Bug 793863 - Signaling code: crash in fsmdef_release
Status: RESOLVED FIXED (Closed)
Opened 12 years ago; closed 12 years ago
Component: Core :: WebRTC: Signaling (defect, P2)
Reporter: ehugg; Assignee: ehugg
Keywords: crash; Whiteboard: [asan], [WebRTC], [blocking-webrtc+] [qa-]
Attachments: 1 file, 1 obsolete file (patch, 7.88 KB)

Description (12 years ago)
This crash happened with Asan more than once, but is not easily repeatable:

==43752== ERROR: AddressSanitizer crashed on unknown address 0x000000000138 (pc 0x00011e0bb1b4 sp 0x000153bf8700 bp 0x000153bf9270 T37)
AddressSanitizer can not provide additional info.
ABORTING
    #0 0x11e0bb1b3 in fsmdef_release fsmdef.c:1812
    #1 0x11e0ec4f3 in fsmdef_ev_addstream fsmdef.c:3445
    #2 0x11e2599fb in sm_process_event sm.c:83
    #3 0x11e0625e3 in fim_process_event fim.c:671
    #4 0x11e16e730 in gsm_process_msg gsm.c:167
    #5 0x11e16fcfa in GSMTask gsm.c:359
    #6 0x10003626a in __asan::AsanThread::ThreadStart() (in firefox) + 42
    #7 0x7fff8b9f7181 in thread_start (in libsystem_c.dylib) + 13
Stats: 3533M malloced (3054M for red zones) by 4888867 calls
Stats: 928M realloced by 120042 calls
Stats: 3312M freed by 4643955 calls
Stats: 3179M really freed by 4380448 calls
Stats: 1493M (382210 full pages) mmaped in 352 calls
  mmaps   by size class: 8:376809; 9:49146; 10:245700; 11:10235; 12:5120; 13:40448; 14:1280; 15:896; 16:512; 17:224; 18:240; 19:152; 20:172; 21:128; 22:3; 25:3;
  mallocs by size class: 8:1147717; 9:142267; 10:3481376; 11:21238; 12:26770; 13:47755; 14:9059; 15:5890; 16:2875; 17:1474; 18:1379; 19:350; 20:434; 21:270; 22:10; 25:3;
  frees   by size class: 8:981607; 9:120848; 10:3472026; 11:17294; 12:23241; 13:8387; 14:8471; 15:5639; 16:2644; 17:1447; 18:1293; 19:346; 20:431; 21:268; 22:10; 25:3;
  rfrees  by size class: 8:927622; 9:113512; 10:3273106; 11:16416; 12:22110; 13:7983; 14:8065; 15:5411; 16:2536; 17:1357; 18:1276; 19:345; 20:430; 21:267; 22:9; 25:3;
Stats: malloc large: 4025 small slow: 38383
Updated 12 years ago
Assignee: nobody → ethanhugg

Updated 12 years ago
Blocks: fuzzing-webrtc
Comment 1 (12 years ago)

Comment 2 (12 years ago)
Comment on attachment 664262 [details] [diff] [review]
Signaling code - check for fcb already released

I found several instances of this check-for-null and double-return. I changed them to return SM_RC_CLEANUP, which, according to the comments, should signal we're done with this data. I assume this is happening because it's already run through release, but I can't prove that. Also protected fsmdef_release from any other call with a dcb of null, and removed an instance of fname in favor of __FUNCTION__.
Attachment #664262 - Flags: feedback?(emannion)
Attachment #664262 - Flags: feedback?(ekr)
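The guard described in comment 2, as an added example that is not the bug's patch or the sipcc code: a minimal model of a call control block (fcb) and its data block (dcb), where a release clears the dcb pointer, a later event handler that finds it NULL returns SM_RC_CLEANUP instead of dereferencing it, and the cleanup path is idempotent so a cleanup reached twice cannot free the block twice. All type and function names here are assumed for illustration.

```c
/* Added example, not code from the bug's attachment: a minimal model of the
 * guard described in comment 2. All names (sm_rc_t, fcb_t, dcb_t and the
 * fsm_* functions) are assumed for illustration. */
#include <stdlib.h>

typedef enum { SM_RC_SUCCESS = 0, SM_RC_CLEANUP = 1 } sm_rc_t;

typedef struct { int stream_count; } dcb_t;     /* per-call data */
typedef struct {
    dcb_t *dcb;      /* NULL once the call's data has been released */
    int in_use;      /* 0 once the control block is back in the pool */
    int free_count;  /* how many times the free path actually ran */
} fcb_t;

fcb_t *fcb_new(void) {
    fcb_t *fcb = calloc(1, sizeof *fcb);
    if (fcb == NULL) return NULL;
    fcb->dcb = calloc(1, sizeof *fcb->dcb);
    fcb->in_use = 1;
    return fcb;
}

/* Release the call data. A NULL fcb or dcb (the fsmdef_release crash) is
 * reported as CLEANUP instead of being dereferenced. */
sm_rc_t fsm_release_call(fcb_t *fcb) {
    if (fcb == NULL || fcb->dcb == NULL) return SM_RC_CLEANUP;
    free(fcb->dcb);
    fcb->dcb = NULL;   /* later events can now detect the released state */
    return SM_RC_SUCCESS;
}

/* Event handler modelled on fsmdef_ev_addstream: an event that arrives after
 * release must not touch dcb; tell the state machine to clean up instead. */
sm_rc_t fsm_ev_addstream(fcb_t *fcb) {
    if (fcb == NULL || fcb->dcb == NULL) return SM_RC_CLEANUP;
    fcb->dcb->stream_count++;
    return SM_RC_SUCCESS;
}

/* Cleanup path (cf. fim_free_call_chn -> fsmdef_free_cb in comment 6). It is
 * idempotent, so a CLEANUP reached twice does not free the block twice. */
sm_rc_t fsm_free_cb(fcb_t *fcb) {
    if (fcb == NULL || !fcb->in_use) return SM_RC_SUCCESS; /* already in pool */
    fsm_release_call(fcb);
    fcb->in_use = 0;
    fcb->free_count++;
    return SM_RC_SUCCESS;
}
```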
Comment 3 (12 years ago)
Comment on attachment 664262 [details] [diff] [review] Signaling code - check for fcb already released Review of attachment 664262 [details] [diff] [review]: ----------------------------------------------------------------- lgtm with one nit ::: media/webrtc/signaling/src/sipcc/core/gsm/fsmdef.c @@ +2913,5 @@ > } > > if (dcb == NULL) { > FSM_DEBUG_SM(DEB_F_PREFIX"dcb is NULL.\n", DEB_F_PREFIX_ARGS(FSM, __FUNCTION__)); > + return SM_RC_CLEANUP; Funny indent.
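Review bot: the added `return SM_RC_CLEANUP;` in the @@ +2913,5 @@ hunk is indented deeper than the FSM_DEBUG_SM line and the closing brace around it (the "funny indent" nit), so it should be aligned with the rest of the `if (dcb == NULL)` block. More substantively, this branch now hands the call to the cleanup path whenever dcb is NULL, and comment 2 says the reason dcb can be NULL here (already released) is assumed rather than proven; a one-line comment on that assumption next to the return would make it clear to the next reader why cleanup, rather than an error return, is the right outcome.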
Attachment #664262 - Flags: feedback?(ekr) → feedback+
Comment 4 (12 years ago)

Updated 12 years ago
Attachment #664262 - Attachment is obsolete: true
Attachment #664262 - Flags: feedback?(emannion)
Comment 5 (12 years ago)
Comment on attachment 664276 [details] [diff] [review]
Signaling code - check for fcb already released

Pushed to Alder - http://hg.mozilla.org/projects/alder/rev/9145a0eed02d
Leaving the bug open until confirmation from cdiehl that we didn't just move the problem elsewhere.
Comment 6 (12 years ago)
I am now getting the following crash:

==83659== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x00011e4005d2 sp 0x000161f32800 bp 0x000161f32a50 T36)
AddressSanitizer can not provide additional info.
ABORTING
    #0 0x11e4005d1 in fsm_init_fcb fsm.c:147
    #1 0x11e44c192 in fsmdef_free_cb fsmdef.c:1227
    #2 0x11e3fc7ee in fim_free_call_chn fim.c:162
    #3 0x11e3f88dc in fim_process_event fim.c:718
    #4 0x11e5038e0 in gsm_process_msg gsm.c:167
    #5 0x11e504eaa in GSMTask gsm.c:359
    #6 0x10003622a in __asan::AsanThread::ThreadStart() (in firefox) + 42
    #7 0x7fff8b9f7181 in thread_start (in libsystem_c.dylib) + 13
Stats: 17227M malloced (12751M for red zones) by 15490798 calls
Stats: 9135M realloced by 438706 calls
Stats: 16015M freed by 14952769 calls
Stats: 15847M really freed by 14877742 calls
Stats: 3747M (959279 full pages) mmaped in 915 calls
Updated 12 years ago
Whiteboard: [asan] → [asan], [WebRTC], [blocking-webrtc+]

Updated 12 years ago
Whiteboard: [asan], [WebRTC], [blocking-webrtc+] → [asan], [WebRTC], [blocking-webrtc-]

Updated 12 years ago
Priority: -- → P2
Whiteboard: [asan], [WebRTC], [blocking-webrtc-] → [asan], [WebRTC], [blocking-webrtc+]

Updated 12 years ago
Flags: in-testsuite-
Comment 7 (12 years ago)
Fixed in bug 805701
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated 12 years ago
Whiteboard: [asan], [WebRTC], [blocking-webrtc+] → [asan], [WebRTC], [blocking-webrtc+] [qa-]