Closed Bug 1783765 Opened 3 years ago Closed 3 years ago

Assertion failure: mUncommittedJsepSession, at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:2416

Categories

(Core :: WebRTC, defect, P2)

Product:
Core
Component:
WebRTC
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
105 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox103 --- unaffected
firefox104 --- unaffected
firefox105 --- verified

People

(Reporter: tsmith, Assigned: bwc)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(5 files)

testcase.html
598 bytes, text/html
Details
Bug 1783765: Test case for bug. r?jib
48 bytes, text/x-phabricator-request
Details | Review
Bug 1783765: Do implicit local offer rollback in sRD(offer) before trying identity stuff. r?jib
48 bytes, text/x-phabricator-request
Details | Review
Bug 1783765: Add a couple of assertions, and loosen the release assert that this bug was about. r?jib
48 bytes, text/x-phabricator-request
Details | Review
Bug 1783765: Make sure we clear out mUncommittedJsepSession when sRD/sLD fails in JS. r?jib
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20220807-328d2ccc6eb9 (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mUncommittedJsepSession, at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:2416

#0 0x7fb0fbbdf2fc in operator() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:2416:9
#1 0x7fb0fbbdf2fc in mozilla::detail::RunnableFunction<mozilla::PeerConnectionImpl::DoSetDescriptionSuccessPostProcessing(mozilla::dom::RTCSdpType, bool, RefPtr<mozilla::dom::Promise> const&)::$_84>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#2 0x7fb0f7b9e58e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#3 0x7fb0f7b76cb9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#4 0x7fb0f7b75843 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#5 0x7fb0f7b75ab3 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#6 0x7fb0f7ba1de6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#7 0x7fb0f7ba1de6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#8 0x7fb0f7b8b6ff in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#9 0x7fb0f7b91d0d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#10 0x7fb0f8766f26 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#11 0x7fb0f868c437 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#12 0x7fb0f868c342 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#13 0x7fb0f868c342 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#14 0x7fb0fc962c58 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#15 0x7fb0fea63cdb in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:877:20
#16 0x7fb0f8767e1a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#17 0x7fb0f868c437 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#18 0x7fb0f868c342 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#19 0x7fb0f868c342 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#20 0x7fb0fea632fc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:736:34
#21 0x55ffc12a1424 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#22 0x55ffc12a1424 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:356:18
#23 0x7fb10e2f7082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#24 0x55ffc12771cc in _start (/home/worker/builds/m-c-20220807214336-fuzzing-debug/firefox-bin+0x161cc) (BuildId: 34463d340880aff9d61f25e3b977b143cfd5fed5)
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/WS5mrfV-P-H8qZbC7opupg/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220808214423-fe257e8499ea.
The bug appears to have been introduced in the following build range:

Start: d2cf2ff27055bfabec354e3acfca59ce4d68ea64 (20220805134817)
End: 113f49c15b47806a1da3a834cca2e3a8ce1cea34 (20220805162407)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d2cf2ff27055bfabec354e3acfca59ce4d68ea64&tochange=113f49c15b47806a1da3a834cca2e3a8ce1cea34

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1769802
Flags: needinfo?(docfaraday)

Set release status flags based on info from the regressing bug 1769802

status-firefox103: --- → unaffected
status-firefox104: --- → unaffected
status-firefox105: --- → affected
status-firefox-esr102: --- → unaffected
status-firefox-esr91: --- → unaffected

Got a crash : https://crash-stats.mozilla.org/report/index/2a0e6595-9a47-4bd3-8c03-1c9ed0220809#tab-bugzilla

Crash Signature: [@ mozilla::detail::RunnableFunction<T>::Run ]

Looking into it.

Assignee: nobody → docfaraday
Flags: needinfo?(docfaraday)

Ugh, some work from bug 1769802 never made it into phabricator somehow.

Actually, no, that's not true. Weird.

Ok, we seem to be getting tied in a knot with implicit local offer rollback due to a sRD(offer), combined with an identity validation failure. Looking for a good fix now.

Severity: -- → S2
Priority: -- → P2

Try looks about like usual.

Pushed by bcampen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/bc8b6bb7f7e1 Test case for bug. r=jib https://hg.mozilla.org/integration/autoland/rev/c5664d69da6e Do implicit local offer rollback in sRD(offer) before trying identity stuff. r=jib https://hg.mozilla.org/integration/autoland/rev/3a19412322b2 Add a couple of assertions, and loosen the release assert that this bug was about. r=jib https://hg.mozilla.org/integration/autoland/rev/82e8c9ab71a3 Make sure we clear out mUncommittedJsepSession when sRD/sLD fails in JS. r=jib,webidl,smaug

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220812214215-fbae7216fa06.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox105: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: