Closed Bug 1762355 Opened 2 years ago Closed 2 years ago

Crash [@ mozilla::MozPromise::ThenInternal] through [@ mozilla::MediaTransportHandlerSTS::SetIceConfig]

Categories

(Core :: Audio/Video, defect)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
101 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox99 --- wontfix
firefox100 --- wontfix
firefox101 --- fixed

People

(Reporter: decoder, Assigned: decoder)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main101-])

Crash Data

Attachments

(2 files)

In experimental IPC fuzzing, we found the following crash on mozilla-central revision 4d80f4e1809a+:

==1698==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000006c (pc 0x7fffdad20c4b bp 0x7fffb82bb970 sp 0x7fffb82bb8a0 T6)
    #0 0x7fffdad20c4b in mozilla::MozPromise<...>::ThenValueBase>, char const*) dist/include/mozilla/MozPromise.h:935:5
    #1 0x7fffdaa9f5c4 in mozilla::MozPromise<...>::ThenCommand<...>, false>::ThenValue<mozilla::MediaTransportHandlerSTS::SetIceConfig(nsTArray<mozilla::dom::RTCIceServer> const&, mozilla::dom::RTCIceTransportPolicy)::$_1> >::~ThenCommand() dist/include/mozilla/MozPromise.h:983:20
    #2 0x7fffdaa9f5c4 in mozilla::MediaTransportHandlerSTS::SetIceConfig(nsTArray<mozilla::dom::RTCIceServer> const&, mozilla::dom::RTCIceTransportPolicy) dom/media/webrtc/jsapi/MediaTransportHandler.cpp:629:3
    #3 0x7fffdaad5ae9 in mozilla::MediaTransportParent::RecvSetIceConfig(nsTArray<mozilla::dom::RTCIceServer>&&, mozilla::dom::RTCIceTransportPolicy const&) dom/media/webrtc/jsapi/MediaTransportParent.cpp:135:34
    #4 0x7fffda9b4d3c in mozilla::dom::PMediaTransportParent::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PMediaTransportParent.cpp:625:64
    #5 0x7fffcceab84a in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) objdir-ff-asan/ipc/ipdl/PBackgroundParent.cpp:3445:32
    #6 0x7fffcccdb960 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) ipc/glue/MessageChannel.cpp:1830:25
    #7 0x7fffcccd488a in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message&&) ipc/glue/MessageChannel.cpp:1752:9
    #8 0x7fffcccd66d8 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) ipc/glue/MessageChannel.cpp:1474:3
    #9 0x7fffcccd8d00 in mozilla::ipc::MessageChannel::MessageTask::Run() ipc/glue/MessageChannel.cpp:1588:14
    #10 0x7fffc93937ec in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1167:16
    #11 0x7fffc93ae188 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:467:10
    #12 0x7fffcccedc56 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:300:20
    #13 0x7fffcc928f4f in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:331:10
    [...]

It looks like there is simply a MOZ_RELEASE_ASSERT missing, looking at the other methods using mInitPromise. I'll add that. In general, it would of course be nice to have better error handling here, but it doesn't look trivial to do. Leaving s-s until the IPC fuzzing bug is public.

Assignee: nobody → choller
Status: NEW → ASSIGNED
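The fault address in comment 0 (0x6c, a small offset from zero) is consistent with calling Then() on a null mInitPromise: over IPC, the peer (here a fuzzer) chooses the message order, so SetIceConfig can arrive before the message that normally creates the promise. The following is an added stand-alone C++ model of that trust-boundary problem, not Firefox or MozPromise code; the Promise, TransportParentModel and IPCResult types, the method names and the message sequence are all constructed for illustration. It shows the unchecked pattern beside a handler that rejects the out-of-order message; the bug's own fix adds a MOZ_RELEASE_ASSERT instead, which aborts rather than rejects.

```cpp
// Stand-alone model (not Firefox code) of an IPC actor whose message
// handlers depend on a resource that an earlier message must create.
#include <cassert>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for a promise: callbacks chained with Then() run once
// Resolve() is called. Hypothetical type, not mozilla::MozPromise.
class Promise {
 public:
  void Then(std::function<void()> cb) {
    if (mResolved) {
      cb();
    } else {
      mPending.push_back(std::move(cb));
    }
  }
  void Resolve() {
    mResolved = true;
    for (auto& cb : mPending) cb();
    mPending.clear();
  }

 private:
  bool mResolved = false;
  std::vector<std::function<void()>> mPending;
};

// What a Recv* handler reports back to the channel: accept the message,
// or flag a protocol violation so the misbehaving peer is disconnected.
enum class IPCResult { Ok, ProtocolError };

// Parent-side actor. The child process (or a fuzzer speaking the protocol
// directly) picks the order of messages, so every handler must check the
// state that a preceding message was expected to establish.
class TransportParentModel {
 public:
  IPCResult RecvInit() {
    if (mInitPromise) return IPCResult::ProtocolError;  // double init
    mInitPromise = std::make_shared<Promise>();
    return IPCResult::Ok;
  }

  // Checked handler: an out-of-order SetIceConfig is rejected instead of
  // dereferencing the null promise. A release assert is the other option;
  // rejecting keeps the parent process alive.
  IPCResult RecvSetIceConfig(const std::string& server) {
    if (!mInitPromise) return IPCResult::ProtocolError;
    SetIceConfigUnchecked(server);
    return IPCResult::Ok;
  }

  void FinishInit() {
    if (mInitPromise) mInitPromise->Resolve();
  }
  size_t ServerCount() const { return mServers.size(); }

 private:
  // Unchecked form of the crashing pattern: Then() on a pointer that is
  // null until RecvInit has run. Only reachable after the check above.
  void SetIceConfigUnchecked(const std::string& server) {
    mInitPromise->Then([this, server] { mServers.push_back(server); });
  }

  std::shared_ptr<Promise> mInitPromise;  // null until RecvInit
  std::vector<std::string> mServers;
};

// Constructed sequences: the fuzzer's order (SetIceConfig before Init)
// and the legitimate order. Both return true when the actor behaves.
bool OutOfOrderIsRejected() {
  TransportParentModel actor;
  return actor.RecvSetIceConfig("stun:example.invalid") ==
             IPCResult::ProtocolError &&
         actor.ServerCount() == 0;
}

bool InOrderIsAccepted() {
  TransportParentModel actor;
  if (actor.RecvInit() != IPCResult::Ok) return false;
  if (actor.RecvSetIceConfig("stun:example.invalid") != IPCResult::Ok)
    return false;
  actor.FinishInit();  // resolves the promise, running the chained Then()
  return actor.ServerCount() == 1;
}

int main() {
  assert(OutOfOrderIsRejected());
  assert(InOrderIsAccepted());
  return 0;
}
```

The point of the model is the trust boundary: the parent side of an IPDL-style protocol cannot assume the peer followed the intended call sequence, so any member that is populated by one message must be validated (or the protocol must be torn down) before a later message's handler dereferences it.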

Oh, so this is IPC fuzzing, which means you're hitting the API surface directly without going through PeerConnectionImpl?

Flags: needinfo?(choller)

(In reply to Byron Campen [:bwc] from comment #3)

Oh, so this is IPC fuzzing, which means you're hitting the API surface directly without going through PeerConnectionImpl?

Yes.

Flags: needinfo?(choller)
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

The patch landed in nightly and beta is affected.
:decoder, is this bug important enough to require an uplift?
If not, please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(choller)
Flags: needinfo?(choller)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main101-]
Group: core-security-release
