Closed
Bug 817841
Opened 12 years ago
Closed 12 years ago
Race condition deleting nsDOMMediaStream via proxying to MainThread
Categories
(Core :: WebRTC: Audio/Video, defect)
Core
WebRTC: Audio/Video
Tracking
()
RESOLVED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox18 | --- | unaffected |
| firefox19 | --- | affected |
| firefox20 | --- | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: jesup, Assigned: jesup)
References
Details
(Keywords: crash, csectype-race, sec-high, Whiteboard: [qa-][adv-main20+])
Attachments
(1 file)
|
3.72 KB,
patch
|
roc
:
review+
|
Details | Diff | Splinter Review |
We have a number of hard-to-reproduce reports of crashes due to a Release off-main-thread in ~MediaOperationRunnable(), which deletes a nsDOMMediaStream (which is a cycle-collected object, and thus main-thread only).
It tries to proxy to mainthread by resending itself there and letting the post-Run release kill it, but if MainThread runs *before* the off-main-thread Run() exists, it gets deleted off-main-thread (boom).
A better solution (though it means allocating) is to proxy to main thread just the Release() via NS_ProxyRelease(). This code isn't a performance hotspot so the alloc is not a big deal.
|
Assignee | |
Comment 1•12 years ago
|
||
|
|
Assignee | |
Comment 2•12 years ago
|
||
Comment on attachment 688006 [details] [diff] [review]
Proxy deletion of nsDOMMediaStreams with NS_ProxyRelease()
Seems to work fine for me; I don't have a working reproducible case (though p.franc does I think) so I can't verify it fixes the problem directly.
Attachment #688006 -
Flags: review?(roc)
Attachment #688006 -
Flags: review?(roc) → review+
|
|
Assignee | |
Comment 3•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d9bcbec33260
Once baked we should consider uplift to Aurora
status-firefox18:
--- → unaffected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
Target Milestone: --- → mozilla20
|
||
Comment 4•12 years ago
|
||
backed out (f88a7f4b3792) for compiler error (warning->error: comma at end of enum list) and relanded: (I hope that's acceptable procedure: wanted to make sure we don't repeat same problem on aurora/beta if we copy patch to them)
https://hg.mozilla.org/integration/mozilla-inbound/rev/857e8fdd2d5d
|
|
Assignee | |
Comment 5•12 years ago
|
||
As per IRC: thanks
|
||
Comment 6•12 years ago
|
||
Looks like bug 817976 is a dupe, right?
|
||
Comment 7•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Comment 8•12 years ago
|
||
comment 2 implies there isn't a reproducible test case. If there is one, feel free to comment to explain it.
Flags: in-testsuite-
Whiteboard: [qa-]
|
|
||
Comment 10•12 years ago
|
||
|
|
||
Comment 11•12 years ago
|
||
Sounds like the best course of action here is probably then is to only reopen if we reproduce this crash again. It looks like the URLs in comment 10 imply that general gum usage could reproduce this.
|
||
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
||
Comment 12•12 years ago
|
||
I can not reproduce this particular crash anymore with current nightly.
|
||
Updated•12 years ago
|
Whiteboard: [qa-] → [qa-][adv-main20+]
|
||
Updated•12 years ago
|
|
|
||
Comment 13•12 years ago
|
||
Already fixed at this point, no need to get a reduced test case here.
Keywords: testcase-wanted
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•