Closed Bug 1832176 Opened 1 year ago Closed 1 year ago

Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:783

Categories: Core :: WebRTC, defect

Tracking: RESOLVED FIXED, 115 Branch
Tracking Status:
firefox-esr102 --- unaffected
firefox113 --- unaffected
firefox114 --- wontfix
firefox115 --- verified

People: Reporter: tsmith, Assigned: bwc

References: Blocks 1 open bug, Regression

Details: Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][fuzzblocker]

Attachments: 3 files

Attached file testcase.html

Found while fuzzing m-c 20230504-f4a38c1b661a (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: isSome(), at /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:783

#0 0x7f35e1cb1168 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:783:3
#1 0x7f35e1cb1168 in mozilla::dom::RTCRtpSender::SyncToJsep(mozilla::JsepTransceiver&) const /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpSender.cpp:1324:33
#2 0x7f35e1c87aad in operator() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:512:18
#3 0x7f35e1c87aad in ApplyToTransceiver<(lambda at /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:509:23)> /builds/worker/checkouts/gecko/dom/media/webrtc/jsep/JsepSession.h:136:9
#4 0x7f35e1c87aad in mozilla::dom::RTCRtpTransceiver::SyncToJsep(mozilla::JsepSession&) const /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/RTCRtpTransceiver.cpp:508:12
#5 0x7f35e1c85ac8 in mozilla::PeerConnectionImpl::SyncToJsep() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:1360:18
#6 0x7f35e1d02cce in operator() /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/PeerConnectionImpl.cpp:1575:9
#7 0x7f35e1d02cce in mozilla::detail::RunnableFunction<mozilla::PeerConnectionImpl::CreateOffer(mozilla::JsepOfferOptions const&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#8 0x7f35dd8b67a7 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16
#9 0x7f35dd8b19aa in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26
#10 0x7f35dd8b0487 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:702:15
#11 0x7f35dd8b0805 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36
#12 0x7f35dd8b9d56 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37
#13 0x7f35dd8b9d56 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#14 0x7f35dd8d012a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
#15 0x7f35dd8d674d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#16 0x7f35de517c55 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#17 0x7f35de4397d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#18 0x7f35de4397d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#19 0x7f35e2b7a6f8 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#20 0x7f35e4e0918b in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
#21 0x7f35de518b06 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#22 0x7f35de4397d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#23 0x7f35de4397d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#24 0x7f35e4e08a52 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
#25 0x55ba52985396 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#26 0x55ba52985396 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#27 0x7f35f1029d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#28 0x7f35f1029e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#29 0x55ba5295c618 in _start (/home/user/workspace/browsers/m-c-20230509151822-fuzzing-debug/firefox-bin+0x58618) (BuildId: 4a58b5e36378db118e70e2bd49018bcd65bf7e86)
Flags: in-testsuite?

Verified bug as reproducible on mozilla-central 20230509215006-44770d5c9e91.
The bug appears to have been introduced in the following build range:

Start: bd107f09ed2dcd61988c23e777d4938e040c013e (20230504142124)
End: 17b2e6c715e0dc097d876a5cd0f4eb7816e7a170 (20230504164242)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bd107f09ed2dcd61988c23e777d4938e040c013e&tochange=17b2e6c715e0dc097d876a5cd0f4eb7816e7a170

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1830724

Set release status flags based on info from the regressing bug 1830724

:bwc, since you are the author of the regressor, bug 1830724, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(docfaraday)
Assignee: nobody → docfaraday
Flags: needinfo?(docfaraday)

This is a release assert, so maybe we can unhide it?

(In reply to Andrew McCreight [:mccr8] from comment #3)

> This is a release assert, so maybe we can unhide it?

Agreed.

Group: media-core-security

This could cause a crash if the timing was just right.

Depends on D177647

Attachment #9332660 - Attachment description: Bug 1832176: Fix bug where we could set mPendingRidChangeFromCompatMode without sett mPendingParameters. r?jib → Bug 1832176: Fix bug where we could set mPendingRidChangeFromCompatMode without setting mPendingParameters. r?jib
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed][fuzzblocker]
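The attachment description names the defect: a flag (mPendingRidChangeFromCompatMode) could be set while the paired Maybe<> payload (mPendingParameters) was left empty, and RTCRtpSender::SyncToJsep then dereferenced the empty Maybe, hitting the isSome() release assertion in the trace. The block below is an added illustration of that bug class and is not Gecko code or the patch from this bug; struct and field names are constructed stand-ins, and std::optional stands in for mozilla::Maybe. It shows the split-state shape that allows the inconsistent state, and a joint-state shape that makes "flag set, payload missing" unrepresentable.

```cpp
// Added illustration (not Gecko code) of the bug class in this report: a
// "pending change" boolean that must only ever be true while a paired
// optional payload is present. All names are constructed stand-ins.
#include <cstddef>
#include <optional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for the RTP send parameters the real code keeps.
struct RtpParams {
  std::vector<std::string> rids;
};

// Shape of the defect: the flag and the payload live in two fields, so a
// code path can flip the flag without filling the payload.
struct SenderSplitState {
  bool pendingRidChange = false;           // stand-in for the compat-mode flag
  std::optional<RtpParams> pendingParams;  // stand-in for the Maybe<> payload

  void setPending(RtpParams p) {
    pendingParams = std::move(p);
    pendingRidChange = true;
  }
  // The slip: flag raised, payload never stored.
  void markRidChangeOnly() { pendingRidChange = true; }

  // Sync path: trusts the flag and dereferences the payload. mozilla::Maybe's
  // operator-> release-asserts isSome(); std::optional's operator-> is
  // undefined on an empty value, so the check is made explicit here to keep
  // the demonstration well-defined.
  std::size_t syncRidCount() const {
    if (!pendingRidChange) return 0;
    if (!pendingParams.has_value())
      throw std::logic_error("pendingRidChange set without pendingParams");
    return pendingParams->rids.size();
  }
};

// Hardened shape: one optional holds both the payload and the reason it is
// pending, so "flag set, payload missing" cannot be expressed at all.
struct SenderJointState {
  struct Pending {
    RtpParams params;
    bool fromCompatMode;
  };
  std::optional<Pending> pending;

  void setPending(RtpParams p, bool fromCompatMode) {
    pending = Pending{std::move(p), fromCompatMode};
  }
  std::size_t syncRidCount() const {
    return pending ? pending->params.rids.size() : 0;
  }
};

// Drives the split-state version down the bad path; returns true if the
// invariant check fired (the analogue of the isSome() assertion in the trace).
bool splitStateTripsAssertion() {
  SenderSplitState s;
  s.markRidChangeOnly();
  try {
    (void)s.syncRidCount();
  } catch (const std::logic_error&) {
    return true;
  }
  return false;
}

// Same kind of update against the joint-state version: the payload and the
// reason travel together, so the sync path has nothing to assert on.
std::size_t jointStateRidCount() {
  SenderJointState s;
  s.setPending(RtpParams{{"hi", "lo"}}, /*fromCompatMode=*/true);
  return s.syncRidCount();
}

int main() {
  return (splitStateTripsAssertion() && jointStateRidCount() == 2) ? 0 : 1;
}
```

The release assertion in mozilla::Maybe is what turned this from undefined behaviour into a deterministic crash that the fuzzer could catch; the joint-state shape removes the need for the runtime check by encoding the invariant in the type.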

Try looks about like usual.

bwc: A friendly reminder so this doesn't get forgotten, it is currently our top fuzzblocker for the DOM fuzzers.

Flags: needinfo?(docfaraday)

^

Flags: needinfo?(docfaraday) → needinfo?(jib)
Flags: needinfo?(jib)
Pushed by bcampen@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b1b84f596747
Test-case for bug. r=jib
https://hg.mozilla.org/integration/autoland/rev/86fc44eac540
Fix bug where we could set mPendingRidChangeFromCompatMode without setting mPendingParameters. r=jib
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

Bug appears to be fixed on mozilla-central 20230526215433-fc6056442a0f but BugMon was unable to find a usable build for f4a38c1b661a.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
