Bug 835835 (Closed)
Opened 11 years ago; closed 11 years ago
WebRTC use-after-free crash [@sipcc::PeerConnectionMedia::ShutdownMediaTransport]
Categories: Core :: WebRTC, defect, P1
Status: RESOLVED DUPLICATE of bug 838169
People: Reporter: posidron, Assigned: ekr
Whiteboard (4 keywords): [webrtc][blocking-webrtc+][webrtc-asan-confused][adv-main21-]
Attachments: 2 files
Description (Reporter, 11 years ago):

This crash occurred while running the media crash tests with an ASan enabled build.

    $ ./mach crashtest dom/media/tests/crashtests

alloc: PeerConnectionMedia.cpp:75

    nsresult PeerConnectionMedia::Init(const std::vector<NrIceStunServer>& stun_servers) {
      // TODO(ekr@rtfm.com): need some way to set not offerer later
      // Looks like a bug in the NrIceCtx API.
      mIceCtx = NrIceCtx::Create("PC:" + mParent->GetHandle(), true);
      [...]

free: stun_client_ctx.c:658

    int nr_stun_client_process_response(nr_stun_client_ctx *ctx, UCHAR *msg, int len, nr_transport_addr *peer_addr) {
      [...]
      /* Fire the callback */
      if (ctx->finished_cb) {
        NR_async_cb finished_cb = ctx->finished_cb;
        ctx->finished_cb = 0; /* prevent 2nd call */
        /* finished_cb call must be absolutely last thing in function
         * because as a side effect this ctx may be operated on in the
         * callback */
        finished_cb(0,0,ctx->cb_arg);
      }
      [...]

re-use: PeerConnectionImpl.cpp:1106

    nsresult PeerConnectionImpl::CloseInt(bool aIsSynchronous) {
      [...]
      ShutdownMedia(aIsSynchronous);
      [...]

Tested with m-c changeset: 120102:0c45e6378f1f
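The hazard flagged in the "free:" excerpt above is that finished_cb may tear down the very context that fired it, so the caller must not touch ctx afterwards. The following is an added C example, not Mozilla or nICEr code: it models that situation with a deferred-destroy guard (the stun_ctx type, stun_ctx_destroy, and the in_callback/destroy_pending fields are assumptions of this example) so that a teardown requested from inside the callback is postponed until the callback returns.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not nICEr/Mozilla code; names are hypothetical. Models the
 * hazard above: a completion callback may tear down the context that fired it. */
typedef struct stun_ctx stun_ctx;
typedef void (*finished_fn)(int status, stun_ctx *ctx, void *arg);
struct stun_ctx {
    finished_fn finished_cb;   /* cleared before firing, so it fires once */
    void *cb_arg;
    int in_callback;           /* set while finished_cb is running */
    int destroy_pending;       /* destroy() arrived during the callback */
};
static int g_frees;            /* how many contexts were really freed */
/* Teardown that is safe to call from inside the context's own callback:
 * the free is deferred until the callback has returned. */
void stun_ctx_destroy(stun_ctx *ctx)
{
    if (ctx->in_callback) { ctx->destroy_pending = 1; return; }
    memset(ctx, 0xAB, sizeof *ctx);   /* poison: stale reads fail loudly */
    free(ctx);
    g_frees++;
}
/* Like nr_stun_client_process_response: fire the callback last, and touch
 * ctx afterwards only to honour a deferred destroy (ctx is still live then). */
int stun_ctx_process_response(stun_ctx *ctx)
{
    if (ctx->finished_cb) {
        finished_fn cb = ctx->finished_cb;
        ctx->finished_cb = NULL;      /* prevent a second call */
        ctx->in_callback = 1;
        cb(0, ctx, ctx->cb_arg);
        ctx->in_callback = 0;
        if (ctx->destroy_pending) stun_ctx_destroy(ctx);
    }
    return 0;
}
/* A callback that tears the context down, as a ShutdownMedia-style path would. */
static void tear_down_in_callback(int s, stun_ctx *ctx, void *a)
{ (void)s; (void)a; stun_ctx_destroy(ctx); /* deferred, not immediate */ }
/* Runs the hazardous sequence once; returns how many frees happened (1). */
int demo_teardown_in_callback(void)
{
    int before = g_frees;
    stun_ctx *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return -1;
    ctx->finished_cb = tear_down_in_callback;
    stun_ctx_process_response(ctx);   /* ctx freed exactly once, after cb */
    return g_frees - before;
}
```

Run under ASan, the same sequence without the guard (freeing inside the callback and then touching ctx) is exactly what produces a use-after-free report like the one above.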
Updated (11 years ago):
Crash Signature: [@ sipcc::PeerConnectionMedia::ShutdownMediaTransport]

Updated (11 years ago):
Assignee: nobody → ekr
Priority: -- → P1
Whiteboard: [webrtc][blocking-webrtc+]

Updated (11 years ago):
status-firefox19: --- → disabled
status-firefox20: --- → disabled
status-firefox21: --- → affected
status-firefox-esr17: --- → unaffected
tracking-firefox21: --- → +

Updated (11 years ago):
status-b2g18: --- → disabled
Comment 1 (Reporter, 11 years ago):
Click the button and wait a few seconds.
Comment 2 (Assignee, 11 years ago):
Something is very screwy here, because we have a structure allocated with a C++ new and then allegedly freed in a C code that doesn't even have a free. I feel like ASan is giving bogus line numbers.
Updated (11 years ago):
Flags: in-testsuite?

Updated (Assignee, 11 years ago):
Whiteboard: [webrtc][blocking-webrtc+] → [webrtc][blocking-webrtc+][webrtc-asan-confused]
Comment 3 (Assignee, 11 years ago):
cdiehl: please retest with fix in bug 838169
Flags: needinfo?(cdiehl)
Updated (11 years ago):
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE

Updated (11 years ago):
Flags: in-testsuite?

Updated (11 years ago):
Whiteboard: [webrtc][blocking-webrtc+][webrtc-asan-confused] → [webrtc][blocking-webrtc+][webrtc-asan-confused][adv-main21-]

Updated (11 years ago):
Group: core-security