[PeerConnection] Fix crash: Old state information surfaced in SLD/SRD. #16350
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wpt-pr-bot
approved these changes
Apr 15, 2019
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-1566346
branch
from
772815d
to
abd9838
Compare
Because of WebRTC's blocking-invoke threading model, the order of events are not always the same in the content and webrtc layers, causing bugs in some edge-cases. For example, addTrack() and setLocalDescription() both modify the set of transceivers. addTrack() does so with a blocking-invoke, and SLD() does so asynchronously, where the state change is surfaced in a callback. In rare cases, it is possible for addTrack() to modify the sender's track and then for a setLocalDescription() callback carrying outdated transceiver state information to null the track. And similarly this could happen reverting changes to the transceiver's direction. This makes the content layer not reflect the webrtc layer, which in the referenced bug even causes a crash because a track adapter no longer exists. The fix is not to update "transceiver.sender.track" or "transceiver.direction" in SLD/SRD callbacks for transceivers that already exists. This is valid, because these fields can only be modified by other APIs (addTrack, replaceTrack, direction, etc) and not by SDP. Bug: 950280 Change-Id: Icdcc65c5f8b5861550bda588597b88f6103c4f70 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1566346 Commit-Queue: Henrik Boström <hbos@chromium.org> Reviewed-by: Guido Urdaneta <guidou@chromium.org> Cr-Commit-Position: refs/heads/master@{#651234}
chromium-wpt-export-bot
force-pushed
the
chromium-export-cl-1566346
branch
from
abd9838
to
ca3b50a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Because of WebRTC's blocking-invoke threading model, the order of events
are not always the same in the content and webrtc layers, causing bugs
in some edge-cases.
For example, addTrack() and setLocalDescription() both modify the set
of transceivers. addTrack() does so with a blocking-invoke, and SLD()
does so asynchronously, where the state change is surfaced in a
callback.
In rare cases, it is possible for addTrack() to modify the sender's
track and then for a setLocalDescription() callback carrying outdated
transceiver state information to null the track. And similarly this
could happen reverting changes to the transceiver's direction.
This makes the content layer not reflect the webrtc layer, which in
the referenced bug even causes a crash because a track adapter no
longer exists.
The fix is not to update "transceiver.sender.track" or
"transceiver.direction" in SLD/SRD callbacks for transceivers that
already exists. This is valid, because these fields can only be
modified by other APIs (addTrack, replaceTrack, direction, etc) and
not by SDP.
Bug: 950280
Change-Id: Icdcc65c5f8b5861550bda588597b88f6103c4f70
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1566346
Commit-Queue: Henrik Boström <hbos@chromium.org>
Reviewed-by: Guido Urdaneta <guidou@chromium.org>
Cr-Commit-Position: refs/heads/master@{#651234}