Crash in [@ mozilla::dom::MediaKeySystemAccessManager::CheckDoesWindowSupportProtectedMedia]
Categories
(Core :: Audio/Video: GMP, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox72 | --- | wontfix |
| firefox73 | --- | verified |
| firefox74 | --- | fixed |
People
(Reporter: philipp, Assigned: thomasmo)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
This bug is for crash report bp-32f05d12-ef37-4cc8-bfcb-f117d0200109.
Top 10 frames of crashing thread:
0 xul.dll void mozilla::dom::MediaKeySystemAccessManager::CheckDoesWindowSupportProtectedMedia dom/media/eme/MediaKeySystemAccessManager.cpp:137
1 xul.dll mozilla::dom::MediaKeySystemAccessManager::Request dom/media/eme/MediaKeySystemAccessManager.cpp:119
2 xul.dll mozilla::dom::Navigator::RequestMediaKeySystemAccess dom/base/Navigator.cpp:1968
3 xul.dll static bool mozilla::dom::Navigator_Binding::requestMediaKeySystemAccess_promiseWrapper dom/bindings/NavigatorBinding.cpp:2070
4 xul.dll mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises> dom/bindings/BindingUtils.cpp:3153
5 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:548
6 xul.dll static bool Interpret js/src/vm/Interpreter.cpp:3117
7 xul.dll static bool js::RunScript js/src/vm/Interpreter.cpp:423
8 xul.dll js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:589
9 xul.dll static bool js::jit::InvokeFunction js/src/jit/VMFunctions.cpp:261
this low volume crash signature is starting to show up in firefox 72, with MOZ_CRASH(BrowserChild should only be unavailable with e10s off) that was added in bug 1594794.
|
||
Comment 1•6 years ago
|
||
Thomas or Bryce, do one of you have cycles to look at this new crash appearing in Fx72?
I don't have a lot of cycles at the moment. Thomas, do you have time to look further into this?
My thoughts based on looking at a few reports and the crash site:
browseris null.- Our assumption is this should only be the case in non-e10s mode. However, we appear to be hitting the crash in e10s builds based upon the reports.
- There is something else that leads to
browserbeing null. It's not clear to me what. I wonder if we're racing the request against destroying the the window/tab the request came from.
Yes-- I can take a look for now
The crash metadata indicates that it is a content process and that e10s is on, so I agree that this could be a race.
@bz, Any initial guesses as to how we end up with !browser?
|
||
Comment 4•6 years ago
|
||
Hmm. So I thought I'd checked BrowserChild::GetFrom for being able to return null, but clearly I hadn't. It can absolutely return null if the window has been removed from its docshell.
I suspect something like this will crash on Windows:
<iframe></iframe>
<script>
var i = document.querySelector("iframe");
var nav = i.contentWindow.navigator;
i.remove();
nav.requestMediaKeySystemAccess("", []);
</script>
Yes-- can confirm that the above repro hits the crash!
Working on a fix
|
||
Updated•6 years ago
|
This changes fixes a failfast in a call to Navigator.requestMediaKeySystemAccess for the case where there is no browser available from a window when e10s is on. This can happen when a document is disconnected from the DOM.
The fix is to reject the promise in this case.
|
||
Updated•6 years ago
|
|
Reporter | |
Comment 7•6 years ago
|
||
the signature is spiking up in volume during the past 48 hours on release.
|
||
Comment 9•6 years ago
|
||
Backed out changeset b71a801eabd4 (Bug 1608286) on tmo's request
Backout link: https://hg.mozilla.org/integration/autoland/rev/c17aeb197b4b77cca7ac857a499263e621f64632
|
||
Comment 10•6 years ago
|
||
There's some discussion on the review that I think is worth distilling out here: the EME spec is not clear about what should be done if we're requesting media keysystem access in certain scenarios, like the one that arises from the code in comment 4. Thomas has created bug 1610866 to follow up around getting a consistent behaviour specified.
|
||
Comment 12•6 years ago
|
||
| bugherder | ||
|
|
||
Comment 13•6 years ago
|
||
Please nominate this for Beta approval when you get a chance. It grafts cleanly as-landed.
|
Assignee | |
Comment 14•6 years ago
|
||
Comment on attachment 9121061 [details]
Bug 1608286 - Crash in [@ mozilla::dom::MediaKeySystemAccessManager::CheckDoesWindowSupportProtectedMedia]
Beta/Release Uplift Approval Request
- User impact if declined: If declined, tabs crash in the bug's scenario. Crash hits started trending up recently.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce: If manual testing performed, crash test added here: https://searchfox.org/mozilla-central/source/dom/media/test/crashtests/1608286.html
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): TL;DR: The risk is with site compat; where the behavior would have been to either crash, the promise is now rejected.
This crash is a release assert, introduced in Bug 1594794 (Fx 72), to catch what was originally thought to be an unsupported condition. The unsupported condition is to call Navigator.requestMediaKeySystemAccess with a document that is disconnected from the DOM.
Bug 1594794 fixes a regression from Bug 1581855, in which case there would have been a NULL crash in the repro from both this bug and 1594794. Prior to the work in Bug 1581855 (< Fx71), the result was to not resolve the promise at all.
The risk, then, is that sites that provided a callback for rejection will execute code that hadn't before in this condition (which would be a crashed tab otherwise).
- String changes made/needed:
|
|
||
Comment 15•6 years ago
|
||
Comment on attachment 9121061 [details]
Bug 1608286 - Crash in [@ mozilla::dom::MediaKeySystemAccessManager::CheckDoesWindowSupportProtectedMedia]
Fixes a crash spiking in Fx72. Approved for 73.0b10.
|
||
Comment 16•6 years ago
|
||
| bugherder uplift | ||
|
||
Updated•6 years ago
|
Description
•