Closed Bug 834395 Opened 11 years ago Closed 11 years ago

[WebRTC/DataChannel] SIGBUS in sctp_lower_sosend

Categories

(Core :: WebRTC: Networking, defect)

ARM
Android
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla21
Tracking Status
firefox20 --- disabled
firefox21 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: gcp, Assigned: jesup)

Details

(Keywords: crash, sec-high, Whiteboard: [webrtc][blocking-webrtc+][qa-][adv-main21-])

Attachments

(2 files)

Starting http://mozilla.github.com/webrtc-landing/data_test.html on Android:

Program received signal SIGBUS, Bus error.
Loading libraries and symbols...
[Switching to Thread 29565]
0xffff0fc4 in ?? ()
(gdb) bt
#0  0xffff0fc4 in ?? ()
#1  0x66b21074 in __sync_fetch_and_add_4 (ptr=0x5a5a5d2a, val=1)
    at /tmp/ndk-digit/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/linux-atomic.c:65
#2  0x646d11fc in sctp_lower_sosend (so=0x636e5000, addr=0x0, uio=0x5c6fb52c, i_pak=0x0, control=0x0, flags=0, 
    srcv=0x5c6fb544) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_output.c:12956
#3  0x646928da in usrsctp_sendv (so=0x636e5000, data=0x6313cce0, len=20, to=0x0, addrcnt=0, info=0x5c6fb604, 
    infolen=16, infotype=1, flags=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/user_socket.c:925
#4  0x647008f4 in mozilla::DataChannelConnection::SendControlMessage (this=0x5ecae320, msg=0x6313cce0, len=20, 
    streamOut=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:756
#5  0x64700b48 in mozilla::DataChannelConnection::SendOpenRequestMessage (this=0x5ecae320, label=..., streamOut=0, 
    unordered=false, prPolicy=0, prValue=0)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:824
#6  0x64703a7e in mozilla::DataChannelConnection::OpenFinish (this=0x5ecae320, aChannel=...)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:1825
#7  0x6470386a in mozilla::DataChannelConnection::Open (this=0x5ecae320, label=..., 
    type=mozilla::DataChannelConnection::RELIABLE, inOrder=true, prValue=0, aListener=0x0, aContext=0x0)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:1789
#8  0x664b7f4a in sipcc::PeerConnectionImpl::CreateDataChannel (this=0x62b8a030, aLabel=..., aType=0, 
    outOfOrderAllowed=false, aMaxTime=0, aMaxNum=0, aRetval=0x5c6fb908)
    at /home/morbo/hg/mozilla-central/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:512
#9  0x65c150ea in NS_InvokeByIndex_P (that=0x62b8a030, methodIndex=20, paramCount=<optimized out>, 
    params=<optimized out>) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#10 0x653fb088 in CallMethodHelper::Invoke (this=0x5c6fb890)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3084
#11 0x653f963e in CallMethodHelper::Call (this=0x5c6fb890)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2418
#12 0x653f9514 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2384
#13 0x654040f0 in XPC_WN_CallMethod (cx=0x5c5c69d0, argc=5, vp=0x5ed00148)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#14 0x666895b6 in js::CallJSNative (cx=0x5c5c69d0, 
    native=0x65403f45 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/morbo/hg/mozilla-central/js/src/jscntxtinlines.h:353
#15 0x66691246 in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:391
#16 0x666992ba in js::Interpret (cx=0x5c5c69d0, entryFrame=0x5ed00100, interpMode=js::JSINTERP_NORMAL)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:2385
#17 0x66690f40 in js::RunScript (cx=0x5c5c69d0, script=..., fp=0x5ed00100)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:348
#18 0x6669134c in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:406
#19 0x665ed6a0 in js::Invoke (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.h:131
#20 0x66691582 in js::Invoke (cx=0x5c5c69d0, thisv=..., fval=..., argc=2, argv=0x5c6fc868, rval=0x5c6fc970)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:439
#21 0x665e1eb4 in JS_CallFunctionValue (cx=0x5c5c69d0, objArg=0x62f84d00, fval=..., argc=2, argv=0x5c6fc868, 
    rval=0x5c6fc970) at /home/morbo/hg/mozilla-central/js/src/jsapi.cpp:5830
#22 0x653f0bfe in nsXPCWrappedJSClass::CallMethod (this=0x5f9d0f40, wrapper=0x62c90a80, methodIndex=33, 
    info_=0x5ec4c0b0, nativeParams=0x5c6fcba8)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
#23 0x653e810c in nsXPCWrappedJS::CallMethod (this=0x62c90a80, methodIndex=33, info=0x5ec4c0b0, params=0x5c6fcba8)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJS.cpp:578
#24 0x65c15aca in PrepareAndDispatch (self=<optimized out>, methodIndex=<optimized out>, args=0x5c6fcc6c)
    at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
#25 0x65c15100 in SharedStub () from /home/morbo/hg/mozilla-central/objdir-android/dist/bin/libxul.so
#26 0x65c150ea in NS_InvokeByIndex_P (that=0x601db440, methodIndex=33, paramCount=<optimized out>, 
    params=<optimized out>) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#27 0x653fb088 in CallMethodHelper::Invoke (this=0x5c6fcd00)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3084
#28 0x653f963e in CallMethodHelper::Call (this=0x5c6fcd00)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2418
#29 0x653f9514 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2384
#30 0x654040f0 in XPC_WN_CallMethod (cx=0x5c5c69d0, argc=2, vp=0x5ed000c0)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#31 0x666895b6 in js::CallJSNative (cx=0x5c5c69d0, 
    native=0x65403f45 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/morbo/hg/mozilla-central/js/src/jscntxtinlines.h:353
#32 0x66691246 in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:391
#33 0x666992ba in js::Interpret (cx=0x5c5c69d0, entryFrame=0x5ed00080, interpMode=js::JSINTERP_NORMAL)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:2385
#34 0x66690f40 in js::RunScript (cx=0x5c5c69d0, script=..., fp=0x5ed00080)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:348
#35 0x6669134c in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:406
#36 0x665ed6a0 in js::Invoke (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.h:131
#37 0x66691582 in js::Invoke (cx=0x5c5c69d0, thisv=..., fval=..., argc=0, argv=0x5c6fdcd8, rval=0x5c6fdde0)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:439
#38 0x665e1eb4 in JS_CallFunctionValue (cx=0x5c5c69d0, objArg=0x5f8c17c0, fval=..., argc=0, argv=0x5c6fdcd8, 
    rval=0x5c6fdde0) at /home/morbo/hg/mozilla-central/js/src/jsapi.cpp:5830
#39 0x653f0bfe in nsXPCWrappedJSClass::CallMethod (this=0x5f9d0fd0, wrapper=0x62c90fc0, methodIndex=3, 
    info_=0x5e9e1c28, nativeParams=0x5c6fe018)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
#40 0x653e810c in nsXPCWrappedJS::CallMethod (this=0x62c90fc0, methodIndex=3, info=0x5e9e1c28, params=0x5c6fe018)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJS.cpp:578
#41 0x65c15b66 in PrepareAndDispatch (self=<optimized out>, methodIndex=<optimized out>, args=0x5c6fe0d4)
    at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
#42 0x65c15100 in SharedStub () from /home/morbo/hg/mozilla-central/objdir-android/dist/bin/libxul.so
#43 0x65c150ea in NS_InvokeByIndex_P (that=0x601db760, methodIndex=3, paramCount=<optimized out>, 
    params=<optimized out>) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#44 0x653fb088 in CallMethodHelper::Invoke (this=0x5c6fe168)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3084
#45 0x653f963e in CallMethodHelper::Call (this=0x5c6fe168)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2418
#46 0x653f9514 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2384
#47 0x654040f0 in XPC_WN_CallMethod (cx=0x5c5c69d0, argc=0, vp=0x5ed00060)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#48 0x666895b6 in js::CallJSNative (cx=0x5c5c69d0, 
    native=0x65403f45 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/morbo/hg/mozilla-central/js/src/jscntxtinlines.h:353
#49 0x66691246 in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:391
#50 0x666992ba in js::Interpret (cx=0x5c5c69d0, entryFrame=0x5ed00028, interpMode=js::JSINTERP_NORMAL)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:2385
#51 0x66690f40 in js::RunScript (cx=0x5c5c69d0, script=..., fp=0x5ed00028)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:348
#52 0x6669134c in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:406
#53 0x665ed6a0 in js::Invoke (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.h:131
#54 0x66691582 in js::Invoke (cx=0x5c5c69d0, thisv=..., fval=..., argc=0, argv=0x5c6ff140, rval=0x5c6ff248)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:439
#55 0x665e1eb4 in JS_CallFunctionValue (cx=0x5c5c69d0, objArg=0x62f84d90, fval=..., argc=0, argv=0x5c6ff140, 
    rval=0x5c6ff248) at /home/morbo/hg/mozilla-central/js/src/jsapi.cpp:5830
#56 0x653f0bfe in nsXPCWrappedJSClass::CallMethod (this=0x62b0e4f0, wrapper=0x62c4a8c0, methodIndex=12, 
    info_=0x5ec410bc, nativeParams=0x5c6ff480)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
#57 0x653e810c in nsXPCWrappedJS::CallMethod (this=0x62c4a8c0, methodIndex=12, info=0x5ec410bc, params=0x5c6ff480)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJS.cpp:578
#58 0x65c15b66 in PrepareAndDispatch (self=<optimized out>, methodIndex=<optimized out>, args=0x5c6ff53c)
    at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
#59 0x65c15100 in SharedStub () from /home/morbo/hg/mozilla-central/objdir-android/dist/bin/libxul.so
#60 0x664bd582 in mozilla::runnable_args_m_0<nsCOMPtr<IPeerConnectionObserver>, tag_nsresult (IPeerConnectionObserver::*)()>::Run (this=0x6313be60)
    at /home/morbo/hg/mozilla-central/media/webrtc/signaling//../../../media/mtransport/runnable_utils_generated.h:48
#61 0x664b5240 in mozilla::RUN_ON_THREAD (thread=0x5c54f0f0, runnable=0x6313be60, flags=0)
    at /home/morbo/hg/mozilla-central/media/webrtc/signaling//../../../media/mtransport/runnable_utils.h:54
#62 0x664b81c2 in sipcc::PeerConnectionImpl::NotifyConnection (this=0x62b8a030)
    at /home/morbo/hg/mozilla-central/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:541
#63 0x646fe094 in mozilla::DataChannelOnMessageAvailable::Run (this=0x694e3580)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.h:489
#64 0x65beee88 in nsThread::ProcessNextEvent (this=0x5c54f0f0, mayWait=false, result=0x5c6ff72f)
    at /home/morbo/hg/mozilla-central/xpcom/threads/nsThread.cpp:627
#65 0x65b8f446 in NS_ProcessNextEvent_P (thread=0x5c54f0f0, mayWait=false)
    at /home/morbo/hg/mozilla-central/objdir-android/xpcom/build/nsThreadUtils.cpp:238
#66 0x658428b6 in mozilla::ipc::MessagePump::Run (this=0x5c5512e0, aDelegate=0x5c57a0c0)
    at /home/morbo/hg/mozilla-central/ipc/glue/MessagePump.cpp:82
#67 0x65c467a0 in MessageLoop::RunInternal (this=0x5c57a0c0)
    at /home/morbo/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:215
#68 0x65c4673a in MessageLoop::RunHandler (this=0x5c57a0c0)
    at /home/morbo/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#69 0x65c466e2 in MessageLoop::Run (this=0x5c57a0c0)
    at /home/morbo/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:182
#70 0x65706956 in nsBaseAppShell::Run (this=0x5c560980)
    at /home/morbo/hg/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#71 0x6553e9e4 in nsAppStartup::Run (this=0x5ecd0d00)
    at /home/morbo/hg/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:288
#72 0x644ee366 in XREMain::XRE_mainRun (this=0x5c6ff9d8)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:3823
#73 0x644ee5e0 in XREMain::XRE_main (this=0x5c6ff9d8, argc=9, argv=0x5c571048, aAppData=0x80b59e68)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:3890
#74 0x644ee7b2 in XRE_main (argc=9, argv=0x5c571048, aAppData=0x80b59e68, aFlags=0)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:4093
#75 0x644fa0a2 in GeckoStart (data=0x490f68, appData=0x80b59e68)
    at /home/morbo/hg/mozilla-central/toolkit/xre/nsAndroidStartup.cpp:73
#76 0x80b2a270 in Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=0x2ffd78, jc=0x40802630, jargs=0x409ef4c0)
    at /home/morbo/hg/mozilla-central/mozglue/android/APKOpen.cpp:669
#77 0xaca11d38 in dvmPlatformInvoke ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#78 0xaca41262 in dvmCallJNIMethod_general ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#79 0xaca46864 in dvmResolveNativeMethod ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#80 0xaca16f60 in dvmJitToInterpNoChain ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#81 0xaca16f60 in dvmJitToInterpNoChain ()
   from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) up
#1  0x66b21074 in __sync_fetch_and_add_4 (ptr=0x5a5a5d2a, val=1)
    at /tmp/ndk-digit/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/linux-atomic.c:65
65      /tmp/ndk-digit/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/linux-atomic.c: No such file or directory.
(gdb) up
#2  0x646d11fc in sctp_lower_sosend (so=0x636e5000, addr=0x0, uio=0x5c6fb52c, i_pak=0x0, control=0x0, flags=0, 
    srcv=0x5c6fb544) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_output.c:12956
12956           atomic_add_int(&inp->total_sends, 1);
(gdb) print *so
$1 = {so_count = 1515870810, so_type = 23130, so_options = 23130, so_linger = 23130, so_state = 23130, 
  so_qstate = 1515870810, so_pcb = 0x5a5a5a5a, so_dom = 1515870810, so_head = 0x5a5a5a5a, so_incomp = {
    tqh_first = 0x5a5a5a5a, tqh_last = 0x5a5a5a5a}, so_comp = {tqh_first = 0x5a5a5a5a, tqh_last = 0x5a5a5a5a}, 
  so_list = {tqe_next = 0x5a5a5a5a, tqe_prev = 0x5a5a5a5a}, so_qlen = 23130, so_incqlen = 23130, so_qlimit = 23130, 
  so_timeo = 23130, timeo_cond = {value = 1515870810}, so_error = 23130, so_sigio = 0x5a5a5a5a, 
  so_oobmark = 1515870810, so_aiojobq = {tqh_first = 0x5a5a5a5a, tqh_last = 0x5a5a5a5a}, so_rcv = {sb_cond = {
      value = 1515870810}, sb_mtx = {value = 1515870810}, sb_state = 23130, sb_mb = 0x5a5a5a5a, 
    sb_mbtail = 0x5a5a5a5a, sb_lastrecord = 0x5a5a5a5a, sb_sndptr = 0x5a5a5a5a, sb_sndptroff = 1515870810, 
    sb_cc = 1515870810, sb_hiwat = 1515870810, sb_mbcnt = 1515870810, sb_mbmax = 1515870810, sb_ctl = 1515870810, 
    sb_lowat = 1515870810, sb_timeo = 1515870810, sb_flags = 23130}, so_snd = {sb_cond = {value = 1515870810}, 
    sb_mtx = {value = 1515870810}, sb_state = 23130, sb_mb = 0x5a5a5a5a, sb_mbtail = 0x5a5a5a5a, 
    sb_lastrecord = 0x5a5a5a5a, sb_sndptr = 0x5a5a5a5a, sb_sndptroff = 1515870810, sb_cc = 1515870810, 
    sb_hiwat = 1515870810, sb_mbcnt = 1515870810, sb_mbmax = 1515870810, sb_ctl = 1515870810, sb_lowat = 1515870810, 
    sb_timeo = 1515870810, sb_flags = 23130}, so_upcall = 0x5a5a5a5a, so_upcallarg = 0x5a5a5a5a, 
  so_cred = 0x5a5a5a5a, so_label = 0x5a5a5a5a, so_peerlabel = 0x5a5a5a5a, so_gencnt = 6510615555426900570, 
  so_emuldata = 0x5a5a5a5a, so_accf = 0x5a5a5a5a}
Freed-memory access; closing as security (though if it's only Android right now it's not a big issue until we land the patches). However, we don't know it's Android-only.
Assignee: nobody → rjesup
Group: core-security
Severity: normal → critical
Keywords: crash
Whiteboard: [webrtc][blocking-webrtc+][webrtc-uplift]
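The `print *so` dump above is read as freed memory because every field carries the same repeated byte. As an added example (not from the bug or from Mozilla's code), this script parses a gdb struct dump and flags fields whose bytes are all 0x5a; that 0x5a is jemalloc's junk-on-free fill is an assumption about the allocator in use, not something the bug states.

```python
import re

# Constructed excerpt in the shape of the `print *so` output above (trimmed, one live field added).
SAMPLE_DUMP = """$1 = {so_count = 1515870810, so_type = 23130, so_options = 23130, so_pcb = 0x5a5a5a5a,
  so_incomp = {tqh_first = 0x5a5a5a5a, tqh_last = 0x5a5a5a5a},
  timeo_cond = {value = 1515870810}, so_gencnt = 6510615555426900570, so_upcall = 0x0}"""

# Constructed dump of a socket that is still alive, for contrast.
LIVE_DUMP = """$2 = {so_count = 1, so_type = 1, so_pcb = 0x636e5000,
  so_incomp = {tqh_first = 0x0, tqh_last = 0x0}, so_gencnt = 12}"""

# Assumption (not stated in the bug): jemalloc's junk fill writes 0x5a into freed memory,
# so an object made entirely of 0x5a bytes has been freed (or reallocated and not yet written).
FREED_FILL = 0x5A

TOKEN_RE = re.compile(
    r"(?P<open>[A-Za-z_]\w*)\s*=\s*\{"                              # field that starts a nested struct
    r"|(?P<close>\})"                                                # end of a nested struct
    r"|(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<val>0x[0-9a-fA-F]+|-?\d+)"  # numeric field
)


def parse_fields(dump):
    """Map every numeric field in a gdb struct dump to its value, keyed by dotted path."""
    path, fields = [], {}
    for m in TOKEN_RE.finditer(dump):
        if m.group("open"):
            path.append(m.group("open"))
        elif m.group("close"):
            if path:                      # the outermost '}' has no named field to pop
                path.pop()
        else:
            fields[".".join(path + [m.group("name")])] = int(m.group("val"), 0)
    return fields


def is_fill_pattern(value, fill):
    """True if value is the byte `fill` repeated across a 2-, 4- or 8-byte integer.

    1-byte matches are deliberately ignored: a lone 0x5a (90) is a plausible real value.
    """
    if value < 0:
        value &= (1 << 64) - 1            # gdb prints signed ints; compare the raw bit pattern
    return any(value == int.from_bytes(bytes([fill]) * width, "little")
               for width in (2, 4, 8))


def triage(dump, fill=FREED_FILL):
    """Return (names of fields that carry the fill pattern, number of numeric fields)."""
    fields = parse_fields(dump)
    poisoned = [name for name, value in fields.items() if is_fill_pattern(value, fill)]
    return poisoned, len(fields)


def looks_freed(dump, threshold=0.8):
    """Heuristic verdict: the object is freed memory if most of its fields carry the free fill."""
    poisoned, total = triage(dump)
    return total > 0 and len(poisoned) / total >= threshold


if __name__ == "__main__":
    for label, dump in (("crash dump", SAMPLE_DUMP), ("live socket", LIVE_DUMP)):
        poisoned, total = triage(dump)
        print(f"{label}: {len(poisoned)}/{total} fields carry 0x5a fill -> freed={looks_freed(dump)}")
```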
I haven't done any debugging on Android yet... Can I do debugging on an emulated device or do I need a real one?
Debugging and development should be possible in the emulator, though I admittedly haven't ever done it. I'll check if I can reproduce in Linux. 

You aren't going to be at FOSDEM by any chance?
Let me know if you can reproduce it on Linux... and no, I'm not attending FOSDEM.
Gian-Carlo got these right before shutting down for the night. Something is going wrong, and 'so' appears to be pointing to freed or re-allocated memory.
I was trying to step through this in the debugger, when I hit this. It looks related:

Program received signal SIGSEGV, Segmentation fault.
Loading libraries and symbols...
[Switching to Thread 5605]
0x664a0ada in sctp_lower_sosend (so=0x69b5e900, addr=0x0, uio=0x5c9a0544, i_pak=0x0, control=0x0, flags=0, 
    srcv=0x5c9a055c) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_output.c:12955
12955           user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
(gdb) bt
#0  0x664a0ada in sctp_lower_sosend (so=0x69b5e900, addr=0x0, uio=0x5c9a0544, i_pak=0x0, control=0x0, flags=0, 
    srcv=0x5c9a055c) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_output.c:12955
#1  0x6646067e in usrsctp_sendv (so=0x69b5e900, data=0x643ff380, len=20, to=0x0, addrcnt=0, info=0x5c9a061c, 
    infolen=16, infotype=1, flags=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/user_socket.c:926
#2  0x664d0f50 in mozilla::DataChannelConnection::SendControlMessage (this=0x5c576f30, msg=0x643ff380, len=20, 
    streamOut=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:820
#3  0x664d11a4 in mozilla::DataChannelConnection::SendOpenRequestMessage (this=0x5c576f30, label=..., streamOut=0, 
    unordered=false, prPolicy=0, prValue=0)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:888
#4  0x664d40da in mozilla::DataChannelConnection::OpenFinish (this=0x5c576f30, aChannel=...)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:1889
#5  0x664d3ec6 in mozilla::DataChannelConnection::Open (this=0x5c576f30, label=..., 
    type=mozilla::DataChannelConnection::RELIABLE, inOrder=true, prValue=0, aListener=0x0, aContext=0x0)
    at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:1853
#6  0x682826d2 in sipcc::PeerConnectionImpl::CreateDataChannel (this=0x63ef39d0, aLabel=..., aType=0, 
    outOfOrderAllowed=false, aMaxTime=0, aMaxNum=0, aRetval=0x5c9a0920)
    at /home/morbo/hg/mozilla-central/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:649
#7  0x679e744a in NS_InvokeByIndex_P (that=0x63ef39d0, methodIndex=20, paramCount=<optimized out>, 
    params=<optimized out>) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#8  0x671cb930 in CallMethodHelper::Invoke (this=0x5c9a08a8)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3084
#9  0x671c9ee6 in CallMethodHelper::Call (this=0x5c9a08a8)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2418
#10 0x671c9dbc in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2384
#11 0x671d4998 in XPC_WN_CallMethod (cx=0x5c540100, argc=5, vp=0x5fadc148)
    at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#12 0x684549da in js::CallJSNative (cx=0x5c540100, 
    native=0x671d47ed <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/morbo/hg/mozilla-central/js/src/jscntxtinlines.h:353
#13 0x6845c70e in js::InvokeKernel (cx=0x5c540100, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:389
#14 0x68464782 in js::Interpret (cx=0x5c540100, entryFrame=0x5fadc100, interpMode=js::JSINTERP_NORMAL)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:2383
#15 0x6845c408 in js::RunScript (cx=0x5c540100, script=..., fp=0x5fadc100)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:346
#16 0x6845c814 in js::InvokeKernel (cx=0x5c540100, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:404
#17 0x683b8740 in js::Invoke (cx=0x5c540100, args=..., construct=js::NO_CONSTRUCT)
    at /home/morbo/hg/mozilla-central/js/src/jsinterp.h:131
#18 0x6845ca4a in js::Invoke (cx=0x5c540100, thisv=..., fval=..., argc=2, argv=0x5c9a1878, rval=0x5c9a1980)
Testcase is the DataChannel demo at http://mozilla.github.com/webrtc-landing/data_test.html

This bug only affects Android, and only if you turn on building webrtc on Android by hand (and this can't be done on m-c currently as webrtc requires Android 2.3/Gingerbread currently.)
Given the above status, I'd suggest the sec rating be lowered (though it really won't matter much, as we have a fix in hand now.)
Flags: needinfo?(dveditz)
Jesup found that we were compiling some of our source with INET6 enabled, which causes several structures to have the wrong layout. Fixing that makes the crash go away.
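The INET6 layout mismatch described above, as an added example that is not part of the bug or of usrsctp: two ctypes layouts stand in for one struct compiled with and without INET6 (field names are hypothetical), `layout_diff` is the ABI check a build could enforce, and decoding a buffer through the other layout shows a counter read from the wrong offset and a pointer field turned into garbage.

```python
import ctypes

# Constructed stand-ins for one struct whose definition changes under the INET6 compile switch.
# Field names are hypothetical; they are not usrsctp's real layout.
class PcbWithoutInet6(ctypes.Structure):
    _fields_ = [
        ("sctp_flags", ctypes.c_uint32),
        ("total_sends", ctypes.c_uint32),
        ("so_backref", ctypes.c_void_p),       # pointer field following the counters
    ]


class PcbWithInet6(ctypes.Structure):
    _fields_ = [
        ("sctp_flags", ctypes.c_uint32),
        ("inet6_flowinfo", ctypes.c_uint32),   # present only when INET6 is defined
        ("inet6_scope_id", ctypes.c_uint32),   # present only when INET6 is defined
        ("total_sends", ctypes.c_uint32),
        ("so_backref", ctypes.c_void_p),
    ]


def encode(layout, **values):
    """Lay the object out in memory as the translation unit that defines `layout` would."""
    obj = layout(**values)
    return ctypes.string_at(ctypes.addressof(obj), ctypes.sizeof(obj))


def decode(layout, raw):
    """Read the same bytes back through `layout`, as a differently compiled unit would."""
    obj = layout.from_buffer_copy(raw[:ctypes.sizeof(layout)])
    return {name: getattr(obj, name) for name, _ in layout._fields_}


def layout_diff(a, b):
    """Fields whose (offset, size) differ between two layouts; empty means ABI-compatible."""
    def shape(layout):
        return {name: (getattr(layout, name).offset, getattr(layout, name).size)
                for name, _ in layout._fields_}
    sa, sb = shape(a), shape(b)
    return sorted(name for name in set(sa) | set(sb) if sa.get(name) != sb.get(name))


def cross_read(writer, reader, **values):
    """Encode with one layout and decode with the other: the bug's failure mode in miniature."""
    return decode(reader, encode(writer, **values))


if __name__ == "__main__":
    fields = dict(sctp_flags=0x10, inet6_flowinfo=0xDEADBEEF, inet6_scope_id=7,
                  total_sends=1, so_backref=0x636E5000)
    print("layout differences:", layout_diff(PcbWithoutInet6, PcbWithInet6))
    print("read through the wrong layout:", cross_read(PcbWithInet6, PcbWithoutInet6, **fields))
```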
Attachment #707149 - Flags: review?(rjesup)
Attachment #707149 - Flags: review?(rjesup) → review+
https://hg.mozilla.org/mozilla-central/rev/0c1c97ae4603
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Whiteboard: [webrtc][blocking-webrtc+][webrtc-uplift] → [webrtc][blocking-webrtc+][webrtc-uplift][qa-]
Flags: in-testsuite-
No uplift required; this is an Android-only bug and we don't even build Android WebRTC on m-c yet by default.
Whiteboard: [webrtc][blocking-webrtc+][webrtc-uplift][qa-] → [webrtc][blocking-webrtc+][qa-]
Flags: needinfo?(dveditz)
This was pref'd off for Firefox 20, right?
Whiteboard: [webrtc][blocking-webrtc+][qa-] → [webrtc][blocking-webrtc+][qa-][adv-main21-]
Group: core-security