Closed Bug 805701 Opened 12 years ago Closed 12 years ago

WebRTC crash [@fsm_init_fcb]

Categories

(Core :: WebRTC: Signaling, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla19
Tracking Status
firefox18 --- affected

People

(Reporter: posidron, Assigned: jesup)

References

Details

(Keywords: crash, Whiteboard: [testcase see comment 3][qa-])

Attachments

(2 files)

Attached file callstack
This might be caused by the same issue as in https://bugzilla.mozilla.org/show_bug.cgi?id=805691
I cannot get a workable testcase for either bug, but they occur on a regular basis during SDP fuzzing. Will try to provide more information.

media/webrtc/signaling/src/sipcc/core/gsm/fsm.c

void
fsm_init_fcb (fsm_fcb_t *fcb, callid_t call_id, fsmdef_dcb_t *dcb,
              fsm_types_t type)
{
    fcb->call_id = call_id;
[...]

media/webrtc/signaling/src/sipcc/core/gsm/fim.c
[...]
    for (icb = call_chn; icb != NULL; icb = icb->next_icb) {
        if (icb->scb->free_cb != NULL) {
            icb->scb->free_cb(icb, icb->call_id);
        }
        icb->call_id = CC_NO_CALL_ID;
        icb->cb = NULL;
    }
[...]

Tested on m-central with changeset: 111360:58c8080a1a7c
While that callstack looks impossible, there's very likely a fsmdef.c:1194 in between frames 0 and 1.

That's the only free_cb pointer value that has a tail-call to fsm_init_fcb *and* doesn't check fsm for NULL.

Why it would be NULL is another question, but certainly all the other init callers generally check against NULL, so it's probably best to just add the null check.
Attachment #675810 - Flags: review?(ethanhugg)
Assignee: nobody → rjesup
This crash can be seen on OS X with my testcase from bug 798323 (attachment 671342 [details]).

https://crash-stats.mozilla.com/report/index/fcba0483-1c28-4d90-81c5-709ef2121027
Whiteboard: [testcase see comment 3]
Just one more note: you will have to let Nightly run for a while with the testcase open. It should crash after about 2 minutes.
Comment on attachment 675810 [details] [diff] [review]
protect against NULL fcb pointer

Review of attachment 675810 [details] [diff] [review]:
-----------------------------------------------------------------

r+ with syntax error fixed.  Although this is probably a symptom of a larger problem.  We should re-test after lock patch.

::: media/webrtc/signaling/src/sipcc/core/gsm/fsmdef.c
@@ +1192,5 @@
>              fsmdef_init_dcb(dcb, CC_NO_CALL_ID, FSMDEF_CALL_TYPE_NONE,
>                              NULL, LSM_NO_LINE, NULL);
> +            /* fsmdef_init_dcb(...,NULL) will always set the fcb ptr to NULL,
> +               so if fsmdef_free_cb were called on that we'd have fcb==NULL here */
> +            if (fcb != NULL) {
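Review bot: the new `if (fcb != NULL) {` at the end of this hunk opens a block whose closing brace is not in the visible context, so the patch as quoted will not compile until the brace after the fsm_init_fcb call is added. A second point on the same lines: the comment says fsmdef_init_dcb(...,NULL) always sets the fcb pointer to NULL, so reaching this callback with fcb == NULL means fsmdef_free_cb has been invoked on a dcb that was already reset; rather than only skipping silently, consider logging or asserting on that path so the larger problem the review mentions stays visible in future crash reports.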

I believe we're missing a closing brace here.  Syntax error.
Attachment #675810 - Flags: review?(ethanhugg) → review+
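The NULL-fcb path described in comment 1 and in the review above, as an added example that is not code from this bug or from the Firefox tree: a hypothetical, simplified C model of the icb chain, the teardown loop quoted from fim.c, and the fsmdef free callback before and after the guard. The struct layouts, the dcb pointer kept on the icb, the int return value of free_cb, and the helpers build_chain, fim_free_call_chain and second_pass_result are all assumptions made for the example; only the type and function names follow the bug.

```c
#include <stddef.h>

/* Hypothetical, simplified models of the sipcc structures named in the bug. Only the names
 * follow fsm.c / fim.c / fsmdef.c; the field layouts, the dcb pointer kept on the icb and the
 * int return from free_cb are assumptions made so a test can drive the NULL-fcb path. */
typedef int callid_t;
#define CC_NO_CALL_ID (-1)
typedef enum { FSM_TYPE_NONE = 0, FSM_TYPE_DEF = 1 } fsm_types_t;
typedef struct fsmdef_dcb fsmdef_dcb_t;
typedef struct fsm_fcb { callid_t call_id; fsmdef_dcb_t *dcb; fsm_types_t type; } fsm_fcb_t;
struct fsmdef_dcb { callid_t call_id; fsm_fcb_t *fcb; };  /* fcb is NULL after fsmdef_init_dcb(..., NULL) */
typedef struct fim_icb fim_icb_t;
/* assumed return value: 1 if an fcb was re-initialised, 0 if the callback skipped it */
typedef struct fim_scb { int (*free_cb)(fim_icb_t *icb, callid_t call_id); } fim_scb_t;
struct fim_icb {
    callid_t      call_id;
    fim_scb_t    *scb;
    void         *cb;        /* this icb's fsm_fcb_t; the fim.c loop clears it to NULL */
    fsmdef_dcb_t *dcb;       /* assumption: the dcb is reachable from the icb in this model */
    fim_icb_t    *next_icb;
};

/* Mirrors the first statement of fsm_init_fcb in fsm.c: fcb is written unconditionally. */
static void fsm_init_fcb(fsm_fcb_t *fcb, callid_t call_id, fsmdef_dcb_t *dcb, fsm_types_t type) {
    fcb->call_id = call_id;
    fcb->dcb = dcb;
    fcb->type = type;
}

/* Stand-in for fsmdef_init_dcb: the fcb argument is stored as given, so NULL stays NULL. */
static void fsmdef_init_dcb(fsmdef_dcb_t *dcb, callid_t call_id, fsm_fcb_t *fcb) {
    dcb->call_id = call_id;
    dcb->fcb = fcb;
}

/* Callback shape before the patch: the tail call into fsm_init_fcb runs even when the icb's
 * fcb was already cleared by an earlier teardown. Kept for comparison; never run on NULL here. */
static int fsmdef_free_cb_unguarded(fim_icb_t *icb, callid_t call_id) {
    fsm_fcb_t *fcb = (fsm_fcb_t *)icb->cb;
    (void)call_id;
    fsmdef_init_dcb(icb->dcb, CC_NO_CALL_ID, NULL);
    fsm_init_fcb(fcb, CC_NO_CALL_ID, icb->dcb, FSM_TYPE_DEF);   /* NULL dereference if fcb == NULL */
    return 1;
}

/* Callback shape after the patch: the same reset, but fsm_init_fcb only runs on a live fcb. */
static int fsmdef_free_cb_guarded(fim_icb_t *icb, callid_t call_id) {
    fsm_fcb_t *fcb = (fsm_fcb_t *)icb->cb;
    (void)call_id;
    fsmdef_init_dcb(icb->dcb, CC_NO_CALL_ID, NULL);
    if (fcb != NULL) {
        fsm_init_fcb(fcb, CC_NO_CALL_ID, icb->dcb, FSM_TYPE_DEF);
        return 1;
    }
    return 0;   /* torn down once already: skip instead of dereferencing NULL */
}

/* The teardown loop quoted from fim.c; returns how many fcbs the callbacks re-initialised. */
static int fim_free_call_chain(fim_icb_t *call_chn) {
    int reinitialised = 0;
    fim_icb_t *icb;
    for (icb = call_chn; icb != NULL; icb = icb->next_icb) {
        if (icb->scb->free_cb != NULL) {
            reinitialised += icb->scb->free_cb(icb, icb->call_id);
        }
        icb->call_id = CC_NO_CALL_ID;
        icb->cb = NULL;
    }
    return reinitialised;
}

/* Constructed fixture: a two-entry call chain with live fcbs, all wired to free_cb. */
static fim_icb_t *build_chain(int (*free_cb)(fim_icb_t *, callid_t)) {
    static fsm_fcb_t fcbs[2];
    static fsmdef_dcb_t dcbs[2];
    static fim_icb_t icbs[2];
    static fim_scb_t scb;
    scb.free_cb = free_cb;
    for (int i = 0; i < 2; i++) {
        fsmdef_init_dcb(&dcbs[i], 100 + i, &fcbs[i]);
        fsm_init_fcb(&fcbs[i], 100 + i, &dcbs[i], FSM_TYPE_DEF);
        icbs[i].call_id = 100 + i;
        icbs[i].scb = &scb;
        icbs[i].cb = &fcbs[i];
        icbs[i].dcb = &dcbs[i];
        icbs[i].next_icb = (i + 1 < 2) ? &icbs[i + 1] : NULL;
    }
    return &icbs[0];
}

/* Tears a fresh chain down twice, as the patch comment describes: returns the number of fcbs
 * the second pass re-initialised, or -1 if that pass would dereference NULL. */
static int second_pass_result(int (*free_cb)(fim_icb_t *, callid_t)) {
    fim_icb_t *chain = build_chain(free_cb);
    fim_free_call_chain(chain);                           /* first, normal teardown: every cb is now NULL */
    if (free_cb == fsmdef_free_cb_unguarded) return -1;   /* the unguarded callback would dereference it */
    return fim_free_call_chain(chain);                    /* the second pass survives only with the guard */
}
```

The first teardown behaves identically with either callback, which is why the crash only shows up under sustained fuzzing rather than in a simple run; the guard turns the second invocation into a no-op that returns 0 instead of a read through a NULL pointer.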
https://hg.mozilla.org/mozilla-central/rev/19dc5eccbc06
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [testcase see comment 3] → [testcase see comment 3][qa-]
Not crashtest-worthy, since another bug likely already covers the crashtest; the other bug referenced by whimboo may be crashtest-worthy, and that test will inevitably cover this bug too.
Flags: in-testsuite? → in-testsuite-