Closed Bug 1991492 Opened 6 months ago Closed 6 months ago

Crash [@ linux-gate.so.1+0x579]

Categories

(Core :: WebRTC, defect, P2)

Product:
Core
Component:
WebRTC
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
145 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr140 --- unaffected
firefox143 --- unaffected
firefox144 --- fixed
firefox145 --- verified

People

(Reporter: jkratzer, Assigned: pehrsons)

References

(Blocks 1 open bug, Regressed 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Crash Data

Attachments

(7 files)

Testcase
408 bytes, text/html
Details
Bug 1991492 - Add crashtests. r?jib
48 bytes, text/x-phabricator-request
Details | Review
Bug 1991492 - In MERVS::ChooseCapability check for invalid constraints. r?jib
48 bytes, text/x-phabricator-request
Details | Review
Bug 1991492 - Add WPT for impossible constraints in gDM-applyConstraints. r?jib
48 bytes, text/x-phabricator-request
Details | Review
Bug 1991492 - Add crashtests. r?jib
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-release+
Details | Review
Bug 1991492 - Add WPT for impossible constraints in gDM-applyConstraints. r?jib
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-release+
Details | Review
Bug 1991492 - In MERVS::ChooseCapability check for invalid constraints. r?jib
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-release+
Details | Review

Testcase found while fuzzing mozilla-central rev cca03a5f7adf (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build cca03a5f7adf --debug --fuzzing --cpu x86 -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

[@ linux-gate.so.1+0x579]

    ==514253==ERROR: UndefinedBehaviorSanitizer: ABRT on unknown address 0x0007d8cd (pc 0xf0402579 bp 0xcfbffb40 sp 0xcfbfd600 T514465)
        #0 0xf0402579  (linux-gate.so.1+0x579) (BuildId: e8b6b6bb5c1f06b9fe91bb92321a386bfd39a317)
        #1 0xefe17f86 in __pthread_kill_implementation ./nptl/pthread_kill.c:43:17
        #2 0xefdc50b4 in raise ./signal/../sysdeps/posix/raise.c:26:13
        #3 0xefdac2be in abort ./stdlib/abort.c:79:7
        #4 0xe47c1f96 in mozilla::MediaEngineRemoteVideoSource::ChooseCapability(mozilla::NormalizedConstraints const&, mozilla::MediaEnginePrefs const&, webrtc::VideoCaptureCapability&, mozilla::DistanceCalculation) /dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:0:0
        #5 0xe47bf006 in mozilla::MediaEngineRemoteVideoSource::Allocate(mozilla::dom::MediaTrackConstraints const&, mozilla::MediaEnginePrefs const&, unsigned long long, char const**) /dom/media/webrtc/MediaEngineRemoteVideoSource.cpp:246:8
        #6 0xe3fcc53b in mozilla::LocalMediaDevice::Allocate(mozilla::dom::MediaTrackConstraints const&, mozilla::MediaEnginePrefs const&, unsigned long long, char const**) /dom/media/MediaManager.cpp:1179:20
        #7 0xe400ef79 in mozilla::GetUserMediaStreamTask::AllocateDevices() /dom/media/MediaManager.cpp:1522:26
        #8 0xe400f8d2 in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:18
        #9 0xe400f8d2 in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9)> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:60:14
        #10 0xe400f8d2 in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9)> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/10/../../../../include/c++/10/bits/invoke.h:95:14
        #11 0xe400f8d2 in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9), std::tuple<> &> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/10/../../../../include/c++/10/tuple:1740:14
        #12 0xe400f8d2 in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1082:9), std::tuple<> &> /builds/worker/fetches/sysroot-i686-linux-gnu/usr/lib/gcc/i586-linux-gnu/10/../../../../include/c++/10/tuple:1751:14
        #13 0xe400f8d2 in apply<mozilla::GetUserMediaStreamTask, void (mozilla::GetUserMediaStreamTask::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1081:12
        #14 0xe400f8d2 in mozilla::detail::RunnableMethodImpl<mozilla::GetUserMediaStreamTask*, void (mozilla::GetUserMediaStreamTask::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1132:13
        #15 0xdfeaf7c2 in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:275:20
        #16 0xdfed4ba4 in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:450:14
        #17 0xdfecb817 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1151:16
        #18 0xdfed200a in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:462:10
        #19 0xe0aad3b3 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:299:20
        #20 0xe0a0874e in MessageLoop::RunInternal() /ipc/chromium/src/base/message_loop.cc:373:10
        #21 0xe0a0865a in RunHandler /ipc/chromium/src/base/message_loop.cc:366:3
        #22 0xe0a0865a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:348:3
        #23 0xdfec75f6 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:366:10
        #24 0xefd804fe in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:191:3
        #25 0xefe15fe6 in start_thread ./nptl/pthread_create.c:447:8
        #26 0xefead587 in clone3 ./misc/../sysdeps/unix/sysv/linux/i386/clone3.S:111:0
    
    ==514253==Register values:
    eax = 0x00000000  ebx = 0x0007d8cd  ecx = 0x0007d9a1  edx = 0x00000006
    edi = 0xcf40ed40  esi = 0x0007d9a1  ebp = 0xcfbffb40  esp = 0xcfbfd600
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: ABRT (linux-gate.so.1+0x579) (BuildId: e8b6b6bb5c1f06b9fe91bb92321a386bfd39a317)
    ==514253==ABORTING
Attached file Testcase
Attachment #9516987 - Attachment filename: testcase.html.undefined → testcase.html
Attachment #9516987 - Attachment mime type: text/plain → text/html

Verified bug as reproducible on mozilla-central 20250918213023-cca03a5f7adf.
The bug appears to have been introduced in the following build range:

Start: b47c86a32e89337661529937d6dc2917e97d2734 (20250829122240)
End: 0d7ae4c7f831989237613a491b990ff72b57d519 (20250829093033)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b47c86a32e89337661529937d6dc2917e97d2734&tochange=0d7ae4c7f831989237613a491b990ff72b57d519

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

This bug has been marked as a regression. Setting status flag for Nightly to affected.

status-firefox145: --- → affected

Making an educated guess based on comment 2 and the test case. Andreas, is this a dup of any of the other simiar regressions you've fixed recently?

Flags: needinfo?(apehrson)
Regressed by: 1286945

Set release status flags based on info from the regressing bug 1286945

status-firefox143: --- → unaffected
status-firefox144: --- → affected
status-firefox-esr140: --- → unaffected
Severity: -- → S4

I don't recognize this failure mode.

Assignee: nobody → apehrson
Severity: S4 → S3
Status: NEW → ASSIGNED
Flags: needinfo?(apehrson)
OS: Linux → All
Priority: -- → P2
Hardware: x86 → Desktop
Regressions: 1993093
Attachment #9518877 - Flags: approval-mozilla-beta?
Attachment #9518878 - Flags: approval-mozilla-beta?

firefox-beta Uplift Approval Request

  • User impact if declined: Content process crash when requesting display media (screen/window capture)
  • Code covered by automated testing: yes
  • Fix verified in Nightly: no
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing:
  • Risk associated with taking this patch: low
  • Explanation of risk level: trivial; adding some guard checks
  • String changes made/needed: none
  • Is Android affected?: no
Attachment #9518879 - Flags: approval-mozilla-beta?

https://hg.mozilla.org/mozilla-central/rev/13b6af431b69
https://hg.mozilla.org/mozilla-central/rev/913af16594fa
https://hg.mozilla.org/mozilla-central/rev/47d69e810804

Status: ASSIGNED → RESOLVED
Closed: 6 months ago
status-firefox145: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 145 Branch
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/55301 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20251008091336-9af212a90b49.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox145: fixedverified
Keywords: bugmon

Comment on attachment 9518877 [details]
Bug 1991492 - Add crashtests. r?jib

We are in RC week. Moving request to release for dot release or respin consideration

Attachment #9518877 - Flags: approval-mozilla-beta? → approval-mozilla-release?
Attachment #9518878 - Flags: approval-mozilla-beta? → approval-mozilla-release?
Attachment #9518879 - Flags: approval-mozilla-beta? → approval-mozilla-release?
Flags: in-testsuite+
Attachment #9518879 - Flags: approval-mozilla-release? → approval-mozilla-release+
Attachment #9518878 - Flags: approval-mozilla-release? → approval-mozilla-release+
Attachment #9518877 - Flags: approval-mozilla-release? → approval-mozilla-release+
See Also: → 2009411
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: