Closed Bug 1575271 Opened 8 months ago Closed 7 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/media/encoder/MediaEncoder.cpp:449:5 in mozilla::MediaEncoder::RunOnGraph(already_AddRefed<mozilla::Runnable>)

Categories

(Core :: Audio/Video: Recording, defect, P2, critical)

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed
firefox71 --- fixed

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 3 open bugs, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(4 files)

Testcase found while fuzzing mozilla-central rev e7e658ec1e98.

Testcase bisects to the following range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cc2984b1f9f28bc2ab198efd1378db80db36f4d6&tochange=e66a2b59914df9ac0ac6bad9887dc8585575bede

CC'ing :apehrson as it appears he touched the affected file during this range.

==16301==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f8e11afd2ad bp 0x7ffdf9741390 sp 0x7ffdf97412e0 T0)
==16301==The signal is caused by a WRITE memory access.
==16301==Hint: address points to the zero page.
    #0 0x7f8e11afd2ac in mozilla::MediaEncoder::RunOnGraph(already_AddRefed<mozilla::Runnable>) /builds/worker/workspace/build/src/dom/media/encoder/MediaEncoder.cpp:449:5
    #1 0x7f8e118b2b0f in mozilla::dom::MediaRecorder::Session::Resume() /builds/worker/workspace/build/src/dom/media/MediaRecorder.cpp:467:15
    #2 0x7f8e118b287f in mozilla::dom::MediaRecorder::Resume(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaRecorder.cpp:1326:42
    #3 0x7f8e0ebd819c in mozilla::dom::MediaRecorder_Binding::resume(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaRecorder*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaRecorderBinding.cpp:1128:24
    #4 0x7f8e109a4aad in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3163:13
    #5 0x7f8e17567577 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
    #6 0x7f8e17567577 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539
    #7 0x7f8e1754f81c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:598:10
    #8 0x7f8e1754f81c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #9 0x7f8e17530ebf in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #10 0x7f8e1756807f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567:13
    #11 0x7f8e1756a2a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610:8
    #12 0x7f8e180760d8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2722:10
    #13 0x7f8e1020de10 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #14 0x7f8e111313b5 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #15 0x7f8e111313b5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1033
    #16 0x7f8e11132e30 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
    #17 0x7f8e1111998a in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #18 0x7f8e1111998a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #19 0x7f8e111181a2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #20 0x7f8e1111db6b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #21 0x7f8e13ac7144 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1169:7
    #22 0x7f8e166f4f49 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6519:20
    #23 0x7f8e166f41ee in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6319:7
    #24 0x7f8e166f8d3f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #25 0x7f8e0ca8b65c in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1333:3
    #26 0x7f8e0ca8a6fc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:892:14
    #27 0x7f8e0ca8631b in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:726:9
    #28 0x7f8e0ca89176 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #29 0x7f8e0ca8a2dc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #30 0x7f8e0a31c870 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
    #31 0x7f8e0e21a3b1 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10671:18
    #32 0x7f8e0e21a3b1 in mozilla::dom::nsUnblockOnloadEvent::Run() /builds/worker/workspace/build/src/dom/base/Document.cpp:10627
    #33 0x7f8e0a0355d1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #34 0x7f8e0a067520 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #35 0x7f8e0a06d568 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #36 0x7f8e0b261fef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #37 0x7f8e0b15d052 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #38 0x7f8e0b15d052 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #39 0x7f8e0b15d052 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #40 0x7f8e133daad9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #41 0x7f8e172aef7f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #42 0x7f8e0b15d052 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #43 0x7f8e0b15d052 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #44 0x7f8e0b15d052 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #45 0x7f8e172ae826 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #46 0x5603d0820d73 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #47 0x5603d0820d73 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #48 0x7f8e2b77bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
Attached file testcase.html
Priority: -- → P2
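As an added triage example (not part of this bug report or of the Firefox tree): a small Python parser for AddressSanitizer output of the shape quoted above. It pulls out the error kind, faulting address, access type and zero-page hint, splits each stack frame into symbol and source location, and skips generated-binding and JS-engine frames so that the first project frame (here `MediaEncoder::RunOnGraph`) and a stable crash signature fall out for bucketing duplicate fuzzing crashes. The source-root prefix and the noise-subtree list are assumptions read off the paths in this report; the sample input is the report's own first lines, abbreviated to a few frames.

```python
"""Triage helper for AddressSanitizer reports (added example, not Firefox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed build layout, taken from the paths in the quoted report.
SOURCE_ROOT = "/builds/worker/workspace/build/src/"
# Frames under these subtrees are usually plumbing (generated DOM bindings, JS engine),
# not the code that owns the bug. Assumption for this example.
NOISE_SUBTREES = ("obj-firefox/", "js/src/")

# Constructed sample: the first lines of the report in this bug, abbreviated.
SAMPLE_REPORT = """\
==16301==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f8e11afd2ad bp 0x7ffdf9741390 sp 0x7ffdf97412e0 T0)
==16301==The signal is caused by a WRITE memory access.
==16301==Hint: address points to the zero page.
    #0 0x7f8e11afd2ac in mozilla::MediaEncoder::RunOnGraph(already_AddRefed<mozilla::Runnable>) /builds/worker/workspace/build/src/dom/media/encoder/MediaEncoder.cpp:449:5
    #1 0x7f8e118b2b0f in mozilla::dom::MediaRecorder::Session::Resume() /builds/worker/workspace/build/src/dom/media/MediaRecorder.cpp:467:15
    #2 0x7f8e118b287f in mozilla::dom::MediaRecorder::Resume(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaRecorder.cpp:1326:42
    #3 0x7f8e0ebd819c in mozilla::dom::MediaRecorder_Binding::resume(JSContext*, JS::Handle<JSObject*>, mozilla::dom::MediaRecorder*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/MediaRecorderBinding.cpp:1128:24
    #5 0x7f8e17567577 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
"""

HEADER_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
# SEGV reports say "caused by a WRITE memory access"; other kinds say "WRITE of size N".
ACCESS_RE = re.compile(r"(READ|WRITE) (?:memory access|of size \d+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (.+)$")


@dataclass
class Frame:
    index: int
    function: str
    path: str
    line: Optional[int] = None
    col: Optional[int] = None

    def symbol(self) -> str:
        """Function name without its parameter list."""
        return self.function.split("(", 1)[0]


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: int
    access: Optional[str] = None
    zero_page: bool = False
    frames: List[Frame] = field(default_factory=list)

    def likely_null_deref(self) -> bool:
        # Heuristic: a SEGV on the zero page (or ASan's explicit hint) is almost
        # always a null or near-null pointer dereference rather than a wild write.
        return self.kind == "SEGV" and (self.zero_page or self.address < 0x1000)

    def project_frames(self) -> List[Frame]:
        """Frames inside the source tree that are not in a noise subtree."""
        out = []
        for f in self.frames:
            if not f.path.startswith(SOURCE_ROOT):
                continue
            rel = f.path[len(SOURCE_ROOT):]
            if any(n in rel for n in NOISE_SUBTREES):
                continue
            out.append(f)
        return out

    def signature(self, depth: int = 3) -> str:
        """Stable bucketing key: kind, access type and the top project symbols."""
        syms = [f.symbol() for f in self.project_frames()[:depth]]
        return "|".join([self.kind, self.access or "?"] + syms)


def split_location(loc: str) -> tuple:
    """Split 'path:line:col' (line and col optional) into its parts."""
    parts = loc.split(":")
    line = col = None
    if len(parts) >= 3 and parts[-1].isdigit() and parts[-2].isdigit():
        col = int(parts.pop())
        line = int(parts.pop())
    elif len(parts) >= 2 and parts[-1].isdigit():
        line = int(parts.pop())
    return ":".join(parts), line, col


def parse_asan_report(text: str) -> AsanReport:
    report = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), kind=m.group("kind"),
                                address=int(m.group("addr"), 16))
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        if line.startswith("=="):
            m = ACCESS_RE.search(line)
            if m:
                report.access = m.group(1)
            if "points to the zero page" in line:
                report.zero_page = True
            continue
        m = FRAME_RE.match(line)
        if m:
            # The location is the last whitespace-separated token; the symbol may
            # itself contain spaces (templates, "non-virtual thunk to ...").
            function, _, location = m.group(2).rpartition(" ")
            path, ln, col = split_location(location)
            report.frames.append(Frame(int(m.group(1)), function, path, ln, col))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def summarize(report: AsanReport) -> str:
    frames = report.project_frames() or report.frames
    top = frames[0]
    what = "likely null-pointer dereference" if report.likely_null_deref() else report.kind
    return (f"{what} ({report.access or 'unknown'} at {report.address:#x}) "
            f"in {top.symbol()} at {top.path}:{top.line}")


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(summarize(r))
    print("signature:", r.signature())
```

The signature deliberately stops at the first few project frames: the JS-engine and event-dispatch frames below them are identical for every crash reached from a page script, so including them would split one bug into many buckets.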

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Pushed by pehrsons@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/9e517b69b1b6
Add crashtest. r=karlt
https://hg.mozilla.org/integration/autoland/rev/7a17b2a9a3d4
Keep a SharedDummyStream in MediaEncoder for access to the MediaStreamGraph. r=karlt
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

Comment on attachment 9091450 [details]
Bug 1575271 - Keep a SharedDummyStream in MediaEncoder for access to the MediaStreamGraph. r?karlt

Beta/Release Uplift Approval Request

  • User impact if declined: Firefox can be crashed at the will of an attacker
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple enough
  • String changes made/needed:
Attachment #9091450 - Flags: approval-mozilla-beta?
Attachment #9091449 - Flags: approval-mozilla-beta?

Comment on attachment 9091450 [details]
Bug 1575271 - Keep a SharedDummyStream in MediaEncoder for access to the MediaStreamGraph. r?karlt

Avoids a potential crash, let's try it on beta 7.

Attachment #9091450 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9091449 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: in-testsuite? → in-testsuite+

There have been considerable changes since 68, making this hard to uplift to esr68. Most notably bug 1014393, which is too big and risky to uplift.