Open
Bug 1655517
Opened 4 years ago
Updated 2 years ago
Assertion failure: !mToken (Must disconnect the listener.), at /builds/worker/workspace/obj-build/dist/include/MediaEventSource.h:273
Categories
(Core :: Audio/Video, defect)
Tracking
()
NEW
| | Tracking | Status |
|---|---|---|
| firefox81 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:confirmed])
Attachments
(1 file)
765 bytes, text/html
Testcase found while fuzzing mozilla-central rev 798bdad605b9 (built with --enable-debug).
Assertion failure: !mToken (Must disconnect the listener.), at /builds/worker/workspace/obj-build/dist/include/MediaEventSource.h:273
==8465==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8ba6c03d15 bp 0x7f8b981292e0 sp 0x7f8b981292c0 T8575)
==8465==The signal is caused by a WRITE memory access.
==8465==Hint: address points to the zero page.
#0 0x7f8ba6c03d14 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:42:19
#1 0x7f8ba6c03d14 in mozilla::MediaEventListener::operator=(mozilla::MediaEventListener&&) /builds/worker/checkouts/gecko/dom/media/MediaEventSource.h:273:5
#2 0x7f8ba6c29d26 in mozilla::MediaDecoderStateMachine::CreateAudioSink() /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:2800:22
#3 0x7f8ba6c28f8a in mozilla::MediaDecoderStateMachine::CreateMediaSink() /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:2823:33
#4 0x7f8ba6c32063 in mozilla::MediaDecoderStateMachine::ResumeMediaSink() /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:3812:16
#5 0x7f8ba6d3493b in applyImpl<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
#6 0x7f8ba6d3493b in apply<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
#7 0x7f8ba6d3493b in mozilla::detail::RunnableMethodImpl<mozilla::MediaDecoderStateMachine*, void (mozilla::MediaDecoderStateMachine::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
#8 0x7f8ba31bfa5c in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:228:35
#9 0x7f8ba31c43a1 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:158:20
#10 0x7f8ba31ded65 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:299:14
#11 0x7f8ba31d68f9 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1234:14
#12 0x7f8ba31dc41a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#13 0x7f8ba3ae9549 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302:20
#14 0x7f8ba3a59733 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
#15 0x7f8ba3a5964d in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
#16 0x7f8ba3a5964d in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
#17 0x7f8ba31d2c8a in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:447:10
#18 0x7f8bbfc3353b in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#19 0x7f8bbf8376da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#20 0x7f8bbe815a3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
UndefinedBehaviorSanitizer can not provide additional info.
Flags: in-testsuite?
Reporter
Comment 1•4 years ago
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200803094100-84b257d07031
> mozilla-central 20200727033000-56082fc4acfa
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Comment 2•4 years ago
A Pernosco session is available here: https://pernos.co/debug/IdosIiQvcyefKqsOa7krOg/index.html
Updated•2 years ago
Severity: normal → S3