Closed Bug 1571705 Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free [@ IsFinishedOnGraphThread] with READ of size 1

Categories

(Core :: Audio/Video, defect, P2)

defect

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(2 files, 1 obsolete file)

Found while fuzzing mozilla-central rev 6e3e96412fd9. I don't currently have a reproducible testcase but will update if one becomes available.

==2302==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200022fbec at pc 0x7f9d923182a1 bp 0x7f9ce0b24590 sp 0x7f9ce0b24588
READ of size 1 at 0x61200022fbec thread T111 (MediaStreamGrph)
    #0 0x7f9d923182a0 in IsFinishedOnGraphThread /src/obj-firefox/dist/include/MediaStreamGraph.h:482:49
    #1 0x7f9d923182a0 in mozilla::TrackUnionStream::ProcessInput(long, long, unsigned int) /src/dom/media/TrackUnionStream.cpp:86
    #2 0x7f9d9270272c in mozilla::MediaStreamGraphImpl::Process() /src/dom/media/MediaStreamGraph.cpp:1304:15
    #3 0x7f9d92703ac8 in mozilla::MediaStreamGraphImpl::OneIterationImpl(long) /src/dom/media/MediaStreamGraph.cpp:1402:3
    #4 0x7f9d923b7cda in mozilla::ThreadedDriver::RunThread() /src/dom/media/GraphDriver.cpp:312:41
    #5 0x7f9d923ccafa in mozilla::MediaStreamGraphInitThreadRunnable::Run() /src/dom/media/GraphDriver.cpp:209:14
    #6 0x7f9d8ad090e0 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1224:14
    #7 0x7f9d8ad0f4f8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #8 0x7f9d8bf17f11 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
    #9 0x7f9d8be13852 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #10 0x7f9d8be13852 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #11 0x7f9d8be13852 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #12 0x7f9d8ad02a2a in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:458:11
    #13 0x7f9dada070bd in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:198:5
    #14 0x7f9dad64a6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #15 0x7f9dac62888e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x61200022fbec is located 172 bytes inside of 288-byte region [0x61200022fb40,0x61200022fc60)
freed by thread T0 (file:// Content) here:
    #0 0x55fefb65ad42 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f9d926af75b in Release /src/dom/media/MediaStreamGraph.h:269:3
    #2 0x7f9d926af75b in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:48
    #3 0x7f9d926af75b in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:373
    #4 0x7f9d926af75b in ~RefPtr /src/obj-firefox/dist/include/mozilla/RefPtr.h:79
    #5 0x7f9d926af75b in mozilla::LocalTrackSource::~LocalTrackSource() /src/dom/media/MediaManager.cpp:786
    #6 0x7f9d926af1fd in ~AudioCaptureTrackSource /src/dom/media/MediaManager.cpp:835:3
    #7 0x7f9d926af1fd in mozilla::AudioCaptureTrackSource::~AudioCaptureTrackSource() /src/dom/media/MediaManager.cpp:832
    #8 0x7f9d8ab46586 in SnowWhiteKiller::~SnowWhiteKiller() /src/xpcom/base/nsCycleCollector.cpp:2416:7
    #9 0x7f9d8ab4526e in nsCycleCollector::FreeSnowWhite(bool) /src/xpcom/base/nsCycleCollector.cpp:2609:3
    #10 0x7f9d8ab4ea28 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /src/xpcom/base/nsCycleCollector.cpp:3584:3
    #11 0x7f9d8ab4e010 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /src/xpcom/base/nsCycleCollector.cpp:3413:9
    #12 0x7f9d8ab51b7c in nsCycleCollector_collect(nsICycleCollectorListener*) /src/xpcom/base/nsCycleCollector.cpp:3949:21
    #13 0x7f9d8f078eec in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /src/dom/base/nsJSEnvironment.cpp:1423:3
    #14 0x7f9d91101342 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:66:3
    #15 0x7f9d98201347 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
    #16 0x7f9d98201347 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:540
    #17 0x7f9d981e9c03 in CallFromStack /src/js/src/vm/Interpreter.cpp:599:10
    #18 0x7f9d981e9c03 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3084
    #19 0x7f9d981cb86f in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
    #20 0x7f9d98201e4f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
    #21 0x7f9d98204072 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8
    #22 0x7f9d98d0ef18 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2659:10
    #23 0x7f9d9102af82 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/FunctionBinding.cpp:41:8
    #24 0x7f9d8ef32c3f in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
    #25 0x7f9d8ef325f1 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /src/dom/base/TimeoutHandler.cpp:181:29
    #26 0x7f9d8eaf9e2a in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /src/dom/base/nsGlobalWindowInner.cpp:5912:38

previously allocated by thread T0 (file:// Content) here:
    #0 0x55fefb65b0c3 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55fefb68fe2d in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f9d92720344 in operator new /src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f9d92720344 in mozilla::MediaStreamGraph::CreateAudioCaptureStream(int) /src/dom/media/MediaStreamGraph.cpp:3509
    #4 0x7f9d926a7e23 in mozilla::GetUserMediaStreamRunnable::Run() /src/dom/media/MediaManager.cpp:1170:16
    #5 0x7f9d8ad090e0 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1224:14
    #6 0x7f9d8ad0f4f8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #7 0x7f9d93630c73 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1191:24)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #8 0x7f9d93630c73 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /src/dom/ipc/ContentChild.cpp:1191
    #9 0x7f9d93690daa in mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /src/dom/ipc/BrowserChild.cpp:945:14
    #10 0x7f9d97e914d9 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:767:24
    #11 0x7f9d97e96c85 in OpenWindow2 /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:374:10
    #12 0x7f9d97e96c85 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #13 0x7f9d8eb47421 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, mozilla::dom::BrowsingContext**) /src/dom/base/nsGlobalWindowOuter.cpp:7281:21
    #14 0x7f9d8eb45d9c in OpenJS /src/dom/base/nsGlobalWindowOuter.cpp:5765:10
    #15 0x7f9d8eb45d9c in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/base/nsGlobalWindowOuter.cpp:5738
    #16 0x7f9d8eae0c31 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/base/nsGlobalWindowInner.cpp:3756:3
    #17 0x7f9d90a84829 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/WindowBinding.cpp:2868:59
    #18 0x7f9d916c8247 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3163:13
    #19 0x7f9d98201347 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
    #20 0x7f9d98201347 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:540
    #21 0x7f9d981e9c03 in CallFromStack /src/js/src/vm/Interpreter.cpp:599:10
    #22 0x7f9d981e9c03 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3084
    #23 0x7f9d981cb86f in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
    #24 0x7f9d98201e4f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
    #25 0x7f9d98204072 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8

Thread T111 (MediaStreamGrph) created by T105 (CubebOp~tion #1) here:
    #0 0x55fefb64369d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f9dad9f91b8 in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:430:14
    #2 0x7f9dad9e2d9e in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:503:12
    #3 0x7f9d8ad04f19 in nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:671:8
    #4 0x7f9d8ad0e640 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:415:12
    #5 0x7f9d8ad1247a in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f9d923b65f4 in NS_NewNamedThread<16> /src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7f9d923b65f4 in mozilla::ThreadedDriver::Start() /src/dom/media/GraphDriver.cpp:227
    #8 0x7f9d923bdba6 in SwitchToNextDriver /src/dom/media/GraphDriver.cpp:109:17
    #9 0x7f9d923bdba6 in mozilla::AudioCallbackDriver::FallbackToSystemClockDriver() /src/dom/media/GraphDriver.cpp:1166
    #10 0x7f9d923bb641 in mozilla::AudioCallbackDriver::Init() /src/dom/media/GraphDriver.cpp:592:5
    #11 0x7f9d923b9dd7 in mozilla::AsyncCubebTask::Run() /src/dom/media/GraphDriver.cpp:438:21
    #12 0x7f9d8ad1319a in nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp:244:14
    #13 0x7f9d8ad13d5c in non-virtual thunk to nsThreadPool::Run() /src/xpcom/threads/nsThreadPool.cpp
    #14 0x7f9d8ad090e0 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1224:14
    #15 0x7f9d8ad0f4f8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #16 0x7f9d8bf17f11 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:303:20
    #17 0x7f9d8be13852 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #18 0x7f9d8be13852 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #19 0x7f9d8be13852 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #20 0x7f9d8ad02a2a in nsThread::ThreadFunc(void*) /src/xpcom/threads/nsThread.cpp:458:11
    #21 0x7f9dada070bd in _pt_root /src/nsprpub/pr/src/pthreads/ptthread.c:198:5
    #22 0x7f9dad64a6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T105 (CubebOp~tion #1) created by T0 (file:// Content) here:
    #0 0x55fefb64369d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f9dad9f91b8 in _PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:430:14
    #2 0x7f9dad9e2d9e in PR_CreateThread /src/nsprpub/pr/src/pthreads/ptthread.c:503:12
    #3 0x7f9d8ad04f19 in nsThread::Init(nsTSubstring<char> const&) /src/xpcom/threads/nsThread.cpp:671:8
    #4 0x7f9d8ad0e640 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /src/xpcom/threads/nsThreadManager.cpp:415:12
    #5 0x7f9d8ad1247a in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f9d8ad11d5b in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp:111:17
    #7 0x7f9d8ad13f0b in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /src/xpcom/threads/nsThreadPool.cpp:290:5
    #8 0x7f9d923be879 in Dispatch /src/obj-firefox/dist/include/nsIEventTarget.h:37:14
    #9 0x7f9d923be879 in Dispatch /src/dom/media/GraphDriver.h:549
    #10 0x7f9d923be879 in mozilla::AudioCallbackDriver::Start() /src/dom/media/GraphDriver.cpp:723
    #11 0x7f9d92705fc6 in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /src/dom/media/MediaStreamGraph.cpp:1726:17
    #12 0x7f9d92735a0e in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /src/dom/media/MediaStreamGraph.cpp:1590:15
    #13 0x7f9d8aafc310 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /src/xpcom/base/CycleCollectedJSContext.cpp:435:12
    #14 0x7f9d8aaffd77 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /src/xpcom/base/CycleCollectedJSContext.cpp:494:3
    #15 0x7f9d8cfe763d in XPCJSContext::AfterProcessTask(unsigned int) /src/js/xpconnect/src/XPCJSContext.cpp:1317:28
    #16 0x7f9d8ad09c5d in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1282:24
    #17 0x7f9d8ad0f4f8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #18 0x7f9d93630c73 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1191:24)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #19 0x7f9d93630c73 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /src/dom/ipc/ContentChild.cpp:1191
    #20 0x7f9d93690daa in mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /src/dom/ipc/BrowserChild.cpp:945:14
    #21 0x7f9d97e914d9 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:767:24
    #22 0x7f9d97e96c85 in OpenWindow2 /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:374:10
    #23 0x7f9d97e96c85 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #24 0x7f9d8eb47421 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, mozilla::dom::BrowsingContext**) /src/dom/base/nsGlobalWindowOuter.cpp:7281:21
    #25 0x7f9d8eb45d9c in OpenJS /src/dom/base/nsGlobalWindowOuter.cpp:5765:10
    #26 0x7f9d8eb45d9c in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/base/nsGlobalWindowOuter.cpp:5738
    #27 0x7f9d8eae0c31 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /src/dom/base/nsGlobalWindowInner.cpp:3756:3
    #28 0x7f9d90a84829 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/WindowBinding.cpp:2868:59
    #29 0x7f9d916c8247 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3163:13
    #30 0x7f9d98201347 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
    #31 0x7f9d98201347 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:540
    #32 0x7f9d981e9c03 in CallFromStack /src/js/src/vm/Interpreter.cpp:599:10
    #33 0x7f9d981e9c03 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3084
    #34 0x7f9d981cb86f in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
    #35 0x7f9d98201e4f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
    #36 0x7f9d98204072 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8
    #37 0x7f9d98d0ef18 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2659:10
    #38 0x7f9d9102af82 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/FunctionBinding.cpp:41:8
    #39 0x7f9d8ef32c3f in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
    #40 0x7f9d8ef325f1 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /src/dom/base/TimeoutHandler.cpp:181:29
    #41 0x7f9d8eaf9e2a in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /src/dom/base/nsGlobalWindowInner.cpp:5912:38
    #42 0x7f9d8ef2c6cc in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /src/dom/base/TimeoutManager.cpp:894:44
    #43 0x7f9d8ef2b2c5 in mozilla::dom::TimeoutExecutor::MaybeExecute() /src/dom/base/TimeoutExecutor.cpp:179:11
    #44 0x7f9d8ef2ef16 in Notify /src/dom/base/TimeoutExecutor.cpp:246:5
    #45 0x7f9d8ef2ef16 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /src/dom/base/TimeoutExecutor.cpp
    #46 0x7f9d8acf655c in nsTimerImpl::Fire(int) /src/xpcom/threads/nsTimerImpl.cpp:564:39
    #47 0x7f9d8acf5d09 in nsTimerEvent::Run() /src/xpcom/threads/TimerThread.cpp:260:11
    #48 0x7f9d8ad24704 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /src/xpcom/threads/ThrottledEventQueue.cpp:252:22
    #49 0x7f9d8ad1efcf in mozilla::ThrottledEventQueue::Inner::Executor::Run() /src/xpcom/threads/ThrottledEventQueue.cpp:80:15
    #50 0x7f9d8acd7191 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:295:32
    #51 0x7f9d8ad090e0 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1224:14
    #52 0x7f9d8ad0f4f8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #53 0x7f9d8bf167af in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #54 0x7f9d8be13852 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #55 0x7f9d8be13852 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #56 0x7f9d8be13852 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #57 0x7f9d940694f9 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #58 0x7f9d97f4921f in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #59 0x7f9d8be13852 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #60 0x7f9d8be13852 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #61 0x7f9d8be13852 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #62 0x7f9d97f48ac6 in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #63 0x55fefb68e173 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #64 0x55fefb68e173 in main /src/browser/app/nsBrowserApp.cpp:267
    #65 0x7f9dac528b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /src/obj-firefox/dist/include/MediaStreamGraph.h:482:49 in IsFinishedOnGraphThread
Shadow bytes around the buggy address:
  0x0c248003df20: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c248003df30: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248003df40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248003df50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c248003df60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c248003df70: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c248003df80: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c248003df90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c248003dfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c248003dfb0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c248003dfc0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2302==ABORTING
Group: core-security → media-core-security

Andreas, I'm guessing you are most likely to have an idea what might be happening with AudioCaptureStream ownership from LocalTrackSource.
https://hg.mozilla.org/mozilla-central/rev/c54cb3c109922bc15fb6d0ca67e5f2a05980c1a5#l16.229

Flags: needinfo?(apehrson)
Priority: -- → P1

Hopefully the assert in bug 1571004 will shed some light on where the offending MediaStream is coming from.

Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Flags: needinfo?(apehrson)

The graph is running here, so I doubt it has been destroyed.

Right. I read Release in MSG.h and jumped the gun.

This is a TrackUnionStream accessing a destroyed input MediaStream through a MediaInputPort. That should not be possible.

Bug 1493613 is the likely regressor here. I'll also note that the AudioCaptureTrackSource that's destroying the object we're UAFing is part of a feature that's behind the pref "media.getusermedia.audiocapture.enabled", which is false by default.

Keywords: regression

The only case I see where it is possible that a TrackUnionStream is allocating a MediaInputPort from a Destroy()ed MediaStream outside of WebAudio is MediaStreamTrack -- if mInputStream is not null but is Destroy()ed.

I haven't looked at all callsites of MediaStreamTrack() yet.

Attachment #9084606 - Attachment description: Bug 1571705 - Avoid connecting streams when creating a MediaStreamTrack with a destroyed input stream. r?karlt → Bug 1571705 - Clarify mInputStream guarantees in MediaStreamTrack. r?karlt
Attachment #9084607 - Attachment description: Bug 1571705 - Assert that the source stream is not destroyed when allocating input port. r?karlt → Bug 1571705 - Make AllocateInputPort return null if input is unable to produce data. r?karlt
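The lifetime problem described in the comment above (a TrackUnionStream reaching a destroyed input MediaStream through a MediaInputPort) and the approach named in the attachment titles (refuse to allocate an input port for a stream that cannot produce data), as an added example that is not part of this bug report or of Firefox's code. It is a minimal C++ model: `Stream`, `UnsafePort`, `InputPort`, `AllocateInputPort`, `TrackUnion` and the scenario functions are hypothetical names chosen to mirror the report, and `std::weak_ptr` stands in for whatever ownership discipline the real graph uses; the landed patches are linked later in the bug and are not reproduced here.

```cpp
// Added example: a hypothetical model of the lifetime bug in this report, not Firefox code.
// A "graph thread" consumer (TrackUnion) holds ports onto a source Stream that a
// main-thread owner can Destroy() and then release. The reported UAF has the shape of
// UnsafeAllocateInputPort: a port is handed out for a Destroy()ed source and keeps a
// raw pointer, so the consumer later reads a byte (the `finished` flag) of freed memory.
#include <cstdio>
#include <memory>
#include <vector>

struct Stream {
    bool finished = false;   // the 1-byte flag the consumer polls on every iteration
    bool destroyed = false;  // set by Destroy(); after this the owner may free the object
    void Destroy() { destroyed = true; }
};

// Unsafe shape: accepts any source and stores a raw pointer that can outlive the stream.
struct UnsafePort { Stream* source; };
std::unique_ptr<UnsafePort> UnsafeAllocateInputPort(Stream* src) {
    return std::make_unique<UnsafePort>(UnsafePort{src});
}

// Hardened shape, following the attachment title "Make AllocateInputPort return null
// if input is unable to produce data": refuse a Destroy()ed source, and hold the
// source weakly so the port can never dereference a freed stream (weak_ptr is a
// modelling device here, not a claim about the real graph).
struct InputPort { std::weak_ptr<Stream> source; };
std::unique_ptr<InputPort> AllocateInputPort(const std::shared_ptr<Stream>& src) {
    if (!src || src->destroyed) return nullptr;
    auto port = std::make_unique<InputPort>();
    port->source = src;
    return port;
}

// Consumer side: counts ports whose input is alive and not finished. A null port or
// an expired source is skipped instead of dereferenced.
struct TrackUnion {
    std::vector<std::unique_ptr<InputPort>> ports;
    int ProcessInput() const {
        int live = 0;
        for (const auto& p : ports) {
            if (!p) continue;
            if (auto s = p->source.lock()) {
                if (!s->finished) ++live;
            }
        }
        return live;
    }
};

// Scenario 1: connect a source that was already Destroy()ed.
bool UnsafeAcceptsDestroyedSource() {
    Stream s;
    s.Destroy();
    auto p = UnsafeAllocateInputPort(&s);
    return p != nullptr && p->source == &s;   // the dangling port the report describes
}
bool HardenedRefusesDestroyedSource() {
    auto s = std::make_shared<Stream>();
    s->Destroy();
    return AllocateInputPort(s) == nullptr;
}

// Scenario 2: the only owner releases the source while the consumer keeps running.
// Returns 10 * live_before + live_after.
int LiveInputsAcrossOwnerRelease() {
    TrackUnion u;
    auto s = std::make_shared<Stream>();
    u.ports.push_back(AllocateInputPort(s));
    int before = u.ProcessInput();  // 1: one live, unfinished input
    s.reset();                      // owner drops its reference; the stream is freed
    int after = u.ProcessInput();   // 0: the weak reference has expired, nothing is read
    return before * 10 + after;
}

int main() {
    std::printf("unsafe accepts destroyed source: %d\n", UnsafeAcceptsDestroyedSource());
    std::printf("hardened refuses destroyed source: %d\n", HardenedRefusesDestroyedSource());
    std::printf("live inputs before/after owner release: %d\n", LiveInputsAcrossOwnerRelease());
    return 0;
}
```

The check worth taking from this is the one at the connection site: a consumer that runs on another thread must never be handed a reference to an object whose owner has already begun tearing it down, and the ASan trace above is the symptom of exactly that (freed on T0 by the cycle collector, read on the MediaStreamGrph thread). Note also the caveat from later in the bug: the code path that created the offending stream sits behind the `media.getusermedia.audiocapture.enabled` pref, which is off by default but was set in the fuzzing configuration.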

Decrementing priority based on the use of CreateAudioCaptureStream(), which should be hidden behind the media.getusermedia.audiocapture.enabled pref.

Jason, is it plausible that this pref was set?

Flags: needinfo?(jkratzer)
Priority: P1 → P2

(In reply to Karl Tomlinson (:karlt) from comment #9)

> Decrementing priority based on the use of CreateAudioCaptureStream(), which should be hidden behind the media.getusermedia.audiocapture.enabled pref.
>
> Jason, is it plausible that this pref was set?

Karl, that pref is indeed set.

Flags: needinfo?(jkratzer)
Attachment #9084607 - Attachment is obsolete: true

Landed:
https://hg.mozilla.org/integration/autoland/rev/decff7a230b771cf3ce8d07bd466f3799e04dcb9
https://hg.mozilla.org/integration/autoland/rev/3d33cae2d9f95d2119c0f98948ee85d3de9e3b39

Backed out for causing linux debug gtest assertion failures:

https://hg.mozilla.org/integration/autoland/rev/d7d0e994a9a30e9a63d93c991eb3a36de9a20286

Push which ran GTest on many platforms (please also check the Linux asan one): https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&selectedJob=262288274&resultStatus=testfailed%2Cbusted%2Cexception%2Cusercancel%2Cretry%2Csuperseded&revision=5a7e7f33a808b168f25a9bb935743d466d826f1a

Failure log Linux x64 debug assertion: https://treeherder.mozilla.org/logviewer.html#?job_id=262284758&repo=autoland

[task 2019-08-19T16:29:19.384Z] 16:29:19 INFO - TEST-START | MediaPipelineTest.TestAudioSendNoMux
[task 2019-08-19T16:29:19.384Z] 16:29:19 INFO - Assertion failure: mRawPtr != nullptr (You can't dereference a NULL RefPtr with operator->().), at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:307
[task 2019-08-19T16:29:19.384Z] 16:29:19 INFO - #01: mozilla::dom::MediaStreamTrack::MediaStreamTrack(nsPIDOMWindowInner*, mozilla::MediaStream*, int, mozilla::dom::MediaStreamTrackSource*, mozilla::dom::MediaStreamTrackState, mozilla::dom::MediaTrackConstraints const&) [dom/media/MediaStreamTrack.cpp:189]
[task 2019-08-19T16:29:19.384Z] 16:29:19 INFO - #02: (anonymous namespace)::MediaPipelineTest::MediaPipelineTest() [media/webrtc/signaling/gtest/mediapipeline_unittest.cpp:367]
[task 2019-08-19T16:29:19.384Z] 16:29:19 INFO - #03: testing::internal::TestFactoryImpl<(anonymous namespace)::MediaPipelineTest_TestAudioSendNoMux_Test>::CreateTest() [testing/gtest/gtest/include/gtest/internal/gtest-internal.h:472]
[task 2019-08-19T16:29:19.384Z] 16:29:19 INFO - #04: testing::TestInfo::Run() [testing/gtest/gtest/src/gtest.cc:2686]
[task 2019-08-19T16:29:19.384Z] 16:29:19 INFO - #05: testing::TestCase::Run() [testing/gtest/gtest/src/gtest.cc:2812]
[task 2019-08-19T16:29:19.385Z] 16:29:19 INFO - #06: testing::internal::UnitTestImpl::RunAllTests() [testing/gtest/gtest/src/gtest.cc:5178]
[task 2019-08-19T16:29:19.385Z] 16:29:19 INFO - #07: testing::UnitTest::Run() [testing/gtest/gtest/src/gtest.cc:4788]
[task 2019-08-19T16:29:19.385Z] 16:29:19 INFO - #08: mozilla::RunGTestFunc(int*, char**) [testing/gtest/mozilla/GTestRunner.cpp:158]
[task 2019-08-19T16:29:19.385Z] 16:29:19 INFO - #09: XREMain::XRE_mainStartup(bool*) [toolkit/xre/nsAppRunner.cpp:3805]
[task 2019-08-19T16:29:19.385Z] 16:29:19 INFO - #10: XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) [toolkit/xre/nsAppRunner.cpp:4728]
[task 2019-08-19T16:29:19.385Z] 16:29:19 INFO - #11: XRE_main(int, char**, mozilla::BootstrapConfig const&) [toolkit/xre/nsAppRunner.cpp:4822]
[task 2019-08-19T16:29:19.385Z] 16:29:19 INFO - #12: _fini
[task 2019-08-19T16:29:19.386Z] 16:29:19 INFO - #13: libc.so.6 + 0x20830
[task 2019-08-19T16:29:19.386Z] 16:29:19 INFO - #14: _fini

Flags: needinfo?(apehrson)
Flags: needinfo?(apehrson)
Group: media-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Jason, did you manage to create a reduced testcase that we can use to verify this bug?

Flags: needinfo?(jkratzer)

(In reply to Brindusa Tot[:brindusat] from comment #15)

> Jason, did you manage to create a reduced testcase that we can use to verify this bug?

Brindusa, no unfortunately not. I have not seen an occurrence of that crash since I first reported it.

Flags: needinfo?(jkratzer)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
Has Regression Range: --- → yes