Closed Bug 800969 Opened 12 years ago Closed 12 years ago

WebRTC crash [@PL_ArenaAllocate]

Categories

(Core :: WebRTC: Signaling, defect, P2)

Product:
Core
Component:
WebRTC: Signaling
Platform:
x86_64
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Tracking Flags:
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 - disabled
firefox19 + verified
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: posidron, Assigned: ekr)

References

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [WebRTC], [blocking-webrtc+] [adv-main19-])

Attachments

(6 files)

testcase
4.89 KB, text/html
Details
crashreport
83.22 KB, text/plain
Details
NSPR_LOG_MODULES
273.07 KB, text/plain
Details
testcase for M-C builds after 10/16/12
4.88 KB, text/html
Details
testcase_new_createAnswer
4.88 KB, text/html
Details
Complete stack trace
82.72 KB, text/plain
Details
Attached file testcase 
The testcase must not be opened over the command-line via GDB else it will produce an assertion failure: (mod != NULL, at pk11slot.c:1766). Instead drag & drop the testcase into Firefox.


Reason: KERN_PROTECTION_FAILURE at address: 0x00000001304c3eb8
[Switching to process 63747 thread 0x3907]
PL_ArenaAllocate (pool=<value temporarily unavailable, due to optimizations>, nb=<value temporarily unavailable, due to optimizations>) at /Users/cdiehl/Code/Mozilla/mc-inbound-asan/nsprpub/lib/ds/plarena.c:170
170	        if ( PR_FAILURE == LockArena())


mozilla-inbound
changeset:   110109:78f0949318a5
tag:         tip
Attached file crashreport 

    
    

    
  

      
      
      
      

        Attached file
          
        NSPR_LOG_MODULES
      

    


  

    
  
Whiteboard: [fuzzblocker]

    
    

    
  
Does this happen every time for you?  I need some tips on getting this to repro, was unable so far on OSX 10.8 and Ubuntu 12.04.

Also had to remove the first param from CreateAnswer in the test case because of this recent patch:
https://hg.mozilla.org/mozilla-central/rev/76c3e2baba71

But I don't think that would affect this crash.

    
    

    
  
(In reply to Ethan Hugg [:ehugg] from comment #3)

> Also had to remove the first param from CreateAnswer in the test case
> because of this recent patch:
> https://hg.mozilla.org/mozilla-central/rev/76c3e2baba71
> 
> But I don't think that would affect this crash.

Can you update the testcase?  You can leave the old one active if you want

    
    

    
  


  
Updated test case for new CreateAnswer signature.

    
    

    
  
Tested it with m-c 110380:fc883f5a1a08 tip but couldn't reproduce it anymore either.

    
  
Whiteboard: [fuzzblocker]
Priority: -- → P2
Whiteboard: [WebRTC], [blocking-webrtc+]

    
    

    
  
Does this still reproduce on FF18? Trying to understand if this bug is actionable in any way before tracking.
Flags: in-testsuite?

    
    

    
  


  
(In reply to Alex Keybl [:akeybl] from comment #7)
> Does this still reproduce on FF18? Trying to understand if this bug is
> actionable in any way before tracking.

I can not reproduce it anymore with m-c changeset: 110899:1c3e4cb1f754

    
    

    
  
I was wrong, still can reproduce it but you need to refresh the page a bit more often.
Assignee: nobody → ekr

    
    

    
  
Couple things: the crash in Arenas implies a bad/freed memory write.

There are one or two interesting messages in the log (unhandled call state, some errors from ICE).

Additional callstacks from this testcase would be useful.

    
    

    
  
The testcase is now crashing at a different location and also get's triggered differently as I recall now. 
The original underlying bug here has been fixed. I will open a new bug for the testcase.

    
  
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

    
    

    
  
Is this an asan only crash? Debug only? I can't reproduce a crash on nightly 11/5 with any of the attached test cases.

    
    

    
  
No this original crash was not ASan only.

I opened this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=800969
It has the same testcase but triggers a different bug. Please do not open this bug until the new one is solved since this bug contains step to reproduce the new one.

    
    

    
  
(In reply to Christoph Diehl [:cdiehl] from comment #13)
> No this original crash was not ASan only.
> 
> I opened this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=800969
> It has the same testcase but triggers a different bug. Please do not open
> this bug until the new one is solved since this bug contains step to
> reproduce the new one.

Had the wrong URL in my cache: https://bugzilla.mozilla.org/show_bug.cgi?id=808829

    
    

    
  
(In reply to Jason Smith [:jsmith] from comment #12)
> Is this an asan only crash? Debug only? I can't reproduce a crash on nightly
> 11/5 with any of the attached test cases.

It looks that it got already fixed by something else prior to that. It worked for me with m-i and changeset: 110109:78f0949318a5

    
    

    
  
Given this test case and an ordinary build I am now getting a crash in:

Assertion failure: any, at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:3285

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
BeginMarkPhase (rt=0x11c502000) at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:3285
(gdb) bt
#0  BeginMarkPhase (rt=0x11c502000) at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:3285
#1  0x00000001046ebab0 in IncrementalCollectSlice (rt=0x11c502000, budget=40000, reason=js::gcreason::INTER_SLICE_GC, gckind=js::GC_NORMAL) at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:4231
#2  0x00000001046eb2a7 in GCCycle (rt=0x11c502000, incremental=true, budget=40000, gckind=js::GC_NORMAL, reason=js::gcreason::INTER_SLICE_GC) at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:4452
#3  0x00000001046e7a86 in Collect (rt=0x11c502000, incremental=true, budget=40000, gckind=js::GC_NORMAL, reason=js::gcreason::INTER_SLICE_GC) at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:4566
#4  0x00000001046e5a22 in js::GCSlice (rt=0x11c502000, gckind=js::GC_NORMAL, reason=js::gcreason::INTER_SLICE_GC, millis=40) at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:4606
#5  0x00000001046cf6ca in js::IncrementalGC (rt=0x11c502000, reason=js::gcreason::INTER_SLICE_GC, millis=40) at /Users/ekr/dev/mozilla-inbound/js/src/jsfriendapi.cpp:172
#6  0x000000010223b40f in nsJSContext::GarbageCollectNow (aReason=js::gcreason::INTER_SLICE_GC, aIncremental=nsJSContext::IncrementalGC, aCompartment=nsJSContext::CompartmentGC, aShrinking=nsJSContext::NonShrinkingGC, aSliceMillis=40) at /Users/ekr/dev/mozilla-inbound/dom/base/nsJSEnvironment.cpp:2914
#7  0x0000000102245c63 in InterSliceGCTimerFired (aTimer=0x11d7af880, aClosure=0x0) at /Users/ekr/dev/mozilla-inbound/dom/base/nsJSEnvironment.cpp:3194
#8  0x00000001037d7d60 in nsTimerImpl::Fire (this=0x11d7af880) at /Users/ekr/dev/mozilla-inbound/xpcom/threads/nsTimerImpl.cpp:482
#9  0x00000001037d8141 in nsTimerEvent::Run (this=0x1003ba128) at /Users/ekr/dev/mozilla-inbound/xpcom/threads/nsTimerImpl.cpp:565
#10 0x00000001037cd6b6 in nsThread::ProcessNextEvent (this=0x100342420, mayWait=true, result=0x7fff5fbf327e) at /Users/ekr/dev/mozilla-inbound/xpcom/threads/nsThread.cpp:627
#11 0x00000001037332b9 in NS_ProcessNextEvent_P (thread=0x100342420, mayWait=true) at nsThreadUtils.cpp:221
#12 0x00000001037cc4c3 in nsThread::Dispatch (this=0x100342830, event=0x149ff89a0, flags=1) at /Users/ekr/dev/mozilla-inbound/xpcom/threads/nsThread.cpp:410
#13 0x00000001012fbe2e in nsSocketTransportService::Dispatch (this=0x10033b440, event=0x149ff89a0, flags=1) at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:123
#14 0x00000001012fbea5 in non-virtual thunk to nsSocketTransportService::Dispatch(nsIRunnable*, unsigned int) () at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:130
#15 0x00000001044ace87 in sipcc::PeerConnectionImpl::ShutdownMedia (this=0x126de4990) at PeerConnectionImpl.cpp:1113
#16 0x00000001044a819e in sipcc::PeerConnectionImpl::Close (this=0x126de4990) at PeerConnectionImpl.cpp:1096
#17 0x0000000103806319 in NS_InvokeByIndex_P (that=0x126de4990, methodIndex=14, paramCount=0, params=0x7fff5fbf3b78) at /Users/ekr/dev/mozilla-inbound/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
#18 0x0000000102b28364 in CallMethodHelper::Invoke (this=0x7fff5fbf3b38) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:3118
#19 0x0000000102b2662c in CallMethodHelper::Call (this=0x7fff5fbf3b38) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:2452
#20 0x0000000102b22b2e in XPCWrappedNative::CallMethod (ccx=@0x7fff5fbf3cf8, mode=XPCWrappedNative::CALL_METHOD) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:2418
#21 0x0000000102b3333a in XPC_WN_CallMethod (cx=0x1003a8690, argc=0, vp=0x11c7df1a8) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#22 0x0000000104759a87 in js::CallJSNative (cx=0x1003a8690, native=0x102b330e0 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=@0x7fff5fbf3fb0) at jscntxtinlines.h:364
#23 0x000000010474f96e in js::InvokeKernel (cx=0x1003a8690, args={<JS::CallReceiver> = {usedRval_ = false, argv_ = 0x11c7df1b8}, argc_ = 0}, construct=js::NO_CONSTRUCT) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:367
#24 0x0000000104747718 in js::Interpret (cx=0x1003a8690, entryFrame=0x11c7df138, interpMode=js::JSINTERP_NORMAL) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:2321
#25 0x0000000104741551 in js::RunScript (cx=0x1003a8690, script={<js::HandleBase<JSScript *>> = {<No data fields>}, ptr = 0x7fff5fbf6388}, fp=0x11c7df138) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:324
#26 0x000000010474faa6 in js::InvokeKernel (cx=0x1003a8690, args={<JS::CallReceiver> = {usedRval_ = false, argv_ = 0x11c7df108}, argc_ = 3}, construct=js::NO_CONSTRUCT) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:379
#27 0x000000010487aad1 in js::Invoke (cx=0x1003a8690, args=@0x7fff5fbf6610, construct=js::NO_CONSTRUCT) at jsinterp.h:109
#28 0x00000001046778ef in js::FastInvokeGuard::invoke (this=0x7fff5fbf6610, cx=0x1003a8690) at jsinterpinlines.h:1059
#29 0x0000000104672257 in array_readonlyCommon (cx=0x1003a8690, args=@0x7fff5fbf6750) at /Users/ekr/dev/mozilla-inbound/js/src/jsarray.cpp:3123
#30 0x000000010466ee53 in array_forEach (cx=0x1003a8690, argc=1, vp=0x11c7df0e0) at /Users/ekr/dev/mozilla-inbound/js/src/jsarray.cpp:3160
#31 0x0000000104759a87 in js::CallJSNative (cx=0x1003a8690, native=0x10466ee20 <array_forEach(JSContext*, unsigned int, JS::Value*)>, args=@0x7fff5fbf6940) at jscntxtinlines.h:364
#32 0x000000010474f96e in js::InvokeKernel (cx=0x1003a8690, args={<JS::CallReceiver> = {usedRval_ = false, argv_ = 0x11c7df0f0}, argc_ = 1}, construct=js::NO_CONSTRUCT) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:367
#33 0x0000000104747718 in js::Interpret (cx=0x1003a8690, entryFrame=0x11c7df068, interpMode=js::JSINTERP_NORMAL) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:2321
#34 0x0000000104741551 in js::RunScript (cx=0x1003a8690, script={<js::HandleBase<JSScript *>> = {<No data fields>}, ptr = 0x7fff5fbf8d18}, fp=0x11c7df068) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:324
#35 0x000000010474faa6 in js::InvokeKernel (cx=0x1003a8690, args={<JS::CallReceiver> = {usedRval_ = false, argv_ = 0x11c7df050}, argc_ = 3}, construct=js::NO_CONSTRUCT) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:379
#36 0x000000010487aad1 in js::Invoke (cx=0x1003a8690, args=@0x7fff5fbf8ec0, construct=js::NO_CONSTRUCT) at jsinterp.h:109
#37 0x00000001047500e8 in js::Invoke (cx=0x1003a8690, thisv=@0x7fff5fbf8f80, fval=@0x7fff5fbf8fe8, argc=3, argv=0x7fff5fbf9690, rval=0x7fff5fbf9380) at /Users/ekr/dev/mozilla-inbound/js/src/jsinterp.cpp:412
#38 0x000000010463a754 in JS_CallFunctionValue (cx=0x1003a8690, objArg=0x11df79680, fval={data = {asBits = 18445477441112086080, debugView = {payload47 = 4797732416, tag = JSVAL_TAG_OBJECT}, s = {payload = {i32 = 502765120, u32 = 502765120, why = 502765120}}, asDouble = -nan(0xb80011df79640), asPtr = 0xfffb80011df79640, asWord = 18445477441112086080, asUIntPtr = 18445477441112086080}}, argc=3, argv=0x7fff5fbf9690, rval=0x7fff5fbf9380) at /Users/ekr/dev/mozilla-inbound/js/src/jsapi.cpp:5774
#39 0x0000000102b16794 in nsXPCWrappedJSClass::CallMethod (this=0x11d08ca60, wrapper=0x129227380, methodIndex=3, info=0x11b44af70, nativeParams=0x7fff5fbf99c0) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/src/XPCWrappedJSClass.cpp:1420
#40 0x0000000102b098b4 in nsXPCWrappedJS::CallMethod (this=0x129227380, methodIndex=3, info=0x11b44af70, params=0x7fff5fbf99c0) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/src/XPCWrappedJS.cpp:580
#41 0x0000000103807dd2 in PrepareAndDispatch (self=0x11fc49120, methodIndex=3, args=0x7fff5fbf9b10, gpregs=0x7fff5fbf9a90, fpregs=0x7fff5fbf9ac0) at /Users/ekr/dev/mozilla-inbound/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:121
#42 0x000000010380683b in SharedStub () at /Users/ekr/dev/mozilla-inbound/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_darwin.cpp:35
#43 0x0000000103765536 in nsObserverList::NotifyObservers (this=0x128f922a0, aSubject=0x11d3bb260, aTopic=0x14bddca88 "inner-window-destroyed", someData=0x0) at /Users/ekr/dev/mozilla-inbound/xpcom/ds/nsObserverList.cpp:99
#44 0x00000001037679f4 in nsObserverService::NotifyObservers (this=0x1003fbe70, aSubject=0x11d3bb260, aTopic=0x14bddca88 "inner-window-destroyed", someData=0x0) at /Users/ekr/dev/mozilla-inbound/xpcom/ds/nsObserverService.cpp:156
#45 0x00000001022b3d2a in WindowDestroyedEvent::Run (this=0x14b250d00) at /Users/ekr/dev/mozilla-inbound/dom/base/nsGlobalWindow.cpp:6968
#46 0x00000001037cd6b6 in nsThread::ProcessNextEvent (this=0x100342420, mayWait=true, result=0x7fff5fbf9ebe) at /Users/ekr/dev/mozilla-inbound/xpcom/threads/nsThread.cpp:627
#47 0x00000001037332b9 in NS_ProcessNextEvent_P (thread=0x100342420, mayWait=true) at nsThreadUtils.cpp:221
#48 0x00000001037cc4c3 in nsThread::Dispatch (this=0x100342830, event=0x149fd4220, flags=1) at /Users/ekr/dev/mozilla-inbound/xpcom/threads/nsThread.cpp:410
#49 0x00000001012fbe2e in nsSocketTransportService::Dispatch (this=0x10033b440, event=0x149fd4220, flags=1) at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:123
#50 0x00000001012fbea5 in non-virtual thunk to nsSocketTransportService::Dispatch(nsIRunnable*, unsigned int) () at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:130
#51 0x00000001044ace87 in sipcc::PeerConnectionImpl::ShutdownMedia (this=0x126de43d0) at PeerConnectionImpl.cpp:1113
#52 0x00000001044a819e in sipcc::PeerConnectionImpl::Close (this=0x126de43d0) at PeerConnectionImpl.cpp:1096
#53 0x00000001044a7eb8 in sipcc::PeerConnectionImpl::~PeerConnectionImpl (this=0x126de43d0) at PeerConnectionImpl.cpp:341
#54 0x00000001044a7da5 in sipcc::PeerConnectionImpl::~PeerConnectionImpl (this=0x126de43d0) at PeerConnectionImpl.cpp:339
#55 0x00000001044a7d79 in sipcc::PeerConnectionImpl::~PeerConnectionImpl (this=0x126de43d0) at PeerConnectionImpl.cpp:339
#56 0x00000001044a7a0e in sipcc::PeerConnectionImpl::Release (this=0x126de43d0) at PeerConnectionImpl.cpp:322
#57 0x0000000102ae580f in DoDeferredRelease (array=@0x11b65f720) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/src/XPCJSRuntime.cpp:508
#58 0x0000000102ae5697 in XPCJSRuntime::GCCallback (rt=0x11c502000, status=JSGC_END) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/src/XPCJSRuntime.cpp:714
#59 0x00000001046e7b17 in Collect (rt=0x11c502000, incremental=true, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::TRANSPLANT) at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:4571
#60 0x00000001046e7be6 in js::GCFinalSlice (rt=0x11c502000, gckind=js::GC_NORMAL, reason=js::gcreason::TRANSPLANT) at /Users/ekr/dev/mozilla-inbound/js/src/jsgc.cpp:4613
#61 0x00000001046cf6f2 in js::FinishIncrementalGC (rt=0x11c502000, reason=js::gcreason::TRANSPLANT) at /Users/ekr/dev/mozilla-inbound/js/src/jsfriendapi.cpp:178
#62 0x0000000104624823 in JS_TransplantObject (cx=0x1003a95c0, origobjArg=0x11cfc5080, targetArg=0x11cfe1080) at /Users/ekr/dev/mozilla-inbound/js/src/jsapi.cpp:1559
#63 0x0000000102c25082 in xpc::TransplantObject (cx=0x1003a95c0, origobj=0x11cfc5080, target=0x11cfe1080) at /Users/ekr/dev/mozilla-inbound/js/xpconnect/wrappers/WrapperFactory.cpp:620
#64 0x000000010226d535 in nsGlobalWindow::SetNewDocument (this=0x127b6e400, aDocument=0x11d060800, aState=0x0, aForceReuseInnerWindow=false) at /Users/ekr/dev/mozilla-inbound/dom/base/nsGlobalWindow.cpp:2020
#65 0x00000001017a49cc in DocumentViewerImpl::InitInternal (this=0x11d4b88a0, aParentWidget=0x0, aState=0x0, aBounds=@0x7fff5fbfb388, aDoCreation=true, aNeedMakeCX=true, aForceSetNewDocument=true) at /Users/ekr/dev/mozilla-inbound/layout/base/nsDocumentViewer.cpp:934
#66 0x00000001017a3f94 in DocumentViewerImpl::Init (this=0x11d4b88a0, aParentWidget=0x0, aBounds=@0x7fff5fbfb388) at /Users/ekr/dev/mozilla-inbound/layout/base/nsDocumentViewer.cpp:684
#67 0x0000000102c53080 in nsDocShell::SetupNewViewer (this=0x127850000, aNewViewer=0x11d4b88a0) at /Users/ekr/dev/mozilla-inbound/docshell/base/nsDocShell.cpp:8101
#68 0x0000000102c47119 in nsDocShell::Embed (this=0x127850000, aContentViewer=0x11d4b88a0, aCommand=0x104e029d8 "", aExtraInfo=0x0) at /Users/ekr/dev/mozilla-inbound/docshell/base/nsDocShell.cpp:6153
#69 0x0000000102c50716 in nsDocShell::CreateContentViewer (this=0x127850000, aContentType=0x14b975978 "text/html", request=0x11d4b87a0, aContentHandler=0x14ba99260) at /Users/ekr/dev/mozilla-inbound/docshell/base/nsDocShell.cpp:7887
#70 0x0000000102c76024 in nsDSURIContentListener::DoContent (this=0x126cfc880, aContentType=0x14b975978 "text/html", aIsContentPreferred=false, request=0x11d4b87a0, aContentHandler=0x14ba99260, aAbortProcess=0x7fff5fbfbc87) at /Users/ekr/dev/mozilla-inbound/docshell/base/nsDSURIContentListener.cpp:122
#71 0x0000000102c81fb2 in nsDocumentOpenInfo::TryContentListener (this=0x14ba99240, aListener=0x126cfc880, aChannel=0x11d4b87a0) at /Users/ekr/dev/mozilla-inbound/uriloader/base/nsURILoader.cpp:654
#72 0x0000000102c80a58 in nsDocumentOpenInfo::DispatchContent (this=0x14ba99240, request=0x11d4b87a0, aCtxt=0x0) at /Users/ekr/dev/mozilla-inbound/uriloader/base/nsURILoader.cpp:356
#73 0x0000000102c803e6 in nsDocumentOpenInfo::OnStartRequest (this=0x14ba99240, request=0x11d4b87a0, aCtxt=0x0) at /Users/ekr/dev/mozilla-inbound/uriloader/base/nsURILoader.cpp:248
#74 0x000000010128d71f in nsBaseChannel::OnStartRequest (this=0x11d4b8750, request=0x12b3b9400, ctxt=0x0) at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsBaseChannel.cpp:729
#75 0x000000010128db07 in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) () at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsBaseChannel.cpp:688
#76 0x00000001012adae3 in nsInputStreamPump::OnStateStart (this=0x12b3b9400) at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsInputStreamPump.cpp:417
#77 0x00000001012ad7e5 in nsInputStreamPump::OnInputStreamReady (this=0x12b3b9400, stream=0x14a4c5b38) at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsInputStreamPump.cpp:368
#78 0x00000001012ae3ff in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) () at /Users/ekr/dev/mozilla-inbound/netwerk/base/src/nsInputStreamPump.cpp:559
#79 0x000000010379d4d0 in nsInputStreamReadyEvent::Run (this=0x14ba021c0) at /Users/ekr/dev/mozilla-inbound/xpcom/io/nsStreamUtils.cpp:82
#80 0x00000001037cd6b6 in nsThread::ProcessNextEvent (this=0x100342420, mayWait=false, result=0x7fff5fbfc4e3) at /Users/ekr/dev/mozilla-inbound/xpcom/threads/nsThread.cpp:627
#81 0x00000001037330fc in NS_ProcessPendingEvents_P (thread=0x100342420, timeout=20) at nsThreadUtils.cpp:171
#82 0x00000001031793cf in nsBaseAppShell::NativeEventCallback (this=0x11b646160) at /Users/ekr/dev/mozilla-inbound/widget/xpwidgets/nsBaseAppShell.cpp:97
#83 0x00000001031089ec in nsAppShell::ProcessGeckoEvents (aInfo=0x11b646160) at /Users/ekr/dev/mozilla-inbound/widget/cocoa/nsAppShell.mm:398
#84 0x00007fff8a69a3d1 in __CFRunLoopDoSources0 ()
#85 0x00007fff8a6985c9 in __CFRunLoopRun ()
#86 0x00007fff8a697d8f in CFRunLoopRunSpecific ()
#87 0x00007fff87ee07ee in RunCurrentEventLoopInMode ()
#88 0x00007fff87ee0551 in ReceiveNextEventCommon ()
#89 0x00007fff87ee04ac in BlockUntilNextEventMatchingListInMode ()
#90 0x00007fff83a65eb2 in _DPSNextEvent ()
#91 0x00007fff83a65801 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#92 0x00000001031070b7 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (self=0x100365160, _cmd=0x7fff8415d138, mask=18446744073709551615, expiration=0x11d36f540, mode=0x7fff7127c390, flag=1 '\001') at /Users/ekr/dev/mozilla-inbound/widget/cocoa/nsAppShell.mm:164
#93 0x00007fff83a2b68f in -[NSApplication run] ()
#94 0x00000001031094c1 in nsAppShell::Run (this=0x11b646160) at /Users/ekr/dev/mozilla-inbound/widget/cocoa/nsAppShell.mm:752
#95 0x0000000102d7799c in nsAppStartup::Run (this=0x11b4347e0) at /Users/ekr/dev/mozilla-inbound/toolkit/components/startup/nsAppStartup.cpp:290
#96 0x0000000101220aa2 in XREMain::XRE_mainRun (this=0x7fff5fbfdf80) at /Users/ekr/dev/mozilla-inbound/toolkit/xre/nsAppRunner.cpp:3819
#97 0x000000010122126f in XREMain::XRE_main (this=0x7fff5fbfdf80, argc=1, argv=0x7fff5fbfeb70, aAppData=0x100008250) at /Users/ekr/dev/mozilla-inbound/toolkit/xre/nsAppRunner.cpp:3886
#98 0x000000010122169d in XRE_main (argc=1, argv=0x7fff5fbfeb70, aAppData=0x100008250, aFlags=0) at /Users/ekr/dev/mozilla-inbound/toolkit/xre/nsAppRunner.cpp:3965
#99 0x0000000100001ce3 in do_main (argc=1, argv=0x7fff5fbfeb70) at /Users/ekr/dev/mozilla-inbound/browser/app/nsBrowserApp.cpp:174
#100 0x000000010000154c in main (argc=1, argv=0x7fff5fbfeb70) at /Users/ekr/dev/mozilla-inbound/browser/app/nsBrowserApp.cpp:279
(gdb)

    
    

    
  

      
      
      
      

        Attached file
          
        Complete stack trace
      

    


  

    
    

    
  
Eric, this is a different stack. Can you please file as a new bug?
Whiteboard: [WebRTC], [blocking-webrtc+] → [WebRTC], [blocking-webrtc+] [qa verification blocked]

    
  
Blocks: 811183

    
  
Blocks: 811184

    
    

    
  
Untracking for FF18 since we don't expect to ship WebRTC enabled in that version of Firefox. Will likely do the same for FF19 (the feature is targeted for FF20).

          tracking-firefox18:
          +-
Keywords: verifyme
Whiteboard: [WebRTC], [blocking-webrtc+] [qa verification blocked] → [WebRTC], [blocking-webrtc+]

    
    

    
  
Can't reproduce any of the crashes with the attached test cases on trunk. Marking verified as such.
Status: RESOLVED → VERIFIED

          status-firefox19:
          affectedverified
Keywords: verifyme

    
    

    
  
This was behind a pref (aka "disabled by default") in 18 and earlier, right? This was never shipped as an active issue?

    
    

    
  
Correct, this still has not been enabled-by-default

          status-firefox18:
          affecteddisabled
Whiteboard: [WebRTC], [blocking-webrtc+] → [WebRTC], [blocking-webrtc+] [adv-main19-]
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: