Closed Bug 1242774 Opened 8 years ago Closed 8 years ago

Seeking in media with video overhang can crash browser

Categories

(Core :: Audio/Video: Playback, defect, P1)

Product:
Core
Component:
Audio/Video: Playback
Version:
46 Branch
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox45 --- unaffected
firefox46 + verified
firefox47 + verified

People

(Reporter: bryce, Assigned: alwu)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(5 files, 6 obsolete files)

VideoOverhang.webm
57.11 KB, video/webm
Details
Crash stack
4.51 KB, text/plain
Details
Log
276.83 KB, text/plain
Details
Part 1 : Don't resolve promise again when the callback calls drain(). r=jwwang.
963 bytes, patch
alwu
: review+
lizzard
: approval-mozilla-beta+
Details | Diff | Splinter Review
Part 2 : Add the crash test. r=jwwang.
56.00 KB, patch
alwu
: review+
Details | Diff | Splinter Review
Attached video VideoOverhang.webm 
When seeking in a media with video longer than the audio a null pointer can occur. This can be done manually by rapidly seeking around where the audio finishes in such a file.

To do this with the attached file rapidly seek around the 4 second mark (as the 5 is displayed). This appears to be reproducible if the file is streamed or read from disk.

This appears to affect the nightly (46+), but not Aurora or Beta.
Can't repro on Linux nightly. What is your platform?
Flags: needinfo?(bvandyk)
(In reply to JW Wang [:jwwang] from comment #1)
> Can't repro on Linux nightly. What is your platform?

OSX
Flags: needinfo?(bvandyk)
Attached file Crash stack 

    
    

    
  
The crash stack points to a MozPromise crash in a cubeb callback:

Thread 71 Crashed:: com.apple.audio.IOThread.client
0   XUL                           	0x0000000102a95251 void mozilla::MozPromise<bool, nsresult, false>::Private::Resolve<bool&>(bool&&&, char const*) + 17 (Mutex.h:69)
1   XUL                           	0x0000000102a8f667 mozilla::media::DecodedAudioDataSink::Drained() + 103 (RefPtr.h:40)
2   XUL                           	0x00000001029b86e7 mozilla::AudioStream::StateCallback(cubeb_state) + 199 (Mutex.h:75)
3   XUL                           	0x0000000103a2c739 audiounit_output_callback + 201 (cubeb_audiounit.c:133)
...
Keywords: crash

    
  
Assignee: nobody → alwu

    
    

    
  

      
      
      
      

        Attached file
          
        Log
      

    


  

    
    

    
  


  
[Crash reason]
As the audio backend in OSX calls drain() twice, then we tried to resolve the promise which had already been resolved and released in previous drain().

[Solution]
Replace Resolve() with ResolveIfExists().

    
    

    
  

      
      
      
      

        Attached file
          
        Part 2 : Add the crash test (obsolete)
        — 
      

    


  

    
    

    
  
We have an easier reproducing way, and it's also used in my crash test.

STR.
1. Play video
2. Pause video when it becomes silent (blue screen)
3. Play video again 
4. *Crash*

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Part 2 : Add the crash test (obsolete)
        — Splinter Review
      

    


  
Only add crash test to other platforms, 
https://treeherder.mozilla.org/#/jobs?repo=try&revision=2898d3b3e797

        Attachment #8715722 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 8715721 [details] [diff] [review]
Part 1 : Don't resolve promise again when the callback calls drain()

Hi, JW,
Could you help me review these patches?
I'll modify the comment in Drained() after getting the try-server result in comment9, then I would file a new bug and mention what platform has this problem. 
Very appreciate!

        Attachment #8715721 -
        Flags: review?(jwwang)

    
  

        Attachment #8716145 -
        Flags: review?(jwwang)

        Attachment #8715721 -
        Attachment is patch: true

        Attachment #8716145 -
        Attachment is patch: true

    
    

    
  
Comment on attachment 8715721 [details] [diff] [review]
Part 1 : Don't resolve promise again when the callback calls drain()

Review of attachment 8715721 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/media/mediasink/DecodedAudioDataSink.cpp
@@ +278,5 @@
>  void
>  DecodedAudioDataSink::Drained()
>  {
>    SINK_LOG("Drained");
> +  // In osx, the audio backend would triggled Drained() twice, then it would

s/would triggled Drained/could trigger Drained/.

'would' means it will happen for sure.

@@ +280,5 @@
>  {
>    SINK_LOG("Drained");
> +  // In osx, the audio backend would triggled Drained() twice, then it would
> +  // cause the crash because the promise had already been resolve and free.
> +  // We'll need to solve it in bugXXXXXX.

'bugXXXXXX' means nothing. You can use 'FIXME' or 'TODO' to indicate a future work item.

