Closed Bug 2017491 Opened 2 months ago Closed 2 months ago

crash near null in [@ mozilla::MediaChangeMonitor::DecodeFirstSample]

Categories

(Core :: Audio/Video: Web Codecs, defect)

defect

Tracking

VERIFIED FIXED
150 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox-esr140 --- unaffected
firefox148 --- wontfix
firefox149 --- wontfix
firefox150 --- verified

People

(Reporter: tsmith, Assigned: chunmin)

References

(Blocks 1 open bug)

Details

(Keywords: ai-involved, crash, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(5 files)

Attached file testcase.html

Found while fuzzing m-c 20260213-cabf73b570b5 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==230366==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x7853df3b9891 bp 0x7853a979db90 sp 0x7853a979db60 T24)
==230366==The signal is caused by a READ memory access.
==230366==Hint: address points to the zero page.
    #0 0x7853df3b9891 in void mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData>>, mozilla::MediaResult, true>::Private::Resolve<nsTArray<RefPtr<mozilla::MediaData>>>(nsTArray<RefPtr<mozilla::MediaData>>&&, mozilla::StaticString) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1370:5
    #1 0x7853df99ab84 in Resolve<nsTArray<RefPtr<mozilla::MediaData> > > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1536:15
    #2 0x7853df99ab84 in mozilla::MediaChangeMonitor::DecodeFirstSample(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:1260:20
    #3 0x7853df9c2b72 in operator() /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:1214:23
    #4 0x7853df9c2b72 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:1197:21), void ((lambda at /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:1197:21)::*)(mozilla::TrackInfo::TrackType) const, mozilla::TrackInfo::TrackType> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:669:14
    #5 0x7853df9c2b72 in InvokeCallbackMethod<false, mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true>, (lambda at /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:1197:21), void ((lambda at /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:1197:21)::*)(mozilla::TrackInfo::TrackType) const, mozilla::TrackInfo::TrackType> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:683:7
    #6 0x7853df9c2b72 in mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true>::ThenValue<mozilla::MediaChangeMonitor::CreateDecoderAndInit(mozilla::MediaRawData*)::$_0::operator()() const::'lambda'(mozilla::TrackInfo::TrackType), mozilla::MediaChangeMonitor::CreateDecoderAndInit(mozilla::MediaRawData*)::$_0::operator()() const::'lambda'(mozilla::MediaResult const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:874:17
    #7 0x7853df038715 in mozilla::MozPromise<mozilla::TrackInfo::TrackType, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:505:21
    #8 0x7853d7588995 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:311:20
    #9 0x7853d75d0f97 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:446:14
    #10 0x7853d75c41c0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1162:16
    #11 0x7853d75cd019 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
    #12 0x7853d8d03871 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:299:20
    #13 0x7853d8be0a94 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:10
    #14 0x7853d8be0a94 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:366:3
    #15 0x7853d8be0a94 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:348:3
    #16 0x7853d75bd0c0 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:373:10
    #17 0x7c53fcfc2aff in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:191:3
    #18 0x61f794ee9676 in asan_thread_start(void*) _asan_rtl_:28
    #19 0x7c53fd54cac2 in start_thread ./nptl/pthread_create.c:442:8
    #20 0x7c53fd5dda83 in __clone ./misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100:0

Verified bug as reproducible on mozilla-central 20260218044552-96c5619a38c8.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 06d540d058a12f54fed2eecd06083ed8bd3a1417 (20250219215346)
End: cabf73b570b5d185dbcd4d11de7bab9e6cfadea7 (20260213044212)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)

Whiteboard: [bugmon:bisected,confirmed]
Duplicate of this bug: 2017641
Crash Signature: [@ mozilla::MediaChangeMonitor::DecodeFirstSample ]

MediaChangeMonitor::Shutdown() disconnects six MozPromiseRequestHolders but
misses mDecoderRequest, which tracks the async PDMFactory::CreateDecoder()
call. When Shutdown() races with an in-flight decoder creation, the factory
callback still fires post-shutdown, initializes the decoder, and calls
DecodeFirstSample() which dereferences the already-rejected mDecodePromise,
causing a null-pointer crash.
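To make the race above concrete, here is an added illustration (not Gecko code, and not the patch itself): a minimal stand-in for the MozPromise / MozPromiseRequestHolder pattern, with simplified `RequestHolder`, `Promise` and `Monitor` types assumed for the sake of the example. It shows that when the in-flight creation request is not disconnected, the late factory callback reaches `DecodeFirstSample()` after `Shutdown()` has already cleared the promise, and that disconnecting the request in `Shutdown()` (the approach of the "Disconnect mDecoderRequest" attachment) suppresses the callback.

```cpp
#include <functional>
#include <memory>
#include <utility>

// Added illustration, not Gecko code: a minimal stand-in for the
// MozPromise / MozPromiseRequestHolder pattern, showing why a request that
// Shutdown() forgets to disconnect lets the creation callback run afterwards
// and touch state Shutdown() already tore down.
struct Promise { bool resolved = false; };

// Stand-in for MozPromiseRequestHolder: Disconnect() drops the pending
// callback so completion of the async operation no longer invokes it.
struct RequestHolder {
  std::function<void()> callback;
  void Track(std::function<void()> cb) { callback = std::move(cb); }
  void Disconnect() { callback = nullptr; }
  void Complete() {
    if (!callback) return;            // disconnected: nothing to run
    auto cb = std::move(callback);
    callback = nullptr;
    cb();
  }
};

struct Monitor {
  std::unique_ptr<Promise> mDecodePromise = std::make_unique<Promise>();
  RequestHolder mDecoderRequest;      // tracks the in-flight decoder creation
  bool mTouchedNullPromise = false;

  void CreateDecoderAndInit() {       // factory completes asynchronously
    mDecoderRequest.Track([this] { DecodeFirstSample(); });
  }
  void DecodeFirstSample() {
    if (!mDecodePromise) {            // real code would dereference here
      mTouchedNullPromise = true;
      return;
    }
    mDecodePromise->resolved = true;
  }
  void Shutdown(bool disconnectCreation) {
    if (disconnectCreation) mDecoderRequest.Disconnect();  // the fix
    mDecodePromise.reset();           // promise rejected/cleared on shutdown
  }
};

// Creation in flight, Shutdown() wins the race, then the factory completes.
// Returns true if the late callback reached the cleared promise (the bug).
bool LateCallbackHitsNullPromise(bool disconnectInShutdown) {
  Monitor m;
  m.CreateDecoderAndInit();
  m.Shutdown(disconnectInShutdown);
  m.mDecoderRequest.Complete();
  return m.mTouchedNullPromise;
}
```

The same ordering (track, shut down, complete) is what the crashtest exercises; the later deferred-shutdown handling via a MozPromiseHolder is not modelled here.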

See Also: → 1848451
Assignee: nobody → cchang
Attachment #9546664 - Attachment description: WIP: Bug 2017491 - Add crashtest → Bug 2017491 - Add crashtest
Status: NEW → ASSIGNED
Attachment #9546665 - Attachment description: WIP: Bug 2017491 - Disconnect mDecoderRequest in MediaChangeMonitor::Shutdown() → Bug 2017491 - Disconnect mDecoderRequest in MediaChangeMonitor::Shutdown()

Rewrite CreateDecoder() to track the factory call with MozPromiseRequestHolder
and use a MozPromiseHolder for deferred resolution, matching the pattern in
DecoderAgent::Configure(). When Shutdown() is called while the factory creation
is in-flight, the creation callback detects this via mShutdownWhileCreationPromise
and explicitly shuts down the newly created decoder before resolving the deferred
shutdown promise.

Keywords: ai-involved
Attachment #9546950 - Attachment description: WIP: Bug 2017491 - Handle shutdown-during-creation race in MediaChangeMonitor::CreateDecoder() → Bug 2017491 - Handle shutdown-during-creation race in MediaChangeMonitor::CreateDecoder()

Rename for clarity: mDecoderRequest was confusingly similar to
mCreateDecoderRequest (added in the previous commit). The new names map
directly to the methods they track:

  • mCreateDecoderRequest tracks the PDMFactory::CreateDecoder() call
    inside CreateDecoder().
  • mCreateAndInitRequest tracks the outer .Then() chain in
    CreateDecoderAndInit().

Pushed by cchang@mozilla.com:
https://github.com/mozilla-firefox/firefox/commit/551ae4a7e2c4
https://hg.mozilla.org/integration/autoland/rev/600d35c6c39e
Add crashtest r=media-playback-reviewers,padenot
https://github.com/mozilla-firefox/firefox/commit/5a2e66306cb5
https://hg.mozilla.org/integration/autoland/rev/e733f254fde3
Disconnect mDecoderRequest in MediaChangeMonitor::Shutdown() r=media-playback-reviewers,padenot
https://github.com/mozilla-firefox/firefox/commit/9013ee711e6d
https://hg.mozilla.org/integration/autoland/rev/2b4b8439c4b9
Handle shutdown-during-creation race in MediaChangeMonitor::CreateDecoder() r=media-playback-reviewers,padenot
https://github.com/mozilla-firefox/firefox/commit/12b30222ddbb
https://hg.mozilla.org/integration/autoland/rev/575ca127a83a
Rename mDecoderRequest to mCreateAndInitRequest r=media-playback-reviewers,padenot

The patch landed in nightly and beta is affected.
:chunmin, is this bug important enough to require an uplift?

For more information, please visit BugBot documentation.

Flags: needinfo?(cchang)

Verified bug as fixed on rev mozilla-central 20260226092447-a69469d257c5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Flags: needinfo?(cchang)
Flags: in-testsuite+