Closed Bug 1608466 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc:589 in IPC::Channel::Unsound_IsClosed

Categories

(Core :: Audio/Video: GMP, defect)

Product:
Core
Component:
Audio/Video: GMP
Platform:
Unspecified
Windows
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1557739

People

(Reporter: bc, Unassigned)

References

(
URL
)

Details

(Keywords: csectype-uaf)

Attachments

(1 file)

log
57.05 KB, text/plain
Details
Attached file log
  1. https://www.horizon.tv/pl_pl/tv/channel-asset.html/627522599363/location/572226599340.html#action=watch&searchChannel=euro then Shutdown?

Reproduced in Bughunter once on a Windows 10 x86_64 Nightly Debug Asan build. I have not been able to reproduce manually. Filing in case this will help find the problem.

See bug 1478849 for a similar issue.

  1. AddressSanitizer: heap-use-after-free z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc:589 in IPC::Channel::Unsound_IsClosed
    #0 0x7fff76ead568 in IPC::Channel::Unsound_IsClosed z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc:589
    #1 0x7fff76f8b96e in mozilla::ipc::MessageChannel::Clear z:/build/build/src/ipc/glue/MessageChannel.cpp:753
    #2 0x7fff76f8ac73 in mozilla::ipc::MessageChannel::~MessageChannel z:/build/build/src/ipc/glue/MessageChannel.cpp:648
    #3 0x7fff76fb9d3b in mozilla::ipc::IToplevelProtocol::~IToplevelProtocol z:/build/build/src/ipc/glue/ProtocolUtils.cpp:593
    #4 0x7fff7de3527f in mozilla::gmp::GMPContentParent::~GMPContentParent z:/build/build/src/dom/media/gmp/GMPContentParent.cpp:35
    #5 0x7fff7de4e878 in mozilla::gmp::GMPContentParent::Release z:/build/build/src/dom/media/gmp/GMPContentParent.h:25
    #6 0x7fff7de6ad07 in mozilla::gmp::GMPContentParent::CloseBlocker::Release z:/build/build/src/dom/media/gmp/GMPContentParent.h:53
    #7 0x7fff7dec9116 in mozilla::gmp::GeckoMediaPluginService::GetCDM::<unnamed-tag>::operator() z:/build/build/src/dom/media/gmp/GMPService.cpp:248
    #8 0x7fff7dec8374 in mozilla::MozPromise<RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>,mozilla::MediaResult,1>::ThenValue<`lambda at z:/build/build/src/dom/media/gmp/GMPService.cpp:232:11',`lambda at z:/build/build/src/dom/media/gmp/GMPService.cpp:249:11'>::DoResolveOrRejectInternal z:/build/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:727
    #9 0x7fff7de6ca43 in mozilla::MozPromise<RefPtr<mozilla::gmp::GMPContentParent::CloseBlocker>,mozilla::MediaResult,1>::ThenValueBase::ResolveOrRejectRunnable::Run z:/build/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:403
    #10 0x7fff75a3a75a in mozilla::EventTargetWrapper::Runner::Run z:/build/build/src/xpcom/threads/AbstractThread.cpp:113
Group: core-security → media-core-security
Component: IPC → Audio/Video: GMP

Maybe this is something that could be fixed by making the PGMPContent protocol refcounted? It looks like there's a local RefPtr<> inside a closure in GeckoMediaPluginService::GetCDM that is getting Release called on it, but the channel for the GMPContentParent was already destroyed?

Nika, does my comment 1 sound right to you?

Flags: needinfo?(nika)

I'm going to dupe this over to bug 1557739, which looks like the same issue.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(nika)
Group: media-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: