Closed Bug 1766668 Opened 2 years ago Closed 2 years ago

Assertion failure: mState == kJsepStateStable, at /dom/media/webrtc/jsep/JsepSessionImpl.cpp:2403

Categories

(Core :: WebRTC: Signaling, defect, P2)

defect

Tracking

()

RESOLVED DUPLICATE of bug 1769802
Tracking Status
firefox-esr102 --- wontfix
firefox102 --- wontfix
firefox103 --- wontfix
firefox104 --- wontfix
firefox105 --- fixed

People

(Reporter: jkratzer, Assigned: bwc)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])

Crash Data

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 139c89a60b72 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 139c89a60b72 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: mState == kJsepStateStable, at /dom/media/webrtc/jsep/JsepSessionImpl.cpp:2403

    ==1426213==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6c22f60621 bp 0x7fffbab5dd80 sp 0x7fffbab5db90 T1426213)
    ==1426213==The signal is caused by a WRITE memory access.
    ==1426213==Hint: address points to the zero page.
        #0 0x7f6c22f60621 in mozilla::JsepSessionImpl::CheckNegotiationNeeded() const /dom/media/webrtc/jsep/JsepSessionImpl.cpp:2403:3
        #1 0x7f6c22f0fb27 in CheckNegotiationNeeded /dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:990:24
        #2 0x7f6c22f0fb27 in operator() /dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:1282:14
        #3 0x7f6c22f0fb27 in mozilla::detail::RunnableFunction<mozilla::PeerConnectionImpl::UpdateNegotiationNeeded()::$_75>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #4 0x7f6c1efe5e9e in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:467:16
        #5 0x7f6c1efc1283 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:780:26
        #6 0x7f6c1efbfe33 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:612:15
        #7 0x7f6c1efc00a3 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:390:36
        #8 0x7f6c1efeace6 in operator() /xpcom/threads/TaskController.cpp:124:37
        #9 0x7f6c1efeace6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #10 0x7f6c1efd537f in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
        #11 0x7f6c1efdb76d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #12 0x7f6c1fb7c176 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #13 0x7f6c1fa9add7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #14 0x7f6c1fa9ace2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #15 0x7f6c1fa9ace2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #16 0x7f6c23c3cca8 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
        #17 0x7f6c25d5458b in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:870:20
        #18 0x7f6c1fb7d06a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:235:9
        #19 0x7f6c1fa9add7 in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:380:10
        #20 0x7f6c1fa9ace2 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #21 0x7f6c1fa9ace2 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #22 0x7f6c25d53bac in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:729:34
        #23 0x5607a66f9e30 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #24 0x5607a66f9e30 in main /browser/app/nsBrowserApp.cpp:327:18
        #25 0x7f6c353a90b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
        #26 0x5607a66cfbdc in _start (/home/jkratzer/builds/mc-debug/firefox-bin+0x15bdc) (BuildId: 2fcce07dead1e9cf32ea2584da4367d7df857c74)
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/media/webrtc/jsep/JsepSessionImpl.cpp:2403:3 in mozilla::JsepSessionImpl::CheckNegotiationNeeded() const
    ==1426213==ABORTING
Attached file Testcase
Crash Signature: [@ mozilla::JsepSessionImpl::CheckNegotiationNeeded ]
Keywords: crash
Assignee: nobody → docfaraday
Severity: -- → S3
Component: WebRTC → WebRTC: Signaling
Priority: -- → P3

Let's try bugmon again, seems like this should reproduce easily.

Keywords: assertion, bugmon
OS: Linux → Unspecified
Hardware: x86_64 → Unspecified

Non-debug builds crash with:

Hit MOZ_CRASH(Transceivers should not be associated if we're in stable before the first negotiation.) at /builds/worker/checkouts/gecko/dom/media/webrtc/jsep/JsepSessionImpl.cpp:2427

#0 0x7f09d5e6ac80 in mozilla::JsepSessionImpl::CheckNegotiationNeeded() const /gecko/dom/media/webrtc/jsep/JsepSessionImpl.cpp:2425:7
#1 0x7f09d5dce124 in operator() /gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:1297:14
#2 0x7f09d5dce124 in mozilla::detail::RunnableFunction<mozilla::PeerConnectionImpl::UpdateNegotiationNeeded()::$_75>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#3 0x7f09cf170562 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:475:16
#4 0x7f09cf1365b5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:788:26
#5 0x7f09cf133768 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:620:15
#6 0x7f09cf133e90 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:398:36
#7 0x7f09cf1790e4 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
#8 0x7f09cf1790e4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#9 0x7f09cf156f27 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1180:16
#10 0x7f09cf16108c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#11 0x7f09d71788d2 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3073:29)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
#12 0x7f09d71788d2 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&) /gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3072:10
#13 0x7f09d7176709 in mozilla::dom::XMLHttpRequestMainThread::Send(mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /gecko/dom/xhr/XMLHttpRequestMainThread.cpp:2817:5
#14 0x7f09d3a1606b in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/XMLHttpRequestBinding.cpp:1349:24
#15 0x7f09d415339d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3271:13
#16 0x7f09de245b34 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:420:13
#17 0x7f09de245b34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:507:12
#18 0x7f09de232e1e in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
#19 0x7f09de232e1e in CallFromStack /gecko/js/src/vm/Interpreter.cpp:578:10
#20 0x7f09de232e1e in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3314:16
#21 0x7f09de2179a1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:389:13
#22 0x7f09de245c6f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:539:13
#23 0x7f09de2477fa in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
#24 0x7f09de2477fa in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:605:8
#25 0x7f09dcf885f3 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /gecko/js/src/proxy/Wrapper.cpp:166:10
#26 0x7f09dcf597cd in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /gecko/js/src/proxy/CrossCompartmentWrapper.cpp:227:19
#27 0x7f09d0ac39d2 in xpc::JSXrayTraits::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper const&) /gecko/js/xpconnect/wrappers/XrayWrapper.h:216:27
#28 0x7f09dcf71036 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /gecko/js/src/proxy/Proxy.cpp:654:19
#29 0x7f09de245fb3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:487:14
#30 0x7f09de232e1e in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
#31 0x7f09de232e1e in CallFromStack /gecko/js/src/vm/Interpreter.cpp:578:10
#32 0x7f09de232e1e in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3314:16
#33 0x7f09de2179a1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:389:13
#34 0x7f09de245c6f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:539:13
#35 0x7f09de2477fa in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
#36 0x7f09de2477fa in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:605:8
#37 0x7f09dcd0c43c in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1590:10
#38 0x7f09dc943639 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:152:8
#39 0x7f09dcc15a7d in AsyncFunctionPromiseReactionJob /gecko/js/src/builtin/Promise.cpp:2118:10
#40 0x7f09dcc15a7d in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2176:12
#41 0x7f09de245b34 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:420:13
#42 0x7f09de245b34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:507:12
#43 0x7f09de2477fa in InternalCall /gecko/js/src/vm/Interpreter.cpp:574:10
#44 0x7f09de2477fa in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:605:8
#45 0x7f09dc97b80d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
#46 0x7f09d2f59e1c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
#47 0x7f09cef44e87 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:89:12
#48 0x7f09cef44e87 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:102:12
#49 0x7f09cef44e87 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
#50 0x7f09cef248c7 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /gecko/xpcom/base/CycleCollectedJSContext.cpp:674:17
#51 0x7f09d4176e06 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:243:7
#52 0x7f09d4176e06 in mozilla::dom::CallbackObject::CallSetup::~CallSetup() /gecko/dom/bindings/CallbackObject.cpp:393:11
#53 0x7f09d2dd27e2 in mozilla::dom::PeerConnectionObserverJSImpl::OnSetDescriptionSuccess(mozilla::ErrorResult&, JS::Realm*) /builds/worker/workspace/obj-build/dom/bindings/PeerConnectionObserverBinding.cpp:1848:1
#54 0x7f09d5dd4429 in operator() /gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:2448:22
#55 0x7f09d5dd4429 in mozilla::detail::RunnableFunction<mozilla::PeerConnectionImpl::OnSetDescriptionSuccess(mozilla::JsepSdpType, bool)::$_84>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#56 0x7f09cf170562 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:475:16
#57 0x7f09cf1365b5 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:788:26
#58 0x7f09cf133768 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:620:15
#59 0x7f09cf133e90 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:398:36
#60 0x7f09cf1790b1 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
#61 0x7f09cf1790b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#62 0x7f09cf156f27 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1180:16
#63 0x7f09cf16108c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#64 0x7f09d08892df in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
#65 0x7f09d06ff671 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
#66 0x7f09d06ff671 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
#67 0x7f09d06ff671 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
#68 0x7f09d764cc17 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#69 0x7f09dc52859f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:874:20
#70 0x7f09d06ff671 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:380:10
#71 0x7f09d06ff671 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:373:3
#72 0x7f09d06ff671 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:355:3
#73 0x7f09dc52774b in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#74 0x55a6e8dd6c1d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#75 0x55a6e8dd7050 in main /gecko/browser/app/nsBrowserApp.cpp:329:18
#76 0x7f09f4db9082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#77 0x55a6e8d17069 in _start (/home/worker/builds/m-c-20220513160400-fuzzing-asan-opt/firefox+0x5f069) (BuildId: 00a3c126913da39a570fa7f5a8f7c67fb69e600f)

This is one of the top issues the browser fuzzers are hitting currently. Marking as fuzzblocker. Please prioritize appropriately.

Whiteboard: [bugmon:confirm] → [bugmon:confirm][fuzzblocker]

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220516095144-ef95d8712f18.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 5de53d489b7d5613710a40b2c64693dbab31e8ee (20210517094928)
End: 139c89a60b7261a619deb3cb40a997cc6a295ec0 (20220427094429)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)

Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:bisected,confirmed][fuzzblocker]

I'm pretty sure I see the problem here. Once createOffer is done, we have cleared the PC's op chain. When this happens, we run the "update the negotiation-needed flag" logic, which enqueues a task to do the real work. However, the promise for createOffer has already resolved, which can allow a subsequent chained operation (in this case, setRemoteDescription) to start running, which updates the state in the JSEP engine.

There might be a spec bug here (particularly, the "update the negotiation-needed flag" may be racy as currently specified), but I am not sure. I will need some time to think about it. In the meantime, I think it makes sense to replace the MOZ_CRASH with an early return here; if a new JSEP operation has happened and the JSEP engine is not in stable anymore, that means that there will be another chance to update the negotiation needed flag soon.

Ok, there's one more necessary ingredient here. For this to happen, the JSEP sRD has to succeed, but the identity validation step has to fail, resulting in the JSEP engine being in a different state than the PeerConnection.

Depends on: 1769802

Adding ni? as a reminder, since this is one of the most frequent fuzzblockers.

Flags: needinfo?(docfaraday)

:bwc, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(docfaraday)
Severity: S3 → S2
Flags: needinfo?(docfaraday)
Priority: P3 → P2
Keywords: bugmon

Bugmon Analysis
Unable to reproduce bug 1766668 using build mozilla-central 20220427094429-139c89a60b72. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.