Closed Bug 1793496 Opened 2 years ago Closed 2 years ago

heap-use-after-free dom/media/systemservices/video_engine/tab_capturer.cc:213:14

Categories

(Core :: WebRTC, defect)

Tracking

RESOLVED FIXED
107 Branch
Tracking Status
firefox107 --- fixed

People

(Reporter: chunmin, Assigned: pehrsons)

Attachments

(4 files)

[task 2022-10-03T17:34:15.946Z] 17:34:15    ERROR - GECKO(8204) | ==8204==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000b92d80 at pc 0x7f80cba73631 bp 0x7ffcde0a3110 sp 0x7ffcde0a3108
[task 2022-10-03T17:34:15.947Z] 17:34:15     INFO - GECKO(8204) | READ of size 8 at 0x619000b92d80 thread T0
[task 2022-10-03T17:34:17.061Z] 17:34:17     INFO - GECKO(8204) |     #0 0x7f80cba73630 in mozilla::TabCapturer::OnFrame(mozilla::dom::ImageBitmap*) /builds/worker/checkouts/gecko/dom/media/systemservices/video_engine/tab_capturer.cc:213:14
[task 2022-10-03T17:34:17.065Z] 17:34:17     INFO - GECKO(8204) |     #1 0x7f80cba8ae45 in mozilla::TabCapturedHandler::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/systemservices/video_engine/tab_capturer.cc:129:14
[task 2022-10-03T17:34:17.066Z] 17:34:17     INFO - GECKO(8204) |     #2 0x7f80cccfcd73 in mozilla::dom::(anonymous namespace)::PromiseNativeHandlerShim::ResolvedCallback(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/promise/Promise.cpp:433:12
[task 2022-10-03T17:34:17.067Z] 17:34:17     INFO - GECKO(8204) |     #3 0x7f80cccfd910 in mozilla::dom::NativeHandlerCallback(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/promise/Promise.cpp
[task 2022-10-03T17:34:17.069Z] 17:34:17     INFO - GECKO(8204) |     #4 0x7f80d3eab733 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
[task 2022-10-03T17:34:17.071Z] 17:34:17     INFO - GECKO(8204) |     #5 0x7f80d3eab733 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:546:12
[task 2022-10-03T17:34:17.083Z] 17:34:17     INFO - GECKO(8204) |     #6 0x7f80d3ead2fe in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:613:10
[task 2022-10-03T17:34:17.083Z] 17:34:17     INFO - GECKO(8204) |     #7 0x7f80d3ead2fe in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:8
[task 2022-10-03T17:34:17.083Z] 17:34:17     INFO - GECKO(8204) |     #8 0x7f80d2a91653 in Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.h:116:10
[task 2022-10-03T17:34:17.083Z] 17:34:17     INFO - GECKO(8204) |     #9 0x7f80d2a91653 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/builtin/Promise.cpp:2240:10
[task 2022-10-03T17:34:17.083Z] 17:34:17     INFO - GECKO(8204) |     #10 0x7f80d3eab733 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:458:13
[task 2022-10-03T17:34:17.083Z] 17:34:17     INFO - GECKO(8204) |     #11 0x7f80d3eab733 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:546:12
[task 2022-10-03T17:34:17.083Z] 17:34:17     INFO - GECKO(8204) |     #12 0x7f80d3ead2fe in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:613:10
[task 2022-10-03T17:34:17.084Z] 17:34:17     INFO - GECKO(8204) |     #13 0x7f80d3ead2fe in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:645:8
[task 2022-10-03T17:34:17.085Z] 17:34:17     INFO - GECKO(8204) |     #14 0x7f80d27fdf25 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
[task 2022-10-03T17:34:17.086Z] 17:34:17     INFO - GECKO(8204) |     #15 0x7f80c8e84c2c in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:35:8
[task 2022-10-03T17:34:17.086Z] 17:34:17     INFO - GECKO(8204) |     #16 0x7f80c5219247 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:88:12
[task 2022-10-03T17:34:17.091Z] 17:34:17     INFO - GECKO(8204) |     #17 0x7f80c5219247 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:101:12
[task 2022-10-03T17:34:17.091Z] 17:34:17     INFO - GECKO(8204) |     #18 0x7f80c5219247 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
[task 2022-10-03T17:34:17.092Z] 17:34:17     INFO - GECKO(8204) |     #19 0x7f80c51f9cb7 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
[task 2022-10-03T17:34:17.093Z] 17:34:17     INFO - GECKO(8204) |     #20 0x7f80c51fa9ef in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
[task 2022-10-03T17:34:17.094Z] 17:34:17     INFO - GECKO(8204) |     #21 0x7f80c6cc5010 in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1480:28
[task 2022-10-03T17:34:17.094Z] 17:34:17     INFO - GECKO(8204) |     #22 0x7f80c5431a38 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1242:24
[task 2022-10-03T17:34:17.095Z] 17:34:17     INFO - GECKO(8204) |     #23 0x7f80c543b964 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
[task 2022-10-03T17:34:17.096Z] 17:34:17     INFO - GECKO(8204) |     #24 0x7f80c6a44ff8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
[task 2022-10-03T17:34:17.096Z] 17:34:17     INFO - GECKO(8204) |     #25 0x7f80c68e18d1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
[task 2022-10-03T17:34:17.097Z] 17:34:17     INFO - GECKO(8204) |     #26 0x7f80c68e18d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
[task 2022-10-03T17:34:17.098Z] 17:34:17     INFO - GECKO(8204) |     #27 0x7f80c68e18d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
[task 2022-10-03T17:34:17.098Z] 17:34:17     INFO - GECKO(8204) |     #28 0x7f80cd5203a7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
[task 2022-10-03T17:34:17.099Z] 17:34:17     INFO - GECKO(8204) |     #29 0x7f80d2157ff7 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
[task 2022-10-03T17:34:17.100Z] 17:34:17     INFO - GECKO(8204) |     #30 0x7f80d2384155 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5723:22
[task 2022-10-03T17:34:17.100Z] 17:34:17     INFO - GECKO(8204) |     #31 0x7f80d2385eae in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5916:8
[task 2022-10-03T17:34:17.101Z] 17:34:17     INFO - GECKO(8204) |     #32 0x7f80d2386c2b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5972:21
[task 2022-10-03T17:34:17.102Z] 17:34:17     INFO - GECKO(8204) |     #33 0x55d8f418da39 in do_main(int, char**, char**) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:226:22
[task 2022-10-03T17:34:17.102Z] 17:34:17     INFO - GECKO(8204) |     #34 0x55d8f418cd57 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:430:16
[task 2022-10-03T17:34:17.103Z] 17:34:17     INFO - GECKO(8204) |     #35 0x7f80ec655b96 in __libc_start_main /tmp/glibc/csu/../csu/libc-start.c:310
[task 2022-10-03T17:34:17.104Z] 17:34:17     INFO - GECKO(8204) |     #36 0x55d8f40ccc80 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x75c80) (BuildId: f4527b17799938c20a41b8f52ccba0a0112cc582)
[task 2022-10-03T17:34:17.104Z] 17:34:17     INFO - GECKO(8204) | 0x619000b92d80 is located 0 bytes inside of 936-byte region [0x619000b92d80,0x619000b93128)
[task 2022-10-03T17:34:17.105Z] 17:34:17     INFO - GECKO(8204) | freed by thread T95 (VideoCapture) here:
[task 2022-10-03T17:34:17.123Z] 17:34:17     INFO - GECKO(8204) |     #0 0x55d8f414eef2 in __interceptor_free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
[task 2022-10-03T17:34:17.126Z] 17:34:17     INFO - GECKO(8204) |     #1 0x7f80cba70fc8 in Release /builds/worker/checkouts/gecko/third_party/libwebrtc/rtc_base/ref_counted_object.h:61:7
[task 2022-10-03T17:34:17.129Z] 17:34:17     INFO - GECKO(8204) |     #2 0x7f80cba70fc8 in non-virtual thunk to rtc::RefCountedObject<webrtc::DesktopCaptureImpl>::Release() const /builds/worker/checkouts/gecko/third_party/libwebrtc/rtc_base/ref_counted_object.h
[task 2022-10-03T17:34:17.131Z] 17:34:17     INFO - GECKO(8204) |     #3 0x7f80cba70294 in operator= /builds/worker/checkouts/gecko/third_party/libwebrtc/api/scoped_refptr.h:127:13
[task 2022-10-03T17:34:17.133Z] 17:34:17     INFO - GECKO(8204) |     #4 0x7f80cba70294 in operator() /builds/worker/checkouts/gecko/dom/media/systemservices/VideoEngine.cpp:127:31
[task 2022-10-03T17:34:17.136Z] 17:34:17     INFO - GECKO(8204) |     #5 0x7f80cba70294 in std::_Function_handler<void (mozilla::camera::VideoEngine::CaptureEntry&), mozilla::camera::VideoEngine::ReleaseVideoCapture(int)::$_22>::_M_invoke(std::_Any_data const&, mozilla::camera::VideoEngine::CaptureEntry&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
[task 2022-10-03T17:34:17.140Z] 17:34:17     INFO - GECKO(8204) |     #6 0x7f80cba2e9dc in mozilla::camera::VideoEngine::WithEntry(int, std::function<void (mozilla::camera::VideoEngine::CaptureEntry&)> const&&) /builds/worker/checkouts/gecko/dom/media/systemservices/VideoEngine.cpp:242:3
[task 2022-10-03T17:34:17.141Z] 17:34:17     INFO - GECKO(8204) |     #7 0x7f80cba2d387 in mozilla::camera::VideoEngine::ReleaseVideoCapture(int) /builds/worker/checkouts/gecko/dom/media/systemservices/VideoEngine.cpp:126:5
[task 2022-10-03T17:34:17.142Z] 17:34:17     INFO - GECKO(8204) |     #8 0x7f80cba53ccf in ReleaseCapture /builds/worker/checkouts/gecko/dom/media/systemservices/CamerasParent.cpp:771:21
[task 2022-10-03T17:34:17.143Z] 17:34:17     INFO - GECKO(8204) |     #9 0x7f80cba53ccf in operator() /builds/worker/checkouts/gecko/dom/media/systemservices/CamerasParent.cpp:784:23
[task 2022-10-03T17:34:17.144Z] 17:34:17     INFO - GECKO(8204) |     #10 0x7f80cba53ccf in mozilla::media::LambdaRunnable<mozilla::camera::CamerasParent::RecvReleaseCapture(mozilla::camera::CaptureEngine const&, int const&)::$_9>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaUtils.h:77:27
[task 2022-10-03T17:34:17.145Z] 17:34:17     INFO - GECKO(8204) |     #11 0x7f80c5431d0e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
[task 2022-10-03T17:34:17.146Z] 17:34:17     INFO - GECKO(8204) |     #12 0x7f80c543b964 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
[task 2022-10-03T17:34:17.147Z] 17:34:17     INFO - GECKO(8204) |     #13 0x7f80c6a461a8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
[task 2022-10-03T17:34:17.148Z] 17:34:17     INFO - GECKO(8204) |     #14 0x7f80c68e18d1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
[task 2022-10-03T17:34:17.148Z] 17:34:17     INFO - GECKO(8204) |     #15 0x7f80c68e18d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
[task 2022-10-03T17:34:17.149Z] 17:34:17     INFO - GECKO(8204) |     #16 0x7f80c68e18d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
[task 2022-10-03T17:34:17.150Z] 17:34:17     INFO - GECKO(8204) |     #17 0x7f80c691207a in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:187:16
[task 2022-10-03T17:34:17.151Z] 17:34:17     INFO - GECKO(8204) |     #18 0x7f80c68f7444 in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
[task 2022-10-03T17:34:17.151Z] 17:34:17     INFO - GECKO(8204) |     #19 0x7f80ed7776da in start_thread /tmp/glibc/nptl/pthread_create.c:463
[task 2022-10-03T17:34:17.159Z] 17:34:17     INFO - GECKO(8204) | previously allocated by thread T0 here:
[task 2022-10-03T17:34:17.160Z] 17:34:17     INFO - GECKO(8204) |     #0 0x55d8f414f19e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
[task 2022-10-03T17:34:17.161Z] 17:34:17     INFO - GECKO(8204) |     #1 0x55d8f4193cb5 in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
[task 2022-10-03T17:34:17.162Z] 17:34:17     INFO - GECKO(8204) |     #2 0x7f80cba6fb85 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
[task 2022-10-03T17:34:17.162Z] 17:34:17     INFO - GECKO(8204) |     #3 0x7f80cba6fb85 in Create /builds/worker/checkouts/gecko/dom/media/systemservices/video_engine/desktop_capture_impl.cc:130:10
[task 2022-10-03T17:34:17.163Z] 17:34:17     INFO - GECKO(8204) |     #4 0x7f80cba6fb85 in operator() /builds/worker/checkouts/gecko/dom/media/systemservices/VideoEngine.cpp:80:15
[task 2022-10-03T17:34:17.164Z] 17:34:17     INFO - GECKO(8204) |     #5 0x7f80cba6fb85 in mozilla::media::LambdaRunnable<mozilla::camera::VideoEngine::CreateVideoCapture(char const*)::$_21>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/media/MediaUtils.h:77:27
[task 2022-10-03T17:34:17.165Z] 17:34:17     INFO - GECKO(8204) |     #6 0x7f80c5452b3c in nsThreadSyncDispatch::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadSyncDispatch.h:35:51
[task 2022-10-03T17:34:17.168Z] 17:34:17     INFO - GECKO(8204) |     #7 0x7f80c544fa82 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
[task 2022-10-03T17:34:17.169Z] 17:34:17     INFO - GECKO(8204) |     #8 0x7f80c541018d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
[task 2022-10-03T17:34:17.170Z] 17:34:17     INFO - GECKO(8204) |     #9 0x7f80c540d2f8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
[task 2022-10-03T17:34:17.171Z] 17:34:17     INFO - GECKO(8204) |     #10 0x7f80c540da20 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
[task 2022-10-03T17:34:17.171Z] 17:34:17     INFO - GECKO(8204) |     #11 0x7f80c5458ab1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
[task 2022-10-03T17:34:17.172Z] 17:34:17     INFO - GECKO(8204) |     #12 0x7f80c5458ab1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
[task 2022-10-03T17:34:17.173Z] 17:34:17     INFO - GECKO(8204) |     #13 0x7f80c54314e7 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
[task 2022-10-03T17:34:17.173Z] 17:34:17     INFO - GECKO(8204) |     #14 0x7f80c543b964 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
[task 2022-10-03T17:34:17.176Z] 17:34:17     INFO - GECKO(8204) |     #15 0x7f80c6a44ff8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
[task 2022-10-03T17:34:17.176Z] 17:34:17     INFO - GECKO(8204) |     #16 0x7f80c68e18d1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
[task 2022-10-03T17:34:17.177Z] 17:34:17     INFO - GECKO(8204) |     #17 0x7f80c68e18d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
[task 2022-10-03T17:34:17.178Z] 17:34:17     INFO - GECKO(8204) |     #18 0x7f80c68e18d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
[task 2022-10-03T17:34:17.179Z] 17:34:17     INFO - GECKO(8204) |     #19 0x7f80cd5203a7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
[task 2022-10-03T17:34:17.179Z] 17:34:17     INFO - GECKO(8204) |     #20 0x7f80d2157ff7 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:295:30
[task 2022-10-03T17:34:17.180Z] 17:34:17     INFO - GECKO(8204) |     #21 0x7f80d2384155 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5723:22
[task 2022-10-03T17:34:17.181Z] 17:34:17     INFO - GECKO(8204) |     #22 0x7f80d2385eae in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5916:8
[task 2022-10-03T17:34:17.182Z] 17:34:17     INFO - GECKO(8204) |     #23 0x7f80d2386c2b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5972:21
[task 2022-10-03T17:34:17.183Z] 17:34:17     INFO - GECKO(8204) |     #24 0x55d8f418da39 in do_main(int, char**, char**) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:226:22
[task 2022-10-03T17:34:17.184Z] 17:34:17     INFO - GECKO(8204) |     #25 0x55d8f418cd57 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:430:16
[task 2022-10-03T17:34:17.185Z] 17:34:17     INFO - GECKO(8204) |     #26 0x7f80ec655b96 in __libc_start_main /tmp/glibc/csu/../csu/libc-start.c:310
[task 2022-10-03T17:34:17.186Z] 17:34:17     INFO - GECKO(8204) | Thread T95 (VideoCapture) created by T7 (IPDL Background) here:
[task 2022-10-03T17:34:17.202Z] 17:34:17     INFO - GECKO(8204) |     #0 0x55d8f41386fc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
[task 2022-10-03T17:34:17.205Z] 17:34:17     INFO - GECKO(8204) |     #1 0x7f80c68f0824 in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
[task 2022-10-03T17:34:17.208Z] 17:34:17     INFO - GECKO(8204) |     #2 0x7f80c68f0824 in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
[task 2022-10-03T17:34:17.209Z] 17:34:17     INFO - GECKO(8204) |     #3 0x7f80c691172d in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:93:8
[task 2022-10-03T17:34:17.210Z] 17:34:17     INFO - GECKO(8204) |     #4 0x7f80cba30529 in mozilla::camera::CamerasParent::RecvPCamerasConstructor() /builds/worker/checkouts/gecko/dom/media/systemservices/CamerasParent.cpp:1160:31
[task 2022-10-03T17:34:17.211Z] 17:34:17     INFO - GECKO(8204) |     #5 0x7f80c6adfe5b in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:4076:52
[task 2022-10-03T17:34:17.212Z] 17:34:17     INFO - GECKO(8204) |     #6 0x7f80c6a3ef5d in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
[task 2022-10-03T17:34:17.213Z] 17:34:17     INFO - GECKO(8204) |     #7 0x7f80c6a3ca30 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
[task 2022-10-03T17:34:17.214Z] 17:34:17     INFO - GECKO(8204) |     #8 0x7f80c6a3d3d2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
[task 2022-10-03T17:34:17.215Z] 17:34:17     INFO - GECKO(8204) |     #9 0x7f80c6a3e14e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
[task 2022-10-03T17:34:17.215Z] 17:34:17     INFO - GECKO(8204) |     #10 0x7f80c5431d0e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
[task 2022-10-03T17:34:17.216Z] 17:34:17     INFO - GECKO(8204) |     #11 0x7f80c543b964 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
[task 2022-10-03T17:34:17.217Z] 17:34:17     INFO - GECKO(8204) |     #12 0x7f80c6a46309 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
[task 2022-10-03T17:34:17.218Z] 17:34:17     INFO - GECKO(8204) |     #13 0x7f80c68e18d1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
[task 2022-10-03T17:34:17.218Z] 17:34:17     INFO - GECKO(8204) |     #14 0x7f80c68e18d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
[task 2022-10-03T17:34:17.219Z] 17:34:17     INFO - GECKO(8204) |     #15 0x7f80c68e18d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
[task 2022-10-03T17:34:17.220Z] 17:34:17     INFO - GECKO(8204) |     #16 0x7f80c5428e64 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384:10
[task 2022-10-03T17:34:17.221Z] 17:34:17     INFO - GECKO(8204) |     #17 0x7f80eda44c0e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
[task 2022-10-03T17:34:17.221Z] 17:34:17     INFO - GECKO(8204) |     #18 0x7f80ed7776da in start_thread /tmp/glibc/nptl/pthread_create.c:463
[task 2022-10-03T17:34:17.222Z] 17:34:17     INFO - GECKO(8204) | Thread T7 (IPDL Background) created by T0 here:
[task 2022-10-03T17:34:17.279Z] 17:34:17     INFO - GECKO(8204) |     #0 0x55d8f41386fc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
[task 2022-10-03T17:34:17.281Z] 17:34:17     INFO - GECKO(8204) |     #1 0x7f80eda34cbc in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
[task 2022-10-03T17:34:17.281Z] 17:34:17     INFO - GECKO(8204) |     #2 0x7f80eda2605e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
[task 2022-10-03T17:34:17.282Z] 17:34:17     INFO - GECKO(8204) |     #3 0x7f80c542bde5 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:618:18
[task 2022-10-03T17:34:17.283Z] 17:34:17     INFO - GECKO(8204) |     #4 0x7f80c5439208 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:534:12
[task 2022-10-03T17:34:17.285Z] 17:34:17     INFO - GECKO(8204) |     #5 0x7f80c5445669 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:161:57
[task 2022-10-03T17:34:17.285Z] 17:34:17     INFO - GECKO(8204) |     #6 0x7f80c6a032b6 in NS_NewNamedThread<16UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
[task 2022-10-03T17:34:17.285Z] 17:34:17     INFO - GECKO(8204) |     #7 0x7f80c6a032b6 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:941:7
[task 2022-10-03T17:34:17.287Z] 17:34:17     INFO - GECKO(8204) |     #8 0x7f80c69cc10b in (anonymous namespace)::ParentImpl::AllocStarter(mozilla::dom::ContentParent*, mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundStarterParent>&&, bool) /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:873:30
[task 2022-10-03T17:34:17.287Z] 17:34:17     INFO - GECKO(8204) |     #9 0x7f80c69cc73d in (anonymous namespace)::ChildImpl::Startup() /builds/worker/checkouts/gecko/ipc/glue/BackgroundImpl.cpp:1237:5
[task 2022-10-03T17:34:17.288Z] 17:34:17     INFO - GECKO(8204) |     #10 0x7f80cc82cfdf in mozilla::dom::ContentParent::StartUp() /builds/worker/checkouts/gecko/dom/ipc/ContentParent.cpp:668:3
[task 2022-10-03T17:34:17.288Z] 17:34:17     INFO - GECKO(8204) |     #11 0x7f80ce3f73cb in nsLayoutStatics::Initialize() /builds/worker/checkouts/gecko/layout/build/nsLayoutStatics.cpp:146:3
[task 2022-10-03T17:34:17.289Z] 17:34:17     INFO - GECKO(8204) |     #12 0x7f80ce3f727d in nsLayoutModuleInitialize() /builds/worker/checkouts/gecko/layout/build/nsLayoutModule.cpp:104:7
[task 2022-10-03T17:34:17.290Z] 17:34:17     INFO - GECKO(8204) |     #13 0x7f80c53d9390 in nsComponentManagerImpl::Init() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:371:5
[task 2022-10-03T17:34:17.291Z] 17:34:17     INFO - GECKO(8204) |     #14 0x7f80c54a997f in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:430:51
[task 2022-10-03T17:34:17.291Z] 17:34:17     INFO - GECKO(8204) |     #15 0x7f80d23721b6 in ScopedXPCOMStartup::Initialize(bool) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:2078:8
[task 2022-10-03T17:34:17.292Z] 17:34:17     INFO - GECKO(8204) |     #16 0x7f80d2385e93 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5912:22
[task 2022-10-03T17:34:17.292Z] 17:34:17     INFO - GECKO(8204) |     #17 0x7f80d2386c2b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5972:21
[task 2022-10-03T17:34:17.293Z] 17:34:17     INFO - GECKO(8204) |     #18 0x55d8f418da39 in do_main(int, char**, char**) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:226:22
[task 2022-10-03T17:34:17.294Z] 17:34:17     INFO - GECKO(8204) |     #19 0x55d8f418cd57 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:430:16
[task 2022-10-03T17:34:17.295Z] 17:34:17     INFO - GECKO(8204) |     #20 0x7f80ec655b96 in __libc_start_main /tmp/glibc/csu/../csu/libc-start.c:310
[task 2022-10-03T17:34:17.295Z] 17:34:17     INFO - GECKO(8204) | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/dom/media/systemservices/video_engine/tab_capturer.cc:213:14 in mozilla::TabCapturer::OnFrame(mozilla::dom::ImageBitmap*)

The failure log is here, found in this build

Andreas, should we be dispatching this code to the main thread since that is where the creation happens (see here)?

Flags: needinfo?(apehrson)

(In reply to Michael Froman [:mjf] from comment #1)

Andreas, should we be dispatching this code to the main thread since that is where the creation happens (see here)?

Well, the race appears to be between destroy and the frame callback. So creation is probably not relevant? OTOH that DISPATCH_SYNC could be problematic because it's not really sync. I'm thinking we might be processing other IPC messages while in an intermediate state.

I guess we violate the lifetime assumption here.

Analysing how this could be, I see some things that are ... unfortunate.

  • TabCapturer that holds the callback handler is refcounted. This makes it hard to reason about its lifetime when destroying the callback handler.
  • Work was done to ensure CaptureFrame is sync, to ensure it doesn't run away async while we destroy the callback handler. But StartRunnable does the same async operation and doesn't care about this.

The former is just leaving room for improvement. The latter could definitely be causing a UAF.

What I think we should really do is block ~TabCapturer until no more captures are happening. A TaskQueue on top of main thread seems reasonable for dispatching the capture requests. We can just shut that down and block until drained on destroy. And we won't need a sync CaptureFrame, i.e. we can drop the monitor.

Assignee: nobody → apehrson
Status: NEW → ASSIGNED
Flags: needinfo?(apehrson)

This patch makes TabCapturerWebrtc::CaptureFrame synchronous through
SyncRunnable rather than a manually handled Monitor Wait/Notify dance.

Being synchronous means we can also do some cleanup:

  • The refcounted internal class is gone.
  • The monitor is gone.
  • The previously async CaptureFrame() in Start() now reuses the sync path.

I wasn't able to reproduce this or bug 1678060 on try but as mentioned in comment 2 there is clearly a race in the tab capturer. These patches will be a nice improvement to readability and lifetime guarantees. However, the parent process main thread is pretty heavily loaded when doing tab capture, and it was only 1 FPS. Something might have to be done about that if we ever aim to ship this.
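The lifetime fix sketched in comment 2 (block the destructor until no more captures are in flight, by shutting down and draining a task queue) and the synchronous capture path described in the patch, as an added C++ example. This is not Gecko code and it does not use Gecko's TaskQueue or SyncRunnable; it models the same contract with a worker thread, a mutex/condition-variable queue, and a promise/future for the sync path. All names (DrainingTabCapturer, FrameSink, RunCaptureSession) are illustrative and not Gecko identifiers.

```cpp
// Added example, not Gecko code: a frame capturer whose destructor refuses new
// work, drains everything already queued, and joins its worker before the
// object is freed. Names here are illustrative, not Gecko identifiers.
#include <condition_variable>
#include <cstdint>
#include <deque>
#include <functional>
#include <future>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

// Shared observer that outlives the capturer, so callers can check afterwards
// that no frame callback ran once the capturer was gone.
struct FrameSink {
  std::mutex mutex;
  std::vector<uint32_t> frames;       // ids delivered by OnFrame, in order
  bool capturerAlive = false;
  int callbacksAfterDestruction = 0;  // stays 0 with a draining destructor
};

class DrainingTabCapturer {
 public:
  explicit DrainingTabCapturer(std::shared_ptr<FrameSink> sink) : mSink(std::move(sink)) {
    { std::lock_guard<std::mutex> lock(mSink->mutex); mSink->capturerAlive = true; }
    mWorker = std::thread([this] { RunQueue(); });
  }

  // Stop accepting work, let the worker drain the queue, then join. Only then
  // is the object marked dead, so nothing queued earlier can touch freed memory.
  ~DrainingTabCapturer() {
    { std::lock_guard<std::mutex> lock(mMutex); mShutdown = true; }
    mCond.notify_all();
    mWorker.join();
    std::lock_guard<std::mutex> lock(mSink->mutex);
    mSink->capturerAlive = false;
  }

  // Asynchronous capture request; rejected once shutdown has begun.
  bool RequestFrame(uint32_t id) {
    std::lock_guard<std::mutex> lock(mMutex);
    if (mShutdown) return false;
    mQueue.push_back([this, id] { OnFrame(id); });
    mCond.notify_one();
    return true;
  }

  // Synchronous capture: queue the same work and block until it has run,
  // via a promise/future rather than a hand-rolled monitor wait/notify.
  bool CaptureFrameSync(uint32_t id) {
    std::promise<void> done;
    std::future<void> finished = done.get_future();
    {
      std::lock_guard<std::mutex> lock(mMutex);
      if (mShutdown) return false;
      // `done` outlives the task because we wait on `finished` below.
      mQueue.push_back([this, id, &done] { OnFrame(id); done.set_value(); });
      mCond.notify_one();
    }
    finished.wait();
    return true;
  }

 private:
  // Frame callback. It dereferences `this` (mSink), which is only safe because
  // the destructor drains the queue before the object is freed.
  void OnFrame(uint32_t id) {
    std::lock_guard<std::mutex> lock(mSink->mutex);
    if (!mSink->capturerAlive) ++mSink->callbacksAfterDestruction;
    mSink->frames.push_back(id);
  }

  void RunQueue() {
    for (;;) {
      std::function<void()> task;
      {
        std::unique_lock<std::mutex> lock(mMutex);
        mCond.wait(lock, [this] { return mShutdown || !mQueue.empty(); });
        if (mQueue.empty()) return;  // shutdown requested and queue drained
        task = std::move(mQueue.front());
        mQueue.pop_front();
      }
      task();
    }
  }

  std::shared_ptr<FrameSink> mSink;
  std::mutex mMutex;
  std::condition_variable mCond;
  std::deque<std::function<void()>> mQueue;
  bool mShutdown = false;
  std::thread mWorker;
};

struct SessionResult {
  size_t delivered;               // frames that reached the sink
  int callbacksAfterDestruction;  // expected 0
};

// Queue `asyncFrames` async captures plus one sync capture (constructed
// input), destroy the capturer, and report what the sink observed.
SessionResult RunCaptureSession(int asyncFrames) {
  auto sink = std::make_shared<FrameSink>();
  {
    DrainingTabCapturer capturer(sink);
    for (int i = 0; i < asyncFrames; ++i) capturer.RequestFrame(static_cast<uint32_t>(i));
    capturer.CaptureFrameSync(1000);
  }  // destructor drains and joins here
  std::lock_guard<std::mutex> lock(sink->mutex);
  return {sink->frames.size(), sink->callbacksAfterDestruction};
}
```

The invariant the destructor enforces is the one the ASan report above shows being violated: the object is freed on one thread (VideoCapture) while a frame callback on another (main) still holds a pointer to it. Draining before returning from the destructor, rather than relying on refcounts held by the callback handler, makes the ordering explicit; RequestFrame returning false after shutdown is the observable side of that contract.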

Pushed by pehrsons@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/baa1e294ed95 Restore mochitests. r=mjf
https://hg.mozilla.org/integration/autoland/rev/2ff23b90bbf7 Make TabCapturerWebrtc captures truly synchronous. r=mjf
https://hg.mozilla.org/integration/autoland/rev/fac342123da8 Make TabCapturerWebrtc frame capture async, by blocking the destructor. r=mjf
https://hg.mozilla.org/integration/autoland/rev/14a0c1fa3707 Silence a narrowing-conversion warning in TabCapturerWebrtc. r=mjf
Regressions: 1795542
Duplicate of this bug: 1678060

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::TabCapturer::OnFrame(mozilla::dom::ImageBitmap*)]