Closed Bug 1804963 Opened 1 year ago Closed 1 year ago

crash near null in [@ nsIGlobalObject::GetRTPCallerType]

Categories

(Core :: Web Audio, defect)


Tracking


VERIFIED FIXED
110 Branch
Tracking Status
firefox-esr102 --- wontfix
firefox108 --- wontfix
firefox109 --- verified
firefox110 --- verified

People

(Reporter: tsmith, Assigned: karlt)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Found while fuzzing 20221208-5b38548871de (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
==144500==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000e0 (pc 0x7fb4d4804b3e bp 0x7ffc990599d0 sp 0x7ffc990599b0 T0)
==144500==The signal is caused by a READ memory access.
==144500==Hint: address points to the zero page.
    #0 0x7fb4d4804b3e in nsIGlobalObject::GetRTPCallerType() const /builds/worker/checkouts/gecko/dom/base/nsIGlobalObject.cpp:409:7
    #1 0x7fb4d80778b4 in mozilla::dom::AudioContext::CurrentTime() /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:742:61
    #2 0x7fb4d49a6d46 in mozilla::dom::AudioParam::LinearRampToValueAtTime(float, double, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/AudioParam.h:104:54
    #3 0x7fb4d49a69aa in mozilla::dom::AudioParam_Binding::linearRampToValueAtTime(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/AudioParamBinding.cpp:326:77
    #4 0x7fb4d64c0695 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3287:13
    #5 0x7fb4def29eaf in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #6 0x7fb4def29eaf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:547:12
    #7 0x7fb4dfdef2c3 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1591:10
    #8 0x1a7331de8da8  (<unknown module>)
Flags: in-testsuite?
Crash Signature: [@ nsIGlobalObject::GetRTPCallerType]

Hmm, can reproduce in nightly. Hopefully won't be hard to track down. Karl, can you take a look?

Flags: needinfo?(karlt)
Severity: -- → S2

Thank you for the pernosco trace!

The assumption of a non-null GetParentObject() dates back to https://hg.mozilla.org/mozilla-central/rev/8d554870dce84fbcfefd842c235efcaa5aae23db#l1.21, but that would have caused a crash only when "privacy.resistFingerprinting.reduceTimerPrecision.microseconds" or "privacy.resistFingerprinting" were at non-default values.
The crash occurs with default values since https://hg.mozilla.org/mozilla-central/rev/c89df8e0e89db0780aceeb8d1daf62ac9965812a#l1.12

https://treeherder.mozilla.org/jobs?repo=try&revision=674e361c0a7c443b4961dc1d1d508abf191e5550

Assignee: nobody → karlt
Status: NEW → ASSIGNED
Flags: needinfo?(karlt)
Regressed by: 1586761, 1778510
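Added illustrative example, not Gecko code and not the attached patch: a minimal C++ sketch of the pattern described in the comment above (AudioContext::CurrentTime() re-fetching the caller type through GetParentObject() on every call, so a null parent after window teardown is dereferenced) beside the shape of the fix that landed (read the caller type once in the constructor, where the window is known to be non-null, and cache it). The struct names, the RTPCallerType values, the precision-reduction function and its granularities are all assumptions made for the example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Stand-ins for Gecko types. Names, enumerators and numbers below are
// assumptions for illustration, not copied from nsIGlobalObject/AudioContext.
enum class RTPCallerType : uint8_t {
  Normal,
  SystemPrincipal,
  ResistFingerprinting,
  CrossOriginIsolated
};

struct Global {  // plays the role of the owning window's nsIGlobalObject
  RTPCallerType mType;
  RTPCallerType GetRTPCallerType() const { return mType; }
};

// Assumed timer-precision reduction; the real logic lives elsewhere in Gecko.
static double ReduceTimerPrecision(double seconds, RTPCallerType type) {
  if (type == RTPCallerType::SystemPrincipal) return seconds;
  const double granularity =
      type == RTPCallerType::ResistFingerprinting ? 0.1 : 0.001;
  return std::floor(seconds / granularity) * granularity;
}

// Pattern from before the fix: the caller type is looked up through the
// parent on every call. Nothing keeps mParent alive, so once the window is
// gone GetParentObject() is null and the "->" below is the zero-page read
// seen in frame #0 of the ASan report.
struct ContextBefore {
  Global* mParent;
  double mRawTime = 0.0;
  explicit ContextBefore(Global* parent) : mParent(parent) {}
  Global* GetParentObject() const { return mParent; }
  double CurrentTime() const {
    return ReduceTimerPrecision(mRawTime,
                                GetParentObject()->GetRTPCallerType());
  }
};

// Pattern after the fix: the caller type is read once in the constructor,
// where the window is known to be non-null, and cached as a plain value.
// CurrentTime() no longer touches the parent at all.
struct ContextAfter {
  Global* mParent;
  RTPCallerType mRTPCallerType;
  double mRawTime = 0.0;
  explicit ContextAfter(Global* parent)
      : mParent(parent), mRTPCallerType(parent->GetRTPCallerType()) {}
  Global* GetParentObject() const { return mParent; }
  void ParentTornDown() { mParent = nullptr; }  // simulates window teardown
  double CurrentTime() const {
    return ReduceTimerPrecision(mRawTime, mRTPCallerType);
  }
};

// Old pattern with a live parent: works, and is all the tests exercised.
double BeforeWithLiveParent() {
  Global window{RTPCallerType::ResistFingerprinting};
  ContextBefore ctx(&window);
  ctx.mRawTime = 1.23456;
  return ctx.CurrentTime();  // 1.2 (0.1 s granularity, assumed)
}

// New pattern after the parent is gone: the case that crashed before.
bool SurvivesParentTeardown() {
  Global window{RTPCallerType::Normal};
  ContextAfter ctx(&window);
  ctx.mRawTime = 1.23456;
  ctx.ParentTornDown();
  return ctx.GetParentObject() == nullptr &&
         std::fabs(ctx.CurrentTime() - 1.234) < 1e-9;
}

int main() {
  std::printf("before, parent alive: %.3f\n", BeforeWithLiveParent());
  // A ContextBefore whose mParent is null would dereference nullptr in
  // CurrentTime(); it is deliberately not called here.
  std::printf("after, parent torn down: %s\n",
              SurvivesParentTeardown() ? "ok" : "broken");
  return 0;
}
```

The point of the fix shape is that a value derived from an owner which can be detached later (here the window) is captured while the owner is guaranteed alive, so no later call path has to re-validate the pointer.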

Verified bug as reproducible on mozilla-central 20221213165020-300b0ac8eb7b.
The bug appears to have been introduced in the following build range:

Start: 2383d2a30a60e87499a64f3e91e05d16f0802294 (20221129130216)
End: ef54714c8e48232c2786c90ecc29b5fdc58d4e70 (20221129152011)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2383d2a30a60e87499a64f3e91e05d16f0802294&tochange=ef54714c8e48232c2786c90ecc29b5fdc58d4e70

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Pushed by ktomlinson@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/60e0588ec62c
get RTPCallerType in AudioContext constructor where window is known non-null r=padenot
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/37493 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 110 Branch

The patch landed in nightly and beta is affected.
:karlt, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox109 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(karlt)

Comment on attachment 9307930 [details]
Bug 1804963 get RTPCallerType in AudioContext constructor where window is known non-null r?padenot

Beta/Release Uplift Approval Request

  • User impact if declined: Potential crash with some unusual Web Audio usage, which does seem to have happened on Nightly.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Small change. Usual use-cases well covered by tests.
  • String changes made/needed: None.
  • Is Android affected?: Yes
Flags: needinfo?(karlt)
Attachment #9307930 - Flags: approval-mozilla-beta?

Comment on attachment 9307930 [details]
Bug 1804963 get RTPCallerType in AudioContext constructor where window is known non-null r?padenot

Approved for 109.0b4.

Attachment #9307930 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Verified bug as fixed on rev mozilla-central 20221214162411-7ff758e0d08b.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Upstream PR was closed without merging
Upstream PR merged by moz-wptsync-bot