Closed Bug 1972225 Opened 9 months ago Closed 9 months ago

Crash in [@ mozilla::NullPrincipal::Create]

Categories

(Firefox for Android :: Media, defect)

Unspecified
Android
defect

Tracking

VERIFIED FIXED
141 Branch
Tracking Status
firefox139 --- unaffected
firefox140 blocking verified
firefox141 blocking verified

People

(Reporter: dmeehan, Assigned: jhlin)

References

(Regression)

Crash report: https://crash-stats.mozilla.org/report/index/6992aaff-fdc2-4cc2-95c5-2302e0250615

MOZ_CRASH Reason:

MOZ_RELEASE_ASSERT(uri->SchemeIs("moz-nullprincipal"))

Top 10 frames:

0  libxul.so  MOZ_CrashSequence(void*, long)  mfbt/Assertions.h:253
0  libxul.so  mozilla::NullPrincipal::Create(mozilla::OriginAttributes const&, nsIURI*)  caps/NullPrincipal.cpp:60
1  libxul.so  mozilla::HLSDecoder::GetContentPrincipal(nsIURI*)  dom/media/hls/HLSDecoder.cpp:319
2  libxul.so  mozilla::HLSDecoder::UpdateCurrentPrincipal(nsIURI*)  dom/media/hls/HLSDecoder.cpp:288
3  libxul.so  mozilla::HLSDecoder::NotifyLoad(nsTString<char>)  dom/media/hls/HLSDecoder.cpp:265
4  libxul.so  mozilla::HLSResourceCallbacksSupport::OnLoad(mozilla::jni::StringParam const&...  dom/media/hls/HLSDecoder.cpp:75
4  libxul.so  mozilla::detail::RunnableFunction<mozilla::HLSResourceCallbacksSupport::OnLoa...  xpcom/threads/nsThreadUtils.h:548
5  libxul.so  mozilla::RunnableTask::Run()  xpcom/threads/TaskController.cpp:703
5  libxul.so  mozilla::TaskController::RunTask(mozilla::Task*)  xpcom/threads/TaskController.cpp:228
5  libxul.so  mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::det...  xpcom/threads/TaskController.cpp:1252

The crash in Bug 1971809 has been fixed, but there is now a crash spike here.
jolin, could you please take a look? We are in RC week for Fx140, and this blocks Fenix 140 RC1.

Component: General → Media
Flags: needinfo?(jolin)
Regressed by: 1971809
No longer regressed by: CVE-2025-6427
See Also: 19718091814490

Passing the aMediaUri to NullPrincipal::Create was wrong. We should just use nullptr. Do we have zero test coverage for this function?

Keywords: sec-other

Sorry for the trouble. I will upload a patch to remove the aMediaUri argument ASAP.

Flags: needinfo?(jolin)
Assignee: nobody → jolin
Status: NEW → ASSIGNED

Comment on attachment 9494788 [details]
Bug 1972225 - create NullPrincipal without uri.

Beta/Release Uplift Approval Request

  • User impact if declined/Reason for urgency: Fenix could crash when playing HLS contents.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change fixes developer error.
  • String changes made/needed:
  • Is Android affected?: Yes
Attachment #9494788 - Flags: approval-mozilla-beta?

Hi Donal,

I am not familiar enough with the release process and am not sure if requesting beta uplift for this fix is needed or sufficient. Please let me know if you need further action from me. Thanks a lot and sorry again for my mistake.

Flags: needinfo?(dmeehan)

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on beta

For more information, please visit BugBot documentation.

Keywords: topcrash

Comment on attachment 9494788 [details]
Bug 1972225 - create NullPrincipal without uri.

Approved for 140.0 RC1

Flags: needinfo?(dmeehan)
Attachment #9494788 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

We were able to reproduce this crash while navigating to this page https://developer.apple.com/streaming/examples/advanced-stream-hevc.html on Firefox for Android beta 140.0b9 with a Samsung Galaxy A14 (Android 14), Google Pixel 6 (Android 16), and a Google Pixel 8 (Android 15).

Status: ASSIGNED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → 141 Branch

Verified using a page that we managed to reproduce the crash on: https://developer.apple.com/streaming/examples/advanced-stream-hevc.html

The crash no longer happens on the latest Beta 140.0b10 and latest RC 140.0 builds. Also verified on the latest Nightly build: 141.0a1.

There is a visual glitch issue that was separately documented in this ticket.

Devices used:

  • Google Pixel 7 (Android 16);
  • Google Pixel 9 Pro XL (Android 15);
  • Google Pixel 6 (Android 15);
  • Samsung Galaxy S23 Ultra (Android 14);
  • Samsung Galaxy A14 (Android 14);
  • Lenovo TB X606X (Android 10).

Marking the ticket as verified on 140 and 141.

Status: RESOLVED → VERIFIED
See Also: → 1972501
Group: core-security-release