Closed Bug 824851 Opened 7 years ago Closed 7 years ago

Intermittent assertion and crash for test_peerConnection_basicAudio.html: 'Assertion failure: !description_.empty(), at e:/builds/moz2_slave/a-w32-dbg/build/obj-firefox/media/webrtc' [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)]

Categories

(Core :: WebRTC: Signaling, defect, P1, critical)

Tracking

RESOLVED FIXED
mozilla20
Tracking Status
firefox17 --- disabled
firefox18 - disabled
firefox19 - disabled
firefox20 + fixed
firefox-esr10 --- unaffected
firefox-esr17 - disabled
b2g18 --- disabled

People

(Reporter: whimboo, Assigned: jib)

Details

(Keywords: crash, intermittent-failure, Whiteboard: [WebRTC][blocking-webrtc+][qa-][adv-main20-])

Attachments

(1 file, 3 obsolete files)

https://tbpl.mozilla.org/php/getParsedLog.php?id=18278223&tree=Alder

http://mxr.mozilla.org/mozilla-central/source/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp#129

Assertion failure: !description_.empty(), at e:/builds/moz2_slave/a-w32-dbg/build/obj-firefox/media/webrtc/signaling/signaling_ecc/../../../../../media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:129
TEST-UNEXPECTED-FAIL | /tests/dom/media/tests/mochitest/test_peerConnection_basicAudio.html | Exited with code -2147483645 during test run

PROCESS-CRASH | /tests/dom/media/tests/mochitest/test_peerConnection_basicAudio.html | application crashed [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)]
Crash dump filename: c:\users\cltbld\appdata\local\temp\tmpwxgobu\minidumps\e6d8929a-5dc7-4ac3-ad4e-cdc1f06c700c.dmp
Operating system: Windows NT
                  6.1.7600 
CPU: x86
     GenuineIntel family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXCEPTION_BREAKPOINT
Crash address: 0x6b9875e9

Thread 7 (crashed)
 0  xul.dll!mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *) [MediaPipeline.cpp:bd9829cde22f : 129 + 0x17]
    eip = 0x6b9875e9   esp = 0x03b1ba0c   ebp = 0x03b1c228   ebx = 0x75de509b
    esi = 0x295a6fc0   edi = 0x20236cc8   eax = 0x00000000   ecx = 0x10106637
    edx = 0x7210e4d8   efl = 0x00000206
    Found by: given as instruction pointer in context
 1  xul.dll!mozilla::runnable_args_m_1_ret<mozilla::MediaPipeline *,tag_nsresult ( mozilla::MediaPipeline::*)(mozilla::TransportFlow *),mozilla::TransportFlow *,tag_nsresult>::Run() [runnable_utils_generated.h:bd9829cde22f : 141 + 0xe]
    eip = 0x6b9852fa   esp = 0x03b1c230   ebp = 0x03b1c238
    Found by: call frame info
 2  xul.dll!nsThreadSyncDispatch::Run() [nsThread.cpp:bd9829cde22f : 774 + 0xd]
    eip = 0x6b7b75d0   esp = 0x03b1c240   ebp = 0x03b1c24c
    Found by: call frame info
 3  xul.dll!nsThread::ProcessNextEvent(bool,bool *) [nsThread.cpp:bd9829cde22f : 627 + 0xd]
    eip = 0x6b7b7d97   esp = 0x03b1c254   ebp = 0x03b1c280
    Found by: call frame info
 4  xul.dll!NS_ProcessNextEvent_P(nsIThread *,bool) [nsThreadUtils.cpp:bd9829cde22f : 237 + 0xc]
    eip = 0x6b76560e   esp = 0x03b1c288   ebp = 0x03b1c294
    Found by: call frame info
 5  xul.dll!nsThread::Dispatch(nsIRunnable *,unsigned int) [nsThread.cpp:bd9829cde22f : 410 + 0x7]
    eip = 0x6b7b7a88   esp = 0x03b1c29c   ebp = 0x03b1c2b0
    Found by: call frame info
 6  xul.dll!nsSocketTransportService::Dispatch(nsIRunnable *,unsigned int) [nsSocketTransportService2.cpp:bd9829cde22f : 116 + 0x13]
    eip = 0x6a422750   esp = 0x03b1c2b8   ebp = 0x03b1c2cc
    Found by: call frame info
 7  xul.dll!mozilla::RUN_ON_THREAD [runnable_utils.h:bd9829cde22f : 46 + 0x9]
    eip = 0x6b984c81   esp = 0x03b1c2d4   ebp = 0x03b1c2ec
    Found by: call frame info
 8  xul.dll!mozilla::MediaPipeline::TransportReady(mozilla::TransportFlow *) [MediaPipeline.cpp:bd9829cde22f : 119 + 0x26]
    eip = 0x6b988b90   esp = 0x03b1c2f4   ebp = 0x03b1c300
Similar for OS X:

https://tbpl.mozilla.org/php/getParsedLog.php?id=18277134&tree=Alder

PROCESS-CRASH | /tests/dom/media/tests/mochitest/test_peerConnection_basicAudio.html | application crashed [@ libstdc++.6.dylib + 0x2be6c]
Crash dump filename: /var/folders/qd/srwd5f710sj0fcl9z464lkj00000gn/T/tmpByCJrG/minidumps/68CF29B8-6F25-4F94-B6EC-DCED3568E0F5.dmp
Operating system: Mac OS X
                  10.7.2 11C74
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0xffffffff80cd7fe0

Thread 4 (crashed)
 0  libstdc++.6.dylib + 0x2be6c
    rbx = 0xc000000000000000   r12 = 0x000000013ee1c320
    r13 = 0x3fffffff00000066   r14 = 0x0000000104fdf378
    r15 = 0x0000000000000000   rip = 0x00007fff8daf7e6c
    rsp = 0x0000000104fde830   rbp = 0x0000000104fde830
    Found by: given as instruction pointer in context
 1  libstdc++.6.dylib + 0x27622
    rip = 0x00007fff8daf3623   rsp = 0x0000000104fde840
    rbp = 0x0000000104fde890
    Found by: stack scanning
 2  XUL!mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow*) [basic_string.h : 2413 + 0x7]
    rip = 0x0000000102f95713   rsp = 0x0000000104fde8a0
    rbp = 0x0000000104fdf750
    Found by: stack scanning
 3  XUL!mozilla::runnable_args_m_1_ret<mozilla::MediaPipeline*, tag_nsresult (mozilla::MediaPipeline::*)(mozilla::TransportFlow*), mozilla::TransportFlow*, tag_nsresult>::Run() [runnable_utils_generated.h : 141 + 0x1d]
    rbx = 0x000000010e04d320   r12 = 0x0000000104e25ad0
    r13 = 0x000000010d69c950   r14 = 0x000000010d69c950
    r15 = 0x000000010d69c970   rip = 0x0000000102f9ef47
    rsp = 0x0000000104fdf760   rbp = 0x0000000104fdf770
    Found by: call frame info
 4  XUL!nsThreadSyncDispatch::Run() [nsThread.cpp : 774 + 0x5]
    rbx = 0x0000000104e25ad0   r12 = 0x0000000104e25ad0
    r13 = 0x000000010d69c950   r14 = 0x000000010d69c950
    r15 = 0x000000010d69c970   rip = 0x00000001029fe450
    rsp = 0x0000000104fdf780   rbp = 0x0000000104fdf7a0
    Found by: call frame info
 5  XUL!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 627 + 0x5]
    rbx = 0x0000000104e25ad0   r12 = 0x0000000104e25ad0
    r13 = 0x000000010d69c950   r14 = 0x0000000104e25b10
    r15 = 0x0000000000000001   rip = 0x00000001029fdc4f
    rsp = 0x0000000104fdf7b0   rbp = 0x0000000104fdf850
    Found by: call frame info
 6  XUL!NS_ProcessNextEvent_P(nsIThread*, bool) [nsThreadUtils.cpp : 237 + 0xc]
    rbx = 0x0000000000000001   r12 = 0x0000000104e25ad0
    r13 = 0x000000010d69c950   r14 = 0x0000000104e25ad0
    r15 = 0x0000000000000000   rip = 0x000000010299e7ee
    rsp = 0x0000000104fdf860   rbp = 0x0000000104fdf870
    Found by: call frame info
 7  XUL!nsThread::Dispatch(nsIRunnable*, unsigned int) [nsThread.cpp : 410 + 0xc]
Group: core-security
Crash Signature: [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)] → [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)] [@ libstdc++.6.dylib + 0x2be6c]
OS: Windows 7 → All
Hardware: x86 → All
Assignee: nobody → ekr
Priority: -- → P1
Whiteboard: [WebRTC][automation-blocked] → [WebRTC][automation-blocked][blocking-webrtc+]
This appears to be an issue with RUN_ON_THREAD sending through Dispatch() even when the target thread is the current thread. In this case, the STS thread is Dispatching to the STS thread, which ends up calling operations on the MediaPipeline after its Destructor has been invoked. The behavior of calling Dispatch() is shown in the following backtrace:

Breakpoint 6, mozilla::MediaPipeline::DetachTransport_s (this=0x124ef84f0) at MediaPipeline.cpp:90
90        ASSERT_ON_THREAD(sts_thread_);
############################################################
DetatchTransport_s
############################################################
#0  mozilla::MediaPipeline::DetachTransport_s (this=0x124ef84f0) at MediaPipeline.cpp:90
#1  0x000000010471f1f3 in mozilla::runnable_args_m_0<mozilla::MediaPipeline*, void (mozilla::MediaPipeline::*)()>::Run (this=0x126bffe80) at runnable_utils_generated.h:48
#2  0x0000000103a4ef52 in nsThreadSyncDispatch::Run (this=0x126bffeb0) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:774
#3  0x0000000103a4e644 in nsThread::ProcessNextEvent (this=0x100538eb0, mayWait=true, result=0x10be81f0e) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:627
#4  0x00000001039b704f in NS_ProcessNextEvent_P (thread=0x100538eb0, mayWait=true) at nsThreadUtils.cpp:237
#5  0x0000000103a4d4ba in nsThread::Dispatch (this=0x100538eb0, event=0x124e97800, flags=1) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:410
#6  0x00000001014a006f in nsSocketTransportService::Dispatch (this=0x10051ade0, event=0x124e97800, flags=1) at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:116
#7  0x00000001014a00e5 in non-virtual thunk to nsSocketTransportService::Dispatch(nsIRunnable*, unsigned int) () at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:123
#8  0x0000000104718678 in RUN_ON_THREAD (thread=0x10051ade8, runnable=0x124e97800, flags=1) at runnable_utils.h:46
#9  0x000000010471872d in mozilla::MediaPipeline::TransportReady (this=0x124e8f860, flow=0x124e8ede0) at MediaPipeline.cpp:118
#10 0x000000010471af87 in mozilla::MediaPipelineTransmit::TransportReady (this=0x124e8f860, flow=0x124e8ede0) at MediaPipeline.cpp:487
#11 0x000000010471835d in mozilla::MediaPipeline::StateChange (this=0x124e8f860, flow=0x124e8ede0, state=mozilla::TransportLayer::TS_OPEN) at MediaPipeline.cpp:106
#12 0x000000010471f42b in sigslot::_connection2<mozilla::MediaPipeline, mozilla::TransportFlow*, mozilla::TransportLayer::State, sigslot::single_threaded>::emit (this=0x1262ff400, a1=0x124e8ede0, a2=mozilla::TransportLayer::TS_OPEN) at sigslot.h:1898
#13 0x00000001046a2b31 in sigslot::signal2<mozilla::TransportFlow*, mozilla::TransportLayer::State, sigslot::single_threaded>::operator() (this=0x124e8ee20, a1=0x124e8ede0, a2=mozilla::TransportLayer::TS_OPEN) at sigslot.h:2411
#14 0x00000001046a1e79 in mozilla::TransportFlow::StateChange (this=0x124e8ede0, layer=0x1233b9a00, state=mozilla::TransportLayer::TS_OPEN) at transportflow.cpp:88
#15 0x00000001046a47bb in sigslot::_connection2<mozilla::TransportFlow, mozilla::TransportLayer*, mozilla::TransportLayer::State, sigslot::single_threaded>::emit (this=0x124ed80e0, a1=0x1233b9a00, a2=mozilla::TransportLayer::TS_OPEN) at sigslot.h:1898
#16 0x00000001046a6c01 in sigslot::signal2<mozilla::TransportLayer*, mozilla::TransportLayer::State, sigslot::single_threaded>::operator() (this=0x1233b9a40, a1=0x1233b9a00, a2=mozilla::TransportLayer::TS_OPEN) at sigslot.h:2411
#17 0x00000001046a6a4e in mozilla::TransportLayer::SetState (this=0x1233b9a00, state=mozilla::TransportLayer::TS_OPEN) at transportlayer.cpp:48
#18 0x00000001046ad184 in mozilla::TransportLayerDtls::Handshake (this=0x1233b9a00) at transportlayerdtls.cpp:642
#19 0x00000001046ac89f in mozilla::TransportLayerDtls::PacketReceived (this=0x1233b9a00, layer=0x10c4e8140, data=0x10be84a40 "\026??", len=833) at transportlayerdtls.cpp:694
#20 0x00000001046b16a7 in sigslot::_connection3<mozilla::TransportLayerDtls, mozilla::TransportLayer*, unsigned char const*, unsigned long, sigslot::single_threaded>::emit (this=0x10f5f53c0, a1=0x10c4e8140, a2=0x10be84a40 "\026??", a3=833) at sigslot.h:1944
#21 0x00000001046a89e3 in sigslot::signal3<mozilla::TransportLayer*, unsigned char const*, unsigned long, sigslot::single_threaded>::operator() (this=0x10c4e81a0, a1=0x10c4e8140, a2=0x10be84a40 "\026??", a3=833) at sigslot.h:2477
#22 0x00000001046a8229 in mozilla::TransportLayerIce::IcePacketReceived (this=0x10c4e8140, stream=0x121b3b500, component=1, data=0x10be84a40 "\026??", len=833) at transportlayerice.cpp:147
#23 0x00000001046a8c5d in sigslot::_connection4<mozilla::TransportLayerIce, mozilla::NrIceMediaStream*, int, unsigned char const*, int, sigslot::single_threaded>::emit (this=0x124ce4da0, a1=0x121b3b500, a2=1, a3=0x10be84a40 "\026??", a4=833) at sigslot.h:1993
#24 0x00000001046983a6 in sigslot::signal4<mozilla::NrIceMediaStream*, int, unsigned char const*, int, sigslot::single_threaded>::operator() (this=0x121b3b560, a1=0x121b3b500, a2=1, a3=0x10be84a40 "\026??", a4=833) at sigslot.h:2544
#25 0x0000000104696410 in mozilla::NrIceCtx::msg_recvd (obj=0x121b60c40, pctx=0x123dfe55c, stream=0x11c492b0c, component_id=1, msg=0x10be84a40 "\026??", len=833) at nricectx.cpp:227
#26 0x000000010466a43b in nr_ice_peer_ctx_deliver_packet_maybe (pctx=0x123dfe55c, comp=0x123d84aac, source_addr=0x10be848d8, data=0x10be84a40 "\026??", len=833) at ice_peer_ctx.c:511
#27 0x0000000104665212 in nr_ice_ctx_deliver_packet (ctx=0x123d2e42c, comp=0x123d84aac, source_addr=0x10be848d8, data=0x10be84a40 "\026??", len=833) at ice_ctx.c:462
#28 0x000000010466ab81 in nr_ice_socket_readable_cb (s=0x123db5080, how=0, cb_arg=0x112bfc80c) at ice_socket.c:162
#29 0x00000001046a038d in mozilla::NrSocket::fire_callback (this=0x123db5080, how=0) at nr_socket_prsock.cpp:190
#30 0x00000001046a02c3 in mozilla::NrSocket::OnSocketReady (this=0x123db5080, fd=0x123db2a90, outflags=1) at nr_socket_prsock.cpp:124
#31 0x00000001014a2986 in nsSocketTransportService::DoPollIteration (this=0x10051ade0, wait=true) at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:784
#32 0x00000001014a2352 in nsSocketTransportService::Run (this=0x10051ade0) at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:641
#33 0x00000001014a2d8c in non-virtual thunk to nsSocketTransportService::Run() () at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:707
#34 0x0000000103a4e644 in nsThread::ProcessNextEvent (this=0x100538eb0, mayWait=true, result=0x10be86dee) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:627
#35 0x00000001039b704f in NS_ProcessNextEvent_P (thread=0x100538eb0, mayWait=true) at nsThreadUtils.cpp:237
#36 0x0000000103a4d117 in nsThread::ThreadFunc (arg=0x100538eb0) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:265
#37 0x0000000100638583 in _pt_root (arg=0x100563790) at /Users/Adam/devel/mozilla/mozilla-inbound/nsprpub/pr/src/pthreads/ptthread.c:156
#38 0x00007fff85fcf742 in _pthread_start ()
#39 0x00007fff85fbc181 in thread_start ()
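
The re-entrancy described in the comment above, as an added example that is not part of the original bug and is not Mozilla's code: a toy single-threaded event queue shows how a synchronous dispatch to the current thread spins a nested loop that runs a pending teardown before the dispatched call, and how running inline when already on the target thread keeps the intended order. `EventLoop`, `Pipeline`, `Mode` and `Simulate` are hypothetical names, and a `detached` flag stands in for the destroyed object.

```cpp
#include <deque>
#include <functional>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Toy stand-in for one thread's event queue (hypothetical, not Mozilla's nsThread).
struct EventLoop {
  std::deque<std::function<void()>> queue;

  bool ProcessNextEvent() {
    if (queue.empty()) return false;
    std::function<void()> ev = std::move(queue.front());
    queue.pop_front();
    ev();
    return true;
  }

  // Synchronous dispatch issued from the loop's own thread: the runnable goes to
  // the back of the queue and a nested loop spins until it has run, so every
  // event queued ahead of it runs first.
  void DispatchSync(std::function<void()> runnable) {
    bool done = false;
    queue.push_back([&done, runnable] { runnable(); done = true; });
    while (!done && ProcessNextEvent()) {}
  }
};

// `detached` is a tombstone standing in for the destroyed pipeline, so the
// model records the ordering without touching freed memory.
struct Pipeline {
  std::vector<std::string>& log;
  bool detached;
  explicit Pipeline(std::vector<std::string>& l) : log(l), detached(false) {}
  void DetachTransport() { detached = true; log.push_back("detach"); }
  void TransportReadyInt() {
    log.push_back(detached ? "ready-after-detach" : "ready");
  }
};

enum class Mode { AlwaysDispatch, RunInlineIfOnThread };

// Caller is already on the loop's thread and a teardown event is pending.
std::vector<std::string> Simulate(Mode mode) {
  std::vector<std::string> log;
  EventLoop loop;
  Pipeline pipeline(log);
  loop.queue.push_back([&pipeline] { pipeline.DetachTransport(); });
  std::function<void()> ready = [&pipeline] { pipeline.TransportReadyInt(); };
  if (mode == Mode::AlwaysDispatch) {
    loop.DispatchSync(ready);   // nested loop runs the teardown first
  } else {
    ready();                    // on-thread check passed: run directly
  }
  while (loop.ProcessNextEvent()) {}
  return log;
}

int main() {
  for (Mode m : {Mode::AlwaysDispatch, Mode::RunInlineIfOnThread}) {
    for (const std::string& s : Simulate(m)) std::cout << s << ' ';
    std::cout << '\n';
  }
}
```
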
Assignee: ekr → jib
Blocks: 821884
Attachment #696375 - Flags: review?(rjesup)
Attachment #696375 - Flags: review?(ekr)
Comment on attachment 696375 [details] [diff] [review]
Fixed RUN_ON_THREAD to not dispatch on own thread

Review of attachment 696375 [details] [diff] [review]:
-----------------------------------------------------------------

With extra error checking.

::: media/mtransport/runnable_utils.h
@@ +40,5 @@
>  
>  // Temporary hack. Really we want to have a template which will do this
>  static inline nsresult RUN_ON_THREAD(nsIEventTarget *thread, nsIRunnable *runnable, uint32_t flags) {
>    RefPtr<nsIRunnable> runnable_ref(runnable);
>    

Please remove this whitespace.

@@ +44,5 @@
>    
> +  if (thread) {
> +    bool on;
> +    nsresult rv;
> +    rv = thread->IsOnCurrentThread(&on);
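
Review bot: `bool on;` is declared without an initializer ahead of `rv = thread->IsOnCurrentThread(&on);`, so if the call fails before writing its out-parameter, `on` holds an indeterminate value. Initialize it (`bool on = false;`) so that any later test of `on` is well defined whatever the call returns.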

We should have an error here if this fails.

MOZ_ASSERT(NS_SUCCEEDED(rv))
NS_ENSURE(NS_SUCCEEDED(rv), rv);

@@ +45,5 @@
> +  if (thread) {
> +    bool on;
> +    nsresult rv;
> +    rv = thread->IsOnCurrentThread(&on);
> +    if(!NS_SUCCEEDED(rv) || !on) {
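
Review bot: the `if(!NS_SUCCEEDED(rv) || !on)` branch carries no comment saying why a runnable aimed at the current thread must not go through the dispatch path; the only comment in the function is the "Temporary hack" line. A one-line comment at this check stating that dispatching to the current thread is skipped on purpose would keep a later cleanup from removing it. `NS_FAILED(rv)` would also read more directly than `!NS_SUCCEEDED(rv)`.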

And here we just need if (!on)

@@ +52,4 @@
>    }
>    return runnable_ref->Run();
>  }
> + 
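
Review bot: the closing `return runnable_ref->Run();` is the path a same-thread target falls through to, as well as a null `thread`, and it never looks at `flags`, so the runnable executes inline whatever the caller requested. State that in the function comment, or assert on the expected `flags` value, so callers do not assume the runnable is always queued.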

And this.
Attachment #696375 - Flags: review?(ekr) → review+
Attachment #696375 - Attachment is obsolete: true
Attachment #696375 - Flags: review?(rjesup)
Attachment #696378 - Attachment is obsolete: true
Attachment #696381 - Attachment is obsolete: true
Comment on attachment 696384 [details] [diff] [review]
Fixed RUN_ON_THREAD to not dispatch on own thread.

Carrying forward r+ from ekr.
Attachment #696384 - Flags: review?(rjesup)
Attachment #696384 - Flags: review?(rjesup) → review+
Failed on WinXP SP2:
https://tbpl.mozilla.org/php/getParsedLog.php?id=18337591&tree=Alder

PROCESS-CRASH | Main app process exited normally | application crashed [@ ntdll.dll + 0xeb94]

Crash reason:  EXCEPTION_NONCONTINUABLE_EXCEPTION
Crash address: 0x0
Assertion: Pure virtual function called

Thread 6 (crashed)
 0  ntdll.dll + 0xeb94
    eip = 0x7c90eb94   esp = 0x039fbe0c   ebp = 0x039fbe70   ebx = 0x00000000
    esi = 0x00000730   edi = 0x00000000   eax = 0x00000000   ecx = 0x039fc190
    edx = 0x00000308   efl = 0x00000246
    Found by: given as instruction pointer in context
 1  kernel32.dll + 0x2541
    eip = 0x7c802542   esp = 0x039fbe78   ebp = 0x039fbe84
    Found by: previous frame's frame pointer
 2  xul.dll!google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread(_EXCEPTION_POINTERS *,MDRawAssertionInfo *) [exception_handler.cc:3cca59a99ce4 : 690 + 0xd]
    eip = 0x01237bbb   esp = 0x039fbe8c   ebp = 0x039fbea0
    Found by: previous frame's frame pointer
 3  xul.dll!google_breakpad::ExceptionHandler::HandlePureVirtualCall() [exception_handler.cc:3cca59a99ce4 : 645 + 0x6]
    eip = 0x0123873c   esp = 0x039fbea8   ebp = 0x039fc4ec
    Found by: call frame info
 4  msvcr100.dll + 0x8af05
    eip = 0x78b2af06   esp = 0x039fc4f4   ebp = 0x039fc508
    Found by: call frame info
 5  xul.dll!mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *) [MediaPipeline.cpp:3cca59a99ce4 : 249 + 0x14]
    eip = 0x01c93f0e   esp = 0x039fc510   ebp = 0x039fcc04
    Found by: previous frame's frame pointer
 6  xul.dll!mozilla::runnable_args_m_1_ret<mozilla::MediaPipeline *,tag_nsresult ( mozilla::MediaPipeline::*)(mozilla::TransportFlow *),mozilla::TransportFlow *,tag_nsresult>::Run() [runnable_utils_generated.h:3cca59a99ce4 : 141 + 0xe]
    eip = 0x01c92cc7   esp = 0x039fcc0c   ebp = 0x039fcc14
    Found by: call frame info
 7  xul.dll!nsThreadSyncDispatch::Run() [nsThread.cpp:3cca59a99ce4 : 774 + 0x5]
    eip = 0x01bec9e2   esp = 0x039fcc1c   ebp = 0x039fcc28
    Found by: call frame info
 8  xul.dll!nsThread::ProcessNextEvent(bool,bool *) [nsThread.cpp:3cca59a99ce4 : 627 + 0x5]
Crash Signature: [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)] [@ libstdc++.6.dylib + 0x2be6c] → [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)] [@ libstdc++.6.dylib + 0x2be6c] [@ ntdll.dll + 0xeb94]
https://tbpl.mozilla.org/php/getParsedLog.php?id=18336835&tree=Alder

PROCESS-CRASH | /tests/dom/media/tests/mochitest/test_peerConnection_basicAudio.html | application crashed [@ libstdc++.6.dylib + 0x2d5ee]
Status: NEW → ASSIGNED
Crash Signature: [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)] [@ libstdc++.6.dylib + 0x2be6c] [@ ntdll.dll + 0xeb94] → [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)] [@ libstdc++.6.dylib + 0x2be6c] [@ libstdc++.6.dylib + 0x2d5ee] [@ ntdll.dll + 0xeb94]
I'm not sure what I'm supposed to be looking at here. The tbpl push doesn't seem to contain the patch listed above, so I would expect to see a crash here.
Right: this is r+'d but not landed.  Those alder reports are (I assume) just other instances of it failing.
So can this patch be landed then? If Jan is not around, can one of you two do it?
Just finishing a test. I'll mark it checkin? in a sec.
Comment on attachment 696384 [details] [diff] [review]
Fixed RUN_ON_THREAD to not dispatch on own thread.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Difficult, though in theory, use-after-free can be exploited to run attacker code using heap blasting.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.

Which older supported branches are affected by this flaw?
webrtc only, behind pref

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

How likely is this patch to cause regressions; how much testing does it need?
All signaling unittests passed. One test-run out of 7 produced an assertion believed to be unrelated, but the team agreed the patch is more urgent than following that one case. Will keep testing afterwards.
Attachment #696384 - Flags: sec-approval?
Attachment #696384 - Flags: sec-approval? → sec-approval+
Attachment #696384 - Flags: checkin?(rjesup)
Attachment #696384 - Flags: checkin?(rjesup) → checkin+
Not tracking for FF18/19 as webRTC is disabled by default. Please feel free to renominate for FF19 if this is critical & this patch needs to be uplifted.
https://hg.mozilla.org/mozilla-central/rev/e3a7b9905aaf
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: [WebRTC][automation-blocked][blocking-webrtc+] → [WebRTC][automation-blocked][blocking-webrtc+][qa-]
Flags: in-testsuite+
Whiteboard: [WebRTC][automation-blocked][blocking-webrtc+][qa-] → [WebRTC][automation-blocked][blocking-webrtc+][qa-][adv-main20-]
Whiteboard: [WebRTC][automation-blocked][blocking-webrtc+][qa-][adv-main20-] → [WebRTC][blocking-webrtc+][qa-][adv-main20-]
Group: core-security