Closed
Bug 1232854
Opened 9 years ago
Closed 8 years ago
Crash in [@mozilla::layers::MappedYCbCrChannelData::CopyInto]
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1232330
Tracking | Status | |
---|---|---|
firefox46 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, sec-high, testcase)
Attachments
(3 files)
This seems to only happen on windows, I could not reproduce it on linux. It's strange that this media file is triggering a js bug, I won't pretend to know what's going on. Steps to reproduce: - Open browser - Play attached test case
Reporter | ||
Comment 1•9 years ago
|
||
Comment 2•9 years ago
|
||
Considering the crashing function and the output of |hg blame UbiNodeDominatorTree.h|, needinfo-ing fitzgen.
Flags: needinfo?(nfitzgerald)
Comment 3•8 years ago
|
||
I can't reproduce on OSX, either.
But, given that:
> WARNING: Stack unwind information not available. Following frames may be wrong.
And that the test case and STR has nothing to do with heap snapshots and dominator trees, I think this is a corrupt stack or at least bad stack capturing.
I will try and reproduce under windows.
Comment 4•8 years ago
|
||
Seems to be some hand-rolled assembly deep in third party media code, which I am completely unfamiliar with. ni'ing some folks who might know more.
Flags: needinfo?(nfitzgerald)
Updated•8 years ago
|
Flags: needinfo?(roc)
Flags: needinfo?(padenot)
Updated•8 years ago
|
Component: JavaScript Engine → Graphics
The point in the screenshot is definitely in media code. But according to the log, isn't the crash here? MSVCR120!memcpy+0x2a: 7319f20c f3a4 rep movs byte ptr es:[edi],byte ptr [esi] ?
Flags: needinfo?(roc)
Reporter | ||
Comment 6•8 years ago
|
||
Third party media code you say? ... Adding some media folks. Hopefully they can help or add the correct people.
Comment 7•8 years ago
|
||
Better to NI. Chris, this is crashing when playing a particular mp4 on windows.
Flags: needinfo?(padenot) → needinfo?(cpearce)
Updated•8 years ago
|
Group: gfx-core-security
Reporter | ||
Comment 8•8 years ago
|
||
I grabbed a better stack trace and it looks like this is a dup of bug 1232330. VCRUNTIME140!memcpy+0x4e xul!mozilla::layers::MappedYCbCrChannelData::CopyInto+0x48 xul!mozilla::layers::UpdateYCbCrTextureClient+0xd7 xul!mozilla::layers::ImageClientSingle::UpdateImage+0x366 xul!mozilla::layers::UpdateImageClientNow+0x32 xul!RunnableFunction<void (__cdecl*)(mozilla::layers::ImageClient *,RefPtr<mozilla::layers::ImageContainer> &&),mozilla::Tuple<mozilla::layers::ImageClient *,RefPtr<mozilla::layers::ImageContainer> > >::Run+0x10 xul!MessageLoop::DoWork+0x1ac xul!base::MessagePumpDefault::Run+0x1a4 xul!MessageLoop::RunHandler+0xa4 xul!MessageLoop::Run+0x3f xul!base::Thread::ThreadMain+0xb8 xul!`anonymous namespace'::ThreadFunc+0x9 KERNEL32!BaseThreadInitThunk+0x24 ntdll!__RtlUserThreadStart+0x2f ntdll!_RtlUserThreadStart+0x1b
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Summary: Crash in [@xul!JS::ubi::DominatorTree::root] → Crash in [@mozilla::layers::MappedYCbCrChannelData::CopyInto]
Updated•8 years ago
|
Flags: needinfo?(cpearce)
Updated•8 years ago
|
Component: Graphics → Audio/Video: Playback
Reporter | ||
Updated•8 years ago
|
Group: gfx-core-security, javascript-core-security → media-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•