1043845 - [tarako][monkey test] monkey test crash at libxul.so!mozalloc_abort(char const*) | libxul.so!mozilla::WaveReader::DecodeAudioData() [mozalloc.h : 213 + 0xd]

Status: RESOLVED WORKSFORME

(Firefox OS Graveyard :: General, defect)

Description

[Peipei Cheng (needinfo if you need my action)]

Monkey test crashed three times during 24 hours test.

Please find the slog here: https://mega.co.nz/#!dxlz2I6b!RAbDbyEDDAP1kcUlB2c-mrSrBbm3fYLl-DBM_SFC4lk

Operating system: Android
                  0.0.0 Linux 3.0.8+ #1 PREEMPT Wed Jul 23 17:40:28 CST 2014 armv7l Spreadtrum/sp6821a_gonk/sp6821a_gonk:4.0.4.0.4.0.4/OPENMASTER/552:userdebug/test-keys
CPU: arm
     0 CPUs

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 62 (crashed)
 0  libxul.so!mozalloc_abort(char const*) [mozalloc_abort.cpp : 30 + 0x4]
     r4 = 0x00000000    r5 = 0x00000001    r6 = 0xffffffff    r7 = 0xffffffff
     r8 = 0x00000000    r9 = 0x00000001   r10 = 0x000493e0    fp = 0xffffffff
     sp = 0x43ecbd00    lr = 0x418cc9cb    pc = 0x418cc9ce
    Found by: given as instruction pointer in context
 1  libxul.so!mozalloc_handle_oom(unsigned int) [mozalloc_oom.cpp : 50 + 0x3]
     r4 = 0x00000000    r5 = 0x00000001    r6 = 0xffffffff    r7 = 0xffffffff
     r8 = 0x00000000    r9 = 0x00000001   r10 = 0x000493e0    fp = 0xffffffff
     sp = 0x43ecbd08    pc = 0x418cca47
    Found by: call frame info
 2  libxul.so!moz_xmalloc [mozalloc.cpp : 54 + 0x5]
     r4 = 0xfffffffe    r5 = 0x00000001    r6 = 0xffffffff    r7 = 0xffffffff
     r8 = 0x00000000    r9 = 0x00000001   r10 = 0x000493e0    fp = 0xffffffff
     sp = 0x43ecbd48    pc = 0x418cc9ab
    Found by: call frame info
 3  libxul.so!mozilla::WaveReader::DecodeAudioData() [mozalloc.h : 213 + 0xd]
     r4 = 0x45b0aa50    r5 = 0x00000001    r6 = 0xffffffff    r7 = 0xffffffff
     r8 = 0x00000000    r9 = 0x00000001   r10 = 0x000493e0    fp = 0xffffffff
     sp = 0x43ecbd50    pc = 0x4111e9e1
    Found by: call frame info
 4  libxul.so!mozilla::MediaDecoderStateMachine::DecodeLoop() [MediaDecoderStateMachine.cpp : 947 + 0x5]
     r4 = 0x43cc4c90    r5 = 0x00000001    r6 = 0x00000001    r7 = 0x00000000
     r8 = 0x00000001    r9 = 0x00000001   r10 = 0x000493e0    fp = 0x00000000
     sp = 0x43ecbdc0    pc = 0x410f2fc3
    Found by: call frame info
 5  libxul.so!mozilla::MediaDecoderStateMachine::DecodeThreadRun() [MediaDecoderStateMachine.cpp : 527 + 0x5]
     r4 = 0x43cc4c90    r5 = 0x449dba54    r6 = 0x00000001    r7 = 0x00000000
     r8 = 0x43ecbeaf    r9 = 0x443726cc   r10 = 0x00020000    fp = 0x00000001
     sp = 0x43ecbe50    pc = 0x410f30f3
    Found by: call frame info
 6  libxul.so!nsRunnableMethodImpl<nsresult (mozilla::net::<unnamed>::CacheFilesDeletor::*)(), void, true>::Run + 0x1b
     r4 = 0x443726a0    r5 = 0x00000000    r6 = 0x00000001    r7 = 0x00000000
     r8 = 0x43ecbeaf    r9 = 0x443726cc   r10 = 0x00020000    fp = 0x00000001
     sp = 0x43ecbe60    pc = 0x409df051
    Found by: call frame info
 7  libxul.so!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp : 612 + 0x5]
     r4 = 0x443726a0    r5 = 0x00000000    r6 = 0x00000001    r7 = 0x00000000
     r8 = 0x43ecbeaf    r9 = 0x443726cc   r10 = 0x00020000    fp = 0x00000001
     sp = 0x43ecbe68    pc = 0x409f550d
    Found by: call frame info
 8  libxul.so!NS_ProcessNextEvent(nsIThread*, bool) [nsThreadUtils.cpp : 263 + 0xb]
     r4 = 0x00000001    r5 = 0x43ecbebc    r6 = 0x00000000    r7 = 0x443726cc
     r8 = 0x00000000    r9 = 0x44fc9a80   r10 = 0x00020000    fp = 0x00000001
     sp = 0x43ecbea8    pc = 0x409c7cb5
    Found by: call frame info
 9  libxul.so!nsThread::ThreadFunc(void*) [nsThread.cpp : 246 + 0x7]
     r4 = 0x443726a0    r5 = 0x43ecbebc    r6 = 0x00000000    r7 = 0x443726cc
     r8 = 0x00000000    r9 = 0x44fc9a80   r10 = 0x00020000    fp = 0x00000001
     sp = 0x43ecbeb8    pc = 0x409f5a33
    Found by: call frame info
10  libnss3.so!_pt_root [ptthread.c : 205 + 0x5]
     r4 = 0x44fc9a80    r5 = 0x00000000    r6 = 0x407439ac    r7 = 0x407439ac
     r8 = 0x00000000    r9 = 0x44fc9a80   r10 = 0x00020000    fp = 0x00000001
     sp = 0x43ecbed8    pc = 0x406a4861
    Found by: call frame info
11  libc.so!__thread_entry [pthread.c : 217 + 0x6]
     r4 = 0x43ecbf00    r5 = 0x406a47c9    r6 = 0x44fc9a80    r7 = 0x00000078
     r8 = 0x406a47c9    r9 = 0x44fc9a80   r10 = 0x00020000    fp = 0x00000001
     sp = 0x43ecbef0    pc = 0x40097158
    Found by: call frame info
12  libc.so!pthread_create [pthread.c : 357 + 0xe]
     r4 = 0x43ecbf00    r5 = 0x009916f0    r6 = 0x468ffcdc    r7 = 0x00000078
     r8 = 0x406a47c9    r9 = 0x44fc9a80   r10 = 0x00020000    fp = 0x00000001
     sp = 0x43ecbf00    pc = 0x40096cac
    Found by: call frame info

Comment 1

[Ming]

49530 07-25 16:37:04.020   620 19086 E Gecko   : mozalloc_abort: out of memory: 0x00000000FFFFFFFE bytes oequested

0x00000000FFFFFFFE bytes seems wrong.

Comment 2

[James Zhang (Spreadtrum)]

Please add some code to protect this case.


diff --git a/content/media/wave/WaveReader.cpp b/content/media/wave/WaveReader.cpp
index 3badd35..17a295c 100644
--- a/content/media/wave/WaveReader.cpp
+++ b/content/media/wave/WaveReader.cpp
@@ -200,6 +200,10 @@ bool WaveReader::DecodeAudioData()
                 sizeof(AudioDataValue) / MAX_CHANNELS,
                 "bufferSize calculation could overflow.");
   const size_t bufferSize = static_cast<size_t>(frames * mChannels);
+
+  if (bufferSize < 0)
+    return false;
+
   nsAutoArrayPtr<AudioDataValue> sampleBuffer(new AudioDataValue[bufferSize]);

Comment 3

[Wayne Chang [:wchang]]

James,
We'll only spend resource on critical issues for 1.3t, and refrain from adding things to 1.3t since its close to launch.

Thomas, can you check and discuss about this issue with your team first.

Comment 4

[Eric Chou [:ericchou] [:echou]]

(In reply to Peipei Cheng from comment #0)
> Monkey test crashed three times during 24 hours test.
> 
> Please find the slog here:
> https://mega.co.nz/#!dxlz2I6b!RAbDbyEDDAP1kcUlB2c-mrSrBbm3fYLl-DBM_SFC4lk
> 
> Operating system: Android
>                   0.0.0 Linux 3.0.8+ #1 PREEMPT Wed Jul 23 17:40:28 CST 2014
> armv7l
> Spreadtrum/sp6821a_gonk/sp6821a_gonk:4.0.4.0.4.0.4/OPENMASTER/552:userdebug/
> test-keys
> CPU: arm
>      0 CPUs
> 
> Crash reason:  SIGSEGV
> Crash address: 0x0
> 
> Thread 62 (crashed)
>  0  libxul.so!mozalloc_abort(char const*) [mozalloc_abort.cpp : 30 + 0x4]
>      r4 = 0x00000000    r5 = 0x00000001    r6 = 0xffffffff    r7 = 0xffffffff
>      r8 = 0x00000000    r9 = 0x00000001   r10 = 0x000493e0    fp = 0xffffffff
>      sp = 0x43ecbd00    lr = 0x418cc9cb    pc = 0x418cc9ce
>     Found by: given as instruction pointer in context
>  1  libxul.so!mozalloc_handle_oom(unsigned int) [mozalloc_oom.cpp : 50 + 0x3]
>      r4 = 0x00000000    r5 = 0x00000001    r6 = 0xffffffff    r7 = 0xffffffff
>      r8 = 0x00000000    r9 = 0x00000001   r10 = 0x000493e0    fp = 0xffffffff
>      sp = 0x43ecbd08    pc = 0x418cca47
>     Found by: call frame info
>  2  libxul.so!moz_xmalloc [mozalloc.cpp : 54 + 0x5]
>      r4 = 0xfffffffe    r5 = 0x00000001    r6 = 0xffffffff    r7 = 0xffffffff
>      r8 = 0x00000000    r9 = 0x00000001   r10 = 0x000493e0    fp = 0xffffffff
>      sp = 0x43ecbd48    pc = 0x418cc9ab
>     Found by: call frame info
>  3  libxul.so!mozilla::WaveReader::DecodeAudioData() [mozalloc.h : 213 + 0xd]
>      r4 = 0x45b0aa50    r5 = 0x00000001    r6 = 0xffffffff    r7 = 0xffffffff
>      r8 = 0x00000000    r9 = 0x00000001   r10 = 0x000493e0    fp = 0xffffffff
>      sp = 0x43ecbd50    pc = 0x4111e9e1
>     Found by: call frame info
>  4  libxul.so!mozilla::MediaDecoderStateMachine::DecodeLoop()
> [MediaDecoderStateMachine.cpp : 947 + 0x5]
>      r4 = 0x43cc4c90    r5 = 0x00000001    r6 = 0x00000001    r7 = 0x00000000
>      r8 = 0x00000001    r9 = 0x00000001   r10 = 0x000493e0    fp = 0x00000000
>      sp = 0x43ecbdc0    pc = 0x410f2fc3
>     Found by: call frame info

Frame 3 doesn't seem to have full frame information. My guess is either 

  nsAutoArrayPtr<AudioDataValue> sampleBuffer(new AudioDataValue[bufferSize]);

or

  nsAutoArrayPtr<char> dataBuffer(new char[static_cast<size_t>(readSize)]);

caused the crash because of the lack of memory.

I honestly don't think we should make any big change right now since 1.3t is at the final stage of testing -- unless we have STR or at lease valid backtrace.

I'm still going to ni media experts Chris and Bruce to see if they have good suggestions of how to handle this kind of exception, and I also ni Peipei to see if we can get a more clear STR.

Comment 5

[Chris Pearce [:cpearce (Not reading bugmail)]]

cajbir is in charge of the WaveReader now, so I'll defer to him on this.

Comment 6

[Eric Chou [:ericchou] [:echou]]

(In reply to Chris Pearce (:cpearce) from comment #5)
> cajbir is in charge of the WaveReader now, so I'll defer to him on this.

Thanks!

Comment 7

[Bruce Sun [:brsun]]

I am not an expert of memory allocation. I believe the size of |new []| operator and the used data type could affect the size of |malloc|, but I don't have any idea how the size of |malloc|, 0xFFFFFFFE(-2), could be indirectly calculated from the size of |new []| inside WaveReader::DecodeAudioData(). Maybe having initial values on all member data of WaveReader could relieve this problem? Not sure.

If there are any media files that could reproduce this issue, it would be easier to find out the real root cause.

Comment 8

[James Zhang (Spreadtrum)]

Attachment: mozilla1043845.patch

Add log and guard code.

Comment 9

[Chris Pearce [:cpearce (Not reading bugmail)]]

cajbir must be away.

Is there a known way to reproduce this crash?

Returning false if (bufferSize < 0) as in James' patch would be a low risk mitigation.

Comment 10

[Peipei Cheng (needinfo if you need my action)]

(In reply to Chris Pearce (:cpearce) from comment #9)
> cajbir must be away.
> 
> Is there a known way to reproduce this crash?
> 
> Returning false if (bufferSize < 0) as in James' patch would be a low risk
> mitigation.

This crash was found by monkey test. And we are still unable to find a way to reproduce this crash. According to partner QA, they only have some video in the device which has this crash. I will try to get those videos and double check.

Comment 11

[Peipei Cheng (needinfo if you need my action)]

keep ni on me.

Comment 12

[Peipei Cheng (needinfo if you need my action)]

I would like to close this bug as WorksForMe since we don't see this bug now. We  could reopen if it appears again.