Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:783
Categories
(Core :: WebRTC, defect)
Tracking
()
Version | Tracking | Status |
---|---|---|
firefox-esr102 | --- | unaffected |
firefox113 | --- | unaffected |
firefox114 | --- | wontfix |
firefox115 | --- | verified |
People
(Reporter: tsmith, Assigned: bwc)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker])
Attachments
(3 files)
Found while fuzzing m-c 20230504-f4a38c1b661a (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:783
#0 0x7f35e1cb1168 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:783:3
#1 0x7f35e1cb1168 in mozilla::dom::RTCRtpSender::SyncToJsep(mozilla::JsepTransceiver&) const /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpSender.cpp:1324:33
#2 0x7f35e1c87aad in operator() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:512:18
#3 0x7f35e1c87aad in ApplyToTransceiver<(lambda at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:509:23)> /builds/worker/checkouts/gecko/dom/media/webrtc/jsep/JsepSession.h:136:9
#4 0x7f35e1c87aad in mozilla::dom::RTCRtpTransceiver::SyncToJsep(mozilla::JsepSession&) const /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:508:12
#5 0x7f35e1c85ac8 in mozilla::PeerConnectionImpl::SyncToJsep() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:1360:18
#6 0x7f35e1d02cce in operator() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:1575:9
#7 0x7f35e1d02cce in mozilla::detail::RunnableFunction<mozilla::PeerConnectionImpl::CreateOffer(mozilla::JsepOfferOptions const&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#8 0x7f35dd8b67a7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#9 0x7f35dd8b19aa in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#10 0x7f35dd8b0487 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#11 0x7f35dd8b0805 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#12 0x7f35dd8b9d56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#13 0x7f35dd8b9d56 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#14 0x7f35dd8d012a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#15 0x7f35dd8d674d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#16 0x7f35de517c55 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#17 0x7f35de4397d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#18 0x7f35de4397d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#19 0x7f35e2b7a6f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#20 0x7f35e4e0918b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#21 0x7f35de518b06 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#22 0x7f35de4397d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#23 0x7f35de4397d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#24 0x7f35e4e08a52 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#25 0x55ba52985396 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#26 0x55ba52985396 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#27 0x7f35f1029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#28 0x7f35f1029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#29 0x55ba5295c618 in _start (/home/user/workspace/browsers/m-c-20230509151822-fuzzing-debug/firefox-bin+0x58618) (BuildId: 4a58b5e36378db118e70e2bd49018bcd65bf7e86)
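An added triage example, not part of the original report and not Mozilla's tooling: it parses the first five frames of the trace above, collapses frames that share an address into one physical frame, and picks the first frame outside the exported-header tree as the one to triage. The function names and the header-tree heuristic are assumptions of this example.

```python
import re
from itertools import groupby

# First five frames of the trace above, copied verbatim.
TRACE = """\
#0 0x7f35e1cb1168 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:783:3
#1 0x7f35e1cb1168 in mozilla::dom::RTCRtpSender::SyncToJsep(mozilla::JsepTransceiver&) const /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpSender.cpp:1324:33
#2 0x7f35e1c87aad in operator() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:512:18
#3 0x7f35e1c87aad in ApplyToTransceiver<(lambda at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:509:23)> /builds/worker/checkouts/gecko/dom/media/webrtc/jsep/JsepSession.h:136:9
#4 0x7f35e1c87aad in mozilla::dom::RTCRtpTransceiver::SyncToJsep(mozilla::JsepSession&) const /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:508:12
"""

# "#N 0xPC in <function> <path>:<line>:<col>". The function text can contain
# spaces and even a path (frame #3), so match it greedily up to the last space.
FRAME_RE = re.compile(r"^#(\d+) (0x[0-9a-f]+) in (.+) (\S+):(\d+):(\d+)$")

# Assumption of this example: frames whose source lies in the build's exported
# header tree are inlined helpers (here Maybe.h), not the code to triage.
HEADER_TREE = "/obj-build/dist/include/"

def parse_frames(text):
    """Return one dict per symbolized frame; other lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            n, pc, func, path, lineno, col = m.groups()
            frames.append({"n": int(n), "pc": int(pc, 16), "func": func,
                           "path": path, "line": int(lineno), "col": int(col)})
    return frames

def physical_frames(frames):
    """Group consecutive frames sharing a PC: the symbolizer prints one line
    per inlined call, so each group is a single real stack frame."""
    return [[f["n"] for f in g] for _, g in groupby(frames, key=lambda f: f["pc"])]

def blame_frame(frames):
    """First frame whose source is not under the exported-header tree."""
    return next((f for f in frames if HEADER_TREE not in f["path"]), None)

if __name__ == "__main__":
    frames = parse_frames(TRACE)
    print(physical_frames(frames))
    top = blame_frame(frames)
    print(top["func"], top["path"], top["line"])
```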
Comment 1•1 year ago
Verified bug as reproducible on mozilla-central 20230509215006-44770d5c9e91.
The bug appears to have been introduced in the following build range:
Start: bd107f09ed2dcd61988c23e777d4938e040c013e (20230504142124)
End: 17b2e6c715e0dc097d876a5cd0f4eb7816e7a170 (20230504164242)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bd107f09ed2dcd61988c23e777d4938e040c013e&tochange=17b2e6c715e0dc097d876a5cd0f4eb7816e7a170
Comment 2•1 year ago
Set release status flags based on info from the regressing bug 1830724
:bwc, since you are the author of the regressor, bug 1830724, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 3•1 year ago
This is a release assert, so maybe we can unhide it?
Comment 4•1 year ago (Assignee)
(In reply to Andrew McCreight [:mccr8] from comment #3)
> This is a release assert, so maybe we can unhide it?
Agreed.
Comment 5•1 year ago (Assignee)
Comment 6•1 year ago (Assignee)
This could cause a crash if the timing was just right.
Depends on D177647
Comment 7•1 year ago (Assignee)
Comment 8•1 year ago (Assignee)
Try looks about like usual.
Comment 9•1 year ago (Reporter)
bwc: A friendly reminder so this doesn't get forgotten, it is currently our top fuzzblocker for the DOM fuzzers.
Comment 11•1 year ago
Comment 12•1 year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/b1b84f596747
https://hg.mozilla.org/mozilla-central/rev/86fc44eac540
Comment 13•1 year ago
Bug appears to be fixed on mozilla-central 20230526215433-fc6056442a0f but BugMon was unable to find a usable build for f4a38c1b661a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.