Closed Bug 1935079 Opened 2 months ago Closed 2 months ago

Crash in [@ __delayLoadHelper2 | _tailMerge_ole32.dll | (anonymous namespace)::get_default_endpoint((anonymous namespace)::com_ptr<T>&, __MIDL___MIDL_itf_mmdeviceapi_0000_0000_0001, __MIDL___MIDL_itf_mmdeviceapi_0000_0000_0002)]

Categories

(Core :: Audio/Video: cubeb, defect, P3)

Firefox 133
Desktop
Windows 10

Tracking

VERIFIED FIXED
135 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox133 --- unaffected
firefox134 --- verified
firefox135 --- verified

People

(Reporter: bobowen, Assigned: kinetik)

Details

(Keywords: crash)

Attachments

(2 files, 1 obsolete file)

I found this while monitoring the USER_RESTRICTED roll-out.
In Fx133 on crash-stats there are currently 29 crashes from 5 clients, all of which have USER_RESTRICTED.
However, looking back to previous versions we have crashes with both content sandbox level 7 and 8, so it's not clear that this is directly related.
We currently have a rule to allow loads from system32 for the webcodec encoding, so also not clear why it is failing to load.
Loading ole32.dll is not something we want to be doing in the content process.

Crash report: https://crash-stats.mozilla.org/report/index/3a5265ee-fd6a-4fa3-b380-7af090241122

Reason:

FACILITY_VISUALCPP / ERROR_MOD_NOT_FOUND

Top 10 frames:

0  KERNELBASE.dll  RaiseException
1  xul.dll  __delayLoadHelper2(ImgDelayDescr const*, long long (**)())  /builds/worker/workspace/obj-build/toolkit/library/build/D:/a/_work/1/s/src/vctools/delayimp/delayhlp.cpp:301
2  xul.dll  _tailMerge_ole32.dll
3  xul.dll  (anonymous namespace)::get_default_endpoint((anonymous namespace)::com_ptr<IM...  media/libcubeb/src/cubeb_wasapi.cpp:1635
4  xul.dll  wasapi_init(cubeb**, char const*)  media/libcubeb/src/cubeb_wasapi.cpp:1731
5  xul.dll  cubeb_init(cubeb**, char const*, char const*)  media/libcubeb/src/cubeb.c:276
6  xul.dll  mozilla::CubebUtils::GetCubebUnlocked::<lambda_6>::operator()() const  dom/media/CubebUtils.cpp:606
6  xul.dll  mozilla::mscom::EnsureMTA::EnsureMTA(mozilla::CubebUtils::GetCubebUnlocked::<...  ipc/mscom/EnsureMTA.h:66
6  xul.dll  mozilla::CubebUtils::GetCubebUnlocked()  dom/media/CubebUtils.cpp:603
7  xul.dll  mozilla::CubebUtils::InitPreferredSampleRate()  dom/media/CubebUtils.cpp:380

Maybe Matthew has some ideas. Doesn't look serious though.

Flags: needinfo?(kinetik)

These crashes are the result of initializing libcubeb directly in the content process. The default configuration uses remoting (AudioIPC) to deal with this, so these crashes are produced by systems with the media.cubeb.sandbox pref explicitly set to false.

Confirmed with a local test that media.cubeb.sandbox = false produces the same crash stack when opening an audio stream. This pref only exists for debugging purposes and no longer functions with the default content sandbox restrictions, so I think the pref should be removed. It may be useful to retain some other way to disable audio remoting for debugging, but it would need to be tied to lowering the content sandbox level.

Assignee: nobody → kinetik
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(kinetik)
Priority: -- → P3
Hardware: Unspecified → Desktop
Version: unspecified → Firefox 133
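
An added example, not part of the bug thread or of Firefox's code: a Python check that scans a profile's `prefs.js` and `user.js` for an explicit `media.cubeb.sandbox` = false, the non-default setting the comment above identifies as the source of these crashes. The `security.sandbox.content.level` pref and the rule that only an explicit level of 0 means the content sandbox is off are assumptions not stated in the thread, and the sample profile text is constructed.

```python
import re

# One user_pref("name", value); line, the format of prefs.js and user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} for each user_pref() line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unrecognised
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit_profile(prefs_js, user_js=""):
    """Report whether a profile explicitly turns audio remoting off."""
    prefs = parse_prefs(prefs_js)
    prefs.update(parse_prefs(user_js))  # user.js overrides prefs.js at startup
    remoting_off = prefs.get("media.cubeb.sandbox") is False
    level = prefs.get("security.sandbox.content.level")  # None: build default
    # Assumption: only an explicit level of 0 means the content sandbox is off.
    return {
        "remoting_disabled": remoting_off,
        "content_sandbox_level": level,
        "crash_candidate": remoting_off and level != 0,
    }

# Constructed sample profile contents, not taken from any crash report.
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("media.cubeb.sandbox", false);
'''
SAMPLE_USER_JS = 'user_pref("security.sandbox.content.level", 0);\n'

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PREFS_JS))
    print(audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```
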

Thanks for the quick fix kinetik.
I did try flipping that pref, but for me it just broke sound rather than crashed.
To be honest I thought that we would already break with the pref flipped, which is possibly correct in a small number of cases given that we already see this crash even without USER_RESTRICTED.

We're probably only at about 8% roll-out.
Difficult to predict with such small numbers, but it does mean that we could easily see this increase more than 10x.
We're also seeing bug 1929333 despite attempting to block the DLL, so the blocking isn't working all the time.
Given this I'm going to hold the roll-out at 10% for Fx133, so I can continue to monitor.

It would be good to get this uplifted to Beta though, so I can attempt to roll-out again in Fx134.

Forgot to mention that I noticed you have to flip the crash graph settings to "Like Match" to pick up the crashes for some reason.

Pushed by mgregan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1c7e2d98ff28 Ignore `media.cubeb.sandbox` when content sandbox is enabled. r=cubeb-reviewers,pehrsons
Attachment #9442812 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: Crashes for users with audio sandboxing disabled
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: yes
  • Steps to reproduce for manual QE testing: Test Firefox audio with "media.cubeb.sandbox" pref set to both "true" and "false" (must restart Firefox after changing pref)
  • Risk associated with taking this patch: very low
  • Explanation of risk level: only affects users with non-default pref setting
  • String changes made/needed: N/A
  • Is Android affected?: no
Flags: qe-verify+

This just needs a MOZ_SANDBOX ifdef check added, I'll update the patch shortly.

Attachment #9442837 - Flags: approval-mozilla-beta?
Attachment #9442812 - Attachment is obsolete: true
Attachment #9442812 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: crashes for users with audio sandboxing disabled
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: Test audio with "media.cubeb.sandbox" pref set to "true" and "false" (requires Firefox restart)
  • Risk associated with taking this patch: low
  • Explanation of risk level: only affects users with non-default "media.cubeb.sandbox" pref
  • String changes made/needed: N/A
  • Is Android affected?: no
Flags: needinfo?(kinetik)
Blocks: 1403931
Pushed by mgregan@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fb9339c19565 Ignore `media.cubeb.sandbox` when content sandbox is enabled. r=cubeb-reviewers,pehrsons
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → 135 Branch
Attachment #9442837 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
QA Whiteboard: [qa-triaged]

I was able to reproduce the crash on Win11x64 using FF build 135.0a1(20241204092616) and having pref 'media.cubeb.sandbox'=false, while loading reddit.com.
Verified as fixed on Win11x64/Mac 12.6 using FF builds 135.0a1(20241212212433) and 134.b9.

Status: RESOLVED → VERIFIED
Flags: qe-verify+