Closed Bug 1232854 Opened 9 years ago Closed 8 years ago

Crash in [@mozilla::layers::MappedYCbCrChannelData::CopyInto]

Categories

(Core :: Audio/Video: Playback, defect)

x86
Windows 8.1
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1232330
Tracking Status
firefox46 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, sec-high, testcase)

Attachments

(3 files)

This seems to only happen on Windows; I could not reproduce it on Linux.

It's strange that this media file is triggering a JS bug; I won't pretend to know what's going on.

Steps to reproduce:
- Open browser
- Play attached test case
Attached video test_case.mp4
Considering the crashing function and the output of |hg blame UbiNodeDominatorTree.h|, needinfo-ing fitzgen.
Flags: needinfo?(nfitzgerald)
I can't reproduce on OSX, either.

But, given that:

> WARNING: Stack unwind information not available. Following frames may be wrong.

And that the test case and STR have nothing to do with heap snapshots and dominator trees, I think this is a corrupt stack or at least bad stack capturing.

I will try and reproduce under Windows.
Seems to be some hand-rolled assembly deep in third-party media code, which I am completely unfamiliar with.

ni'ing some folks who might know more.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(roc)
Flags: needinfo?(padenot)
Component: JavaScript Engine → Graphics
The point in the screenshot is definitely in media code.

But according to the log, isn't the crash here?

MSVCR120!memcpy+0x2a:
7319f20c f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
?
Flags: needinfo?(roc)
Third-party media code, you say? ... Adding some media folks. Hopefully they can help or add the correct people.
Better to NI. Chris, this is crashing when playing a particular mp4 on Windows.
Flags: needinfo?(padenot) → needinfo?(cpearce)
Group: gfx-core-security
I grabbed a better stack trace and it looks like this is a dup of bug 1232330.

VCRUNTIME140!memcpy+0x4e
xul!mozilla::layers::MappedYCbCrChannelData::CopyInto+0x48
xul!mozilla::layers::UpdateYCbCrTextureClient+0xd7
xul!mozilla::layers::ImageClientSingle::UpdateImage+0x366
xul!mozilla::layers::UpdateImageClientNow+0x32
xul!RunnableFunction<void (__cdecl*)(mozilla::layers::ImageClient *,RefPtr<mozilla::layers::ImageContainer> &&),mozilla::Tuple<mozilla::layers::ImageClient *,RefPtr<mozilla::layers::ImageContainer> > >::Run+0x10
xul!MessageLoop::DoWork+0x1ac
xul!base::MessagePumpDefault::Run+0x1a4
xul!MessageLoop::RunHandler+0xa4
xul!MessageLoop::Run+0x3f
xul!base::Thread::ThreadMain+0xb8
xul!`anonymous namespace'::ThreadFunc+0x9
KERNEL32!BaseThreadInitThunk+0x24
ntdll!__RtlUserThreadStart+0x2f
ntdll!_RtlUserThreadStart+0x1b
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Summary: Crash in [@xul!JS::ubi::DominatorTree::root] → Crash in [@mozilla::layers::MappedYCbCrChannelData::CopyInto]
Flags: needinfo?(cpearce)
Component: Graphics → Audio/Video: Playback
Group: gfx-core-security, javascript-core-security → media-core-security
Blocks: grizzly
Group: media-core-security
Keywords: sec-high