1606507 - crash near null in [@ mozilla::MediaEngineTabVideoSource::Draw]

Status: RESOLVED FIXED

(Core :: WebRTC: Audio/Video, defect, P2)

Description

[Tyson Smith [:tsmith]]

Report from m-c 20191230-03ed5ed6cba7

This is being hit fairly frequently by the fuzzers but it is very difficult to reproduce consistently.

dom/media/webrtc/MediaEngineTabVideoSource.cpp:256:19: runtime error: member call on null pointer of type 'mozilla::MediaTrack'
    #0 0x7f18714072d3 in mozilla::MediaEngineTabVideoSource::Draw() dom/media/webrtc/MediaEngineTabVideoSource.cpp:256:19
    #1 0x7f1869bd76d0 in nsTimerImpl::Fire(int) xpcom/threads/nsTimerImpl.cpp:561:7
    #2 0x7f1869bd71cb in nsTimerEvent::Run() xpcom/threads/TimerThread.cpp:259:11
    #3 0x7f1869be4f54 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1241:14
    #4 0x7f1869beba7e in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #5 0x7f1871a8bb58 in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_7>(mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**)::$_7&&, nsIThread*) objdir-ff-ubsan/dist/include/nsThreadUtils.h:348:25
    #6 0x7f1871a88fc8 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) dom/ipc/ContentChild.cpp:1251:5
    #7 0x7f1871b12aae in mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) dom/ipc/BrowserChild.cpp:936:14
    #8 0x7f18764103f0 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) toolkit/components/windowwatcher/nsWindowWatcher.cpp:804:24
    #9 0x7f187641384d in nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) toolkit/components/windowwatcher/nsWindowWatcher.cpp:375:10
    #10 0x7f186df78193 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, mozilla::dom::BrowsingContext**) dom/base/nsGlobalWindowOuter.cpp:7197:21
    #11 0x7f186df7761c in nsGlobalWindowOuter::OpenJS(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext**) dom/base/nsGlobalWindowOuter.cpp:5740:10
    #12 0x7f186df7743f in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) dom/base/nsGlobalWindowOuter.cpp:5713:12
    #13 0x7f186df1b297 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) dom/base/nsGlobalWindowInner.cpp:3708:3
    #14 0x7f186f3a6dec in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) objdir-ff-ubsan/dom/bindings/WindowBinding.cpp:2643:59
    #15 0x7f186fb9eeda in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:3151:13
    #16 0x7f18767a2262 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:452:13
    #17 0x7f18767a2262 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:544:12
    #18 0x7f18767a329a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:608:10
    #19 0x7f187678cf96 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3037:16
    #20 0x7f1876770615 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:424:10
    #21 0x7f18767a20ed in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:580:13
    #22 0x7f18767a329a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:608:10
    #23 0x7f18767a348d in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) js/src/vm/Interpreter.cpp:625:8
    #24 0x7f1876a11e2b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:2753:10
    #25 0x7f186f858d45 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) objdir-ff-ubsan/dom/bindings/FunctionBinding.cpp:41:8
    #26 0x7f186e2cffbf in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) objdir-ff-ubsan/dist/include/mozilla/dom/FunctionBinding.h:73:12
    #27 0x7f186e2bdff0 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) dom/base/TimeoutHandler.cpp:167:29
    #28 0x7f186df267d4 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) dom/base/nsGlobalWindowInner.cpp:5866:38
    #29 0x7f186e2bb11d in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) dom/base/TimeoutManager.cpp:891:44
    #30 0x7f186e2ba27b in mozilla::dom::TimeoutExecutor::MaybeExecute() dom/base/TimeoutExecutor.cpp:179:11
    #31 0x7f186e2bc524 in mozilla::dom::TimeoutExecutor::Run() dom/base/TimeoutExecutor.cpp:234:5
    #32 0x7f1869c1b643 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() xpcom/threads/ThrottledEventQueue.cpp:252:22
    #33 0x7f1869c0fd1e in mozilla::ThrottledEventQueue::Inner::Executor::Run() xpcom/threads/ThrottledEventQueue.cpp:80:15
    #34 0x7f1869bb281c in mozilla::SchedulerGroup::Runnable::Run() xpcom/threads/SchedulerGroup.cpp:282:20
    #35 0x7f1869be4f54 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1241:14
    #36 0x7f1869beba7e in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #37 0x7f186afeaa9e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:87:21
    #38 0x7f186ae2cc54 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #39 0x7f18723a318a in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:137:27
    #40 0x7f187649e269 in XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:946:20
    #41 0x7f186afec0b1 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:237:9
    #42 0x7f186ae2cc54 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #43 0x7f187649d6b7 in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:781:34
    #44 0x561c165b21c5 in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #45 0x561c165b23ef in main browser/app/nsBrowserApp.cpp:303:18

Comment 1

[Dan Minor [:dminor]]

This probably just needs a check to see if mMainTrack is non-null here [1], but I'm I'm not familiar enough with the code to know if this is a symptom of a deeper problem. :jib, could you please have a look?

[1] https://searchfox.org/mozilla-central/rev/9b99e1d9c6cf83539674cb016c7373f549ba59ca/dom/media/webrtc/MediaEngineTabVideoSource.cpp#256

Comment 2

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Attachment: Bug 1606507 - Null-check on mTrackMain to avoid race.

Comment 3

[Pulsebot]

Pushed by jbruaroey@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/097558e2d628
Null-check on mTrackMain to avoid race. r=dminor

Comment 4

[Noemi Erli[:noemi_erli]]

https://hg.mozilla.org/mozilla-central/rev/097558e2d628

Comment 5

[Ryan VanderMeulen [:RyanVM]]

Not seeing this signature hitting in the wild, so I think we can just let this fix ride the trains. Feel free to nominate for Beta uplift if you feel otherwise, though.

Comment 6

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Yeah that's the right call. Sorry, I should have mentioned this code (tab sharing) is behind a pref (media.getusermedia.browser.enabled).