820072 - ASSERTION: You can't dereference a NULL nsRefPtr with operator->().: 'mRawPtr != 0' when calling 'remoteStreams.length' on closed peer connection instance [@ mozilla::dom::MediaStreamList::Length()]

Status: RESOLVED WORKSFORME

(Core :: WebRTC: Networking, defect, P1)

Description

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Attachment: testcase

Firefox asserts and crashes when loading the following testcase with:

0:08.50 ###!!! ASSERTION: You can't dereference a NULL nsRefPtr with operator->().: 'mRawPtr != 0', file /Volumes/data/code/firefox/nightly/media/webrtc/signaling//../../../xpcom/base/nsAutoPtr.h, line 1024
 0:08.50 WARNING: no real random source present!
 0:18.61 mozilla::dom::MediaStreamListBinding::get_length [/Volumes/data/code/firefox/obj/debug/dom/bindings/MediaStreamListBinding.cpp:28]
 0:18.61 mozilla::dom::MediaStreamListBinding::genericGetter [/Volumes/data/code/firefox/obj/debug/dom/bindings/MediaStreamListBinding.cpp:59]
 0:18.61 js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) [js/src/jscntxtinlines.h:364]
 0:18.61 js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) [js/src/jsinterp.cpp:362]

Comment 1

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Adding the first 10 frames for now. More you can find in the crash report:

0 	XUL 	mozilla::dom::MediaStreamList::Length 	nsTArray.h:204
1 	XUL 	mozilla::dom::MediaStreamListBinding::get_length 	MediaStreamListBinding.cpp:28
2 	XUL 	mozilla::dom::MediaStreamListBinding::genericGetter 	MediaStreamListBinding.cpp:59
3 	XUL 	js::InvokeKernel 	jscntxtinlines.h:364
4 	XUL 	js::Invoke 	jsinterp.h:109
5 	XUL 	js::InvokeGetterOrSetter 	jsinterp.cpp:487
6 	XUL 	js::Shape::get 	jsscopeinlines.h:295
7 	XUL 	js::baseops::GetProperty 	jsobj.cpp:4240
8 	XUL 	JS_ForwardGetPropertyTo 	jsobjinlines.h:172
9 	XUL 	mozilla::dom::GetPropertyOnPrototype 	BindingUtils.cpp:1081
10 	XUL 	mozilla::dom::MediaStreamListBinding::DOMProxyHandler::get 	MediaStreamListBinding.cpp:353

Comment 2

[Randell Jesup [:jesup] (needinfo me)]

Caused by a null media() pointer after Closing a PeerConnection.

Comment 3

[Henrik Skupin [:whimboo][⌚️UTC+1]]

As talked on bug 819513 this crash is not fixed and that given it cannot be a dupe. Reopening.

Comment 4

[Eric Rescorla (:ekr)]

This new crash as of 12/10 appears to be a lack of implementation of the remoteStreams primitive. Assigning to jesup.

Comment 5

[Daniel Veditz [:dveditz]]

using a null ref/comptr is usually not exploitable -- unhide the bug?

Comment 6

[Randell Jesup [:jesup] (needinfo me)]

Agreed. null-deref, un-hide

Comment 7

[Daniel Veditz [:dveditz]]

agreeing w/myself in comment 5 to clear the needinfo? -- if that's not what you were asking please re-add the flag

Comment 8

[Randell Jesup [:jesup] (needinfo me)]

re-closing as this appears to be fixed; I tested a bunch of times with no problems.  Lots of fixes and refactorings to the PC->media connection and lifetime management has happened since then.