Closed Bug 1990536 Opened 6 months ago Closed 6 months ago

Crash [@ MOZ_CrashSequence]

Categories

(Core :: WebRTC: Audio/Video, defect)

x86_64
Linux
defect

RESOLVED DUPLICATE of bug 1991494
Tracking Status
firefox145 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 7a0ce20629fc (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

    $ pip install fuzzfetch grizzly-framework --upgrade
    $ python -m fuzzfetch --build 7a0ce20629fc --debug --fuzzing -n firefox
    $ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

[@ MOZ_CrashSequence]

    ==2543450==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7cd6776efa4e bp 0x7cd66805a880 sp 0x7cd66805a410 T2543514)
    ==2543450==The signal is caused by a WRITE memory access.
    ==2543450==Hint: address points to the zero page.
        #0 0x7cd6776efa4e in MOZ_CrashSequence /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:248:3
        #1 0x7cd6776efa4e in AssertedCast<int, double> /builds/worker/workspace/obj-build/dist/include/mozilla/Casting.h:256:5
        #2 0x7cd6776efa4e in mozilla::CalculateDesiredSize(mozilla::DesiredSizeInput) /dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:158:17
        #3 0x7cd6776f1f51 in mozilla::MediaEngineRemoteVideoSource::Reconfigure(mozilla::dom::MediaTrackConstraints const&, mozilla::MediaEnginePrefs const&, char const**) /dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:535:26
        #4 0x7cd676f1b2dd in mozilla::LocalMediaDevice::Reconfigure(mozilla::dom::MediaTrackConstraints const&, mozilla::MediaEnginePrefs const&, char const**) /dom/media/MediaManager.cpp:1223:20
        #5 0x7cd677067254 in operator() /dom/media/MediaManager.cpp:4751:21
        #6 0x7cd677067254 in mozilla::detail::ProxyFunctionRunnable<mozilla::DeviceListener::ApplyConstraints(mozilla::dom::MediaTrackConstraints const&, mozilla::dom::CallerType)::$_0, mozilla::MozPromise<bool, RefPtr<mozilla::MediaMgrError>, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1838:29
        #7 0x7cd672ea32b9 in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:275:20
        #8 0x7cd672ec781e in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:450:14
        #9 0x7cd672ebe76a in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1151:16
        #10 0x7cd672ec4d4f in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:462:10
        #11 0x7cd673a9c628 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:299:20
        #12 0x7cd6739f5df1 in RunHandler /ipc/chromium/src/base/message_loop.cc:366:3
        #13 0x7cd6739f5df1 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:348:3
        #14 0x7cd672eba3ce in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:366:10
        #15 0x7cd683d4ca1f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #16 0x7cd683df1aa3 in start_thread ./nptl/pthread_create.c:447:8
        #17 0x7cd683e7ec6b in clone3 ./misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78:0
    
    ==2543450==Register values:
    rax = 0x0000000000000100  rbx = 0x00007cd66805a450  rcx = 0x0000634557c51320  rdx = 0x00007cd683f59563
    rdi = 0x00007cd683f5a700  rsi = 0x0000000000000000  rbp = 0x00007cd66805a880  rsp = 0x00007cd66805a410
     r8 = 0x0000000000000000   r9 = 0x0000000000000003  r10 = 0x0000000000000000  r11 = 0x0000000000000293
    r12 = 0x0000000080000001  r13 = 0x0000000000000280  r14 = 0x0000000000000000  r15 = 0x0000000000000280
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV (/home/jkratzer/builds/m-c-20250924094045-fuzzing-debug/libxul.so+0x8b65a4e) (BuildId: 13a52bcabca4f771d3c4d9719716dbc923453aac)
    ==2543450==ABORTING
Attached file Testcase
Attachment #9515372 - Attachment filename: testcase.html.undefined → testcase.html
Attachment #9515372 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20250924212023-c3628eec879d.
The bug appears to have been introduced in the following build range:

Start: 791aa9e079a26ef1917ec8b83fa2f3c7dde49593 (20250829132804)
End: 0d7ae4c7f831989237613a491b990ff72b57d519 (20250829093033)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=791aa9e079a26ef1917ec8b83fa2f3c7dde49593&tochange=0d7ae4c7f831989237613a491b990ff72b57d519

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

Is that a dupe of bug 1991494?

Flags: needinfo?(jkratzer)

:pascalc, it appears to be. Marking this as a duplicate.

Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1991494
Flags: needinfo?(jkratzer)
Resolution: --- → DUPLICATE

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon