824851 - Intermittent assertion and crash for test_peerConnection_basicAudio.html: 'Assertion failure: !description_.empty(), at e:/builds/moz2_slave/a-w32-dbg/build/obj-firefox/media/webrtc' [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)]

Status: RESOLVED FIXED

(Core :: WebRTC: Signaling, defect, P1)

Description

[Henrik Skupin [:whimboo][⌚️UTC+1]]

https://tbpl.mozilla.org/php/getParsedLog.php?id=18278223&tree=Alder

http://mxr.mozilla.org/mozilla-central/source/media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp#129

Assertion failure: !description_.empty(), at e:/builds/moz2_slave/a-w32-dbg/build/obj-firefox/media/webrtc/signaling/signaling_ecc/../../../../../media/webrtc/signaling/src/mediapipeline/MediaPipeline.cpp:129
TEST-UNEXPECTED-FAIL | /tests/dom/media/tests/mochitest/test_peerConnection_basicAudio.html | Exited with code -2147483645 during test run

PROCESS-CRASH | /tests/dom/media/tests/mochitest/test_peerConnection_basicAudio.html | application crashed [@ mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *)]
Crash dump filename: c:\users\cltbld\appdata\local\temp\tmpwxgobu\minidumps\e6d8929a-5dc7-4ac3-ad4e-cdc1f06c700c.dmp
Operating system: Windows NT
                  6.1.7600 
CPU: x86
     GenuineIntel family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXCEPTION_BREAKPOINT
Crash address: 0x6b9875e9

Thread 7 (crashed)
 0  xul.dll!mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *) [MediaPipeline.cpp:bd9829cde22f : 129 + 0x17]
    eip = 0x6b9875e9   esp = 0x03b1ba0c   ebp = 0x03b1c228   ebx = 0x75de509b
    esi = 0x295a6fc0   edi = 0x20236cc8   eax = 0x00000000   ecx = 0x10106637
    edx = 0x7210e4d8   efl = 0x00000206
    Found by: given as instruction pointer in context
 1  xul.dll!mozilla::runnable_args_m_1_ret<mozilla::MediaPipeline *,tag_nsresult ( mozilla::MediaPipeline::*)(mozilla::TransportFlow *),mozilla::TransportFlow *,tag_nsresult>::Run() [runnable_utils_generated.h:bd9829cde22f : 141 + 0xe]
    eip = 0x6b9852fa   esp = 0x03b1c230   ebp = 0x03b1c238
    Found by: call frame info
 2  xul.dll!nsThreadSyncDispatch::Run() [nsThread.cpp:bd9829cde22f : 774 + 0xd]
    eip = 0x6b7b75d0   esp = 0x03b1c240   ebp = 0x03b1c24c
    Found by: call frame info
 3  xul.dll!nsThread::ProcessNextEvent(bool,bool *) [nsThread.cpp:bd9829cde22f : 627 + 0xd]
    eip = 0x6b7b7d97   esp = 0x03b1c254   ebp = 0x03b1c280
    Found by: call frame info
 4  xul.dll!NS_ProcessNextEvent_P(nsIThread *,bool) [nsThreadUtils.cpp:bd9829cde22f : 237 + 0xc]
    eip = 0x6b76560e   esp = 0x03b1c288   ebp = 0x03b1c294
    Found by: call frame info
 5  xul.dll!nsThread::Dispatch(nsIRunnable *,unsigned int) [nsThread.cpp:bd9829cde22f : 410 + 0x7]
    eip = 0x6b7b7a88   esp = 0x03b1c29c   ebp = 0x03b1c2b0
    Found by: call frame info
 6  xul.dll!nsSocketTransportService::Dispatch(nsIRunnable *,unsigned int) [nsSocketTransportService2.cpp:bd9829cde22f : 116 + 0x13]
    eip = 0x6a422750   esp = 0x03b1c2b8   ebp = 0x03b1c2cc
    Found by: call frame info
 7  xul.dll!mozilla::RUN_ON_THREAD [runnable_utils.h:bd9829cde22f : 46 + 0x9]
    eip = 0x6b984c81   esp = 0x03b1c2d4   ebp = 0x03b1c2ec
    Found by: call frame info
 8  xul.dll!mozilla::MediaPipeline::TransportReady(mozilla::TransportFlow *) [MediaPipeline.cpp:bd9829cde22f : 119 + 0x26]
    eip = 0x6b988b90   esp = 0x03b1c2f4   ebp = 0x03b1c300

Comment 1

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Similar for OS X:

https://tbpl.mozilla.org/php/getParsedLog.php?id=18277134&tree=Alder

PROCESS-CRASH | /tests/dom/media/tests/mochitest/test_peerConnection_basicAudio.html | application crashed [@ libstdc++.6.dylib + 0x2be6c]
Crash dump filename: /var/folders/qd/srwd5f710sj0fcl9z464lkj00000gn/T/tmpByCJrG/minidumps/68CF29B8-6F25-4F94-B6EC-DCED3568E0F5.dmp
Operating system: Mac OS X
                  10.7.2 11C74
CPU: amd64
     family 6 model 23 stepping 10
     2 CPUs

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0xffffffff80cd7fe0

Thread 4 (crashed)
 0  libstdc++.6.dylib + 0x2be6c
    rbx = 0xc000000000000000   r12 = 0x000000013ee1c320
    r13 = 0x3fffffff00000066   r14 = 0x0000000104fdf378
    r15 = 0x0000000000000000   rip = 0x00007fff8daf7e6c
    rsp = 0x0000000104fde830   rbp = 0x0000000104fde830
    Found by: given as instruction pointer in context
 1  libstdc++.6.dylib + 0x27622
    rip = 0x00007fff8daf3623   rsp = 0x0000000104fde840
    rbp = 0x0000000104fde890
    Found by: stack scanning
 2  XUL!mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow*) [basic_string.h : 2413 + 0x7]
    rip = 0x0000000102f95713   rsp = 0x0000000104fde8a0
    rbp = 0x0000000104fdf750
    Found by: stack scanning
 3  XUL!mozilla::runnable_args_m_1_ret<mozilla::MediaPipeline*, tag_nsresult (mozilla::MediaPipeline::*)(mozilla::TransportFlow*), mozilla::TransportFlow*, tag_nsresult>::Run() [runnable_utils_generated.h : 141 + 0x1d]
    rbx = 0x000000010e04d320   r12 = 0x0000000104e25ad0
    r13 = 0x000000010d69c950   r14 = 0x000000010d69c950
    r15 = 0x000000010d69c970   rip = 0x0000000102f9ef47
    rsp = 0x0000000104fdf760   rbp = 0x0000000104fdf770
    Found by: call frame info
 4  XUL!nsThreadSyncDispatch::Run() [nsThread.cpp : 774 + 0x5]
    rbx = 0x0000000104e25ad0   r12 = 0x0000000104e25ad0
    r13 = 0x000000010d69c950   r14 = 0x000000010d69c950
    r15 = 0x000000010d69c970   rip = 0x00000001029fe450
    rsp = 0x0000000104fdf780   rbp = 0x0000000104fdf7a0
    Found by: call frame info
 5  XUL!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 627 + 0x5]
    rbx = 0x0000000104e25ad0   r12 = 0x0000000104e25ad0
    r13 = 0x000000010d69c950   r14 = 0x0000000104e25b10
    r15 = 0x0000000000000001   rip = 0x00000001029fdc4f
    rsp = 0x0000000104fdf7b0   rbp = 0x0000000104fdf850
    Found by: call frame info
 6  XUL!NS_ProcessNextEvent_P(nsIThread*, bool) [nsThreadUtils.cpp : 237 + 0xc]
    rbx = 0x0000000000000001   r12 = 0x0000000104e25ad0
    r13 = 0x000000010d69c950   r14 = 0x0000000104e25ad0
    r15 = 0x0000000000000000   rip = 0x000000010299e7ee
    rsp = 0x0000000104fdf860   rbp = 0x0000000104fdf870
    Found by: call frame info
 7  XUL!nsThread::Dispatch(nsIRunnable*, unsigned int) [nsThread.cpp : 410 + 0xc]

Comment 2

[Adam Roach [:abr]]

This appears to be an issue with RUN_ON_THREAD sending through Dispatch() even when the target thread is the current thread. In this case, the STS thread is Dispatching to the STS thread, which ends up calling operations on the MediaPipeline after its Destructor has been invoked. The behavior of calling Dispatch() is shown in the following backtrace:

Breakpoint 6, mozilla::MediaPipeline::DetachTransport_s (this=0x124ef84f0) at MediaPipeline.cpp:90
90        ASSERT_ON_THREAD(sts_thread_);
############################################################
DetatchTransport_s
############################################################
#0  mozilla::MediaPipeline::DetachTransport_s (this=0x124ef84f0) at MediaPipeline.cpp:90
#1  0x000000010471f1f3 in mozilla::runnable_args_m_0<mozilla::MediaPipeline*, void (mozilla::MediaPipeline::*)()>::Run (this=0x126bffe80) at runnable_utils_generated.h:48
#2  0x0000000103a4ef52 in nsThreadSyncDispatch::Run (this=0x126bffeb0) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:774
#3  0x0000000103a4e644 in nsThread::ProcessNextEvent (this=0x100538eb0, mayWait=true, result=0x10be81f0e) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:627
#4  0x00000001039b704f in NS_ProcessNextEvent_P (thread=0x100538eb0, mayWait=true) at nsThreadUtils.cpp:237
#5  0x0000000103a4d4ba in nsThread::Dispatch (this=0x100538eb0, event=0x124e97800, flags=1) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:410
#6  0x00000001014a006f in nsSocketTransportService::Dispatch (this=0x10051ade0, event=0x124e97800, flags=1) at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:116
#7  0x00000001014a00e5 in non-virtual thunk to nsSocketTransportService::Dispatch(nsIRunnable*, unsigned int) () at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:123
#8  0x0000000104718678 in RUN_ON_THREAD (thread=0x10051ade8, runnable=0x124e97800, flags=1) at runnable_utils.h:46
#9  0x000000010471872d in mozilla::MediaPipeline::TransportReady (this=0x124e8f860, flow=0x124e8ede0) at MediaPipeline.cpp:118
#10 0x000000010471af87 in mozilla::MediaPipelineTransmit::TransportReady (this=0x124e8f860, flow=0x124e8ede0) at MediaPipeline.cpp:487
#11 0x000000010471835d in mozilla::MediaPipeline::StateChange (this=0x124e8f860, flow=0x124e8ede0, state=mozilla::TransportLayer::TS_OPEN) at MediaPipeline.cpp:106
#12 0x000000010471f42b in sigslot::_connection2<mozilla::MediaPipeline, mozilla::TransportFlow*, mozilla::TransportLayer::State, sigslot::single_threaded>::emit (this=0x1262ff400, a1=0x124e8ede0, a2=mozilla::TransportLayer::TS_OPEN) at sigslot.h:1898
#13 0x00000001046a2b31 in sigslot::signal2<mozilla::TransportFlow*, mozilla::TransportLayer::State, sigslot::single_threaded>::operator() (this=0x124e8ee20, a1=0x124e8ede0, a2=mozilla::TransportLayer::TS_OPEN) at sigslot.h:2411
#14 0x00000001046a1e79 in mozilla::TransportFlow::StateChange (this=0x124e8ede0, layer=0x1233b9a00, state=mozilla::TransportLayer::TS_OPEN) at transportflow.cpp:88
#15 0x00000001046a47bb in sigslot::_connection2<mozilla::TransportFlow, mozilla::TransportLayer*, mozilla::TransportLayer::State, sigslot::single_threaded>::emit (this=0x124ed80e0, a1=0x1233b9a00, a2=mozilla::TransportLayer::TS_OPEN) at sigslot.h:1898
#16 0x00000001046a6c01 in sigslot::signal2<mozilla::TransportLayer*, mozilla::TransportLayer::State, sigslot::single_threaded>::operator() (this=0x1233b9a40, a1=0x1233b9a00, a2=mozilla::TransportLayer::TS_OPEN) at sigslot.h:2411
#17 0x00000001046a6a4e in mozilla::TransportLayer::SetState (this=0x1233b9a00, state=mozilla::TransportLayer::TS_OPEN) at transportlayer.cpp:48
#18 0x00000001046ad184 in mozilla::TransportLayerDtls::Handshake (this=0x1233b9a00) at transportlayerdtls.cpp:642
#19 0x00000001046ac89f in mozilla::TransportLayerDtls::PacketReceived (this=0x1233b9a00, layer=0x10c4e8140, data=0x10be84a40 "\026??", len=833) at transportlayerdtls.cpp:694
#20 0x00000001046b16a7 in sigslot::_connection3<mozilla::TransportLayerDtls, mozilla::TransportLayer*, unsigned char const*, unsigned long, sigslot::single_threaded>::emit (this=0x10f5f53c0, a1=0x10c4e8140, a2=0x10be84a40 "\026??", a3=833) at sigslot.h:1944
#21 0x00000001046a89e3 in sigslot::signal3<mozilla::TransportLayer*, unsigned char const*, unsigned long, sigslot::single_threaded>::operator() (this=0x10c4e81a0, a1=0x10c4e8140, a2=0x10be84a40 "\026??", a3=833) at sigslot.h:2477
#22 0x00000001046a8229 in mozilla::TransportLayerIce::IcePacketReceived (this=0x10c4e8140, stream=0x121b3b500, component=1, data=0x10be84a40 "\026??", len=833) at transportlayerice.cpp:147
#23 0x00000001046a8c5d in sigslot::_connection4<mozilla::TransportLayerIce, mozilla::NrIceMediaStream*, int, unsigned char const*, int, sigslot::single_threaded>::emit (this=0x124ce4da0, a1=0x121b3b500, a2=1, a3=0x10be84a40 "\026??", a4=833) at sigslot.h:1993
#24 0x00000001046983a6 in sigslot::signal4<mozilla::NrIceMediaStream*, int, unsigned char const*, int, sigslot::single_threaded>::operator() (this=0x121b3b560, a1=0x121b3b500, a2=1, a3=0x10be84a40 "\026??", a4=833) at sigslot.h:2544
#25 0x0000000104696410 in mozilla::NrIceCtx::msg_recvd (obj=0x121b60c40, pctx=0x123dfe55c, stream=0x11c492b0c, component_id=1, msg=0x10be84a40 "\026??", len=833) at nricectx.cpp:227
#26 0x000000010466a43b in nr_ice_peer_ctx_deliver_packet_maybe (pctx=0x123dfe55c, comp=0x123d84aac, source_addr=0x10be848d8, data=0x10be84a40 "\026??", len=833) at ice_peer_ctx.c:511
#27 0x0000000104665212 in nr_ice_ctx_deliver_packet (ctx=0x123d2e42c, comp=0x123d84aac, source_addr=0x10be848d8, data=0x10be84a40 "\026??", len=833) at ice_ctx.c:462
#28 0x000000010466ab81 in nr_ice_socket_readable_cb (s=0x123db5080, how=0, cb_arg=0x112bfc80c) at ice_socket.c:162
#29 0x00000001046a038d in mozilla::NrSocket::fire_callback (this=0x123db5080, how=0) at nr_socket_prsock.cpp:190
#30 0x00000001046a02c3 in mozilla::NrSocket::OnSocketReady (this=0x123db5080, fd=0x123db2a90, outflags=1) at nr_socket_prsock.cpp:124
#31 0x00000001014a2986 in nsSocketTransportService::DoPollIteration (this=0x10051ade0, wait=true) at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:784
#32 0x00000001014a2352 in nsSocketTransportService::Run (this=0x10051ade0) at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:641
#33 0x00000001014a2d8c in non-virtual thunk to nsSocketTransportService::Run() () at /Users/Adam/devel/mozilla/mozilla-inbound/netwerk/base/src/nsSocketTransportService2.cpp:707
#34 0x0000000103a4e644 in nsThread::ProcessNextEvent (this=0x100538eb0, mayWait=true, result=0x10be86dee) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:627
#35 0x00000001039b704f in NS_ProcessNextEvent_P (thread=0x100538eb0, mayWait=true) at nsThreadUtils.cpp:237
#36 0x0000000103a4d117 in nsThread::ThreadFunc (arg=0x100538eb0) at /Users/Adam/devel/mozilla/mozilla-inbound/xpcom/threads/nsThread.cpp:265
#37 0x0000000100638583 in _pt_root (arg=0x100563790) at /Users/Adam/devel/mozilla/mozilla-inbound/nsprpub/pr/src/pthreads/ptthread.c:156
#38 0x00007fff85fcf742 in _pthread_start ()
#39 0x00007fff85fbc181 in thread_start ()

Comment 3

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Attachment: Fixed RUN_ON_THREAD to not dispatch on own thread

Comment 4

[Eric Rescorla (:ekr)]

Comment on attachment 696375 [details] [diff] [review]
Fixed RUN_ON_THREAD to not dispatch on own thread

Review of attachment 696375 [details] [diff] [review]:
-----------------------------------------------------------------

With extra error checking.

::: media/mtransport/runnable_utils.h
@@ +40,5 @@
>  
>  // Temporary hack. Really we want to have a template which will do this
>  static inline nsresult RUN_ON_THREAD(nsIEventTarget *thread, nsIRunnable *runnable, uint32_t flags) {
>    RefPtr<nsIRunnable> runnable_ref(runnable);
>    

Please remove this whitespace.

@@ +44,5 @@
>    
> +  if (thread) {
> +    bool on;
> +    nsresult rv;
> +    rv = thread->IsOnCurrentThread(&on);

We should have an error here  if this fails.

MOZ_ASSERT(NS_SUCCEEDED(rv))
NS_ENSURE(NS_SUCCEEDED(rv), rv);

@@ +45,5 @@
> +  if (thread) {
> +    bool on;
> +    nsresult rv;
> +    rv = thread->IsOnCurrentThread(&on);
> +    if(!NS_SUCCEEDED(rv) || !on) {

And here we just need if (!on)

@@ +52,4 @@
>    }
>    return runnable_ref->Run();
>  }
> + 

And this.

Comment 5

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Attachment: Fixed RUN_ON_THREAD to not dispatch on own thread

Comment 6

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Attachment: Fixed RUN_ON_THREAD to not dispatch on own thread.

Comment 7

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Attachment: Fixed RUN_ON_THREAD to not dispatch on own thread.

Comment 8

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Comment on attachment 696384 [details] [diff] [review]
Fixed RUN_ON_THREAD to not dispatch on own thread.

Carrying forward r+ from ekr.

Comment 9

[Henrik Skupin [:whimboo][⌚️UTC+1]]

Failed on WinXP SP2:
https://tbpl.mozilla.org/php/getParsedLog.php?id=18337591&tree=Alder

PROCESS-CRASH | Main app process exited normally | application crashed [@ ntdll.dll + 0xeb94]

Crash reason:  EXCEPTION_NONCONTINUABLE_EXCEPTION
Crash address: 0x0
Assertion: Pure virtual function called

Thread 6 (crashed)
 0  ntdll.dll + 0xeb94
    eip = 0x7c90eb94   esp = 0x039fbe0c   ebp = 0x039fbe70   ebx = 0x00000000
    esi = 0x00000730   edi = 0x00000000   eax = 0x00000000   ecx = 0x039fc190
    edx = 0x00000308   efl = 0x00000246
    Found by: given as instruction pointer in context
 1  kernel32.dll + 0x2541
    eip = 0x7c802542   esp = 0x039fbe78   ebp = 0x039fbe84
    Found by: previous frame's frame pointer
 2  xul.dll!google_breakpad::ExceptionHandler::WriteMinidumpOnHandlerThread(_EXCEPTION_POINTERS *,MDRawAssertionInfo *) [exception_handler.cc:3cca59a99ce4 : 690 + 0xd]
    eip = 0x01237bbb   esp = 0x039fbe8c   ebp = 0x039fbea0
    Found by: previous frame's frame pointer
 3  xul.dll!google_breakpad::ExceptionHandler::HandlePureVirtualCall() [exception_handler.cc:3cca59a99ce4 : 645 + 0x6]
    eip = 0x0123873c   esp = 0x039fbea8   ebp = 0x039fc4ec
    Found by: call frame info
 4  msvcr100.dll + 0x8af05
    eip = 0x78b2af06   esp = 0x039fc4f4   ebp = 0x039fc508
    Found by: call frame info
 5  xul.dll!mozilla::MediaPipeline::TransportReadyInt(mozilla::TransportFlow *) [MediaPipeline.cpp:3cca59a99ce4 : 249 + 0x14]
    eip = 0x01c93f0e   esp = 0x039fc510   ebp = 0x039fcc04
    Found by: previous frame's frame pointer
 6  xul.dll!mozilla::runnable_args_m_1_ret<mozilla::MediaPipeline *,tag_nsresult ( mozilla::MediaPipeline::*)(mozilla::TransportFlow *),mozilla::TransportFlow *,tag_nsresult>::Run() [runnable_utils_generated.h:3cca59a99ce4 : 141 + 0xe]
    eip = 0x01c92cc7   esp = 0x039fcc0c   ebp = 0x039fcc14
    Found by: call frame info
 7  xul.dll!nsThreadSyncDispatch::Run() [nsThread.cpp:3cca59a99ce4 : 774 + 0x5]
    eip = 0x01bec9e2   esp = 0x039fcc1c   ebp = 0x039fcc28
    Found by: call frame info
 8  xul.dll!nsThread::ProcessNextEvent(bool,bool *) [nsThread.cpp:3cca59a99ce4 : 627 + 0x5]

Comment 10

[Henrik Skupin [:whimboo][⌚️UTC+1]]

https://tbpl.mozilla.org/php/getParsedLog.php?id=18336835&tree=Alder

PROCESS-CRASH | /tests/dom/media/tests/mochitest/test_peerConnection_basicAudio.html | application crashed [@ libstdc++.6.dylib + 0x2d5ee]

Comment 11

[Eric Rescorla (:ekr)]

I'm not sure what I'm supposed to be looking at here. The tbpl push doesn't seem to contain the patch listed above, so I would expect to see a crash here.

Comment 12

[Randell Jesup [:jesup] (needinfo me)]

Right: this is r+'d but not landed.  Those alder reports are (I assume) just other instances of it failing.

Comment 13

[Henrik Skupin [:whimboo][⌚️UTC+1]]

So can this patch be landed then? If Jan is not around can someone from you both do it?

Comment 14

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Just finishing a test. I'll mark it checkin? in a sec.

Comment 15

[Jan-Ivar Bruaroey [:jib] (needinfo? me)]

Comment on attachment 696384 [details] [diff] [review]
Fixed RUN_ON_THREAD to not dispatch on own thread.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Difficult, though in theory, use-after-free can be exploited to run attacker code using heap blasting.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.

Which older supported branches are affected by this flaw?
webrtc only, behind pref

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

How likely is this patch to cause regressions; how much testing does it need?
All signaling unittests passed. One test-run out of 7 produced an assertion believed to be unrelated, but the team agreed patch is more urgent than following that one case. Will keep testing afterwards.

Comment 16

[Randell Jesup [:jesup] (needinfo me)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/288b327769f0

Comment 17

[Randell Jesup [:jesup] (needinfo me)]

Correction: 
https://hg.mozilla.org/integration/mozilla-inbound/rev/e3a7b9905aaf

Comment 18

[bhavana bajaj [:bajaj]]

Not tracking for FF18/19 as webRTC is disabled by default.Please feel free to renominate for FF19 if this is critical & this patch needs to be uplifted.

Comment 19

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/e3a7b9905aaf