1679799 - Assertion failure: false (Stopping a started capture failed), at /builds/worker/checkouts/gecko/dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:362

Status: NEW

(Core :: WebRTC: Audio/Video, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev b0865ea58462 (built with --enable-debug).

Assertion failure: false (Stopping a started capture failed), at /builds/worker/checkouts/gecko/dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:362

==27432==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7ff3ecdb6bba bp 0x7ff3d4b24e00 sp 0x7ff3d4b24d40 T29)
==27432==The signal is caused by a WRITE memory access.
==27432==Hint: address points to the zero page.
    #0 0x7ff3ecdb6bba in mozilla::MediaEngineRemoteVideoSource::Stop() /builds/worker/checkouts/gecko/dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:362:5
    #1 0x7ff3ec61776c in Stop /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:1171:19
    #2 0x7ff3ec61776c in operator() /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:4215:13
    #3 0x7ff3ec61776c in mozilla::media::LambdaTask<mozilla::SourceListener::StopTrack(mozilla::MediaTrack*)::$_103>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaTaskUtils.h:32:5
    #4 0x7ff3e6155be5 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:158:20
    #5 0x7ff3e61809ea in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:299:14
    #6 0x7ff3e6171787 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1194:14
    #7 0x7ff3e617c81c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #8 0x7ff3e7471832 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:302:20
    #9 0x7ff3e7368181 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #10 0x7ff3e7368181 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #11 0x7ff3e7368181 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #12 0x7ff3e616a892 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:439:10
    #13 0x7ff40a9a742e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #14 0x7ff40a5e16da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
    #15 0x7ff4095bfa3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:362:5 in mozilla::MediaEngineRemoteVideoSource::Stop()
Thread T29 (MediaSu~isor #1) created by T0 (Web Content) here:
    #0 0x564a539497fa in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7ff40a9976a4 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7ff40a9887ee in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7ff3e616d4bb in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:656:8
    #4 0x7ff3e617ac28 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:640:12
    #5 0x7ff3e6186388 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7ff3e617f2ce in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:152:10
    #7 0x7ff3e617f2ce in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:115:17
    #8 0x7ff3e6181b58 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:350:5
    #9 0x7ff3e6154a22 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:65:26
    #10 0x7ff3e618eca3 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:86:14
    #11 0x7ff3ec3f3a50 in mozilla::MediaManager::Dispatch(already_AddRefed<mozilla::Runnable>) /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:2168:3
    #12 0x7ff3ec3f2de2 in mozilla::MediaManager::EnumerateRawDevices(unsigned long, mozilla::dom::MediaSourceEnum, mozilla::dom::MediaSourceEnum, mozilla::MediaSinkEnum, mozilla::MediaManager::DeviceEnumerationType, mozilla::MediaManager::DeviceEnumerationType, bool, RefPtr<mozilla::media::Refcountable<nsTArray<RefPtr<mozilla::MediaDevice> > > > const&) /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:1958:5
    #13 0x7ff3ec6063a3 in mozilla::MediaManager::EnumerateDevicesImpl(unsigned long, mozilla::dom::MediaSourceEnum, mozilla::dom::MediaSourceEnum, mozilla::MediaSinkEnum, mozilla::MediaManager::DeviceEnumerationType, mozilla::MediaManager::DeviceEnumerationType, bool, RefPtr<mozilla::media::Refcountable<nsTArray<RefPtr<mozilla::MediaDevice> > > > const&)::$_81::operator()(nsTString<char> const&) const /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:3006:25
    #14 0x7ff3ec60554a in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:2994:11), RefPtr<mozilla::MozPromise<bool, RefPtr<mozilla::MediaMgrError>, true> > ((lambda at /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:2994:11)::*)(const nsTString<char> &) const, const nsTString<char> &> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:553:12
    #15 0x7ff3ec60554a in InvokeCallbackMethod<true, (lambda at /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:2994:11), RefPtr<mozilla::MozPromise<bool, RefPtr<mozilla::MediaMgrError>, true> > ((lambda at /builds/worker/checkouts/gecko/dom/media/MediaManager.cpp:2994:11)::*)(const nsTString<char> &) const, const nsTString<char> &, RefPtr<mozilla::MozPromise<bool, RefPtr<mozilla::MediaMgrError>, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:569:14
    #16 0x7ff3ec60554a in mozilla::MozPromise<nsTString<char>, nsresult, false>::ThenValue<mozilla::MediaManager::EnumerateDevicesImpl(unsigned long, mozilla::dom::MediaSourceEnum, mozilla::dom::MediaSourceEnum, mozilla::MediaSinkEnum, mozilla::MediaManager::DeviceEnumerationType, mozilla::MediaManager::DeviceEnumerationType, bool, RefPtr<mozilla::media::Refcountable<nsTArray<RefPtr<mozilla::MediaDevice> > > > const&)::$_81, mozilla::MediaManager::EnumerateDevicesImpl(unsigned long, mozilla::dom::MediaSourceEnum, mozilla::dom::MediaSourceEnum, mozilla::MediaSinkEnum, mozilla::MediaManager::DeviceEnumerationType, mozilla::MediaManager::DeviceEnumerationType, bool, RefPtr<mozilla::media::Refcountable<nsTArray<RefPtr<mozilla::MediaDevice> > > > const&)::$_82>::DoResolveOrRejectInternal(mozilla::MozPromise<nsTString<char>, nsresult, false>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:769:9
    #17 0x7ff3ec6030de in mozilla::MozPromise<nsTString<char>, nsresult, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:410:21
    #18 0x7ff3e61490f9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:450:16
    #19 0x7ff3e6145bb7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:720:26
    #20 0x7ff3e6143af7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:579:15
    #21 0x7ff3e6143f4d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:373:36
    #22 0x7ff3e6150be1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:120:37
    #23 0x7ff3e6150be1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #24 0x7ff3e617161b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1194:14
    #25 0x7ff3e617c81c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #26 0x7ff3e747029f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
    #27 0x7ff3e7368181 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #28 0x7ff3e7368181 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #29 0x7ff3e7368181 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #30 0x7ff3ee1c5047 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #31 0x7ff3f1ee9c2f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #32 0x7ff3e7368181 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #33 0x7ff3e7368181 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #34 0x7ff3e7368181 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #35 0x7ff3f1ee91cc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #36 0x564a5399155d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #37 0x564a53991997 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:304:18
    #38 0x7ff4094bfb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310

Comment 1

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20201130093031-b0865ea58462
mozilla-central 20201130093031-b0865ea58462
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Comment 2

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Assert is here, and Andreas, are you able to intuit anything from this and the test case?

Comment 3

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

It's tempting to make stop idempotent here, if this is stop racing with teardown, and we can learn this is what's happening somehow, but we also don't want to risk leaving capture running on failure...

Comment 4

[Andreas Pehrson [:pehrsons]]

(In reply to Jan-Ivar Bruaroey [:jib] (needinfo? me) from comment #3)

It's tempting to make stop idempotent here, if this is stop racing with teardown, and we can learn this is what's happening somehow, but we also don't want to risk leaving capture running on failure...

Not sure what you mean. Stop is idempotent.

My analysis is in bug 1648368 comment 3. That bug is (most likely) this one in the wild.