Closed Bug 1819130 Opened 2 years ago Closed 2 years ago

Assertion failure: mForceSilence, at /builds/worker/checkouts/gecko/dom/media/webrtc/transportbridge/MediaPipeline.cpp:1294

Categories

(Core :: WebRTC: Signaling, defect, P2)

Product:
Core
Component:
WebRTC: Signaling
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox110 --- unaffected
firefox111 --- fixed
firefox112 --- verified

People

(Reporter: tsmith, Assigned: pehrsons)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(3 files)

testcase.html
422 bytes, text/html
Details
Bug 1819130 - Add audio case to crashtest. r?bwc!
48 bytes, text/x-phabricator-request
Details | Review
Bug 1819130 - For audio remove assertion assuming a non-private->private principal is the result of a network privacy request. r?bwc!
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
Details | Review
Attached file testcase.html

Found while fuzzing m-c 20230209-0d8b0133822d (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: mForceSilence, at /builds/worker/checkouts/gecko/dom/media/webrtc/transportbridge/MediaPipeline.cpp:1294

#0 0x7fa09f4774c4 in mozilla::MediaPipelineReceiveAudio::PipelineListener::SetPrivatePrincipal(nsMainThreadPtrHandle<nsIPrincipal>) /builds/worker/checkouts/gecko/dom/media/webrtc/transportbridge/MediaPipeline.cpp:1294:5
#1 0x7fa09f4772a9 in mozilla::MediaPipelineReceiveAudio::SetPrivatePrincipal(nsMainThreadPtrHandle<nsIPrincipal>) /builds/worker/checkouts/gecko/dom/media/webrtc/transportbridge/MediaPipeline.cpp:1467:16
#2 0x7fa09f3140c2 in UpdatePrincipalPrivacy /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpReceiver.cpp:827:14
#3 0x7fa09f3140c2 in mozilla::dom::RTCRtpTransceiver::UpdatePrincipalPrivacy(mozilla::PrincipalPrivacy) /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:410:14
#4 0x7fa09f308624 in mozilla::PeerConnectionImpl::UpdateMediaPipelines() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:3715:18
#5 0x7fa09f3744e5 in operator() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:2693:15
#6 0x7fa09f3744e5 in mozilla::detail::RunnableFunction<mozilla::PeerConnectionImpl::DoSetDescriptionSuccessPostProcessing(mozilla::dom::RTCSdpType, bool, RefPtr<mozilla::dom::Promise> const&)::$_88>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#7 0x7fa09af28c05 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541:16
#8 0x7fa09af23d58 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855:26
#9 0x7fa09af2292a in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686:15
#10 0x7fa09af22c85 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
#11 0x7fa09af2c6b6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
#12 0x7fa09af2c6b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
#13 0x7fa09af42777 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225:16
#14 0x7fa09af48c2d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
#15 0x7fa09bb971a3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#16 0x7fa09bab8fb8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#17 0x7fa09bab8ec1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#18 0x7fa09bab8ec1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#19 0x7fa0a0244e68 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#20 0x7fa0a24c823b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:20
#21 0x7fa09bb98069 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#22 0x7fa09bab8fb8 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#23 0x7fa09bab8ec1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#24 0x7fa09bab8ec1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#25 0x7fa0a24c7d98 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:675:34
#26 0x5635fb44dd80 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#27 0x5635fb44dd80 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
#28 0x7fa0aeb51d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#29 0x7fa0aeb51e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#30 0x5635fb4243e8 in _start (/home/user/workspace/browsers/m-c-20230227092207-fuzzing-debug/firefox-bin+0x5b3e8) (BuildId: 35f67b512bd2b6ddfcb1f87c1e5ec05318defd2a)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230227214733-226423354980.
Unable to bisect testcase (Unable to launch the start build!):

Start: 824a733ba426052574c05117f6f77eb89dfd2f13 (20220301094029)
End: 0d8b0133822d3dcd3120a681c4a71916e15507db (20230209213208)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)

Whiteboard: [bugmon:bisected,confirmed]

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/21a43fbc-c699-4969-85e4-8d4320230228

Crash Signature: [@ mozilla::MediaPipelineReceiveAudio::PipelineListener::SetPrivatePrincipal ]
Keywords: crash

It looks like this is new code added in Bug 1813468. Andreas, can you please take a look?

Severity: -- → S3
Flags: needinfo?(apehrson)
Priority: -- → P2

This is the audio variant of bug 1816708.

Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Flags: needinfo?(apehrson)
Severity: S3 → S4
Pushed by pehrsons@gmail.com: https://hg.mozilla.org/integration/autoland/rev/6a95f72242b6 Add audio case to crashtest. r=bwc https://hg.mozilla.org/integration/autoland/rev/0681bdf9275f For audio remove assertion assuming a non-private->private principal is the result of a network privacy request. r=bwc
Regressions: 1819674

https://hg.mozilla.org/mozilla-central/rev/6a95f72242b6
https://hg.mozilla.org/mozilla-central/rev/0681bdf9275f

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox112: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
status-firefox110: --- → unaffected
status-firefox111: --- → affected
status-firefox-esr102: --- → unaffected
Keywords: regression
Regressed by: 1813468
See Also: → 1816708

Comment on attachment 9320522 [details]
Bug 1819130 - For audio remove assertion assuming a non-private->private principal is the result of a network privacy request. r?bwc!

Beta/Release Uplift Approval Request

  • User impact if declined: potential fuzzblocker (identical to bug 1816708 except this is for audio)
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): trivial, removes an assertion so does not affect release
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9320522 - Flags: approval-mozilla-beta?

Verified bug as fixed on rev mozilla-central 20230302045723-da5d9cb0388f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox112: fixedverified
Keywords: bugmon

Comment on attachment 9320522 [details]
Bug 1819130 - For audio remove assertion assuming a non-private->private principal is the result of a network privacy request. r?bwc!

Approved for 111.0b8

Attachment #9320522 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: