WebRTC crash [@fsm_init_fcb]

RESOLVED FIXED in mozilla19

Status


Core
WebRTC: Signaling
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: posidron, Assigned: jesup)

Tracking

(Blocks: 1 bug, {crash})

Trunk
mozilla19
x86_64
Mac OS X
crash
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox18 affected)

Details

(Whiteboard: [testcase see comment 3][qa-])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 675408 [details]
callstack

This might be caused by the same issue as in https://bugzilla.mozilla.org/show_bug.cgi?id=805691
I cannot get a workable testcase for both bugs, but they occur on a regular basis during SDP fuzzing. Will try to provide more information.

media/webrtc/signaling/src/sipcc/core/gsm/fsm.c

void
fsm_init_fcb (fsm_fcb_t *fcb, callid_t call_id, fsmdef_dcb_t *dcb,
              fsm_types_t type)
{
    /* fcb is dereferenced on the first statement; there is no NULL check */
    fcb->call_id = call_id;
[...]

media/webrtc/signaling/src/sipcc/core/gsm/fim.c
[...]
    for (icb = call_chn; icb != NULL; icb = icb->next_icb) {
        /* free_cb is a per-state-machine callback; icb is the fcb it receives */
        if (icb->scb->free_cb != NULL) {
            icb->scb->free_cb(icb, icb->call_id);
        }
        icb->call_id = CC_NO_CALL_ID;
        icb->cb = NULL;
    }
[...]

Tested on m-central with changeset: 111360:58c8080a1a7c
(Assignee)

Comment 1

5 years ago
While that callstack looks impossible, there's very likely a fsmdef.c:1194 in between frames 0 and 1.

That's the only free_cb pointer value that has a tail-call to fsm_init_fcb *and* doesn't check fsm for NULL.

Why it would be NULL is another question, but certainly all the other init callers generally check against NULL, so probably best to just add the null check.
(Assignee)

Comment 2

5 years ago
Created attachment 675810 [details] [diff] [review]
protect against NULL fcb pointer
(Assignee)

Updated

5 years ago
Attachment #675810 - Flags: review?(ethanhugg)
(Assignee)

Updated

5 years ago
Assignee: nobody → rjesup
Comment 3

5 years ago
This crash can be seen on OS X with my testcase from bug 798323 (attachment 671342 [details]).

https://crash-stats.mozilla.com/report/index/fcba0483-1c28-4d90-81c5-709ef2121027
Whiteboard: [testcase see comment 3]

Comment 4

5 years ago
Just one more note: you will have to let Nightly run for a while with the testcase open. It should crash after about 2 minutes.

Comment 5

5 years ago
Comment on attachment 675810 [details] [diff] [review]
protect against NULL fcb pointer

Review of attachment 675810 [details] [diff] [review]:
-----------------------------------------------------------------

r+ with syntax error fixed.  Although this is probably a symptom of a larger problem.  We should re-test after lock patch.

::: media/webrtc/signaling/src/sipcc/core/gsm/fsmdef.c
@@ +1192,5 @@
>              fsmdef_init_dcb(dcb, CC_NO_CALL_ID, FSMDEF_CALL_TYPE_NONE,
>                              NULL, LSM_NO_LINE, NULL);
> +            /* fsmdef_init_dcb(...,NULL) will always set the fcb ptr to NULL,
> +               so if fsmdef_free_cb were called on that we'd have fcb==NULL here */
> +            if (fcb != NULL) {
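Review bot: the `if (fcb != NULL) {` added at the end of this hunk opens a block whose closing brace is not in the hunk, so as quoted the patch does not compile; the `}` has to follow the call the check is meant to guard. Separately, the new comment says fsmdef_init_dcb(...,NULL) always leaves fcb NULL, so silently skipping the re-init hides the caller that is running free_cb on an already-reset dcb; an assertion or debug log on the fcb == NULL path would make that caller visible instead of just suppressing the crash.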

I believe we're missing a closing brace here.  Syntax error.
Attachment #675810 - Flags: review?(ethanhugg) → review+
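To make the failure mode in comment 1 and the shape of the fix reviewed in comment 5 concrete, here is an added, self-contained model of the dcb/fcb relationship. It is example code written for this page, not Firefox or sipcc source: the struct layouts, the two free_cb variants and the teardown_twice driver are assumptions that mirror the bug's description (fsmdef_init_dcb(..., NULL) clears dcb->fcb, and free_cb then tail-calls fsm_init_fcb on that pointer). The unpatched path is stopped just before it would dereference NULL so the program can report the condition instead of segfaulting.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not Firefox/sipcc code. Names follow the bug (fsm_fcb_t,
 * fsmdef_dcb_t, fsm_init_fcb, fsmdef_init_dcb) but the fields are invented. */

#define CC_NO_CALL_ID 0
typedef unsigned int callid_t;

struct fsmdef_dcb;

typedef struct fsm_fcb {
    callid_t call_id;
    struct fsmdef_dcb *dcb;
} fsm_fcb_t;

typedef struct fsmdef_dcb {
    callid_t call_id;
    struct fsm_fcb *fcb;   /* becomes NULL once the dcb is reset */
} fsmdef_dcb_t;

/* Like the real fsm_init_fcb quoted in the report: fcb is dereferenced
 * unconditionally on the first statement. */
static void fsm_init_fcb(fsm_fcb_t *fcb, callid_t call_id, fsmdef_dcb_t *dcb)
{
    fcb->call_id = call_id;
    fcb->dcb = dcb;
}

/* Reset a dcb; fsmdef_init_dcb(..., NULL) stores NULL into dcb->fcb,
 * which is the condition the patch comment in comment 5 describes. */
static void fsmdef_init_dcb(fsmdef_dcb_t *dcb, callid_t call_id, fsm_fcb_t *fcb)
{
    dcb->call_id = call_id;
    dcb->fcb = fcb;
}

/* Unpatched free_cb (assumed shape): reset the dcb, then re-init the fcb
 * without checking it. Returns the number of fsm_init_fcb calls made. */
static int free_cb_unpatched(fsm_fcb_t *fcb, fsmdef_dcb_t *dcb)
{
    fsmdef_init_dcb(dcb, CC_NO_CALL_ID, NULL);
    fsm_init_fcb(fcb, CC_NO_CALL_ID, dcb);   /* NULL deref when fcb == NULL */
    return 1;
}

/* Patched free_cb in the shape of attachment 675810: skip the re-init
 * when fcb is NULL. Returns 1 if re-initialised, 0 if skipped. */
static int free_cb_patched(fsm_fcb_t *fcb, fsmdef_dcb_t *dcb)
{
    fsmdef_init_dcb(dcb, CC_NO_CALL_ID, NULL);
    if (fcb != NULL) {
        fsm_init_fcb(fcb, CC_NO_CALL_ID, dcb);
        return 1;
    }
    return 0;
}

/* Tear the same call down twice, as a fuzzed signaling sequence might.
 * The second pass sees dcb->fcb == NULL. Returns the number of fcb
 * re-inits, or -1 where the unpatched code would have dereferenced NULL
 * (the early return stands in for the SIGSEGV so the example stays runnable). */
static int teardown_twice(int patched)
{
    fsm_fcb_t fcb_storage;
    fsmdef_dcb_t dcb;
    int inits = 0;
    int i;

    fsmdef_init_dcb(&dcb, 42, &fcb_storage);   /* constructed call id 42 */
    fsm_init_fcb(&fcb_storage, 42, &dcb);

    for (i = 0; i < 2; i++) {
        fsm_fcb_t *fcb = dcb.fcb;   /* NULL on the second pass */
        if (patched) {
            inits += free_cb_patched(fcb, &dcb);
        } else {
            if (fcb == NULL)
                return -1;          /* would crash inside fsm_init_fcb */
            inits += free_cb_unpatched(fcb, &dcb);
        }
    }
    return inits;
}

int main(void)
{
    printf("patched:   %d re-init(s), second teardown skipped\n", teardown_twice(1));
    printf("unpatched: %s\n", teardown_twice(0) < 0 ? "would dereference NULL fcb" : "ok");
    return 0;
}
```

The model shows why the reviewer called the patch a symptom fix: with the check in place the second teardown simply does nothing, and nothing records that a free_cb ran against a dcb that had already been reset. If the lock patch mentioned in comment 5 removes the ordering problem, the guarded branch should never be taken; an assertion or log on that branch is how to confirm it.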
(Assignee)

Comment 6

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/19dc5eccbc06
status-firefox18: --- → affected
status-firefox19: --- → affected
Target Milestone: --- → mozilla19
https://hg.mozilla.org/mozilla-central/rev/19dc5eccbc06
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite?
Resolution: --- → FIXED

Updated

5 years ago
Whiteboard: [testcase see comment 3] → [testcase see comment 3][qa-]

Updated

5 years ago
status-firefox19: affected → ---
Not crashtest-worthy, since another bug likely already covers the crashtest; although the other bug referenced by whimboo may be crashtest-worthy, and that will inevitably cover this bug.
Flags: in-testsuite? → in-testsuite-