Closed Bug 1601430 Opened 5 years ago Closed 3 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h in exposeToActiveJS

Categories

(Core :: WebRTC, defect, P2)

Product:
Core
Component:
WebRTC
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox73 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

testcase.html
506 bytes, text/html
Details
Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 6989fcd6bab3.

==22013==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fed7334c86f bp 0x7fffdc9f6ad0 sp 0x7fffdc9f6aa0 T0)
==22013==The signal is caused by a READ memory access.
==22013==Hint: address points to the zero page.
    #0 0x7fed7334c86e in exposeToActiveJS /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h
    #1 0x7fed7334c86e in get /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:340:5
    #2 0x7fed7334c86e in operator JSObject *const & /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:333:3
    #3 0x7fed7334c86e in PromiseObj /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Promise.h:254:41
    #4 0x7fed7334c86e in mozilla::dom::ToJSValue(JSContext*, mozilla::dom::Promise&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/dom/bindings/ToJSValue.cpp:60:31
    #5 0x7fed71bc5bdb in ToJSValue<mozilla::dom::Promise> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/ToJSValue.h:238:10
    #6 0x7fed71bc5bdb in getStats /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PeerConnectionImplBinding.cpp:334:8
    #7 0x7fed71bc5bdb in mozilla::dom::PeerConnectionImpl_Binding::getStats_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::PeerConnectionImpl*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PeerConnectionImplBinding.cpp:343:13
    #8 0x7fed73318a89 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3153:13
    #9 0x7fed79f0d8ba in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
    #10 0x7fed79f0d8ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549:12
    #11 0x7fed79ef30e8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:622:10
    #12 0x7fed79ef30e8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3118:16
    #13 0x7fed79ed2cdf in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #14 0x7fed79f0de48 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
    #15 0x7fed79f10859 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
    #16 0x7fed7a108f3e in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2752:10
    #17 0x7fed71d45f1f in mozilla::dom::RTCPeerConnectionJSImpl::GetStats(mozilla::dom::MediaStreamTrack*, mozilla::ErrorResult&, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:8471:8
    #18 0x7fed71df4494 in GetStats /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:10409:17
    #19 0x7fed71df4494 in getStats /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:5398:60
    #20 0x7fed71df4494 in mozilla::dom::RTCPeerConnection_Binding::getStats_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::RTCPeerConnection*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:5412:13
    #21 0x7fed73318a89 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3153:13
    #22 0x7fed79f0d8ba in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
    #23 0x7fed79f0d8ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549:12
    #24 0x7fed79ef30e8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:622:10
    #25 0x7fed79ef30e8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3118:16
    #26 0x7fed79ed2cdf in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #27 0x7fed79f0de48 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
    #28 0x7fed79f10859 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
    #29 0x7fed7a108f3e in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2752:10
    #30 0x7fed72c192e8 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #31 0x7fed73a36f00 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #32 0x7fed73a36f00 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1072:43
    #33 0x7fed73a389d3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1270:17
    #34 0x7fed73a1fdc6 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
    #35 0x7fed73a1fdc6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:355:17
    #36 0x7fed73a1dffd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:557:16
    #37 0x7fed73a237cd in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1055:11
    #38 0x7fed73a2a0c9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #39 0x7fed739e68d5 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/DOMEventTargetHelper.cpp:169:17
    #40 0x7fed72dcefa8 in mozilla::dom::EventTarget_Binding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:775:36
    #41 0x7fed7331bec5 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3153:13
    #42 0x7fed79f0d8ba in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
    #43 0x7fed79f0d8ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549:12
    #44 0x7fed79ef30e8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:622:10
    #45 0x7fed79ef30e8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3118:16
    #46 0x7fed79ed2cdf in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #47 0x7fed79f0de48 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
    #48 0x7fed79f10859 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
    #49 0x7fed7a108f3e in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2752:10
    #50 0x7fed71b5b71c in mozilla::dom::PeerConnectionObserverJSImpl::OnStateChange(mozilla::dom::PCObserverStateType, mozilla::ErrorResult&, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PeerConnectionObserverBinding.cpp:2189:8
    #51 0x7fed6f4d266c in mozilla::PeerConnectionImpl::SetSignalingState_m(mozilla::dom::RTCSignalingState, bool) /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:2290:16
    #52 0x7fed6f4d1d16 in mozilla::PeerConnectionImpl::Close() /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:2067:3
    #53 0x7fed71bd1428 in Close /builds/worker/workspace/build/src/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.h:429:38
    #54 0x7fed71bd1428 in mozilla::dom::PeerConnectionImpl_Binding::close(JSContext*, JS::Handle<JSObject*>, mozilla::PeerConnectionImpl*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PeerConnectionImplBinding.cpp:1209:24
    #55 0x7fed73317e6d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3153:13
    #56 0x7fed79f0d8ba in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
    #57 0x7fed79f0d8ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549:12
    #58 0x7fed79ef30e8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:622:10
    #59 0x7fed79ef30e8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3118:16
    #60 0x7fed79ed2cdf in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #61 0x7fed79f0de48 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
    #62 0x7fed79f10859 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
    #63 0x7fed7a108f3e in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2752:10
    #64 0x7fed71d455ad in mozilla::dom::RTCPeerConnectionJSImpl::Close(mozilla::ErrorResult&, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:8426:8
    #65 0x7fed71df3814 in Close /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:10306:17
    #66 0x7fed71df3814 in mozilla::dom::RTCPeerConnection_Binding::close(JSContext*, JS::Handle<JSObject*>, mozilla::dom::RTCPeerConnection*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RTCPeerConnectionBinding.cpp:4409:24
    #67 0x7fed73317e6d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3153:13
    #68 0x7fed79f0d8ba in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
    #69 0x7fed79f0d8ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549:12
    #70 0x7fed79ef30e8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:622:10
    #71 0x7fed79ef30e8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3118:16
    #72 0x7fed79ed2cdf in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #73 0x7fed79f0de48 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
    #74 0x7fed79f10859 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
    #75 0x7fed7a39129d in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.h:103:10
    #76 0x7fed7a39129d in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1813:10
    #77 0x7fed79f0d8ba in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
    #78 0x7fed79f0d8ba in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549:12
    #79 0x7fed79f10859 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
    #80 0x7fed7a108f3e in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2752:10
    #81 0x7fed71ccb1cc in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
    #82 0x7fed6cb47467 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
    #83 0x7fed6cb47467 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104:12
    #84 0x7fed6cb47467 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:208:18
    #85 0x7fed6cb227e4 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:626:17
    #86 0x7fed6cb237ef in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:455:3
    #87 0x7fed6f1923bd in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1329:28
    #88 0x7fed6cd1a301 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1313:24
    #89 0x7fed6cd20a81 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #90 0x7fed6df623ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #91 0x7fed6de6a412 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #92 0x7fed6de6a412 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #93 0x7fed6de6a412 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #94 0x7fed75bc7628 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #95 0x7fed79c8dd76 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:932:20
    #96 0x7fed6de6a412 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #97 0x7fed6de6a412 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #98 0x7fed6de6a412 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #99 0x7fed79c8d5ff in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:767:34
    #100 0x55a5f3fb85cc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #101 0x55a5f3fb85cc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
    #102 0x7fed90009b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #103 0x55a5f3f0d9dc in _start (/home/user/builds/mc-asan/firefox+0x559dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h in exposeToActiveJS
Flags: in-testsuite?

Nico, could you help me triage this? I don't think I understand the domain well enough to know how scary or not the crash is.

Flags: needinfo?(na-g)

This crash is near null so it is probably not exploitable. It looks like this is triggered by calling getStat() from within the signaling state change observer during Close. Byron, does this ring any bells for you?

Flags: needinfo?(na-g) → needinfo?(docfaraday)

I'm pretty sure the work in progress on bug 1591199 fixes this.

Flags: needinfo?(docfaraday)

The attached test case no longer reproduces the issue.

There has been a recent spike in crashes found while fuzzing that are similar to this signature but I'll open a new bug instead of hijacking this one.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: