Closed Bug 808546 Opened 12 years ago Closed 12 years ago

WebRTC crash [@nsDOMMediaStream::GetStream]

Categories

(Core :: WebRTC: Audio/Video, defect, P1)

Product:
Core
Component:
WebRTC: Audio/Video
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox18 --- disabled
firefox19 --- disabled
firefox20 + fixed
firefox-esr17 --- unaffected

People

(Reporter: posidron, Assigned: jesup)

References

Details

(Keywords: crash, sec-critical, testcase, Whiteboard: [asan][WebRTC][blocking-webrtc+][qa-][adv-main20-])

Crash Data

Attachments

(5 files)

callstack
8.03 KB, text/plain
Details
NSPR_LOG
16.36 KB, text/plain
Details
testcase
1.45 KB, text/html
Details
Testcase that loops
1.58 KB, text/html
Details
callstack with patch from bug 792175
148.58 KB, text/plain
Details
Attached file callstack
Tested with m-c changeset: 112272:ab099c9e1a09
Attached file NSPR_LOG
From the log: 565325824[1311df480]: VcmSipccBinding vcmRxStartICE(7f1a88324fc9ac82) 565325824[1311df480]: VcmSipccBinding Making new transport flow for level=1 rtcp=false 565325824[1311df480]: VcmSipccBinding Making new transport flow for level=1 rtcp=true 565325824[1311df480]: WebrtcAudioSessionConduit Create 565325824[1311df480]: WebrtcAudioSessionConduit Init 1987719552[1037e9e80]: PeerConnectionImpl ShutdownMedia Disconnecting media streams from PC 556646400[13121f480]: cpr SIPCC-CC_API: 8/15, cc_int_onhook: UI -> GSM: ONHOOK 1987719552[1037e9e80]: PeerConnectionImpl ShutdownMedia Disconnecting transport 1987719552[1037e9e80]: PeerConnectionImpl ShutdownMedia Media shut down 1987719552[1037e9e80]: PeerConnectionImpl ShutdownMedia Disconnecting media streams from PC 556646400[13121f480]: cpr SIPCC-CC_API: 10/16, cc_int_onhook: UI -> GSM: ONHOOK 1987719552[1037e9e80]: PeerConnectionImpl ShutdownMedia Disconnecting transport 1987719552[1037e9e80]: PeerConnectionImpl ShutdownMedia Media shut down 565325824[1311df480]: WebrtcAudioSessionConduit Init Channel Created 0 565325824[1311df480]: WebrtcAudioSessionConduit Init AudioSessionConduit Initialization Done 565325824[1311df480]: WebrtcAudioSessionConduit Create Successfully created AudioConduit I'd guess this is due to a race between startup of a session and an almost immediate shutdown. Without local vars I can't be sure, but I'd bet the stream_ dis null or bad. Did asan indicate what sort of failure it was?
Can you give steps to reproduce?
Oh, sorry that line got cut of. It's a null pointer dereference. It's reproducible but sadly not always at the same place therefore I couldn't provide a testcase.
Not a candidate for a crashtest.
Flags: in-testsuite-
Verify this exists when peer connection shutdown lands.
Priority: -- → P1
Whiteboard: [asan][WebRTC][blocking-webrtc+]
Attached file testcase
To reproduce reload the testcase a few times. The testcase will lead to crashes at non determinable locations. Tested with m-c changeset: 113558:9a6d708faf3f
Whiteboard: [asan][WebRTC][blocking-webrtc+] → [asan][WebRTC][blocking-webrtc+][fuzzblocker]
Keywords: testcase
And...now it's a candidate for a crashtest with the testcase given.
Flags: in-testsuite- → in-testsuite?
This testcase doesn't reproduce the crash for me with Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:20.0) Gecko/20.0 Firefox/20.0 ID:20121122030751 and newer.
Hm, still works here, in fact it can crash at the same place as https://bugzilla.mozilla.org/show_bug.cgi?id=810626 therefore marking s-s. Tested with m-c changeset: 114110:541ccce39563
Group: core-security
Crash Signature: [@ nsDOMMediaStream::GetStream] [@ nsDOMMediaStream::GetHintContents] [@ sipcc::PeerConnectionMedia::AddStream]
See Also: → 810626
What type of build do you have? Can you also see it with an official nightly build? Is it opt only?
(In reply to Henrik Skupin (:whimboo) from comment #11) > build? Is it opt only? I meant debug not-optimized, sorry.
It is an ASan enabled debug, -O1 build. It's used through out all tests.
Keywords: sec-critical
This will crash with a debug non-ASAN build. I strongly think this is another "Big Lock" bug, where something is deleting the stream while we're still initing the conduit. My GDB backtrace shows that stream (GetLocalStream(0)) is non-null, but stream->GetMediaStream() is NULL (and what causes the crash).
Depends on: webrtc-big-lock
I added locally MOZ_ASSERT()s to vcmTxStartICE for stream and stream->GetMediaStream(), and a short run of the new testcase will kick out in the GetMediaStream() assert.
Assigning to Randell on a guess that he'll be okay with that.
Assignee: nobody → rjesup
OS: Mac OS X → All
Hardware: x86_64 → All
Tested with current inbound (with the fix for bug 792175 (and others)) for about 5 hours; no problems. I believe this is fixed as expected from comment 14.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Keywords: verifyme
Keywords: verifyme
Whiteboard: [asan][WebRTC][blocking-webrtc+][fuzzblocker] → [asan][WebRTC][blocking-webrtc+][fuzzblocker][qa-]
Whiteboard: [asan][WebRTC][blocking-webrtc+][fuzzblocker][qa-] → [asan][WebRTC][blocking-webrtc+][qa-]
This landed on 20 before it merged to Aurora on 1/7/2012 so marking status as fixed.
status-firefox20: affectedfixed
Whiteboard: [asan][WebRTC][blocking-webrtc+][qa-] → [asan][WebRTC][blocking-webrtc+][qa-][adv-main20-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: