1646743 - AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp in mozilla::MediaTrackGraphImpl::CachedAudioOutputLatency()

Status: VERIFIED FIXED

(Core :: Web Audio, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.zip

Testcase found while fuzzing mozilla-central rev f291dd9e075c.

==13415==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f95255caa30 bp 0x7fff328c2d70 sp 0x7fff328c2ca0 T0)
==13415==The signal is caused by a READ memory access.
==13415==Hint: address points to the zero page.
    #0 0x7f95255caa2f in mozilla::MediaTrackGraphImpl::CachedAudioOutputLatency() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp
    #1 0x7f9525c0f1ea in OutputLatency /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:565:21
    #2 0x7f9525c0f1ea in mozilla::dom::AudioContext::GetOutputTimestamp(mozilla::dom::AudioTimestamp&) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:580:37
    #3 0x7f9522bfc0ba in mozilla::dom::AudioContext_Binding::getOutputTimestamp(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/AudioContextBinding.cpp:336:24
    #4 0x7f9524564e58 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3219:13
    #5 0x7f952ac340ab in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:484:13
    #6 0x7f952ac340ab in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:12
    #7 0x7f952ac36348 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #8 0x7f952ac1ce32 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:643:10
    #9 0x7f952ac1ce32 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3298:16
    #10 0x7f952ac00411 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:456:10
    #11 0x7f952ac3418d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:611:13
    #12 0x7f952ac36348 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:639:10
    #13 0x7f952ac36626 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:656:8
    #14 0x7f952add8d70 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2846:10
    #15 0x7f952415c29e in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:55:8
    #16 0x7f9524c6197d in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #17 0x7f9524c613a4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1082:43
    #18 0x7f9524c62b0a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1279:17
    #19 0x7f9524c50d0f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:355:17
    #20 0x7f9524c4f4ad in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:557:16
    #21 0x7f9524c53a06 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1054:11
    #22 0x7f9524c58739 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #23 0x7f9522ab7afe in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1301:17
    #24 0x7f95225062f7 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4028:28
    #25 0x7f9522506033 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:3998:10
    #26 0x7f95227c8109 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7173:3
    #27 0x7f9522896814 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1185:12
    #28 0x7f9522896814 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1191:12
    #29 0x7f9522896814 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1237:13
    #30 0x7f951e7d7f1d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #31 0x7f951e81308e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
    #32 0x7f951e81e07c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:501:10
    #33 0x7f951fba30cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #34 0x7f951fa805e7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #35 0x7f951fa805e7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #36 0x7f951fa805e7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #37 0x7f9526e0e058 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #38 0x7f952a9c6b56 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #39 0x7f951fa805e7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #40 0x7f951fa805e7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #41 0x7f951fa805e7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #42 0x7f952a9c613f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #43 0x55ffc5d24b43 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #44 0x55ffc5d24b43 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
    #45 0x7f95425efb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp in mozilla::MediaTrackGraphImpl::CachedAudioOutputLatency()

Comment 1

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200618094105-f291dd9e075c.
The bug appears to have been introduced in the following build range:
> Start: d8a19ca3ffd647dcbfdd47a19815cf95e51d6706 (20200613001800)
> End: b9704b943052b901c9fd614a5364dc52e77808a6 (20200613002509)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d8a19ca3ffd647dcbfdd47a19815cf95e51d6706&tochange=b9704b943052b901c9fd614a5364dc52e77808a6

Comment 2

[Paul Adenot (:padenot)]

Attachment: Bug 1646743 - Don't attempt to get the output latency from the graph after and AudioContext has been shutdown. r?karlt

Depends on D80696

Comment 3

[Pulsebot]

Pushed by padenot@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9c66cfdb49c4
Don't attempt to get the output latency from the graph after and AudioContext has been shutdown. r=karlt

Comment 4

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/9c66cfdb49c4

Comment 5

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200703215022-efa2336315ed.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:padenot, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Comment 7

[Paul Adenot (:padenot)]

Comment on attachment 9158828 [details]
Bug 1646743 - Don't attempt to get the output latency from the graph after and AudioContext has been shutdown. r?karlt

Beta/Release Uplift Approval Request

• User impact if declined: Crash of a content process
• Is this code covered by automated tests?: No
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This is just bailing out and returning 0.0 when the AudioContext is known to be in closed state instead of attempting to get the true output latency, that needs to reach out to various objects.
• String changes made/needed: none

Comment 8

[Ryan VanderMeulen [:RyanVM]]

Can we land a test for this?

Comment 9

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9158828 [details]
Bug 1646743 - Don't attempt to get the output latency from the graph after and AudioContext has been shutdown. r?karlt

Approved for 79.0b5.

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/7760ed31c3a3

Comment 11

[Paul Adenot (:padenot)]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)

Can we land a test for this?

The test case is too weird and unreliable to be able to write a test and the amount of work necessary to make it reliable would be too high for the benefit. https://bugzilla.mozilla.org/show_bug.cgi?id=1650413 is a better solution that will make this safer.