Closed
Bug 1587248
Opened 5 years ago
Closed 5 years ago
AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:448:9 in mozilla::dom::HTMLMediaElement::MediaStreamRenderer::Start()
Categories
(Core :: WebRTC: Audio/Video, defect, P2)
Core
WebRTC: Audio/Video
Tracking
()
RESOLVED
FIXED
mozilla71
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox-esr68 | --- | unaffected |
| firefox67 | --- | unaffected |
| firefox68 | --- | unaffected |
| firefox69 | --- | unaffected |
| firefox70 | --- | wontfix |
| firefox71 | --- | fixed |
People
(Reporter: jkratzer, Assigned: pehrsons)
References
(Blocks 2 open bugs, Regression)
Details
(Keywords: crash, regression, testcase)
Attachments
(4 files)
Testcase found while fuzzing mozilla-central rev 035f52aed442.
==701==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7fc6a953990b bp 0x7ffc1a36aa80 sp 0x7ffc1a36a980 T0)
==701==The signal is caused by a READ memory access.
==701==Hint: address points to the zero page.
#0 0x7fc6a953990a in mozilla::dom::HTMLMediaElement::MediaStreamRenderer::Start() /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:448:9
#1 0x7fc6a9523284 in mozilla::dom::HTMLMediaElement::UpdateSrcMediaStreamPlaying(unsigned int) /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:4817:27
#2 0x7fc6a95309d5 in mozilla::dom::HTMLMediaElement::PlayInternal(bool) /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3917:3
#3 0x7fc6a952f271 in mozilla::dom::HTMLMediaElement::Play(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3831:5
#4 0x7fc6a87fe303 in play /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLMediaElementBinding.cpp:1236:60
#5 0x7fc6a87fe303 in mozilla::dom::HTMLMediaElement_Binding::play_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLMediaElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLMediaElementBinding.cpp:1250
#6 0x7fc6a8a8e2a3 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3250:13
#7 0x7fc6af6f38cc in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
#8 0x7fc6af6f38cc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549
#9 0x7fc6af6dbf50 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:622:10
#10 0x7fc6af6dbf50 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3111
#11 0x7fc6af6bd7af in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
#12 0x7fc6af6f43d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
#13 0x7fc6af6f6729 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
#14 0x7fc6b02a8d1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2722:10
#15 0x7fc6a85307f2 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:41:8
#16 0x7fc6a629bfaf in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
#17 0x7fc6a629b961 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/workspace/build/src/dom/base/TimeoutHandler.cpp:181:29
#18 0x7fc6a5e56784 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:5922:38
#19 0x7fc6a6295a7c in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/workspace/build/src/dom/base/TimeoutManager.cpp:892:44
#20 0x7fc6a62945d5 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:179:11
#21 0x7fc6a6298476 in Notify /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:246:5
#22 0x7fc6a6298476 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp
#23 0x7fc6a1e8e60c in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:564:39
#24 0x7fc6a1e8ddb9 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:260:11
#25 0x7fc6a1ebcb04 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:252:22
#26 0x7fc6a1eb77ff in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:80:15
#27 0x7fc6a1e6f5b1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#28 0x7fc6a1ea0d79 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
#29 0x7fc6a1ea79e8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#30 0x7fc6a30f1954 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:110:5
#31 0x7fc6a2fea622 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#32 0x7fc6a2fea622 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#33 0x7fc6a2fea622 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#34 0x7fc6ab4ef7a9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#35 0x7fc6af43635f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
#36 0x7fc6a2fea622 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#37 0x7fc6a2fea622 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#38 0x7fc6a2fea622 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#39 0x7fc6af435c06 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
#40 0x55f4944d9bfa in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#41 0x55f4944d9bfa in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272
#42 0x7fc6c4f52b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:448:9 in mozilla::dom::HTMLMediaElement::MediaStreamRenderer::Start()
Flags: in-testsuite?
|
||
Updated•5 years ago
|
Component: DOM: Core & HTML → Audio/Video
|
||
Comment 1•5 years ago
|
||
Andreas looks like you have touched that code last, could you have a look at this please?
Flags: needinfo?(apehrson)
Priority: -- → P2
|
Assignee | |
Updated•5 years ago
|
Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Flags: needinfo?(apehrson)
|
|
Assignee | |
Updated•5 years ago
|
Component: Audio/Video → WebRTC: Audio/Video
|
|
Assignee | |
Comment 2•5 years ago
|
||
Here's a pernosco recording: https://pernos.co/debug/o2ljG3LLxU67CoA0BCxp6g/index.html
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
|
Assignee | |
Comment 4•5 years ago
|
||
Depends on D49572
|
|
Assignee | |
Comment 5•5 years ago
|
||
It can be unset by NotifyShutdown, to release the VideoFrameContainer in time.
This is unexpected for all paths assuming it will be unset by
EndSrcMediaStreamPlayback().
Depends on D49573
|
||
Comment 6•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
|
Assignee | |
Updated•5 years ago
|
status-firefox67:
--- → unaffected
status-firefox68:
--- → unaffected
status-firefox69:
--- → unaffected
status-firefox70:
--- → wontfix
status-firefox-esr60:
--- → unaffected
status-firefox-esr68:
--- → unaffected
Regressed by: 1493613
Pushed by pehrsons@gmail.com: https://hg.mozilla.org/integration/autoland/rev/643c477a36c0 Add crashtest. r=bryce https://hg.mozilla.org/integration/autoland/rev/131a93988dcd Remove unnecessary legacy window guard. r=bryce https://hg.mozilla.org/integration/autoland/rev/721bbb99b98d Adequately guard mMediaStreamRenderer usage. r=bryce
|
||
Comment 8•5 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/643c477a36c0
https://hg.mozilla.org/mozilla-central/rev/131a93988dcd
https://hg.mozilla.org/mozilla-central/rev/721bbb99b98d
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
|
||
Updated•4 years ago
|
Blocks: asan-maintenance
|
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
You need to log in
before you can comment on or make changes to this bug.
Description
•