Closed Bug 1188323 Opened 9 years ago Closed 8 years ago

Intermittent test_getUserMedia_audioCapture.html | application crashed [@ mozilla::StreamBuffer::TrackIter::FindMatch()][@ mozilla::AudioCaptureStream::ProcessInput(long long, long long, unsigned int)]

Categories

(Core :: Audio/Video: MediaStreamGraph, defect, P1)

Product:
Core
Component:
Audio/Video: MediaStreamGraph
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: cbook, Assigned: padenot)

References

(
URL
)

Details

(5 keywords)

Attachments

(1 obsolete file) 

https://treeherder.mozilla.org/logviewer.html#?job_id=3949854&repo=fx-team


22:10:27 WARNING - PROCESS-CRASH | dom/media/tests/mochitest/test_getUserMedia_audioCapture.html | application crashed [@ mozilla::AudioCaptureStream::ProcessInput(long long, long long, unsigned int)]
22:10:27 INFO - Crash dump filename: /var/folders/ys/g9dt_gzn2n9byqt80y89_7j800000w/T/tmpu3RG0n.mozrunner/minidumps/1330420B-F7E8-4B8D-A9A0-6E2FE760E2EE.dmp
22:10:27 INFO - Operating system: Mac OS X
22:10:27 INFO - 10.10.2 14C109
22:10:27 INFO - CPU: amd64
22:10:27 INFO - family 6 model 42 stepping 7
22:10:27 INFO - 8 CPUs
22:10:27 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
22:10:27 INFO - Crash address: 0x40
22:10:27 INFO - Thread 111 (crashed)
22:10:27 INFO - 0 XUL!mozilla::AudioCaptureStream::ProcessInput(long long, long long, unsigned int) [nsTArray.h:3f8000cec1c4 : 362 + 0x4]
22:10:27 INFO - rbx = 0x0000000000000001 r12 = 0x0000000000000000
22:10:27 INFO - r13 = 0x00000001457808c0 r14 = 0x0000000000000000
22:10:27 INFO - r15 = 0x00000001003a2b80 rip = 0x00000001028ee53d
22:10:27 INFO - rsp = 0x0000000145780850 rbp = 0x0000000145780910
22:10:27 INFO - Found by: given as instruction pointer in context
22:10:27 INFO - 1 XUL!mozilla::MediaStreamGraphImpl::Process(long long, long long) [MediaStreamGraph.cpp:3f8000cec1c4 : 1333 + 0x14]
22:10:27 INFO - rbx = 0x000000010617c4d0 r12 = 0x000000000000002f
22:10:27 INFO - r13 = 0x00000000003bc900 r14 = 0x0000000000000000
22:10:27 INFO - r15 = 0x00000000003bc980 rip = 0x0000000102970d08
22:10:27 INFO - rsp = 0x0000000145780920 rbp = 0x0000000145780980
22:10:27 INFO - Found by: call frame info
22:10:27 INFO - 2 XUL!mozilla::MediaStreamGraphImpl::OneIteration(long long, long long, long long, long long) [MediaStreamGraph.cpp:3f8000cec1c4 : 1514 + 0xe]
22:10:27 INFO - rbx = 0x000000012210cbc0 r12 = 0x0000000000000100
22:10:27 INFO - r13 = 0x000000011f8b5060 r14 = 0x00000000003bcb00
22:10:27 INFO - r15 = 0x000000011f8b5000 rip = 0x00000001029711c2
22:10:27 INFO - rsp = 0x0000000145780990 rbp = 0x0000000145780a00
22:10:27 INFO - Found by: call frame info
22:10:27 INFO - 3 XUL!mozilla::AudioCallbackDriver::DataCallback(float*, long) [GraphDriver.cpp:3f8000cec1c4 : 899 + 0x10]
22:10:27 INFO - rbx = 0x00000001064a5678 r12 = 0x0000000000000100
22:10:27 INFO - r13 = 0x000000011f8b5060 r14 = 0x0000000000000200
22:10:27 INFO - r15 = 0x000000011f8b5000 rip = 0x0000000102905b87
22:10:27 INFO - rsp = 0x0000000145780a10 rbp = 0x0000000145780a60
22:10:27 INFO - Found by: call frame info
22:10:27 INFO - 4 XUL!audiounit_output_callback [cubeb_audiounit.c:3f8000cec1c4 : 139 + 0x13]
22:10:27 INFO - rbx = 0x00000001164f4a10 r12 = 0x0000000000000200
22:10:27 INFO - r13 = 0x00000001164f4a68 r14 = 0x0000000000000200
22:10:27 INFO - r15 = 0x0000000115519500 rip = 0x00000001039d411e
22:10:27 INFO - rsp = 0x0000000145780a70 rbp = 0x0000000145780ab0
22:10:27 INFO - Found by: call frame info
22:10:27 INFO - 5 CoreAudio + 0x8d44
22:10:27 INFO - rbx = 0x00000001447a7878 r12 = 0x0000000000000200
22:10:27 INFO - r13 = 0x00000001447a7800 r14 = 0x00000001155194e0
22:10:27 INFO - r15 = 0x0000000115519500 rip = 0x0000000145008d45
22:10:27 INFO - rsp = 0x0000000145780ac0 rbp = 0x0000000145780b20
22:10:27 INFO - Found by: call frame info
22:10:27 INFO - 6 CoreAudio + 0x676d
22:10:27 INFO - rip = 0x000000014500676e rsp = 0x0000000145780b3
Keywords: crash
Component: Audio/Video → Audio/Video: MSG/cubeb
Summary: Intermittent test_getUserMedia_audioCapture.html | application crashed [@ mozilla::AudioCaptureStream::ProcessInput(long long, long long, unsigned int)] → Intermittent test_getUserMedia_audioCapture.html | application crashed [@ mozilla::StreamBuffer::TrackIter::FindMatch()][@ mozilla::AudioCaptureStream::ProcessInput(long long, long long, unsigned int)]
Assignee: nobody → padenot
Comment on attachment 8642483 [details] [diff] [review]
Part 9 - Make the necessary changes to VoEExternalMediaImpl::ExternalRecordingInsertData so that it the number of channels is forwarded down the webrtc.org code. r=

(wrong bug)
Attachment #8642483 - Attachment is obsolete: true
Any news here?
Flags: needinfo?(padenot)
I don't know what's up here. It's a bit crazy. I need to write some instrumentation and push on try.
Flags: needinfo?(padenot)
Honza - is there a reason you linked all these oranges to this bug?  They seem unrelated and from across the tree.
Flags: needinfo?(honzab.moz)
(In reply to Randell Jesup [:jesup] from comment #61)
> Honza - is there a reason you linked all these oranges to this bug?  They
> seem unrelated and from across the tree.

Randal, I'm sorry.  I think I did that only by mistake.  I wanted to just star known issues on one of my try runs and misclicked the save button to also mark the bugs.  Please ignore these or mark as spam.

Sorry for inconvenience.
Flags: needinfo?(honzab.moz)
Group: core-security
erahm points out that this looks like a buffer overflow, so I'm hiding this.
Group: core-security → media-core-security
Keywords: csectype-bounds
For reference it's crashing at an nsTArray bounds check [1] that got inlined.

[1] https://dxr.mozilla.org/mozilla-central/rev/1a157155a4fe0074b3d03b54fe9e466472c2cd56/xpcom/glue/nsTArray.h#985
So as best I can tell, this hasn't happened since the week ending Oct 11th.  (Orange factor won't show me the bug hits from the 11th, perhaps because it's sec now).  Comparing current code, use of mStreams (presumably the array) in that function seems good; all uses for adding and removing entries seem to be gated on running a Command on the graph thread.  Perhaps a hole in switching between externally-driven graph thread and internally-driven was fixed?  I don't see anything obvious in the MSG.cpp vc logs though.

We could add a thread assertion to the add/remove code I suppose.  Padenot: any ideas?  Does this in fact seem to be gone, and does that make sense?
Flags: needinfo?(padenot)
Once this bug was hidden, it isn't going to get starred any more. So you can't really conclude anything from that about whether it is happening. (I probably shouldn't have hid it...) You could look for dupes that were filed but maybe they just got starred as something else.
I haven't seen any instances of dups, and crashes tend to get reported.  No other bugs filed against this test.  And OrangeFactor Robot would have reported any crashes on 10/18, and didn't. Moving to sec seems to have wiped any record of crashes logged by OrangeFactor Robot, which is unfortunate.
(In reply to Randell Jesup [:jesup] from comment #96)
> So as best I can tell, this hasn't happened since the week ending Oct 11th. 
> (Orange factor won't show me the bug hits from the 11th, perhaps because
> it's sec now).  Comparing current code, use of mStreams (presumably the
> array) in that function seems good; all uses for adding and removing entries
> seem to be gated on running a Command on the graph thread.  Perhaps a hole
> in switching between externally-driven graph thread and internally-driven
> was fixed?  I don't see anything obvious in the MSG.cpp vc logs though.
> 
> We could add a thread assertion to the add/remove code I suppose.  Padenot:
> any ideas?  Does this in fact seem to be gone, and does that make sense?

I've never been able to identify the cause for this, we don't do anything crazier than for AudioCaptureStream than for other streams, I think. I'm uploading hardening code for the GraphDriver today, in any case.
Flags: needinfo?(padenot)
I realize this is in a "wait and see" mode for now.
Rank: 10
Priority: -- → P1
Given the lack of duplicates being reported, and the GraphDriver/etc hardening that landed a month ago, we should close this now.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Group: media-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: