Closed Bug 1583463 Opened 5 years ago Closed 5 years ago

Intermittent SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\dom\media\MediaStreamGraph.cpp:2759 in mozilla::SourceMediaStream::AppendToTrack

Categories

(Core :: Audio/Video, defect, P2)

RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- disabled
firefox-esr68 70+ fixed
firefox69 --- wontfix
firefox70 + fixed
firefox71 + fixed

People

(Reporter: cbrindusan, Assigned: pehrsons)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r][post-critsmash-triage])

Attachments

(5 files)

https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=268123735&repo=autoland&lineNumber=12368

[task 2019-09-24T10:15:02.368Z] 10:15:02 INFO - TEST-OK | dom/media/tests/mochitest/test_getUserMedia_basicScreenshare.html | took 10673ms
[task 2019-09-24T10:15:02.417Z] 10:15:02 INFO - TEST-START | dom/media/tests/mochitest/test_getUserMedia_basicTabshare.html
[task 2019-09-24T10:15:02.559Z] 10:15:02 INFO - GECKO(100) | TEST DEVICES: No test device found in media.audio_loopback_dev, using fake audio streams.
[task 2019-09-24T10:15:02.559Z] 10:15:02 INFO - GECKO(100) | TEST DEVICES: No test device found in media.video_loopback_dev, using fake video streams.
[task 2019-09-24T10:15:02.902Z] 10:15:02 INFO - GECKO(100) | TEST DEVICES: No test device found in media.audio_loopback_dev, using fake audio streams.
[task 2019-09-24T10:15:02.902Z] 10:15:02 INFO - GECKO(100) | TEST DEVICES: No test device found in media.video_loopback_dev, using fake video streams.
[task 2019-09-24T10:15:02.952Z] 10:15:02 INFO - GECKO(100) | =================================================================
[task 2019-09-24T10:15:02.952Z] 10:15:02 ERROR - GECKO(100) | ==4204==ERROR: AddressSanitizer: heap-use-after-free on address 0x121334002920 at pc 0x7ffe7e5c5746 bp 0x00399b9fce60 sp 0x00399b9fcea8
[task 2019-09-24T10:15:02.953Z] 10:15:02 INFO - GECKO(100) | READ of size 4 at 0x121334002920 thread T0
[task 2019-09-24T10:15:02.984Z] 10:15:02 INFO - GECKO(100) | ==4204==WARNING: Failed to use and restart external symbolizer!
[task 2019-09-24T10:15:03.360Z] 10:15:03 INFO - GECKO(100) | #0 0x7ffe7e5c5745 in mozilla::SourceMediaStream::AppendToTrack z:\build\build\src\dom\media\MediaStreamGraph.cpp:2759
[task 2019-09-24T10:15:03.370Z] 10:15:03 INFO - GECKO(100) | #1 0x7ffe7ed82b67 in mozilla::MediaEngineTabVideoSource::Draw z:\build\build\src\dom\media\webrtc\MediaEngineTabVideoSource.cpp:386
[task 2019-09-24T10:15:03.375Z] 10:15:03 INFO - GECKO(100) | #2 0x7ffe75837d60 in nsTimerImpl::Fire z:\build\build\src\xpcom\threads\nsTimerImpl.cpp:561
[task 2019-09-24T10:15:03.375Z] 10:15:03 INFO - GECKO(100) | #3 0x7ffe75837447 in nsTimerEvent::Run z:\build\build\src\xpcom\threads\TimerThread.cpp:260
[task 2019-09-24T10:15:03.375Z] 10:15:03 INFO - GECKO(100) | #4 0x7ffe7584e26e in nsThread::ProcessNextEvent z:\build\build\src\xpcom\threads\nsThread.cpp:1225
[task 2019-09-24T10:15:03.375Z] 10:15:03 INFO - GECKO(100) | #5 0x7ffe75855ee8 in NS_ProcessNextEvent z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:486
[task 2019-09-24T10:15:03.384Z] 10:15:03 INFO - GECKO(100) | #6 0x7ffe76aa756f in mozilla::ipc::MessagePump::Run z:\build\build\src\ipc\glue\MessagePump.cpp:88
[task 2019-09-24T10:15:03.386Z] 10:15:03 INFO - GECKO(100) | #7 0x7ffe769dbfce in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:308
[task 2019-09-24T10:15:03.386Z] 10:15:03 INFO - GECKO(100) | #8 0x7ffe769dbd65 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:290
[task 2019-09-24T10:15:03.391Z] 10:15:03 INFO - GECKO(100) | #9 0x7ffe8020f34a in nsBaseAppShell::Run z:\build\build\src\widget\nsBaseAppShell.cpp:137
[task 2019-09-24T10:15:03.401Z] 10:15:03 INFO - GECKO(100) | #10 0x7ffe803a57e8 in nsAppShell::Run z:\build\build\src\widget\windows\nsAppShell.cpp:406
[task 2019-09-24T10:15:03.401Z] 10:15:03 INFO - GECKO(100) | #11 0x7ffe84516a0d in XRE_RunAppShell z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:934
[task 2019-09-24T10:15:03.401Z] 10:15:03 INFO - GECKO(100) | #12 0x7ffe769dbfce in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:308
[task 2019-09-24T10:15:03.401Z] 10:15:03 INFO - GECKO(100) | #13 0x7ffe769dbd65 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:290
[task 2019-09-24T10:15:03.401Z] 10:15:03 INFO - GECKO(100) | #14 0x7ffe84515bf5 in XRE_InitChildProcess z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:769
[task 2019-09-24T10:15:03.420Z] 10:15:03 INFO - GECKO(100) | #15 0x7ff6dcc820f0 in NS_internal_main z:\build\build\src\browser\app\nsBrowserApp.cpp:272
[task 2019-09-24T10:15:03.420Z] 10:15:03 INFO - GECKO(100) | #16 0x7ff6dcc814f2 in wmain z:\build\build\src\toolkit\xre\nsWindowsWMain.cpp:131
[task 2019-09-24T10:15:03.420Z] 10:15:03 INFO - GECKO(100) | #17 0x7ff6dcd7c087 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
[task 2019-09-24T10:15:03.420Z] 10:15:03 INFO - GECKO(100) | #18 0x7ffeca353033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-09-24T10:15:03.420Z] 10:15:03 INFO - GECKO(100) | #19 0x7ffecb071460 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-09-24T10:15:03.420Z] 10:15:03 INFO - GECKO(100) | 0x121334002920 is located 0 bytes inside of 24-byte region [0x121334002920,0x121334002938)
[task 2019-09-24T10:15:03.420Z] 10:15:03 INFO - GECKO(100) | freed by thread T441 here:
[task 2019-09-24T10:15:03.446Z] 10:15:03 INFO - GECKO(100) | #0 0x7ffeb1dc4520 in free Z:\task_1568749159\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:53
[task 2019-09-24T10:15:03.446Z] 10:15:03 INFO - GECKO(100) | #1 0x7ffe7553b4db in nsTArray_base<nsTArrayInfallibleAllocator,nsTArray_CopyWithMemutils>::ShrinkCapacity z:\build\build\src\obj-firefox\dist\include\nsTArray-inl.h:236
[task 2019-09-24T10:15:03.448Z] 10:15:03 INFO - GECKO(100) | #2 0x7ffe7e5c83f0 in mozilla::SourceMediaStream::RemoveAllDirectListenersImpl z:\build\build\src\dom\media\MediaStreamGraph.cpp:2945
[task 2019-09-24T10:15:03.448Z] 10:15:03 INFO - GECKO(100) | #3 0x7ffe7e5bd82e in mozilla::MediaStream::RemoveAllListenersImpl z:\build\build\src\dom\media\MediaStreamGraph.cpp:2011
[task 2019-09-24T10:15:03.448Z] 10:15:03 INFO - GECKO(100) | #4 0x7ffe7e5eb35b in mozilla::MediaStream::Destroy()::Message::Run z:\build\build\src\dom\media\MediaStreamGraph.cpp:2030
[task 2019-09-24T10:15:03.448Z] 10:15:03 INFO - GECKO(100) | #5 0x7ffe7e5b257f in mozilla::MediaStreamGraphImpl::RunMessagesInQueue z:\build\build\src\dom\media\MediaStreamGraph.cpp:1167
[task 2019-09-24T10:15:03.448Z] 10:15:03 INFO - GECKO(100) | #6 0x7ffe7e5b747c in mozilla::MediaStreamGraphImpl::OneIterationImpl z:\build\build\src\dom\media\MediaStreamGraph.cpp:1400
[task 2019-09-24T10:15:03.453Z] 10:15:03 INFO - GECKO(100) | #7 0x7ffe7e2e4fab in mozilla::ThreadedDriver::RunThread z:\build\build\src\dom\media\GraphDriver.cpp:296
[task 2019-09-24T10:15:03.453Z] 10:15:03 INFO - GECKO(100) | #8 0x7ffe7e2f5e18 in mozilla::MediaStreamGraphInitThreadRunnable::Run z:\build\build\src\dom\media\GraphDriver.cpp:209
[task 2019-09-24T10:15:03.453Z] 10:15:03 INFO - GECKO(100) | #9 0x7ffe7584e26e in nsThread::ProcessNextEvent z:\build\build\src\xpcom\threads\nsThread.cpp:1225
[task 2019-09-24T10:15:03.454Z] 10:15:03 INFO - GECKO(100) | #10 0x7ffe75855ee8 in NS_ProcessNextEvent z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:486
[task 2019-09-24T10:15:03.454Z] 10:15:03 INFO - GECKO(100) | #11 0x7ffe76aa8801 in mozilla::ipc::MessagePumpForNonMainThreads::Run z:\build\build\src\ipc\glue\MessagePump.cpp:303
[task 2019-09-24T10:15:03.454Z] 10:15:03 INFO - GECKO(100) | #12 0x7ffe769dbfce in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:308
[task 2019-09-24T10:15:03.456Z] 10:15:03 INFO - GECKO(100) | #13 0x7ffe769dbd65 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:290
[task 2019-09-24T10:15:03.456Z] 10:15:03 INFO - GECKO(100) | #14 0x7ffe75846726 in nsThread::ThreadFunc z:\build\build\src\xpcom\threads\nsThread.cpp:458
[task 2019-09-24T10:15:03.474Z] 10:15:03 INFO - GECKO(100) | #15 0x7ffeb2c1b6ad in _PR_NativeRunThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:397
[task 2019-09-24T10:15:03.474Z] 10:15:03 INFO - GECKO(100) | #16 0x7ffeb2bea844 in pr_root z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:137
[task 2019-09-24T10:15:03.479Z] 10:15:03 INFO - GECKO(100) | #17 0x7ffec7b9c4bd in o_ceil+0x4d (C:\Windows\System32\ucrtbase.dll+0x18001c4bd)
[task 2019-09-24T10:15:03.479Z] 10:15:03 INFO - GECKO(100) | #18 0x7ffeb1dce8c8 in __asan::AsanThread::ThreadStart Z:\task_1568749159\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:264
[task 2019-09-24T10:15:03.479Z] 10:15:03 INFO - GECKO(100) | #19 0x7ffeca353033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-09-24T10:15:03.489Z] 10:15:03 INFO - GECKO(100) | #20 0x7ffebdcd4dcb in patched_BaseThreadInitThunk z:\build\build\src\mozglue\dllservices\WindowsDllBlocklist.cpp:564
[task 2019-09-24T10:15:03.489Z] 10:15:03 INFO - GECKO(100) | #21 0x7ffecb071460 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-09-24T10:15:03.489Z] 10:15:03 INFO - GECKO(100) | previously allocated by thread T441 here:
[task 2019-09-24T10:15:03.489Z] 10:15:03 INFO - GECKO(100) | #0 0x7ffeb1dc4610 in malloc Z:\task_1568749159\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:69
[task 2019-09-24T10:15:03.489Z] 10:15:03 INFO - GECKO(100) | #1 0x7ffebdcd16dd in moz_xmalloc z:\build\build\src\memory\mozalloc\mozalloc.cpp:52
[task 2019-09-24T10:15:03.489Z] 10:15:03 INFO - GECKO(100) | #2 0x7ffe7553c549 in nsTArray_base<nsTArrayInfallibleAllocator,nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator> z:\build\build\src\obj-firefox\dist\include\nsTArray-inl.h:144
[task 2019-09-24T10:15:03.490Z] 10:15:03 INFO - GECKO(100) | #3 0x7ffe7e5c5fab in mozilla::SourceMediaStream::AddDirectTrackListenerImpl z:\build\build\src\dom\media\MediaStreamGraph.cpp:2820
[task 2019-09-24T10:15:03.492Z] 10:15:03 INFO - GECKO(100) | #4 0x7ffe7e264f3d in mozilla::TrackUnionStream::AddDirectTrackListenerImpl z:\build\build\src\dom\media\TrackUnionStream.cpp:383
[task 2019-09-24T10:15:03.492Z] 10:15:03 INFO - GECKO(100) | #5 0x7ffe7e5ebdcb in mozilla::MediaStream::AddDirectTrackListener(mozilla::DirectMediaStreamTrackListener *, mozilla::TrackID)::Message::Run z:\build\build\src\dom\media\MediaStreamGraph.cpp:2233
[task 2019-09-24T10:15:03.492Z] 10:15:03 INFO - GECKO(100) | #6 0x7ffe7e5b257f in mozilla::MediaStreamGraphImpl::RunMessagesInQueue z:\build\build\src\dom\media\MediaStreamGraph.cpp:1167
[task 2019-09-24T10:15:03.492Z] 10:15:03 INFO - GECKO(100) | #7 0x7ffe7e5b747c in mozilla::MediaStreamGraphImpl::OneIterationImpl z:\build\build\src\dom\media\MediaStreamGraph.cpp:1400
[task 2019-09-24T10:15:03.492Z] 10:15:03 INFO - GECKO(100) | #8 0x7ffe7e2e4fab in mozilla::ThreadedDriver::RunThread z:\build\build\src\dom\media\GraphDriver.cpp:296
[task 2019-09-24T10:15:03.494Z] 10:15:03 INFO - GECKO(100) | #9 0x7ffe7e2f5e18 in mozilla::MediaStreamGraphInitThreadRunnable::Run z:\build\build\src\dom\media\GraphDriver.cpp:209
[task 2019-09-24T10:15:03.494Z] 10:15:03 INFO - GECKO(100) | #10 0x7ffe7584e26e in nsThread::ProcessNextEvent z:\build\build\src\xpcom\threads\nsThread.cpp:1225
[task 2019-09-24T10:15:03.496Z] 10:15:03 INFO - GECKO(100) | #11 0x7ffe75855ee8 in NS_ProcessNextEvent z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:486
[task 2019-09-24T10:15:03.496Z] 10:15:03 INFO - GECKO(100) | #12 0x7ffe76aa8801 in mozilla::ipc::MessagePumpForNonMainThreads::Run z:\build\build\src\ipc\glue\MessagePump.cpp:303
[task 2019-09-24T10:15:03.498Z] 10:15:03 INFO - GECKO(100) | #13 0x7ffe769dbfce in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:308
[task 2019-09-24T10:15:03.498Z] 10:15:03 INFO - GECKO(100) | #14 0x7ffe769dbd65 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:290
[task 2019-09-24T10:15:03.499Z] 10:15:03 INFO - GECKO(100) | #15 0x7ffe75846726 in nsThread::ThreadFunc z:\build\build\src\xpcom\threads\nsThread.cpp:458
[task 2019-09-24T10:15:03.499Z] 10:15:03 INFO - GECKO(100) | #16 0x7ffeb2c1b6ad in _PR_NativeRunThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:397
[task 2019-09-24T10:15:03.500Z] 10:15:03 INFO - GECKO(100) | #17 0x7ffeb2bea844 in pr_root z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:137
[task 2019-09-24T10:15:03.500Z] 10:15:03 INFO - GECKO(100) | #18 0x7ffec7b9c4bd in o_ceil+0x4d (C:\Windows\System32\ucrtbase.dll+0x18001c4bd)
[task 2019-09-24T10:15:03.500Z] 10:15:03 INFO - GECKO(100) | #19 0x7ffeb1dce8c8 in __asan::AsanThread::ThreadStart Z:\task_1568749159\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:264
[task 2019-09-24T10:15:03.501Z] 10:15:03 INFO - GECKO(100) | #20 0x7ffeca353033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-09-24T10:15:03.501Z] 10:15:03 INFO - GECKO(100) | #21 0x7ffebdcd4dcb in patched_BaseThreadInitThunk z:\build\build\src\mozglue\dllservices\WindowsDllBlocklist.cpp:564
[task 2019-09-24T10:15:03.502Z] 10:15:03 INFO - GECKO(100) | #22 0x7ffecb071460 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-09-24T10:15:03.502Z] 10:15:03 INFO - GECKO(100) | Thread T441 created by T0 here:
[task 2019-09-24T10:15:03.502Z] 10:15:03 INFO - GECKO(100) | #0 0x7ffeb1dcf9f0 in __asan_wrap_CreateThread Z:\task_1568749159\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_win.cc:146
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #1 0x7ffec7b9c0c6 in beginthreadex+0x56 (C:\Windows\System32\ucrtbase.dll+0x18001c0c6)
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #2 0x7ffeb2bea66d in _PR_MD_CREATE_THREAD z:\build\build\src\nsprpub\pr\src\md\windows\w95thred.c:151
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #3 0x7ffeb2c1c5bc in _PR_NativeCreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1041
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #4 0x7ffeb2c1cf19 in _PR_CreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1159
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #5 0x7ffeb2c0f96f in PR_CreateThread z:\build\build\src\nsprpub\pr\src\threads\combined\pruthr.c:1371
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #6 0x7ffe7584958a in nsThread::Init z:\build\build\src\xpcom\threads\nsThread.cpp:672
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #7 0x7ffe75854aac in nsThreadManager::NewNamedThread z:\build\build\src\xpcom\threads\nsThreadManager.cpp:414
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #8 0x7ffe75859582 in NS_NewNamedThread z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:139
[task 2019-09-24T10:15:03.503Z] 10:15:03 INFO - GECKO(100) | #9 0x7ffe7e2e4259 in mozilla::ThreadedDriver::Start z:\build\build\src\dom\media\GraphDriver.cpp:227
[task 2019-09-24T10:15:03.504Z] 10:15:03 INFO - GECKO(100) | #10 0x7ffe7e5b95da in mozilla::MediaStreamGraphImpl::RunInStableState z:\build\build\src\dom\media\MediaStreamGraph.cpp:1741
[task 2019-09-24T10:15:03.504Z] 10:15:03 INFO - GECKO(100) | #11 0x7ffe7e5e0cc5 in mozilla::`anonymous namespace'::MediaStreamGraphStableStateRunnable::Run z:\build\build\src\dom\media\MediaStreamGraph.cpp:1629
[task 2019-09-24T10:15:03.513Z] 10:15:03 INFO - GECKO(100) | #12 0x7ffe755d7290 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:438
[task 2019-09-24T10:15:03.513Z] 10:15:03 INFO - GECKO(100) | #13 0x7ffe755dba76 in mozilla::CycleCollectedJSContext::AfterProcessTask z:\build\build\src\xpcom\base\CycleCollectedJSContext.cpp:497
[task 2019-09-24T10:15:03.523Z] 10:15:03 INFO - GECKO(100) | #14 0x7ffe777a1b49 in XPCJSContext::AfterProcessTask z:\build\build\src\js\xpconnect\src\XPCJSContext.cpp:1323
[task 2019-09-24T10:15:03.523Z] 10:15:03 INFO - GECKO(100) | #15 0x7ffe7584efce in nsThread::ProcessNextEvent z:\build\build\src\xpcom\threads\nsThread.cpp:1282
[task 2019-09-24T10:15:03.523Z] 10:15:03 INFO - GECKO(100) | #16 0x7ffe75855ee8 in NS_ProcessNextEvent z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:486
[task 2019-09-24T10:15:03.524Z] 10:15:03 INFO - GECKO(100) | #17 0x7ffe76aa756f in mozilla::ipc::MessagePump::Run z:\build\build\src\ipc\glue\MessagePump.cpp:88
[task 2019-09-24T10:15:03.524Z] 10:15:03 INFO - GECKO(100) | #18 0x7ffe769dbfce in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:308
[task 2019-09-24T10:15:03.524Z] 10:15:03 INFO - GECKO(100) | #19 0x7ffe769dbd65 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:290
[task 2019-09-24T10:15:03.525Z] 10:15:03 INFO - GECKO(100) | #20 0x7ffe8020f34a in nsBaseAppShell::Run z:\build\build\src\widget\nsBaseAppShell.cpp:137
[task 2019-09-24T10:15:03.525Z] 10:15:03 INFO - GECKO(100) | #21 0x7ffe803a57e8 in nsAppShell::Run z:\build\build\src\widget\windows\nsAppShell.cpp:406
[task 2019-09-24T10:15:03.525Z] 10:15:03 INFO - GECKO(100) | #22 0x7ffe84516a0d in XRE_RunAppShell z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:934
[task 2019-09-24T10:15:03.525Z] 10:15:03 INFO - GECKO(100) | #23 0x7ffe769dbfce in MessageLoop::RunHandler z:\build\build\src\ipc\chromium\src\base\message_loop.cc:308
[task 2019-09-24T10:15:03.527Z] 10:15:03 INFO - GECKO(100) | #24 0x7ffe769dbd65 in MessageLoop::Run z:\build\build\src\ipc\chromium\src\base\message_loop.cc:290
[task 2019-09-24T10:15:03.528Z] 10:15:03 INFO - GECKO(100) | #25 0x7ffe84515bf5 in XRE_InitChildProcess z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:769
[task 2019-09-24T10:15:03.528Z] 10:15:03 INFO - GECKO(100) | #26 0x7ff6dcc820f0 in NS_internal_main z:\build\build\src\browser\app\nsBrowserApp.cpp:272
[task 2019-09-24T10:15:03.529Z] 10:15:03 INFO - GECKO(100) | #27 0x7ff6dcc814f2 in wmain z:\build\build\src\toolkit\xre\nsWindowsWMain.cpp:131
[task 2019-09-24T10:15:03.529Z] 10:15:03 INFO - GECKO(100) | #28 0x7ff6dcd7c087 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
[task 2019-09-24T10:15:03.530Z] 10:15:03 INFO - GECKO(100) | #29 0x7ffeca353033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2019-09-24T10:15:03.530Z] 10:15:03 INFO - GECKO(100) | #30 0x7ffecb071460 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2019-09-24T10:15:03.531Z] 10:15:03 INFO - GECKO(100) | SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\dom\media\MediaStreamGraph.cpp:2759 in mozilla::SourceMediaStream::AppendToTrack
[task 2019-09-24T10:15:03.532Z] 10:15:03 INFO - GECKO(100) | Shadow bytes around the buggy address:
[task 2019-09-24T10:15:03.539Z] 10:15:03 INFO - GECKO(100) | ==4204==ABORTING
[task 2019-09-24T10:15:03.619Z] 10:15:03 ERROR - GECKO(100) | A content process crashed and MOZ_CRASHREPORTER_SHUTDOWN is set, shutting down
[task 2019-09-24T10:15:03.827Z] 10:15:03 INFO - GECKO(100) | JavaScript error: resource://services-settings/RemoteSettingsClient.jsm, line 149: Error: Unknown callback
[task 2019-09-24T10:15:03.866Z] 10:15:03 INFO - GECKO(100) | [Socket 2816, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.866Z] 10:15:03 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.926Z] 10:15:03 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: file z:/build/build/src/ipc/chromium/src/base/process_util_win.cc, line 160
[task 2019-09-24T10:15:03.926Z] 10:15:03 INFO - GECKO(100) | [Child 8824, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.926Z] 10:15:03 INFO - GECKO(100) | [Child 8824, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.936Z] 10:15:03 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.936Z] 10:15:03 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.936Z] 10:15:03 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.936Z] 10:15:03 INFO - GECKO(100) | ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
[task 2019-09-24T10:15:03.937Z] 10:15:03 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.937Z] 10:15:03 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.939Z] 10:15:03 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:03.939Z] 10:15:03 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.018Z] 10:15:04 INFO - GECKO(100) | [Socket 2816, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.018Z] 10:15:04 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.018Z] 10:15:04 INFO - GECKO(100) | [Child 2552, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.023Z] 10:15:04 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.023Z] 10:15:04 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.023Z] 10:15:04 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.023Z] 10:15:04 INFO - GECKO(100) | ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
[task 2019-09-24T10:15:04.025Z] 10:15:04 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.025Z] 10:15:04 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.027Z] 10:15:04 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.027Z] 10:15:04 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.434Z] 10:15:04 INFO - GECKO(100) | 1569320104423 Marionette TRACE Received observer notification xpcom-will-shutdown
[task 2019-09-24T10:15:04.434Z] 10:15:04 INFO - GECKO(100) | 1569320104423 Marionette INFO Stopped listening on port 2828
[task 2019-09-24T10:15:04.434Z] 10:15:04 INFO - GECKO(100) | 1569320104423 Marionette DEBUG Remote service is inactive
[task 2019-09-24T10:15:04.453Z] 10:15:04 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: fil
[task 2019-09-24T10:15:04.453Z] 10:15:04 INFO - GECKO(100) | ###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
[task 2019-09-24T10:15:04.453Z] 10:15:04 INFO - GECKO(100) | e z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.455Z] 10:15:04 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.455Z] 10:15:04 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.455Z] 10:15:04 INFO - GECKO(100) | [Socket 2816, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.455Z] 10:15:04 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.455Z] 10:15:04 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.456Z] 10:15:04 INFO - GECKO(100) | [Parent 7808, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:04.466Z] 10:15:04 INFO - GECKO(100) | [GPU 2028, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[task 2019-09-24T10:15:05.480Z] 10:15:05 INFO - TEST-INFO | Main app process: exit 0
[task 2019-09-24T10:15:05.480Z] 10:15:05 INFO - runtests.py | Application ran for: 0:00:51.191000
[task 2019-09-24T10:15:05.480Z] 10:15:05 INFO - zombiecheck | Reading PID log: c:\users\task_1569317134\appdata\local\temp\tmpdk0e0cpidlog
[task 2019-09-24T10:15:05.480Z] 10:15:05 INFO - ==> process 7808 launched child process 2816 ("Z:\task_1569317134\build\application\firefox\firefox.exe" -contentproc --channel="7808.0.1728725690\2041468767" -parentBuildID 20190924083321 -prefsHandle 1392 -prefMapHandle 1372 -prefsLen 1 -prefMapSize 222813 -greomni "Z:\task_1569317134\build\application\firefox\omni.ja" -appomni "Z:\task_1569317134\build\application\firefox\browser\omni.ja" -appdir "Z:\task_1569317134\build\application\firefox\browser" - 7808 socket)
[task 2019-09-24T10:15:05.481Z] 10:15:05 INFO - ==> process 7808 launched child process 2028 ("Z:\task_1569317134\build\application\firefox\firefox.exe" -contentproc --channel="7808.1.1887540401\104827896" -parentBuildID 20190924083321 -prefsHandle 1624 -prefMapHandle 1620 -prefsLen 120 -prefMapSize 222813 -greomni "Z:\task_1569317134\build\application\firefox\omni.ja" -appomni "Z:\task_1569317134\build\application\firefox\browser\omni.ja" -appdir "Z:\task_1569317134\build\application\firefox\browser" - 7808 gpu)
[task 2019-09-24T10:15:05.481Z] 10:15:05 INFO - ==> process 7808 launched child process 4204 ("Z:\task_1569317134\build\application\firefox\firefox.exe" -contentproc --channel="7808.5.1922859834\975601696" -childID 1 -isForBrowser -prefsHandle 2276 -prefMapHandle 2272 -prefsLen 198 -prefMapSize 222813 -parentBuildID 20190924083321 -greomni "Z:\task_1569317134\build\application\firefox\omni.ja" -appomni "Z:\task_1569317134\build\application\firefox\browser\omni.ja" -appdir "Z:\task_1569317134\build\application\firefox\browser" - 7808 tab)
[task 2019-09-24T10:15:05.481Z] 10:15:05 INFO - ==> process 7808 launched child process 8824 ("Z:\task_1569317134\build\application\firefox\firefox.exe" -contentproc --channel="7808.16.1873666921\928539728" -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 7037 -prefMapSize 222813 -parentBuildID 20190924083321 -greomni "Z:\task_1569317134\build\application\firefox\omni.ja" -appomni "Z:\task_1569317134\build\application\firefox\browser\omni.ja" -appdir "Z:\task_1569317134\build\application\firefox\browser" - 7808 tab)
[task 2019-09-24T10:15:05.481Z] 10:15:05 INFO - ==> process 7808 launched child process 2552 ("Z:\task_1569317134\build\application\firefox\firefox.exe" -contentproc --channel="7808.24.1656411145\2056798163" -childID 3 -isForBrowser -prefsHandle 4368 -prefMapHandle 4356 -prefsLen 7770 -prefMapSize 222813 -parentBuildID 20190924083321 -greomni "Z:\task_1569317134\build\application\firefox\omni.ja" -appomni "Z:\task_1569317134\build\application\firefox\browser\omni.ja" -appdir "Z:\task_1569317134\build\application\firefox\browser" - 7808 tab)
[task 2019-09-24T10:15:05.481Z] 10:15:05 INFO - zombiecheck | Checking for orphan process with PID: 2816
[task 2019-09-24T10:15:05.481Z] 10:15:05 INFO - zombiecheck | Checking for orphan process with PID: 4204
[task 2019-09-24T10:15:05.481Z] 10:15:05 INFO - zombiecheck | Checking for orphan process with PID: 2028
[task 2019-09-24T10:15:05.482Z] 10:15:05 INFO - zombiecheck | Checking for orphan process with PID: 2552
[task 2019-09-24T10:15:05.482Z] 10:15:05 INFO - zombiecheck | Checking for orphan process with PID: 8824
[task 2019-09-24T10:15:05.482Z] 10:15:05 INFO - Stopping web server
[task 2019-09-24T10:15:05.487Z] 10:15:05 INFO - Stopping web socket server
[task 2019-09-24T10:15:05.509Z] 10:15:05 INFO - Stopping ssltunnel
[task 2019-09-24T10:15:05.570Z] 10:15:05 INFO - Stopping websocket/process bridge
[task 2019-09-24T10:15:05.570Z] 10:15:05 WARNING - leakcheck | refcount logging is off, so leaks can't be detected!
[task 2019-09-24T10:15:05.570Z] 10:15:05 INFO - runtests.py | Running tests: end.
[task 2019-09-24T10:15:05.648Z] 10:15:05 INFO - Buffered messages logged at 10:15:02
[task 2019-09-24T10:15:05.648Z] 10:15:05 INFO - TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_basicTabshare.html | A valid string reason is expected

Group: core-security → media-core-security

This appears to involve MediaEngineTabVideoSource, which is behind a pref, media.getusermedia.browser.enabled (off by default).

Andreas, would you say it seems safe to say this is unique to MediaEngineTabVideoSource? Or does it point to a problem that might affect other sources?

Flags: needinfo?(apehrson)

P1 based on sec-high.

Andreas, does this look like fallout from the last changes to MSG?

Priority: -- → P1

My working theory is that this is unique to MediaEngineTabVideoSource, but I have yet to verify this.

Assignee: nobody → apehrson
Status: NEW → ASSIGNED

This seems to be a latent bug where we don't lock SourceMediaStream::mMutex in SourceMediaStream::RemoveAllDirectListenersImpl (I've audited SourceMediaStream for mMutex usage and this is the only access that should lock, but doesn't lock, the mutex).

My guess is this is triggered by MediaEngineTabVideoSource not stopping the production of data (i.e., calls to AppendToTrack) synchronously in Stop(). All other push-based sources do this. Pull-based ones (audio) are not affected. With that in mind I'd say this is unique to MediaEngineTabVideoSource and reduce this to a P2.

I'll work out a couple of overlapping fixes and still try to uplift the fix to the SourceMediaStream mutex. MediaEngineTabVideoSource fixes can ride the trains.

Flags: needinfo?(apehrson)
Priority: P1 → P2
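
The locking rule described in the comment above, shown as an added example that is not Mozilla's code and not part of the original bug. It is a simplified model with made-up names (CheckedMutex, SourceStreamModel, UnlockedRemovalIsCaught) in which every access to the listener list goes through one accessor that checks the mutex is held, so a teardown path that forgets the lock fails on every run instead of intermittently.

```cpp
#include <atomic>
#include <cstddef>
#include <mutex>
#include <stdexcept>
#include <thread>
#include <vector>

// Mutex that records its owner so guarded state can check the lock is held.
class CheckedMutex {
 public:
  void lock() { mImpl.lock(); mOwner.store(std::this_thread::get_id()); }
  void unlock() { mOwner.store(std::thread::id()); mImpl.unlock(); }
  bool Held() const { return mOwner.load() == std::this_thread::get_id(); }
 private:
  std::mutex mImpl;
  std::atomic<std::thread::id> mOwner{std::thread::id()};
};

// Hypothetical model: listener list shared by producer and teardown threads.
class SourceStreamModel {
 public:
  void AddDirectListener(int aId) {
    std::lock_guard<CheckedMutex> lock(mMutex);
    Listeners().push_back(aId);
  }
  std::size_t AppendToTrack() {  // producer path: listeners that got the frame
    std::lock_guard<CheckedMutex> lock(mMutex);
    return Listeners().size();
  }
  void RemoveAllDirectListeners() {  // teardown with the lock, as in the fix
    std::lock_guard<CheckedMutex> lock(mMutex);
    Listeners().clear();
  }
  void RemoveAllDirectListenersUnlocked() { Listeners().clear(); }  // pre-fix shape
 private:
  std::vector<int>& Listeners() {  // every access proves the lock is held
    if (!mMutex.Held())
      throw std::logic_error("mDirectListeners touched without mMutex");
    return mDirectListeners;
  }
  CheckedMutex mMutex;
  std::vector<int> mDirectListeners;
};

bool UnlockedRemovalIsCaught() {
  SourceStreamModel s;
  s.AddDirectListener(1);
  try { s.RemoveAllDirectListenersUnlocked(); } catch (const std::logic_error&) { return true; }
  return false;
}
```
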

A variant of this bug that doesn't trigger the UAF is easily triggered by running ./mach mochitest dom/media/tests/mochitest/test_getUserMedia_basicTabShare.html --verify. The UAF has much stricter timing constraints in that main thread has to append data to a track while the audio thread is at the same time clearing its members.

This simpler variant is triggered when entering shutdown just after finishing the basicTabShare mochitest.

The MediaStream is then destroyed on main thread before the tab source's draw timer is cancelled on main thread. The MediaStream is even destroyed (not destructed, note) on the audio thread before the tab source's draw timer is cancelled on main thread.

Because of this, the draw timer ends up firing and appending data to the stream after it was destroyed. This data is then not processed (already destroyed!), and only released in the dtor. This happens to be after XPCOM_Shutdown so a fatal gfx assert is triggered, and we crash.

I've verified that my local fixes also fix this simpler failure mode.

Regressed by: 1410829
Keywords: regression

Comment on attachment 9097487 [details]
Bug 1583463 - Lock SourceMediaStream's mMutex also during shutdown. r?padenot

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Very hard, the only known trigger is disabled by default. The core issue is an old bug (58) but recent changes made it get triggered only now. I don't see how one could construct an exploit -- they'd have to find another way to trigger the bug, but that's a lifetime issue and we control those lifetimes. At shutdown (closing Firefox altogether) the lifetimes are looser so the risk is higher there.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
  • Which older supported branches are affected by this flaw?: all
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: They are trivial.
  • How likely is this patch to cause regressions; how much testing does it need?: None.
Attachment #9097487 - Flags: sec-approval?
Attachment #9097488 - Flags: sec-approval?
Attachment #9097489 - Flags: sec-approval?
Attachment #9097490 - Flags: sec-approval?
Attachment #9097491 - Flags: sec-approval?
Attachment #9097487 - Flags: sec-approval? → sec-approval+
Attachment #9097488 - Flags: sec-approval? → sec-approval+
Attachment #9097489 - Flags: sec-approval? → sec-approval+
Attachment #9097490 - Flags: sec-approval? → sec-approval+

Comment on attachment 9097491 [details]
Bug 1583463 - End the tab source's track when the draw timer is guaranteed to have stopped. r?jib

This is fine to ship given that the only known trigger is not disabled in shipping releases.

Attachment #9097491 - Flags: sec-approval? → sec-approval+

The security bug process only said to check for "unaffected" so I wanted to make sure. Thanks!

Comment on attachment 9097487 [details]
Bug 1583463 - Lock SourceMediaStream's mMutex also during shutdown. r?padenot

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  • User impact if declined: Exposes a potential UAF bug, though without known (shipping) triggers.
  • Fix Landed on Version: 71
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial, only adds a mutex lock
  • String or UUID changes made by this patch:

Beta/Release Uplift Approval Request

  • User impact if declined: Exposes a potential UAF bug, though without known (shipping) triggers.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Trivial, only adds a mutex lock
  • String changes made/needed:
Attachment #9097487 - Flags: approval-mozilla-esr68?
Attachment #9097487 - Flags: approval-mozilla-beta?

Dan, do you have an opinion here on whether we should ship this fix to 70/esr?
I'm disinclined to uplift all of this with only 1 beta build left before release, unless you think it is necessary.

Note that the uplift request is just for a single patch that adds a single line (locking a mutex). As far as simple goes, I think this is the end of the road :-)

Ah OK. Just the one patch is a bit less scary then.

Comment on attachment 9097487 [details]
Bug 1583463 - Lock SourceMediaStream's mMutex also during shutdown. r?padenot

Small fix to prevent a UAF. OK for beta 14 uplift.

Attachment #9097487 - Flags: approval-mozilla-esr68?
Attachment #9097487 - Flags: approval-mozilla-esr68+
Attachment #9097487 - Flags: approval-mozilla-beta?
Attachment #9097487 - Flags: approval-mozilla-beta+
Whiteboard: [adv-main70+][adv-main70-rollup]
Whiteboard: [adv-main70+][adv-main70-rollup] → [adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup]
Flags: qe-verify-
Whiteboard: [adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup] → [adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup][post-critsmash-triage]
Whiteboard: [adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup][post-critsmash-triage] → [adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r][post-critsmash-triage]
Regressions: 1606507
Group: core-security-release
Has Regression Range: --- → yes