Fix possible crash TransceiverStateSurfacer::Initialize() crash.

It may be possible that a peer connection is closed, garbage collected and that any local track adapters associated with it is destroyed before the setLocalDescription/setRemoteDescription observer callback is invoked on the signaling thread due to webrtc::PeerConnection invoking the observer with an asynchronous delay. TransceiverStateSurfacer::Initialize() will crash if local track adapters are missing. This CL makes WebRtcSet[Local/Remote]DescriptionObserverHandler not surface any transceivers if the webrtc-layer peer connection is closed. This should be fine, because the spec says to abort the SLD/SRD steps if the PC has been closed. This is a speculative fix for https://crbug.com/897251. The stack trace produced by the new unittest before the fix is the same as that bug, but the cause of the referenced bug being that the PC was closed and GC'd, as assumed by this CL, has not been confirmed. NOTE: This CL contains just the fix. https://chromium-review.googlesource.com/c/chromium/src/+/1309792 contains tests too but we broke up the CL to allow this to land before a dependent testing related CL lands. TBR=guidou@chromium.org Bug: 897251 Change-Id: Ibf621c45fd5a683d847596edeea1f88018783289 Reviewed-on: https://chromium-review.googlesource.com/c/1311919Reviewed-by: Henrik Boström <hbos@chromium.org> Commit-Queue: Henrik Boström <hbos@chromium.org> Cr-Commit-Position: refs/heads/master@{#604548}

Fix possible crash TransceiverStateSurfacer::Initialize() crash.
It may be possible that a peer connection is closed, garbage collected and that any local track adapters associated with it is destroyed before the setLocalDescription/setRemoteDescription observer callback is invoked on the signaling thread due to webrtc::PeerConnection invoking the observer with an asynchronous delay. TransceiverStateSurfacer::Initialize() will crash if local track adapters are missing. This CL makes WebRtcSet[Local/Remote]DescriptionObserverHandler not surface any transceivers if the webrtc-layer peer connection is closed. This should be fine, because the spec says to abort the SLD/SRD steps if the PC has been closed. This is a speculative fix for https://crbug.com/897251. The stack trace produced by the new unittest before the fix is the same as that bug, but the cause of the referenced bug being that the PC was closed and GC'd, as assumed by this CL, has not been confirmed. NOTE: This CL contains just the fix. https://chromium-review.googlesource.com/c/chromium/src/+/1309792 contains tests too but we broke up the CL to allow this to land before a dependent testing related CL lands. TBR=guidou@chromium.org Bug: 897251 Change-Id: Ibf621c45fd5a683d847596edeea1f88018783289 Reviewed-on: https://chromium-review.googlesource.com/c/1311919Reviewed-by: Henrik Boström <hbos@chromium.org> Commit-Queue: Henrik Boström <hbos@chromium.org> Cr-Commit-Position: refs/heads/master@{#604548}
18cb7920 · Henrik Boström · Commit Bot · 50d29054 · 18cb7920
Commit 18cb7920 authored Nov 01, 2018 by Henrik Boström Committed by Commit Bot Nov 01, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 5 deletions

content/renderer/media/webrtc/webrtc_set_description_observer.cc .../renderer/media/webrtc/webrtc_set_description_observer.cc +12 -5

No files found.
--- a/content/renderer/media/webrtc/webrtc_set_description_observer.cc
+++ b/content/renderer/media/webrtc/webrtc_set_description_observer.cc
@@ -53,12 +53,19 @@ void WebRtcSetDescriptionObserverHandlerImpl::OnSetDescriptionComplete(
  std::vector<rtc::scoped_refptr<webrtc::RtpTransceiverInterface>>
      receiver_only_transceivers;
  std::vector<rtc::scoped_refptr<webrtc::RtpTransceiverInterface>> transceivers;
-  if (surface_receivers_only_) {
-    for (const auto& receiver : pc_->GetReceivers()) {
-      transceivers.push_back(new SurfaceReceiverStateOnly(receiver));
+  // Only surface transceiver/receiver states if the peer connection is not
+  // closed. If the peer connection is closed, the peer connection handler may
+  // have been destroyed along with any track adapters that
+  // TransceiverStateSurfacer assumes exist. This is treated as a special case
+  // due to https://crbug.com/897251.
+  if (pc_->signaling_state() != webrtc::PeerConnectionInterface::kClosed) {
+    if (surface_receivers_only_) {
+      for (const auto& receiver : pc_->GetReceivers()) {
+        transceivers.push_back(new SurfaceReceiverStateOnly(receiver));
+      }
+    } else {
+      transceivers = pc_->GetTransceivers();
    }
-  } else {
-    transceivers = pc_->GetTransceivers();
  }
  TransceiverStateSurfacer transceiver_state_surfacer(main_task_runner_,
                                                      signaling_task_runner_);