Closed Bug 805729 Opened 13 years ago Closed 13 years ago

WebRTC crash [@nr_ice_candidate_pair_stun_cb]

Categories

(Core :: WebRTC: Networking, defect, P1)

Product:
Core
Component:
WebRTC: Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox17 --- unaffected
firefox18 --- disabled
firefox19 --- disabled
firefox20 --- disabled
firefox21 + fixed
firefox-esr10 --- unaffected

People

(Reporter: posidron, Assigned: ekr)

References

Details

(Keywords: crash, sec-critical, Whiteboard: [WebRTC] [blocking-webrtc+][fixed via 825651?][qa-][adv-main21-])

Attachments

(1 file)

callstack
26.74 KB, text/plain
Details
Attached file callstack
Reproducible use-after-free bug, couldn't reproduce with a single testcase yet but it pops up every now and then with the same callstack. alloc: media/mtransport/third_party/nICEr/src/ice/ice_candidate_pair.c:63 int nr_ice_candidate_pair_create(nr_ice_peer_ctx *pctx, nr_ice_candidate *lcand,nr_ice_candidate *rcand,nr_ice_cand_pair **pairp) { [...] if(!(pair=RCALLOC(sizeof(nr_ice_cand_pair)))) ABORT(R_NO_MEMORY); [...] free: media/mtransport/third_party/nICEr/src/ice/ice_candidate_pair.c:175 int nr_ice_candidate_pair_destroy(nr_ice_cand_pair **pairp) { [...] RFREE(pair); [...] re-use: media/mtransport/third_party/nICEr/src/ice/ice_candidate_pair.c:200 [...] r_log(LOG_ICE,LOG_DEBUG,"ICE-PEER(%s)/STREAM(%s): STUN cb on pair %s", pair->pctx->label,pair->local->stream->label,pair->as_string); [...] Tested on m-central with changeset: 111360:58c8080a1a7c
Priority: -- → P1
Whiteboard: [WebRTC] → [WebRTC] [blocking-webrtc+]
ekr: same question - have you looked at this, and if so, is this also expected to be fixed by the lock patch? Thanks.
Not crashtest worthy at the moment, as it needs a clearer consistent testcase defined.
Flags: in-testsuite-
Adding a needinfo?ekr for comment 1
Flags: needinfo?(ekr)
ekr: bump
Assignee: nobody → ekr
OS: Mac OS X → All
Hardware: x86_64 → All
All of these events are on the STS thread, so I doubt that any locks would fix it. I'm not sure what the problem is, but presumably it's a failure to cancel some timer.
Flags: needinfo?(ekr)
A lot of things have changed. Are you still seeing this?
cdiehl - can you retest this for us? Thanks.
Flags: needinfo?(cdiehl)
cdiehl: if you do repro, please report the timer duration of the timer in question here. The field is timer.mDelay.
jesup: I think this is probably an NR_ASYNC_SCHEDULE non-cancellation issue, but I would like to verify before we start fixing.
I haven't seen this crash for a while but if it occurs again I will let you know.
Flags: needinfo?(cdiehl)
Given it hasn't been seen recently, do we believe this has been fixed along the way by other fixes? Is there any way to verify that or to add assertions to catch this if it's still happening?
Flags: needinfo?(ekr)
I suspect that it has not been fixed because we know that ASYNC_SCHEDULE is still a potential issue. It's probably just pretty hard to reproduce from JS.
Flags: needinfo?(ekr)
I believe this is now fixed by 825651. I'm marking as resolved. Please reopen if you see it again,
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [WebRTC] [blocking-webrtc+] → [WebRTC] [blocking-webrtc+][fixed via 825651?]
Whiteboard: [WebRTC] [blocking-webrtc+][fixed via 825651?] → [WebRTC] [blocking-webrtc+][fixed via 825651?][qa-]
Whiteboard: [WebRTC] [blocking-webrtc+][fixed via 825651?][qa-] → [WebRTC] [blocking-webrtc+][fixed via 825651?][qa-][adv-main21-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: