 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
    #8 0x7fe00cecb967 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:540
    #9 0x7fe00ceb4223 in CallFromStack /src/js/src/vm/Interpreter.cpp:599:10
    #10 0x7fe00ceb4223 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3084
    #11 0x7fe00ce95e8f in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
    #12 0x7fe00cecc46f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
    #13 0x7fe00cece692 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8
    #14 0x7fe00d9df9b8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2661:10
    #15 0x7fe005b49ef0 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #16 0x7fe006b34315 in HandleEvent<mozilla::dom::EventTarget *> /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #17 0x7fe006b34315 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1025
    #18 0x7fe006b35c5b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1223:17
    #19 0x7fe006b1ca0a in HandleEvent /src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #20 0x7fe006b1ca0a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:349
    #21 0x7fe006b1b222 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:551:16
    #22 0x7fe006b20bf5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1047:11
    #23 0x7fe006b27940 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /src/dom/events/EventDispatcher.cpp
    #24 0x7fe003d5df1a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /src/dom/base/nsINode.cpp:1061:17

SUMMARY: AddressSanitizer: heap-use-after-free /src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/bits/atomic_base.h:396:9 in load
==54680==ABORTING
Group: core-security → media-core-security

P1 based on sec high.

Andreas, since this appears to involve MSG, maybe you have an idea what could cause this?

Assignee: nobody → apehrson
Priority: -- → P1

I do.

Status: NEW → ASSIGNED

Actually no, the graph is designed to handle this. It has a self-reference until the last MediaStream is destroyed by the main thread user.

For this UAF we're seeing the main thread user destroying a MediaStream with the graph already released, so the MediaStream must have been created in the graph after the graph had been Destroy()ed.

Reasoning about this is getting complicated so a testcase would certainly help.

I'm thinking of doing two things here:

  • Change the order in MediaStreamTrack::Destroy() so that mMSGListener is released last. This will avoid this particular UAF directly.
  • Add a diagnostic assert in MediaStreamGraph::AddStream() to catch cases where we're trying to add a MediaStream to a graph that can no longer be revived. This could help highlight the root cause of the issue.
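
The release-order problem behind the first bullet, as an added example that is not part of the original bug or of Mozilla's code: in the ASan report the graph is freed when the listener is dropped in SetReadyState (MediaStreamTrack.cpp:515) and read again three lines later through Destroy → AppendMessage (line 518). Graph, Stream, Listener and Track below are hypothetical stand-ins, and the stream's back-pointer is modelled as a weak_ptr so the example reports a dead graph instead of touching freed memory.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Stand-in for the graph: it only records control messages.
struct Graph {
  std::vector<std::string> messages;
  void AppendMessage(const std::string& m) { messages.push_back(m); }
};

// Stand-in for a stream. It does not keep its graph alive. The real code
// would dereference a plain pointer here; the weak_ptr lets this example
// observe that the graph is gone without reading freed memory.
struct Stream {
  std::weak_ptr<Graph> graph;
  // Returns false at the point where the real code performed the bad read.
  bool Destroy() {
    std::shared_ptr<Graph> g = graph.lock();
    if (!g) return false;
    g->AppendMessage("destroy stream");
    return true;
  }
};

// Stand-in for the listener: it holds a strong reference to the graph.
struct Listener {
  std::shared_ptr<Graph> graph;
};

struct Track {
  std::unique_ptr<Listener> listener;
  Stream stream;

  // Order seen in the report: drop the listener, then destroy the stream.
  bool EndBuggyOrder() {
    listener.reset();         // may drop the last reference to the graph
    return stream.Destroy();  // graph is already gone
  }

  // Proposed order: talk to the graph first, release the listener last.
  bool EndFixedOrder() {
    bool ok = stream.Destroy();
    listener.reset();
    return ok;
  }
};

// Builds a track whose listener ends up holding the only strong reference
// to the graph, the state the trace shows at teardown.
Track MakeTrackHoldingLastGraphRef() {
  std::shared_ptr<Graph> graph = std::make_shared<Graph>();
  Track t;
  t.listener.reset(new Listener{graph});
  t.stream.graph = graph;
  return t;  // the local strong reference ends here
}

bool BuggyOrderReachesLiveGraph() {
  return MakeTrackHoldingLastGraphRef().EndBuggyOrder();
}

bool FixedOrderReachesLiveGraph() {
  return MakeTrackHoldingLastGraphRef().EndFixedOrder();
}

int main() {
  std::printf("buggy order reaches live graph: %d\n",
              BuggyOrderReachesLiveGraph());
  std::printf("fixed order reaches live graph: %d\n",
              FixedOrderReachesLiveGraph());
  return 0;
}
```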

70-only regression. Landing.

Keywords: regression

Backed out 2 changesets (bug 1571004) for build bustage at MediaStreamGraph.cpp on a CLOSED TREE.

Backout link: https://hg.mozilla.org/integration/autoland/rev/f9b03bd4fc91fc116e4f7f2056ba70ec6ea6a853

Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&resultStatus=testfailed%2Cbusted%2Cexception&revision=3cdfea168207d3d56c363a596e60d95ae5bb76bc&selectedJob=260608977

Log link: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=260608977&repo=autoland&lineNumber=32555

Log snippet:

[task 2019-08-08T15:51:44.031Z] 15:51:44 INFO - dom/media/ipc/RemoteDecoderManagerParent.o
[task 2019-08-08T15:51:44.031Z] 15:51:44 INFO - make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/dom/media/ipc'
[task 2019-08-08T15:51:44.879Z] 15:51:44 INFO - make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/dom/media'
[task 2019-08-08T15:51:44.883Z] 15:51:44 INFO - In file included from /builds/worker/workspace/build/src/obj-firefox/dom/media/Unified_cpp_dom_media7.cpp:29:
[task 2019-08-08T15:51:44.884Z] 15:51:44 ERROR - /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:3516:32: error: 'mSelfRef' is a private member of 'mozilla::MediaStreamGraphImpl'
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - MOZ_DIAGNOSTIC_ASSERT(graph->mSelfRef, "Can't add stream to destroyed graph");
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - ^
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - /builds/worker/workspace/build/src/dom/media/MediaStreamGraphImpl.h:915:32: note: declared private here
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - RefPtr<MediaStreamGraphImpl> mSelfRef;
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - ^
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - In file included from /builds/worker/workspace/build/src/obj-firefox/dom/media/Unified_cpp_dom_media7.cpp:29:
[task 2019-08-08T15:51:44.884Z] 15:51:44 ERROR - /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:3516:32: error: 'mSelfRef' is a private member of 'mozilla::MediaStreamGraphImpl'
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - MOZ_DIAGNOSTIC_ASSERT(graph->mSelfRef, "Can't add stream to destroyed graph");
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - ^
[task 2019-08-08T15:51:44.884Z] 15:51:44 INFO - /builds/worker/workspace/build/src/dom/media/MediaStreamGraphImpl.h:915:32: note: declared private here
[task 2019-08-08T15:51:44.886Z] 15:51:44 INFO - RefPtr<MediaStreamGraphImpl> mSelfRef;
[task 2019-08-08T15:51:44.886Z] 15:51:44 INFO - ^
[task 2019-08-08T15:51:44.886Z] 15:51:44 INFO - 2 errors generated.
[task 2019-08-08T15:51:44.886Z] 15:51:44 INFO - /builds/worker/workspace/build/src/config/rules.mk:787: recipe for target 'Unified_cpp_dom_media7.o' failed
[task 2019-08-08T15:51:44.887Z] 15:51:44 ERROR - make[4]: *** [Unified_cpp_dom_media7.o] Error 1
[task 2019-08-08T15:51:44.887Z] 15:51:44 INFO - make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/dom/media'
[task 2019-08-08T15:51:44.887Z] 15:51:44 INFO - make[4]: *** Waiting for unfinished jobs....
[task 2019-08-08T15:51:44.889Z] 15:51:44 INFO - make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/dom/media/ipc'
[task 2019-08-08T15:51:44.889Z] 15:51:44 INFO - dom/media/ipc/RemoteDecoderModule.o
[task 2019-08-08T15:51:44.889Z] 15:51:44 INFO - make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/dom/media/ipc'
[task 2019-08-08T15:51:45.007Z] 15:51:45 INFO - make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/dom/bindings'
[task 2019-08-08T15:51:45.009Z] 15:51:45 INFO - make[4]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/dom/bindings'
[task 2019-08-08T15:51:45.010Z] 15:51:45 INFO - make[4]: Entering directory '/builds/worker/workspace/build/src/obj-firefox/dom/media/ipc'
[task 2019-08-08T15:51:45.010Z] 15:51:45 INFO - dom/media/ipc/RemoteDecoderParent.o

Flags: needinfo?(apehrson)

Thanks. I've already re-landed this.

Flags: needinfo?(apehrson)
See Also: → 1573799

Jason, did you manage to create a reduced testcase that we can use to verify this bug?

Flags: needinfo?(jkratzer)

(In reply to Brindusa Tot[:brindusat] from comment #12)
> Jason, did you manage to create a reduced testcase that we can use to verify this bug?

Brindusa, no, unfortunately not. I do have a testcase that reproduces, but intermittently. Due to its low rate of occurrence, I was never able to reduce it further than a few thousand lines.

Flags: needinfo?(jkratzer)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
Has Regression Range: --- → yes