Closed Bug 1633493 Opened 5 years ago Closed 5 years ago

Crash [@ EnsureNextIteration]

Categories

(Core :: Audio/Video: MediaStreamGraph, defect, P2)

VERIFIED FIXED
mozilla78
Tracking Status
firefox-esr68 --- unaffected
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- verified

People

(Reporter: jkratzer, Assigned: karlt)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev c9955025d4a5.

==18189==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbaeba1b2f2 bp 0x7fbacfe95ed0 sp 0x7fbacfe95de0 T34)
==18189==The signal is caused by a READ memory access.
==18189==Hint: address points to the zero page.
    #0 0x7fbaeba1b2f1 in EnsureNextIteration /builds/worker/checkouts/gecko/dom/media/MediaTrackGraphImpl.h
    #1 0x7fbaeba1b2f1 in mozilla::SourceMediaTrack::End() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:2752:12
    #2 0x7fbaec1571c5 in mozilla::MediaEngineDefaultAudioSource::Deallocate() /builds/worker/checkouts/gecko/dom/media/webrtc/MediaEngineDefault.cpp:423:13
    #3 0x7fbaeb9babdf in Deallocate /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:1108:19
    #4 0x7fbaeb9babdf in operator() /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:4254:13
    #5 0x7fbaeb9babdf in mozilla::media::LambdaTask<mozilla::SourceListener::StopTrack(mozilla::MediaTrack*)::$_33>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaTaskUtils.h:32:5
    #6 0x7fbae4db04f6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #7 0x7fbae4dbac5c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #8 0x7fbae60c6e8e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302:20
    #9 0x7fbae5fb2127 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #10 0x7fbae5fb2127 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #11 0x7fbae5fb2127 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #12 0x7fbae5fd1aee in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:192:16
    #13 0x7fbae5fc34ec in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #14 0x7fbb0915d6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #15 0x7fbb0813b88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/media/MediaTrackGraphImpl.h in EnsureNextIteration
Thread T34 (MediaManager) created by T0 (file:// Content) here:
    #0 0x562123bd46aa in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7fbae5fbe74c in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7fbae5fbe74c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7fbae5fd12bd in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7fbaeb8d9980 in mozilla::MediaManager::Get() /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:2005:25
    #5 0x7fbaeb75043b in mozilla::dom::MediaDevices::GetUserMedia(mozilla::dom::MediaStreamConstraints const&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/MediaDevices.cpp:66:3
    #6 0x7fbae94fed79 in getUserMedia /builds/worker/workspace/obj-build/dom/bindings/MediaDevicesBinding.cpp:224:60
    #7 0x7fbae94fed79 in mozilla::dom::MediaDevices_Binding::getUserMedia_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/MediaDevicesBinding.cpp:239:13
    #8 0x7fbaeaa31ed5 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3203:13
    #9 0x7fbaf0ff654b in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:493:13
    #10 0x7fbaf0ff654b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585:12
    #11 0x7fbaf0ff879a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:10
    #12 0x7fbaf0fdef9f in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:10
    #13 0x7fbaf0fdef9f in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3323:16
    #14 0x7fbaf0fc231e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:465:10
    #15 0x7fbaf0ff662d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:620:13
    #16 0x7fbaf0ff879a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:648:10
    #17 0x7fbaf0ff8a76 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:665:8
    #18 0x7fbaf119b140 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2833:10
    #19 0x7fbaea626876 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:54:8
    #20 0x7fbaeb11445d in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #21 0x7fbaeb113e84 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1073:43
    #22 0x7fbaeb115587 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1271:17
    #23 0x7fbaeb1038af in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:356:17
    #24 0x7fbaeb10204d in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:558:16
    #25 0x7fbaeb1065d6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1055:11
    #26 0x7fbaed7ce85e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1145:7
    #27 0x7fbaf0330dbb in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5918:20
    #28 0x7fbaf032ff65 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5661:7
    #29 0x7fbaf033599f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #30 0x7fbae7799300 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1345:3
    #31 0x7fbae77982cc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:905:14
    #32 0x7fbae77945a0 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:725:9
    #33 0x7fbae7796dd3 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:613:5
    #34 0x7fbae7797e5c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
    #35 0x7fbae504a187 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:610:22
    #36 0x7fbae504d397 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:517:10
    #37 0x7fbae8cfafaf in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:10723:18
    #38 0x7fbae8cb12e6 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10655:9
    #39 0x7fbae8cd649f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7322:3
    #40 0x7fbae8da5594 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
    #41 0x7fbae8da5594 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1174:12
    #42 0x7fbae8da5594 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1220:13
    #43 0x7fbae4d7795d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #44 0x7fbae4db04f6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1200:14
    #45 0x7fbae4dbac5c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #46 0x7fbae60c50ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #47 0x7fbae5fb2127 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #48 0x7fbae5fb2127 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #49 0x7fbae5fb2127 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #50 0x7fbaed2086c8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #51 0x7fbaf0d95b26 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
    #52 0x7fbae5fb2127 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #53 0x7fbae5fb2127 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #54 0x7fbae5fb2127 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #55 0x7fbaf0d951da in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
    #56 0x562123c1cbd3 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #57 0x562123c1cbd3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #58 0x7fbb0803bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

==18189==ABORTING
Flags: in-testsuite?
Priority: -- → P2
See Also: → 1618444
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200428100141-a99c73301874.
The bug appears to have been introduced in the following build range:
> Start: 6663d3dc883b6ad0d0dfa9346f9ceabf2b2c7967 (20200408033650)
> End: acc1632e35c7afc826d16bea8e1dd812b4f5117c (20200408214238)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6663d3dc883b6ad0d0dfa9346f9ceabf2b2c7967&tochange=acc1632e35c7afc826d16bea8e1dd812b4f5117c

The severity field is not set for this bug.
:achronop, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(achronop)
Severity: normal → S3
Flags: needinfo?(achronop)
Assignee: nobody → karlt
Status: NEW → ASSIGNED
Regressed by: 1586370
Has Regression Range: --- → yes

Same crash caught in pernosco, while trying to reproduce different failures.

Blocks: 1625372

I haven't been able to adjust the testcase to reproduce locally, but with patches for bug 1625372, I've seen this triggered on try under two different tests:
dom/media/tests/mochitest/test_getUserMedia_basicAudio.html
dom/media/tests/mochitest/test_dataChannel_basicAudioVideoNoBundle.html

Most EnsureNextIteration() callers don't need this check, because they are
either on the graph thread or otherwise know the graph has not shut down.
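
A simplified model of the check described in the commit message above, added here as an illustration and not taken from the Gecko patch. All class and member names are hypothetical, and the model assumes forced shutdown releases the object that EnsureNextIteration() dereferences.

```cpp
// Hypothetical model, not Gecko code: names and structure are assumptions.
#include <memory>
#include <mutex>

struct Driver {
  int wakeups = 0;
  void EnsureNextIteration() { ++wakeups; }
};

class Graph {
 public:
  std::mutex mMonitor;
  // Unchecked on purpose: graph-thread callers know the driver is alive.
  void EnsureNextIteration() { mDriver->EnsureNextIteration(); }
  // Both helpers below expect mMonitor to be held by the caller.
  bool IsShutDown() const { return !mDriver; }
  void ForceShutdownLocked() { mDriver.reset(); }
 private:
  std::unique_ptr<Driver> mDriver{new Driver};
};

class SourceTrack {
 public:
  explicit SourceTrack(Graph* aGraph) : mGraph(aGraph) {}
  // Runs on a non-graph thread (the MediaManager thread in the trace), so it
  // cannot assume the graph is still running. Returns true if an iteration
  // was requested.
  bool End() {
    std::lock_guard<std::mutex> lock(mGraph->mMonitor);
    mEnded = true;
    if (mGraph->IsShutDown()) {
      return false;  // without this check the next line reads through null
    }
    mGraph->EnsureNextIteration();
    return true;
  }
  bool Ended() const { return mEnded; }
 private:
  Graph* mGraph;
  bool mEnded = false;
};

int main() {
  Graph graph;
  SourceTrack live(&graph), late(&graph);
  bool before = live.End();
  { std::lock_guard<std::mutex> lock(graph.mMonitor); graph.ForceShutdownLocked(); }
  bool after = late.End();
  return (before && !after && late.Ended()) ? 0 : 1;
}
```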

(Regression in 73, wontfix 77, the fix can ride the 78 train)

Pushed by ktomlinson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/55a7262c0f6d
don't EnsureNextIteration() in SourceMediaTrack::End() after forced shutdown r=padenot
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
Status: RESOLVED → VERIFIED
Keywords: bugmon
Bugmon Analysis: Verified bug as fixed on rev mozilla-central 20200527161431-a1dd9afbfdf5. Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Blocks: 1642849
No longer blocks: 1625372