Closed Bug 1708700 Opened 3 years ago Closed 3 years ago

Assertion failure: get() (dereferencing a UniquePtr containing nullptr with ->), at /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:284

Categories

(Core :: Audio/Video: MediaStreamGraph, defect, P1)

Product:
Core
Component:
Audio/Video: MediaStreamGraph
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
90 Branch
Tracking Flags:
Tracking Status
firefox-esr78 --- unaffected
firefox88 --- unaffected
firefox89 --- unaffected
firefox90 --- verified

People

(Reporter: jkratzer, Assigned: alwu)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [bugmon:confirm][fuzzblocker])

Attachments

(2 files)

testcase.zip
1.37 KB, application/zip
Details
Bug 1708700 - only access 'mData' when it's not null.
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.zip

Testcase found while fuzzing mozilla-central rev b5b42ed4d6a0 (built with --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build b5b42ed4d6a0 --debug --fuzzing -n mc-debug
$ python -m grizzly.replay --xvfb ./mc-debug/firefox ./testcase.zip

Assertion failure: get() (dereferencing a UniquePtr containing nullptr with ->), at /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:284

    #0 0x7f449d320058 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:284:5
    #1 0x7f449d320058 in mozilla::DecodedStream::SetPreservesPitch(bool) /builds/worker/checkouts/gecko/dom/media/mediasink/DecodedStream.cpp:705:7
    #2 0x7f449cfc7456 in mozilla::MediaDecoderStateMachine::PreservesPitchChanged() /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:3703:15
    #3 0x7f449d0d881c in mozilla::WatchManager<mozilla::MediaDecoderStateMachine>::PerCallbackWatcher::Notify()::'lambda'()::operator()() const /builds/worker/workspace/obj-build/dist/include/mozilla/StateWatching.h:251:38
    #4 0x7f449d0d86e4 in mozilla::detail::RunnableFunction<mozilla::WatchManager<mozilla::MediaDecoderStateMachine>::PerCallbackWatcher::Notify()::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:534:5
    #5 0x7f4499948145 in mozilla::SimpleTaskQueue::DrainTasks() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:42:10
    #6 0x7f4499948203 in DrainDirectTasks /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:270:16
    #7 0x7f4499948203 in non-virtual thunk to mozilla::TaskQueue::DrainDirectTasks() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp
    #8 0x7f449994080b in MaybeDrainDirectTasks /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:240:41
    #9 0x7f449994080b in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:224:7
    #10 0x7f4499947566 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:208:20
    #11 0x7f449995fb4b in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:303:14
    #12 0x7f44999567b8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1153:16
    #13 0x7f449995d3aa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #14 0x7f449a27983b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #15 0x7f449a1e26c7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #16 0x7f449a1e25e2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #17 0x7f449a1e25e2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #18 0x7f4499952f4f in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:395:10
    #19 0x7f44b073aa57 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x7f44b0cac608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
Flags: in-testsuite?

Same root cause as bug 1708536, and I forgot to address this one in bug1708536.

Assignee: nobody → alwu
Component: Audio/Video → Audio/Video: MediaStreamGraph

Depends on D114015

Severity: -- → S2
Priority: -- → P1
Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5727a6f52c63
only access 'mData' when it's not null. r=padenot

https://hg.mozilla.org/mozilla-central/rev/5727a6f52c63

Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox90: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
status-firefox88: --- → unaffected
status-firefox89: --- → unaffected
status-firefox-esr78: --- → unaffected
Flags: in-testsuite? → in-testsuite+

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20210503214210-c97286566c45.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox90: fixedverified
Keywords: bugmon

:alwu, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(alwu)

Sorry, bug in the bot.

Flags: needinfo?(alwu)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: