Closed Bug 1587248 Opened 4 years ago Closed 4 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:448:9 in mozilla::dom::HTMLMediaElement::MediaStreamRenderer::Start()

Categories

(Core :: WebRTC: Audio/Video, defect, P2)

Product:
Core
Component:
WebRTC: Audio/Video
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla71
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(4 files)

testcase.html
667 bytes, text/html
Details
Bug 1587248 - Add crashtest. r?bryce
47 bytes, text/x-phabricator-request
Details | Review
Bug 1587248 - Remove unnecessary legacy window guard. r?bryce
47 bytes, text/x-phabricator-request
Details | Review
Bug 1587248 - Adequately guard mMediaStreamRenderer usage. r?bryce
47 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 035f52aed442.

==701==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fc6a953990b bp 0x7ffc1a36aa80 sp 0x7ffc1a36a980 T0)
==701==The signal is caused by a READ memory access.
==701==Hint: address points to the zero page.
    #0 0x7fc6a953990a in mozilla::dom::HTMLMediaElement::MediaStreamRenderer::Start() /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:448:9
    #1 0x7fc6a9523284 in mozilla::dom::HTMLMediaElement::UpdateSrcMediaStreamPlaying(unsigned int) /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:4817:27
    #2 0x7fc6a95309d5 in mozilla::dom::HTMLMediaElement::PlayInternal(bool) /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3917:3
    #3 0x7fc6a952f271 in mozilla::dom::HTMLMediaElement::Play(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3831:5
    #4 0x7fc6a87fe303 in play /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLMediaElementBinding.cpp:1236:60
    #5 0x7fc6a87fe303 in mozilla::dom::HTMLMediaElement_Binding::play_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLMediaElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLMediaElementBinding.cpp:1250
    #6 0x7fc6a8a8e2a3 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3250:13
    #7 0x7fc6af6f38cc in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
    #8 0x7fc6af6f38cc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549
    #9 0x7fc6af6dbf50 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:622:10
    #10 0x7fc6af6dbf50 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3111
    #11 0x7fc6af6bd7af in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #12 0x7fc6af6f43d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
    #13 0x7fc6af6f6729 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
    #14 0x7fc6b02a8d1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2722:10
    #15 0x7fc6a85307f2 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:41:8
    #16 0x7fc6a629bfaf in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
    #17 0x7fc6a629b961 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/workspace/build/src/dom/base/TimeoutHandler.cpp:181:29
    #18 0x7fc6a5e56784 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:5922:38
    #19 0x7fc6a6295a7c in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/workspace/build/src/dom/base/TimeoutManager.cpp:892:44
    #20 0x7fc6a62945d5 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:179:11
    #21 0x7fc6a6298476 in Notify /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:246:5
    #22 0x7fc6a6298476 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp
    #23 0x7fc6a1e8e60c in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:564:39
    #24 0x7fc6a1e8ddb9 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:260:11
    #25 0x7fc6a1ebcb04 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:252:22
    #26 0x7fc6a1eb77ff in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:80:15
    #27 0x7fc6a1e6f5b1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #28 0x7fc6a1ea0d79 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #29 0x7fc6a1ea79e8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #30 0x7fc6a30f1954 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:110:5
    #31 0x7fc6a2fea622 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #32 0x7fc6a2fea622 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #33 0x7fc6a2fea622 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #34 0x7fc6ab4ef7a9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #35 0x7fc6af43635f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #36 0x7fc6a2fea622 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #37 0x7fc6a2fea622 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #38 0x7fc6a2fea622 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #39 0x7fc6af435c06 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #40 0x55f4944d9bfa in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #41 0x55f4944d9bfa in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272
    #42 0x7fc6c4f52b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:448:9 in mozilla::dom::HTMLMediaElement::MediaStreamRenderer::Start()
Flags: in-testsuite?
Component: DOM: Core & HTML → Audio/Video

Andreas looks like you have touched that code last, could you have a look at this please?

Flags: needinfo?(apehrson)
Priority: -- → P2
Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Flags: needinfo?(apehrson)
Component: Audio/Video → WebRTC: Audio/Video

It can be unset by NotifyShutdown, to release the VideoFrameContainer in time.
This is unexpected for all paths assuming it will be unset by
EndSrcMediaStreamPlayback().

Depends on D49573

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Pushed by pehrsons@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/643c477a36c0
Add crashtest. r=bryce
https://hg.mozilla.org/integration/autoland/rev/131a93988dcd
Remove unnecessary legacy window guard. r=bryce
https://hg.mozilla.org/integration/autoland/rev/721bbb99b98d
Adequately guard mMediaStreamRenderer usage. r=bryce
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.