        Attachment #8715721 -
        Flags: review?(jwwang) → review+

    
    

    
  
Comment on attachment 8716145 [details] [diff] [review]
Part 2 : Add the crash test

Review of attachment 8716145 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/media/test/crashtests/audio-drained.html
@@ +1,1 @@
> +<html class="reftest-wait">

You need to call document.documentElement.removeAttribute("class") to finish the test. See oscillator-ended-1.html for an example.

@@ +1,3 @@
> +<html class="reftest-wait">
> +<head>
> +  <title>Bug 1242774 : video crashed if replay after audio drained</title>

Avoid using a term like 'drained' which is a term used by underlying implementation. You can say something like "video crashed if pause and play again after audio track ends".

@@ +9,5 @@
> +    dump("### Error : " + msg + "\n");
> +  }
> +}
> +
> +var SILENT_PART_START_TIME = 4.5;

Let's call this "AUDIO_END_TIME".

@@ +11,5 @@
> +}
> +
> +var SILENT_PART_START_TIME = 4.5;
> +var video = document.createElement('video');
> +video.src = "videoCrash.webm";

You need to "hg add" this file.

@@ +16,5 @@
> +video.play();
> +
> +video.ontimeupdate = function () {
> +  assert(SILENT_PART_START_TIME < video.duration,
> +         "Silent start time shouldn't beyond the duration!");

should be smaller than the duration.

        Attachment #8716145 -
        Flags: review?(jwwang) → review-

    
    

    
  
(In reply to JW Wang [:jwwang] from comment #12)
> @@ +11,5 @@
> > +}
> > +
> > +var SILENT_PART_START_TIME = 4.5;
> > +var video = document.createElement('video');
> > +video.src = "videoCrash.webm";
> 
> You need to "hg add" this file.
> 
It's already added, but it doesn't be showed in "review" mode.
Choose "overview" then you would see that file.

    
    

    
  
(In reply to JW Wang [:jwwang] from comment #12)
>
> You need to call document.documentElement.removeAttribute("class") to finish
> the test. See oscillator-ended-1.html for an example.
> 

I think that is only needed when you add some css attribute in the element. [1]

[1] removeAttribute : http://www.w3schools.com/jsref/met_element_removeattribute.asp

    
    

    
  
Do you mean the test can finish correctly without calling document.documentElement.removeAttribute("class") like oscillator-ended-1.html?

    
    

    
  
Now I am waiting the result on window, now only OSX crashed.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e58d3d1d2543&group_state=expanded

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Part 2 : Add the crash test (obsolete)
        — Splinter Review
      

    


  

        Attachment #8716145 -
        Attachment is obsolete: true

        Attachment #8716194 -
        Flags: review?(jwwang)

    
    

    
  
Comment on attachment 8716194 [details] [diff] [review]
Part 2 : Add the crash test

Review of attachment 8716194 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/media/test/crashtests/video-replay-after-audio-end.html
@@ +11,5 @@
> +}
> +
> +var AUDIO_END_TIME = 4.5;
> +var video = document.createElement('video');
> +video.src = "videoCrash.webm";

The convention is lowercase like "video-crash.webm".

        Attachment #8716194 -
        Flags: review?(jwwang) → review+

    
    

    
  
The test also crashed on the Window, but the crash point isn't the same [1].

In the crash stack, we can find the following stack
> 2  xul.dll!mozilla::AudioStream::Resume() [AudioStream.cpp:e58d3d1d2543 : 471 + 0x8]
> 3  xul.dll!mozilla::media::DecodedAudioDataSink::SetPlaying(bool)

Is it correct to resume the AudioStream after drained?

[1] https://treeherder.mozilla.org/logviewer.html#?job_id=16373175&repo=try
Flags: needinfo?(jwwang)

    
    

    
  
Try-server result for all patches, we can see whether the crash happens on Window after applying the patch.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=8f91bbf7a22f

    
    

    
  
It looks like to me wasapi should handle the case where wasapi_stream_start() is called after drained correctly.
Flags: needinfo?(jwwang)

    
  
See Also:  → 1246104

    
  
See Also:  → 1246108

    
    

    
  


  

        Attachment #8716194 -
        Attachment is obsolete: true

        Attachment #8716233 -
        Flags: review+

    
  

        Attachment #8716232 -
        Flags: review+

    
  
Keywords: checkin-needed

        Attachment #8716233 -
        Attachment is patch: true

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/b1c27c182412
https://hg.mozilla.org/mozilla-central/rev/561d4d620aa3
Status: NEW → RESOLVED
Closed: 8 years ago

          status-firefox47:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47

    
    

    
  
Backed out the crashtest in https://hg.mozilla.org/integration/mozilla-inbound/rev/2914d1a8153c - apparently Linux32 thinks it's a little aggressive with memory, or leaves things around, or something: caused at least bug 1247122 and bug 1247506 and I think there are some other flavors of the same OOMish thing that we didn't yet get around to filing.
Blocks: 1247122, 1247506
Flags: in-testsuite?

    
    

    
  


  
per comment27, skip this test on Linux.

        Attachment #8716233 -
        Attachment is obsolete: true

        Attachment #8719359 -
        Flags: review+

    
  

        Attachment #8719359 -
        Attachment description: Add the crash test. r=jwwang. → Part 2 : Add the crash test. r=jwwang.

        Attachment #8719359 -
        Attachment is patch: true

    
  
Keywords: checkin-needed

    
    

    
  
(In reply to Alastor Wu [:alwu] from comment #28)
> Created attachment 8719359 [details] [diff] [review]
> Part 2 : Add the crash test. r=jwwang.
> 
> per comment27, skip this test on Linux.

Please file follow-up bugs to ensure they will be fixed on Linux and Windows.

    
  
Blocks: 1248313

    
    

    
  
Open the bug1248313 to track it.
Keywords: checkin-needed

    
    

    
  
backed out for causing https://treeherder.mozilla.org/logviewer.html#?job_id=21739600&repo=mozilla-inbound and others. please conside a try run before  next landing try
Flags: needinfo?(alwu)

    
    

    
  
All the tests are green light now.
Flags: needinfo?(alwu)
Keywords: checkin-needed

    
    

    
  


  
MozReview-Commit-ID: EBRigaPn5Du

    
  

        Attachment #8719359 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 8720324 [details] [diff] [review]
Part 2 : Add the crash test. r=jwwang.

Sorry, I forgot to update the new patch....

        Attachment #8720324 -
        Attachment description: add crash test → Part 2 : Add the crash test. r=jwwang.
Flags: needinfo?(alwu)

        Attachment #8720324 -
        Flags: review+

    
    

    
  
The try result is in the comment34, the reason of the back-out is I forgot to update the new patch.
Sorry!
Keywords: checkin-needed

    
    

    
  
Comment on attachment 8716232 [details] [diff] [review]
Part 1 : Don't resolve promise again when the callback calls drain(). r=jwwang.

Approval Request Comment
[Feature/regressing bug #]:948267
[User impact if declined]:crash might happen during playback when video duration is longer than audio duration.
[Describe test coverage new/current, TreeHerder]:TreeHerder
[Risks and why]: low, the change is simple and has been Aurora and Central for quite a while.
[String/UUID change made/needed]:none

        Attachment #8716232 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 8716232 [details] [diff] [review]
Part 1 : Don't resolve promise again when the callback calls drain(). r=jwwang.

Crash fix, recent regression (46), includes a test. 
Yay, put it on beta too please so we don't ship this.

        Attachment #8716232 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+
Blocks: 948267

    
    

    
  
This crash accounted for 1539 of 4941 of crashes recorded under signature mozilla::MozPromise<T>::Private::Resolve<T> in the period 2016-03-01 -> 2016-03-24 in 46 beta.
Crash Signature: [@ mozilla::MozPromise<T>::Private::Resolve<T>]

    
    

    
  
I have 3037 crashes in beta 2 with this signature. This fix landed the day we shipped beta 2; there wasn't a beta 3, so it should be in beta 4. We don't have a ton of data yet for beta 4 but I'd love for us to verify this fix in a couple of days.
Flags: qe-verify+

    
    

    
  
This signature has disappeared past beta 2. Marking verified.
Status: RESOLVED → VERIFIED

          status-firefox46:
          fixedverified

          status-firefox47:
          fixedverified

    
    

    
  
Crash volume for signature 'mozilla::MozPromise<T>::Private::Resolve<T>':
 - nightly (version 50): 1 crash from 2016-06-06.
 - aurora  (version 49): 0 crashes from 2016-06-07.
 - beta    (version 48): 4 crashes from 2016-06-06.
 - release (version 47): 35 crashes from 2016-05-31.
 - esr     (version 45): 1 crash from 2016-04-07.

Crash volume on the last weeks:
            W. N-1  W. N-2  W. N-3  W. N-4  W. N-5  W. N-6  W. N-7
 - nightly       0       0       0       0       1       0       0
 - aurora        0       0       0       0       0       0       0
 - beta          0       0       0       1       1       1       1
 - release       5       4       6       7       5       5       0
 - esr           1       0       0       0       0       0       0

Affected platform: Windows

          status-firefox48:
          --- → affected

          status-firefox50:
          --- → affected

          status-firefox-esr45:
          --- → affected

    
    

    
  
So this is fixed in 47 but we're still seeing it in 48 and 50?
Flags: needinfo?(lhenry)

    
    

    
  
Yes, I think that here, the bot should not be reporting on this bug.... The threshhold of having a few crashes like this doesn't seem worth reporting.  Calixte what do you think? I'm seeing a lot of this kind of thing (Months untouched, fixed bugs with a few crashes on release channel, getting a bot update)
Flags: needinfo?(lhenry) → needinfo?(cdenizet)

    
    

    
  
I think it is noise (and would like to be able to explain why but this is a different story...)

          status-firefox48:
          affected → ---

          status-firefox50:
          affected → ---

          status-firefox-esr45:
          affected → ---
Flags: needinfo?(cdenizet)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: