Closed Bug 964754 Opened 8 years ago Closed 7 years ago

crash after desktop tab share (double free and/or refcount err in MediaEngineTabVideoSource)


(Core :: WebRTC, defect)

Not set





(Reporter: dmosedale, Assigned: blassey)


Crash Data


(1 file)


* Save TabShare.xpi from to disk
* Install XPI from Add-on Manager
* Browser to
* Activate Talkilla
* Login with Persona
* Start chat with another person
* Start video call with another person
* Select "share tab"
* Complete call
* (wait a while)
* browser crashes with this message in the console on Mac:

> firefox(86196,0x7fff7bb31180) malloc: *** error for object 0x6f6c2f2f00000001: pointer being freed was not allocated
> *** set a breakpoint in malloc_error_break to debug

Crash report at:
Assignee: nobody → blassey.bugs
does this fix the crash for you?
Attachment #8369769 - Flags: feedback?(dmose)
That should be totally irrelevant: free(NULL) is allowed and not an error in the std library.  Odd, but true.  though a null check doesn't hurt.  More relevant: is there an initializer for mData, and is there *anything* else that frees it?  I don't see anything initing it in the constructor
Unclear, as I don't currently have a mozilla-central build set up.  Would it be easy for you to push-to-try to generate a build?
Flags: needinfo?(blassey.bugs)
assuming you're on OSX
Flags: needinfo?(blassey.bugs)
Unfortunately, the build has issues; we discussed in detail yesterday.  IRC log at <>.  

I think the next step was for Brad to try using lldb with the crashreporter disabled.

If there's something I can do to help, please let me know...
Attachment #8369769 - Flags: feedback?(dmose)
To be clear: if I remember my look at it, there's absolutely no initializer for mData, so if there are any paths where mData doesn't get set it will go boom.  Perhaps make it an AutoPtr and get rid of the manual delete instead of adding an initializer
Any updates on this? I managed to crash FF30.0 with the Tab Share add on as well. Not sure if this is the same crash -
Strongly suspect this was fixed on another bug last year
Closed: 7 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.