1764940 - Crash [@ Stopped]

Status: RESOLVED FIXED

(Core :: WebRTC, defect, P1)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 7f6fc25d231f (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 7f6fc25d231f --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

[@ Stopped]

    =================================================================
    ==2378477==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e0 (pc 0x7ff792a54cc3 bp 0x7ffe74df6c90 sp 0x7ffe74df6880 T0)
    ==2378477==The signal is caused by a READ memory access.
    ==2378477==Hint: address points to the zero page.
        #0 0x7ff792a54cc3 in Stopped /dom/media/webrtc/jsapi/TransceiverImpl.h:96:33
        #1 0x7ff792a54cc3 in mozilla::dom::RTCRtpSender::SetParameters(mozilla::dom::RTCRtpParameters const&) /dom/media/webrtc/jsapi/RTCRtpSender.cpp:399:25
        #2 0x7ff78fdb8666 in setParameters /builds/worker/workspace/obj-build/dom/bindings/RTCRtpSenderBinding.cpp:139:60
        #3 0x7ff78fdb8666 in mozilla::dom::RTCRtpSender_Binding::setParameters_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/RTCRtpSenderBinding.cpp:150:13
        #4 0x7ff790e9510a in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3270:13
        #5 0x7ff79aeb35b4 in CallJSNative /js/src/vm/Interpreter.cpp:420:13
        #6 0x7ff79aeb35b4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:507:12
        #7 0x7ff79ae9fcfb in CallFromStack /js/src/vm/Interpreter.cpp:571:10
        #8 0x7ff79ae9fcfb in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3293:16
        #9 0x7ff79ae84df1 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:389:13
        #10 0x7ff79aeb36ef in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:539:13
        #11 0x7ff79aeb52db in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:584:8
        #12 0x7ff7995fd37d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #13 0x7ff790ba5b2d in mozilla::dom::Function::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50:8
        #14 0x7ff78f1b5b21 in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71:12
        #15 0x7ff78f1b5703 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /dom/base/TimeoutHandler.cpp:167:29
        #16 0x7ff78ed23896 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /dom/base/nsGlobalWindowInner.cpp:6390:38
        #17 0x7ff78f1caf99 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /dom/base/TimeoutManager.cpp:902:44
        #18 0x7ff78f1b2145 in mozilla::dom::TimeoutExecutor::MaybeExecute() /dom/base/TimeoutExecutor.cpp:179:11
        #19 0x7ff78f1b2cec in Notify /dom/base/TimeoutExecutor.cpp:246:5
        #20 0x7ff78f1b2cec in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /dom/base/TimeoutExecutor.cpp
        #21 0x7ff78bf3a5bc in operator() /xpcom/threads/nsTimerImpl.cpp:663:44
        #22 0x7ff78bf3a5bc in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:663:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:664:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:667:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:668:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #23 0x7ff78bf3a5bc in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:662:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:663:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:664:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:667:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:668:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #24 0x7ff78bf3a5bc in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:662:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:663:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:664:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:667:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:668:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
        #25 0x7ff78bf3a5bc in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:662:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:663:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:664:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:667:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:668:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #26 0x7ff78bf3a5bc in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:661:22
        #27 0x7ff78bee38cf in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:265:11
        #28 0x7ff78bf1b3f2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /xpcom/threads/ThrottledEventQueue.cpp:254:22
        #29 0x7ff78bf0ebcf in mozilla::ThrottledEventQueue::Inner::Executor::Run() /xpcom/threads/ThrottledEventQueue.cpp:81:15
        #30 0x7ff78bf10a62 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #31 0x7ff78bed706d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #32 0x7ff78bed4568 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
        #33 0x7ff78bed4c99 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #34 0x7ff78bf1d6a4 in operator() /xpcom/threads/TaskController.cpp:127:37
        #35 0x7ff78bf1d6a4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #36 0x7ff78bef73e7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #37 0x7ff78bf0114c in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #38 0x7ff78d611984 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
        #39 0x7ff78d48b971 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #40 0x7ff78d48b971 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #41 0x7ff78d48b971 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #42 0x7ff794311fa7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #43 0x7ff7991a80af in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #44 0x7ff78d48b971 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #45 0x7ff78d48b971 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #46 0x7ff78d48b971 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #47 0x7ff7991a72d3 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
        #48 0x558c2b0b147d in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #49 0x558c2b0b18b0 in main /browser/app/nsBrowserApp.cpp:327:18
        #50 0x7ff7b0c710b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #51 0x558c2b000569 in _start (/home/jkratzer/builds/mc-asan/firefox+0x5e569)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /dom/media/webrtc/jsapi/TransceiverImpl.h:96:33 in Stopped
    ==2378477==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 2

[Mayank Bansal]

got a slightly different crash signature: https://crash-stats.mozilla.org/report/index/f059d19e-d14a-45e8-b2cf-1cfd00220416#tab-bugzilla

Comment 3

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220415213125-86271ddb1099.
The bug appears to have been introduced in the following build range:

Start: 7fac8607d414d792f4530b726f68ad36afb3c545 (20220405212313)
End: 5135fb6675eacd4e4aa46983b4c7821f678544a6 (20220405205608)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7fac8607d414d792f4530b726f68ad36afb3c545&tochange=5135fb6675eacd4e4aa46983b4c7821f678544a6

Comment 4

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Byron, this looks like fallout from the move of RTCRtpSender bits to c++. Can you take a look?

Comment 5

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

I'm raising the severity on all of these to S2 given their potential to introduce intermittent crashes in regular WebRTC calls. Probably the only reason they're not causing more regular crashes in the field, is that sites generally hold onto their peer connections longer. However, trackers may not.

E.g. this one tab-crashed reliably for me with http://jsfiddle.net/jib1/oLpyLn9v/867/ in Nightly without any special address sanitizer flags: bp-8c3a8394-1a27-4eb0-98c5-778d10220418

Comment 6

[Byron Campen [:bwc]]

Attachment: Bug 1764940: Test-case for bug. r?jib

Depends on D144046

Comment 7

[Byron Campen [:bwc]]

The fix for bug 1764933 also fixes this. I still would like to land the test-case though.

Comment 8

[Bugmon [:jkratzer for issues]]

Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220415092909-7f6fc25d231f) but not with tip (mozilla-central 20220422212846-93ecd130a241.)
The bug appears to have been fixed in the following build range:

Start: c61b0792dfa65e79b9781b1eea6dd9d240644e55 (20220420151620)
End: a33cd50e2f73a5626864cd88e14d9fbd2ab158c2 (20220420215300)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c61b0792dfa65e79b9781b1eea6dd9d240644e55&tochange=a33cd50e2f73a5626864cd88e14d9fbd2ab158c2
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 9

[Pulsebot]

Pushed by bcampen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/897ac2ccfba6
Test-case for bug. r=jib

Comment 10

[Marian-Vasile Laza]

https://hg.mozilla.org/mozilla-central/rev/897ac2ccfba6