Bug 834395
Opened 11 years ago
Closed 11 years ago
[WebRTC/DataChannel] SIGBUS in sctp_lower_sosend
Categories: Core :: WebRTC: Networking, defect
Tracking
Status: RESOLVED FIXED
Target milestone: mozilla21

Release | Tracking | Status
---|---|---
firefox20 | --- | disabled
firefox21 | + | fixed
firefox-esr17 | --- | unaffected
b2g18 | --- | unaffected
People
(Reporter: gcp, Assigned: jesup)
Details
(Keywords: crash, sec-high, Whiteboard: [webrtc][blocking-webrtc+][qa-][adv-main21-])
Attachments (2 files)
- 10.50 KB, text/plain
- 879 bytes, patch (jesup: review+)
Starting http://mozilla.github.com/webrtc-landing/data_test.html on Android:

Program received signal SIGBUS, Bus error.
Loading libraries and symbols...
[Switching to Thread 29565]
0xffff0fc4 in ?? ()
(gdb) bt
#0 0xffff0fc4 in ?? ()
#1 0x66b21074 in __sync_fetch_and_add_4 (ptr=0x5a5a5d2a, val=1) at /tmp/ndk-digit/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/linux-atomic.c:65
#2 0x646d11fc in sctp_lower_sosend (so=0x636e5000, addr=0x0, uio=0x5c6fb52c, i_pak=0x0, control=0x0, flags=0, srcv=0x5c6fb544) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_output.c:12956
#3 0x646928da in usrsctp_sendv (so=0x636e5000, data=0x6313cce0, len=20, to=0x0, addrcnt=0, info=0x5c6fb604, infolen=16, infotype=1, flags=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/user_socket.c:925
#4 0x647008f4 in mozilla::DataChannelConnection::SendControlMessage (this=0x5ecae320, msg=0x6313cce0, len=20, streamOut=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:756
#5 0x64700b48 in mozilla::DataChannelConnection::SendOpenRequestMessage (this=0x5ecae320, label=..., streamOut=0, unordered=false, prPolicy=0, prValue=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:824
#6 0x64703a7e in mozilla::DataChannelConnection::OpenFinish (this=0x5ecae320, aChannel=...) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:1825
#7 0x6470386a in mozilla::DataChannelConnection::Open (this=0x5ecae320, label=..., type=mozilla::DataChannelConnection::RELIABLE, inOrder=true, prValue=0, aListener=0x0, aContext=0x0) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:1789
#8 0x664b7f4a in sipcc::PeerConnectionImpl::CreateDataChannel (this=0x62b8a030, aLabel=..., aType=0, outOfOrderAllowed=false, aMaxTime=0, aMaxNum=0, aRetval=0x5c6fb908) at /home/morbo/hg/mozilla-central/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:512
#9 0x65c150ea in NS_InvokeByIndex_P (that=0x62b8a030, methodIndex=20, paramCount=<optimized out>, params=<optimized out>) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#10 0x653fb088 in CallMethodHelper::Invoke (this=0x5c6fb890) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3084
#11 0x653f963e in CallMethodHelper::Call (this=0x5c6fb890) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2418
#12 0x653f9514 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2384
#13 0x654040f0 in XPC_WN_CallMethod (cx=0x5c5c69d0, argc=5, vp=0x5ed00148) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#14 0x666895b6 in js::CallJSNative (cx=0x5c5c69d0, native=0x65403f45 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/morbo/hg/mozilla-central/js/src/jscntxtinlines.h:353
#15 0x66691246 in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:391
#16 0x666992ba in js::Interpret (cx=0x5c5c69d0, entryFrame=0x5ed00100, interpMode=js::JSINTERP_NORMAL) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:2385
#17 0x66690f40 in js::RunScript (cx=0x5c5c69d0, script=..., fp=0x5ed00100) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:348
#18 0x6669134c in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:406
#19 0x665ed6a0 in js::Invoke (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.h:131
#20 0x66691582 in js::Invoke (cx=0x5c5c69d0, thisv=..., fval=..., argc=2, argv=0x5c6fc868, rval=0x5c6fc970) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:439
#21 0x665e1eb4 in JS_CallFunctionValue (cx=0x5c5c69d0, objArg=0x62f84d00, fval=..., argc=2, argv=0x5c6fc868, rval=0x5c6fc970) at /home/morbo/hg/mozilla-central/js/src/jsapi.cpp:5830
#22 0x653f0bfe in nsXPCWrappedJSClass::CallMethod (this=0x5f9d0f40, wrapper=0x62c90a80, methodIndex=33, info_=0x5ec4c0b0, nativeParams=0x5c6fcba8) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
#23 0x653e810c in nsXPCWrappedJS::CallMethod (this=0x62c90a80, methodIndex=33, info=0x5ec4c0b0, params=0x5c6fcba8) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJS.cpp:578
#24 0x65c15aca in PrepareAndDispatch (self=<optimized out>, methodIndex=<optimized out>, args=0x5c6fcc6c) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
#25 0x65c15100 in SharedStub () from /home/morbo/hg/mozilla-central/objdir-android/dist/bin/libxul.so
#26 0x65c150ea in NS_InvokeByIndex_P (that=0x601db440, methodIndex=33, paramCount=<optimized out>, params=<optimized out>) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#27 0x653fb088 in CallMethodHelper::Invoke (this=0x5c6fcd00) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3084
#28 0x653f963e in CallMethodHelper::Call (this=0x5c6fcd00) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2418
#29 0x653f9514 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2384
#30 0x654040f0 in XPC_WN_CallMethod (cx=0x5c5c69d0, argc=2, vp=0x5ed000c0) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#31 0x666895b6 in js::CallJSNative (cx=0x5c5c69d0, native=0x65403f45 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/morbo/hg/mozilla-central/js/src/jscntxtinlines.h:353
#32 0x66691246 in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:391
#33 0x666992ba in js::Interpret (cx=0x5c5c69d0, entryFrame=0x5ed00080, interpMode=js::JSINTERP_NORMAL) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:2385
#34 0x66690f40 in js::RunScript (cx=0x5c5c69d0, script=..., fp=0x5ed00080) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:348
#35 0x6669134c in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:406
#36 0x665ed6a0 in js::Invoke (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.h:131
#37 0x66691582 in js::Invoke (cx=0x5c5c69d0, thisv=..., fval=..., argc=0, argv=0x5c6fdcd8, rval=0x5c6fdde0) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:439
#38 0x665e1eb4 in JS_CallFunctionValue (cx=0x5c5c69d0, objArg=0x5f8c17c0, fval=..., argc=0, argv=0x5c6fdcd8, rval=0x5c6fdde0) at /home/morbo/hg/mozilla-central/js/src/jsapi.cpp:5830
#39 0x653f0bfe in nsXPCWrappedJSClass::CallMethod (this=0x5f9d0fd0, wrapper=0x62c90fc0, methodIndex=3, info_=0x5e9e1c28, nativeParams=0x5c6fe018) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
#40 0x653e810c in nsXPCWrappedJS::CallMethod (this=0x62c90fc0, methodIndex=3, info=0x5e9e1c28, params=0x5c6fe018) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJS.cpp:578
#41 0x65c15b66 in PrepareAndDispatch (self=<optimized out>, methodIndex=<optimized out>, args=0x5c6fe0d4) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
#42 0x65c15100 in SharedStub () from /home/morbo/hg/mozilla-central/objdir-android/dist/bin/libxul.so
#43 0x65c150ea in NS_InvokeByIndex_P (that=0x601db760, methodIndex=3, paramCount=<optimized out>, params=<optimized out>) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#44 0x653fb088 in CallMethodHelper::Invoke (this=0x5c6fe168) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3084
#45 0x653f963e in CallMethodHelper::Call (this=0x5c6fe168) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2418
#46 0x653f9514 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2384
#47 0x654040f0 in XPC_WN_CallMethod (cx=0x5c5c69d0, argc=0, vp=0x5ed00060) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#48 0x666895b6 in js::CallJSNative (cx=0x5c5c69d0, native=0x65403f45 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/morbo/hg/mozilla-central/js/src/jscntxtinlines.h:353
#49 0x66691246 in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:391
#50 0x666992ba in js::Interpret (cx=0x5c5c69d0, entryFrame=0x5ed00028, interpMode=js::JSINTERP_NORMAL) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:2385
#51 0x66690f40 in js::RunScript (cx=0x5c5c69d0, script=..., fp=0x5ed00028) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:348
#52 0x6669134c in js::InvokeKernel (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:406
#53 0x665ed6a0 in js::Invoke (cx=0x5c5c69d0, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.h:131
#54 0x66691582 in js::Invoke (cx=0x5c5c69d0, thisv=..., fval=..., argc=0, argv=0x5c6ff140, rval=0x5c6ff248) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:439
#55 0x665e1eb4 in JS_CallFunctionValue (cx=0x5c5c69d0, objArg=0x62f84d90, fval=..., argc=0, argv=0x5c6ff140, rval=0x5c6ff248) at /home/morbo/hg/mozilla-central/js/src/jsapi.cpp:5830
#56 0x653f0bfe in nsXPCWrappedJSClass::CallMethod (this=0x62b0e4f0, wrapper=0x62c4a8c0, methodIndex=12, info_=0x5ec410bc, nativeParams=0x5c6ff480) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
#57 0x653e810c in nsXPCWrappedJS::CallMethod (this=0x62c4a8c0, methodIndex=12, info=0x5ec410bc, params=0x5c6ff480) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedJS.cpp:578
#58 0x65c15b66 in PrepareAndDispatch (self=<optimized out>, methodIndex=<optimized out>, args=0x5c6ff53c) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcstubs_arm.cpp:105
#59 0x65c15100 in SharedStub () from /home/morbo/hg/mozilla-central/objdir-android/dist/bin/libxul.so
#60 0x664bd582 in mozilla::runnable_args_m_0<nsCOMPtr<IPeerConnectionObserver>, tag_nsresult (IPeerConnectionObserver::*)()>::Run (this=0x6313be60) at /home/morbo/hg/mozilla-central/media/webrtc/signaling//../../../media/mtransport/runnable_utils_generated.h:48
#61 0x664b5240 in mozilla::RUN_ON_THREAD (thread=0x5c54f0f0, runnable=0x6313be60, flags=0) at /home/morbo/hg/mozilla-central/media/webrtc/signaling//../../../media/mtransport/runnable_utils.h:54
#62 0x664b81c2 in sipcc::PeerConnectionImpl::NotifyConnection (this=0x62b8a030) at /home/morbo/hg/mozilla-central/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:541
#63 0x646fe094 in mozilla::DataChannelOnMessageAvailable::Run (this=0x694e3580) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.h:489
#64 0x65beee88 in nsThread::ProcessNextEvent (this=0x5c54f0f0, mayWait=false, result=0x5c6ff72f) at /home/morbo/hg/mozilla-central/xpcom/threads/nsThread.cpp:627
#65 0x65b8f446 in NS_ProcessNextEvent_P (thread=0x5c54f0f0, mayWait=false) at /home/morbo/hg/mozilla-central/objdir-android/xpcom/build/nsThreadUtils.cpp:238
#66 0x658428b6 in mozilla::ipc::MessagePump::Run (this=0x5c5512e0, aDelegate=0x5c57a0c0) at /home/morbo/hg/mozilla-central/ipc/glue/MessagePump.cpp:82
#67 0x65c467a0 in MessageLoop::RunInternal (this=0x5c57a0c0) at /home/morbo/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:215
#68 0x65c4673a in MessageLoop::RunHandler (this=0x5c57a0c0) at /home/morbo/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:208
#69 0x65c466e2 in MessageLoop::Run (this=0x5c57a0c0) at /home/morbo/hg/mozilla-central/ipc/chromium/src/base/message_loop.cc:182
#70 0x65706956 in nsBaseAppShell::Run (this=0x5c560980) at /home/morbo/hg/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:163
#71 0x6553e9e4 in nsAppStartup::Run (this=0x5ecd0d00) at /home/morbo/hg/mozilla-central/toolkit/components/startup/nsAppStartup.cpp:288
#72 0x644ee366 in XREMain::XRE_mainRun (this=0x5c6ff9d8) at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:3823
#73 0x644ee5e0 in XREMain::XRE_main (this=0x5c6ff9d8, argc=9, argv=0x5c571048, aAppData=0x80b59e68) at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:3890
#74 0x644ee7b2 in XRE_main (argc=9, argv=0x5c571048, aAppData=0x80b59e68, aFlags=0) at /home/morbo/hg/mozilla-central/toolkit/xre/nsAppRunner.cpp:4093
#75 0x644fa0a2 in GeckoStart (data=0x490f68, appData=0x80b59e68) at /home/morbo/hg/mozilla-central/toolkit/xre/nsAndroidStartup.cpp:73
#76 0x80b2a270 in Java_org_mozilla_gecko_GeckoAppShell_nativeRun (jenv=0x2ffd78, jc=0x40802630, jargs=0x409ef4c0) at /home/morbo/hg/mozilla-central/mozglue/android/APKOpen.cpp:669
#77 0xaca11d38 in dvmPlatformInvoke () from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#78 0xaca41262 in dvmCallJNIMethod_general () from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#79 0xaca46864 in dvmResolveNativeMethod () from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#80 0xaca16f60 in dvmJitToInterpNoChain () from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
#81 0xaca16f60 in dvmJitToInterpNoChain () from /home/morbo/git/android-gdb/moz-gdb/lib/42800C743000157/system/lib/libdvm.so
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
Comment 1 • Reporter • 11 years ago

(gdb) up
#1 0x66b21074 in __sync_fetch_and_add_4 (ptr=0x5a5a5d2a, val=1) at /tmp/ndk-digit/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/linux-atomic.c:65
65 /tmp/ndk-digit/src/build/../gcc/gcc-4.4.3/libgcc/../gcc/config/arm/linux-atomic.c: No such file or directory.
(gdb) up
#2 0x646d11fc in sctp_lower_sosend (so=0x636e5000, addr=0x0, uio=0x5c6fb52c, i_pak=0x0, control=0x0, flags=0, srcv=0x5c6fb544) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_output.c:12956
12956 atomic_add_int(&inp->total_sends, 1);
(gdb) print *so
$1 = {so_count = 1515870810, so_type = 23130, so_options = 23130, so_linger = 23130, so_state = 23130, so_qstate = 1515870810, so_pcb = 0x5a5a5a5a, so_dom = 1515870810, so_head = 0x5a5a5a5a,
  so_incomp = {tqh_first = 0x5a5a5a5a, tqh_last = 0x5a5a5a5a}, so_comp = {tqh_first = 0x5a5a5a5a, tqh_last = 0x5a5a5a5a}, so_list = {tqe_next = 0x5a5a5a5a, tqe_prev = 0x5a5a5a5a},
  so_qlen = 23130, so_incqlen = 23130, so_qlimit = 23130, so_timeo = 23130, timeo_cond = {value = 1515870810}, so_error = 23130, so_sigio = 0x5a5a5a5a, so_oobmark = 1515870810,
  so_aiojobq = {tqh_first = 0x5a5a5a5a, tqh_last = 0x5a5a5a5a},
  so_rcv = {sb_cond = {value = 1515870810}, sb_mtx = {value = 1515870810}, sb_state = 23130, sb_mb = 0x5a5a5a5a, sb_mbtail = 0x5a5a5a5a, sb_lastrecord = 0x5a5a5a5a, sb_sndptr = 0x5a5a5a5a, sb_sndptroff = 1515870810, sb_cc = 1515870810, sb_hiwat = 1515870810, sb_mbcnt = 1515870810, sb_mbmax = 1515870810, sb_ctl = 1515870810, sb_lowat = 1515870810, sb_timeo = 1515870810, sb_flags = 23130},
  so_snd = {sb_cond = {value = 1515870810}, sb_mtx = {value = 1515870810}, sb_state = 23130, sb_mb = 0x5a5a5a5a, sb_mbtail = 0x5a5a5a5a, sb_lastrecord = 0x5a5a5a5a, sb_sndptr = 0x5a5a5a5a, sb_sndptroff = 1515870810, sb_cc = 1515870810, sb_hiwat = 1515870810, sb_mbcnt = 1515870810, sb_mbmax = 1515870810, sb_ctl = 1515870810, sb_lowat = 1515870810, sb_timeo = 1515870810, sb_flags = 23130},
  so_upcall = 0x5a5a5a5a, so_upcallarg = 0x5a5a5a5a, so_cred = 0x5a5a5a5a, so_label = 0x5a5a5a5a, so_peerlabel = 0x5a5a5a5a, so_gencnt = 6510615555426900570, so_emuldata = 0x5a5a5a5a, so_accf = 0x5a5a5a5a}
Comment 2 • Assignee • 11 years ago
Freed-memory access, closing as security (though if it's only android right now it's not a big issue until we land the patches). However, we don't know it's android-only
Assignee: nobody → rjesup
Group: core-security
Severity: normal → critical
Keywords: crash
Whiteboard: [webrtc][blocking-webrtc+][webrtc-uplift]
Comment 3 • 11 years ago
I haven't done any debugging on Android yet... Can I do debugging on an emulated device or do I need a real one?
Comment 4 • Reporter • 11 years ago
Debugging and development should be possible in the emulator, though I admittedly haven't ever done it. I'll check if I can reproduce in Linux. You aren't going to be at FOSDEM by any chance?
Comment 5 • 11 years ago

Let me know if you can reproduce it on Linux... and no, I'm not attending FOSDEM.
Comment 6 • Assignee • 11 years ago
Gian-Carlo got these right before shutting down for the night. Something is going wrong and 'so' is pointing to freed or re-allocated memory it appears.
Comment 7 • Reporter • 11 years ago

I was trying to step through this in the debugger, when I hit this. It looks related:

Program received signal SIGSEGV, Segmentation fault.
Loading libraries and symbols...
[Switching to Thread 5605]
0x664a0ada in sctp_lower_sosend (so=0x69b5e900, addr=0x0, uio=0x5c9a0544, i_pak=0x0, control=0x0, flags=0, srcv=0x5c9a055c) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_output.c:12955
12955 user_marks_eor = sctp_is_feature_on(inp, SCTP_PCB_FLAGS_EXPLICIT_EOR);
(gdb) bt
#0 0x664a0ada in sctp_lower_sosend (so=0x69b5e900, addr=0x0, uio=0x5c9a0544, i_pak=0x0, control=0x0, flags=0, srcv=0x5c9a055c) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/netinet/sctp_output.c:12955
#1 0x6646067e in usrsctp_sendv (so=0x69b5e900, data=0x643ff380, len=20, to=0x0, addrcnt=0, info=0x5c9a061c, infolen=16, infotype=1, flags=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/src/user_socket.c:926
#2 0x664d0f50 in mozilla::DataChannelConnection::SendControlMessage (this=0x5c576f30, msg=0x643ff380, len=20, streamOut=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:820
#3 0x664d11a4 in mozilla::DataChannelConnection::SendOpenRequestMessage (this=0x5c576f30, label=..., streamOut=0, unordered=false, prPolicy=0, prValue=0) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:888
#4 0x664d40da in mozilla::DataChannelConnection::OpenFinish (this=0x5c576f30, aChannel=...) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:1889
#5 0x664d3ec6 in mozilla::DataChannelConnection::Open (this=0x5c576f30, label=..., type=mozilla::DataChannelConnection::RELIABLE, inOrder=true, prValue=0, aListener=0x0, aContext=0x0) at /home/morbo/hg/mozilla-central/netwerk/sctp/datachannel/DataChannel.cpp:1853
#6 0x682826d2 in sipcc::PeerConnectionImpl::CreateDataChannel (this=0x63ef39d0, aLabel=..., aType=0, outOfOrderAllowed=false, aMaxTime=0, aMaxNum=0, aRetval=0x5c9a0920) at /home/morbo/hg/mozilla-central/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:649
#7 0x679e744a in NS_InvokeByIndex_P (that=0x63ef39d0, methodIndex=20, paramCount=<optimized out>, params=<optimized out>) at /home/morbo/hg/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp:160
#8 0x671cb930 in CallMethodHelper::Invoke (this=0x5c9a08a8) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3084
#9 0x671c9ee6 in CallMethodHelper::Call (this=0x5c9a08a8) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2418
#10 0x671c9dbc in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2384
#11 0x671d4998 in XPC_WN_CallMethod (cx=0x5c540100, argc=5, vp=0x5fadc148) at /home/morbo/hg/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#12 0x684549da in js::CallJSNative (cx=0x5c540100, native=0x671d47ed <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/morbo/hg/mozilla-central/js/src/jscntxtinlines.h:353
#13 0x6845c70e in js::InvokeKernel (cx=0x5c540100, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:389
#14 0x68464782 in js::Interpret (cx=0x5c540100, entryFrame=0x5fadc100, interpMode=js::JSINTERP_NORMAL) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:2383
#15 0x6845c408 in js::RunScript (cx=0x5c540100, script=..., fp=0x5fadc100) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:346
#16 0x6845c814 in js::InvokeKernel (cx=0x5c540100, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.cpp:404
#17 0x683b8740 in js::Invoke (cx=0x5c540100, args=..., construct=js::NO_CONSTRUCT) at /home/morbo/hg/mozilla-central/js/src/jsinterp.h:131
#18 0x6845ca4a in js::Invoke (cx=0x5c540100, thisv=..., fval=..., argc=2, argv=0x5c9a1878, rval=0x5c9a1980)
Updated • 11 years ago

status-b2g18: --- → unaffected
status-firefox21: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox21: --- → +
Keywords: sec-critical, testcase-wanted
Comment 8 • Assignee • 11 years ago
Testcase is the DataChannel demo at http://mozilla.github.com/webrtc-landing/data_test.html This bug only affects Android, and only if you turn on building webrtc on Android by hand (and this can't be done on m-c currently as webrtc requires Android 2.3/Gingerbread currently.)
Comment 9 • Assignee • 11 years ago
Given the above status, I'd suggest the sec rating be lowered (though it really won't matter much, as we have a fix in hand now.)
Flags: needinfo?(dveditz)
Comment 10 • Reporter • 11 years ago
Jesup found that we were compiling some of our source with INET6 enabled, which causes several structures to have the wrong layout. Fixing that makes the crash go away.
Attachment #707149 - Flags: review?(rjesup)
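The two observations above, the all-0x5a socket dump in Comment 1 and the INET6 layout mismatch in Comment 10, fit together, and the following added example (illustrative code written for this page, not Gecko or usrsctp source) shows how. One translation unit is compiled with an `#ifdef INET6` field present and another without, so `offsetof(so_pcb)` differs between them; when the side with the larger layout dereferences an object allocated by the side with the smaller one, it reads past the live object into memory that jemalloc's junk-filling has set to 0x5a (the fill byte for freed memory, which is where the 23130 == 0x5a5a shorts and 0x5a5a5a5a pointers in the dump come from). The struct and field names are hypothetical stand-ins for the real `struct socket`; the runtime `layouts_agree` check is the kind of guard a practitioner adds at a library boundary, since a `_Static_assert` inside either translation unit cannot see the other one's layout.

```c
/* Added example, not Gecko/usrsctp code: one struct, two preprocessor
 * configurations, two layouts. Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Layout seen by a translation unit built WITHOUT INET6. */
struct sock_noinet6 {
    uint32_t so_count;
    uint32_t so_state;
    void    *so_pcb;
    uint32_t total_sends;
};

/* Same struct as seen by a translation unit built WITH INET6: the
 * conditional 16-byte address pushes every later field to a new offset. */
struct sock_inet6 {
    uint32_t so_count;
    uint32_t so_state;
    uint8_t  sin6_addr[16];   /* exists only under #ifdef INET6 */
    void    *so_pcb;
    uint32_t total_sends;
};

#define FREED_FILL 0x5a   /* jemalloc's junk byte for freed memory */

/* Put one object with the small layout at the start of buf and fill the
 * rest with the freed-memory pattern, like a heap whose neighbouring
 * allocation has already been released (constructed sample memory). */
static void place_object(unsigned char *buf, size_t buflen, void *pcb)
{
    struct sock_noinet6 real;
    memset(&real, 0, sizeof real);
    real.so_count = 1;
    real.so_pcb = pcb;
    memset(buf, FREED_FILL, buflen);
    memcpy(buf, &real, sizeof real);
}

/* Read so_pcb at a given offset; memcpy avoids alignment/aliasing UB. */
static uintptr_t read_pcb_at(const unsigned char *buf, size_t off)
{
    void *p;
    memcpy(&p, buf + off, sizeof p);
    return (uintptr_t)p;
}

/* What each side's code believes so_pcb is. */
uintptr_t pcb_as_noinet6(const unsigned char *buf)
{
    return read_pcb_at(buf, offsetof(struct sock_noinet6, so_pcb));
}

uintptr_t pcb_as_inet6(const unsigned char *buf)
{
    return read_pcb_at(buf, offsetof(struct sock_inet6, so_pcb));
}

/* True if every byte of v is the freed-memory fill: the signature of the
 * gdb dump (0x5a5a5a5a pointers, 23130 == 0x5a5a shorts). */
int looks_poisoned(uintptr_t v)
{
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xffu) != FREED_FILL)
            return 0;
    return 1;
}

/* Runtime guard for a library boundary: both sides pass the sizeof they
 * were compiled with and refuse to proceed if they disagree. */
int layouts_agree(size_t caller_size, size_t callee_size)
{
    return caller_size == callee_size;
}

/* Returns 1 when the correctly compiled reader sees the live pointer while
 * the INET6 reader sees poison, i.e. the mismatch reproduces Comment 1. */
int mismatch_reads_poison(void)
{
    unsigned char heap[128];
    int target = 42;                      /* stands in for the real PCB */
    place_object(heap, sizeof heap, &target);
    int right = pcb_as_noinet6(heap) == (uintptr_t)&target;
    int wrong = looks_poisoned(pcb_as_inet6(heap));
    return right && wrong;
}

int main(void)
{
    printf("sizeof noinet6=%zu inet6=%zu layouts_agree=%d\n",
           sizeof(struct sock_noinet6), sizeof(struct sock_inet6),
           layouts_agree(sizeof(struct sock_noinet6), sizeof(struct sock_inet6)));
    printf("mismatched reader sees 0x5a poison: %d\n", mismatch_reads_poison());
    return 0;
}
```

The point of the runtime size check is that it catches exactly this class of bug: each translation unit is self-consistent, so no compile-time assertion inside usrsctp or DataChannel.cpp could have flagged the disagreement, but a `sizeof(struct socket)` exchanged at `usrsctp_init` time would have.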
Updated • Assignee • 11 years ago

Attachment #707149 - Flags: review?(rjesup) → review+
Comment 11 • Reporter • 11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/0c1c97ae4603
Comment 12 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/0c1c97ae4603
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Updated • 11 years ago
Whiteboard: [webrtc][blocking-webrtc+][webrtc-uplift] → [webrtc][blocking-webrtc+][webrtc-uplift][qa-]
Updated • 11 years ago
Flags: in-testsuite-
Comment 13 • Assignee • 11 years ago
No uplift required; this is an Android-only bug and we don't even build Android Webrtc on m-c yet by default.
Whiteboard: [webrtc][blocking-webrtc+][webrtc-uplift][qa-] → [webrtc][blocking-webrtc+][qa-]
Updated • 11 years ago
Keywords: sec-critical → sec-high
Updated • 11 years ago
Keywords: testcase-wanted
Updated • 11 years ago
Flags: needinfo?(dveditz)
Comment 14 • 11 years ago
This was pref'd off for Firefox 20, right?
Updated • Assignee • 11 years ago

status-firefox20: --- → disabled
Updated • 11 years ago
Whiteboard: [webrtc][blocking-webrtc+][qa-] → [webrtc][blocking-webrtc+][qa-][adv-main21-]
Updated • 11 years ago
Group: core-security