crash near null in [@ nsIGlobalObject::GetRTPCallerType]
Categories
(Core :: Web Audio, defect)
Tracking
()
People
(Reporter: tsmith, Assigned: karlt)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(2 files)
|
311 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
Found while fuzzing 20221208-5b38548871de (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==144500==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e0 (pc 0x7fb4d4804b3e bp 0x7ffc990599d0 sp 0x7ffc990599b0 T0)
==144500==The signal is caused by a READ memory access.
==144500==Hint: address points to the zero page.
#0 0x7fb4d4804b3e in nsIGlobalObject::GetRTPCallerType() const /builds/worker/checkouts/gecko/dom/base/nsIGlobalObject.cpp:409:7
#1 0x7fb4d80778b4 in mozilla::dom::AudioContext::CurrentTime() /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:742:61
#2 0x7fb4d49a6d46 in mozilla::dom::AudioParam::LinearRampToValueAtTime(float, double, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/AudioParam.h:104:54
#3 0x7fb4d49a69aa in mozilla::dom::AudioParam_Binding::linearRampToValueAtTime(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/AudioParamBinding.cpp:326:77
#4 0x7fb4d64c0695 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
#5 0x7fb4def29eaf in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
#6 0x7fb4def29eaf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
#7 0x7fb4dfdef2c3 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1591:10
#8 0x1a7331de8da8 (<unknown module>)
|
Reporter | |
Updated•2 years ago
|
|
||
Comment 1•2 years ago
|
||
Hmm, can reproduce in nightly. Hopefully won't be hard to track down. Karl, can you take a look?
|
|
||
Updated•2 years ago
|
|
||
Comment 2•2 years ago
|
||
Pernosco link here. https://pernos.co/debug/JYCI7oKPGCIHua9M2brT1A/index.html#f{m[BZkH,AA_,t[5Q,BLfO_,f{e[BKY2,xG4_,s{afzaI7CAA,bAZA,uEpEBeA,oEpq1FQ___/
Probably just a nullcheck indeed.
|
Assignee | |
Comment 3•2 years ago
|
||
Thank you for the pernosco trace!
The assumption of a non-null GetParentObject() dates back to https://hg.mozilla.org/mozilla-central/rev/8d554870dce84fbcfefd842c235efcaa5aae23db#l1.21, but that would have caused a crash only when "privacy.resistFingerprinting.reduceTimerPrecision.microseconds" or "privacy.resistFingerprinting" were at non-default values.
The crash occurs with default values since https://hg.mozilla.org/mozilla-central/rev/c89df8e0e89db0780aceeb8d1daf62ac9965812a#l1.12
https://treeherder.mozilla.org/jobs?repo=try&revision=674e361c0a7c443b4961dc1d1d508abf191e5550
|
|
Assignee | |
Comment 4•2 years ago
|
||
This is a similar approach to that used in PerformanceMainThread.
https://searchfox.org/mozilla-central/rev/2d24d893669ad0fe8d76b0427b25369d35fcc19b/dom/performance/PerformanceMainThread.cpp#99
|
||
Comment 5•2 years ago
|
||
Verified bug as reproducible on mozilla-central 20221213165020-300b0ac8eb7b.
The bug appears to have been introduced in the following build range:
Start: 2383d2a30a60e87499a64f3e91e05d16f0802294 (20221129130216)
End: ef54714c8e48232c2786c90ecc29b5fdc58d4e70 (20221129152011)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2383d2a30a60e87499a64f3e91e05d16f0802294&tochange=ef54714c8e48232c2786c90ecc29b5fdc58d4e70
Pushed by ktomlinson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/60e0588ec62c get RTPCallerType in AudioContext constructor where window is known non-null r=padenot
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/37493 for changes under testing/web-platform/tests
|
||
Comment 8•2 years ago
|
||
| bugherder | ||
|
||
Comment 9•2 years ago
|
||
The patch landed in nightly and beta is affected.
:karlt, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set
status-firefox109towontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 10•2 years ago
|
||
Comment on attachment 9307930 [details]
Bug 1804963 get RTPCallerType in AudioContext constructor where window is known non-null r?padenot
Beta/Release Uplift Approval Request
- User impact if declined: Potential crash with some unusual Web Audio usage, which does seem to have happened on Nightly.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small change. Usual use-cases well covered by tests.
- String changes made/needed: None.
- Is Android affected?: Yes
|
||
Comment 11•2 years ago
|
||
Comment on attachment 9307930 [details]
Bug 1804963 get RTPCallerType in AudioContext constructor where window is known non-null r?padenot
Approved for 109.0b4.
|
|
||
Comment 12•2 years ago
|
||
| bugherder uplift | ||
|
|
||
Comment 13•2 years ago
|
||
Verified bug as fixed on rev mozilla-central 20221214162411-7ff758e0d08b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Upstream PR was closed without merging
Upstream PR merged by moz-wptsync-bot
Description
•