Closed Bug 1683489 Opened 4 years ago Closed 3 years ago

Crash in [@ mozilla::ipc::IProtocol::ActorDealloc] from PMediaTransportParent.cpp mozilla::dom::NotReallyMovableButLetsPretendItIsRTCStatsCollection

Categories

(Core :: WebRTC, defect)

RESOLVED INCOMPLETE

People

(Reporter: aryx, Unassigned)

Details

(Keywords: crash, csectype-uaf, sec-high)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/0b6ae5aa-051d-48c5-8830-448270201219

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll mozilla::ipc::IProtocol::ActorDealloc ipc/glue/ProtocolUtils.h:335
1 xul.dll mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy ipc/glue/ProtocolUtils.cpp:277
2 xul.dll std::_Func_impl_no_alloc<`lambda at /builds/worker/workspace/obj-build/ipc/ipdl/PMediaTransportParent.cpp:1116:44', void, const mozilla::dom::NotReallyMovableButLetsPretendItIsRTCStatsCollection&>::_Delete_this vs2017_15.8.4/VC/include/functional:1240
3 xul.dll mozilla::Maybe<`lambda at /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1364:7'>::reset mfbt/Maybe.h:658
4 xul.dll mozilla::MozPromise<mozilla::UniquePtr<mozilla::dom::RTCStatsCollection, mozilla::DefaultDelete<mozilla::dom::RTCStatsCollection> >, nsresult, 1>::ThenValue<`lambda at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/MediaTransportParent.cpp:221:11'>::DoResolveOrRejectInternal xpcom/threads/MozPromise.h:911
5 xul.dll mozilla::MozPromise<CopyableTArray<mozilla::MozPromise<bool, nsresult, 1>::ResolveOrRejectValue>, bool, 1>::ThenValueBase::DoResolveOrReject xpcom/threads/MozPromise.h:597
6 xul.dll mozilla::MozPromise<CopyableTArray<mozilla::MozPromise<bool, nsresult, 1>::ResolveOrRejectValue>, bool, 1>::ThenValueBase::ResolveOrRejectRunnable::Run xpcom/threads/MozPromise.h:476
7 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1200
8 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:332
9 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:327

Summary: Crash in [@ mozilla::ipc::IProtocol::ActorDealloc] → Crash in [@ mozilla::ipc::IProtocol::ActorDealloc] from PMediaTransportParent.cpp mozilla::dom::NotReallyMovableButLetsPretendItIsRTCStatsCollection

Some kind of actor lifetime issue. Nika, does this look like anything that would be helped by some of your actor lifecycle work?

Flags: needinfo?(nika)

Maybe this is a dupe of bug 1683490? Same signature, also crashing on the IPDL background thread. The MozPromise looks different, but maybe it is the same underlying issue.

Flags: needinfo?(nika) → needinfo?(bugmail)

What remains here isn't related to the same issue fixed in bug 1683490. What's left may not be a sec bug at all.

https://crash-stats.mozilla.org/report/index/670cd964-a2b2-459f-9789-2b3b80210413

Depends on: 1683490
Flags: needinfo?(bugmail)
Keywords: stalled
Severity: -- → S3

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:mjf, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mfroman)

This bug is stalled, with no new input in 11 months. I'm closing as incomplete. We can reopen if new crash reports come in.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(mfroman)
Resolution: --- → INCOMPLETE

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: media-core-security