Closed
Bug 1066319
Opened 10 years ago
Closed 10 years ago
crash in OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | stagefright::MPEG4Source::start(stagefright::MetaData*)
Categories
(Core :: Audio/Video, defect)
Tracking
()
VERIFIED
FIXED
mozilla35
Tracking | Status | |
---|---|---|
firefox32 | --- | unaffected |
firefox33 | --- | unaffected |
firefox34 | + | verified |
firefox35 | + | verified |
People
(Reporter: lizzard, Assigned: rillian)
References
Details
(Keywords: crash)
Crash Data
Attachments
(1 file, 3 obsolete files)
3.39 KB,
patch
|
ajones
:
review+
lmandel
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
This bug was filed from the Socorro interface and is report bp-8c6c9625-d0fe-4238-8a8c-c1e702140905. ============================================================= This crash signature first appeared on 2014-08-29 with the 2014082803 build. It's showing up on Firefox 34 and 35. Most of the urls for the crashes are for YouTube videos. Regression window from mozilla-central: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=0753f7b93ab7&tochange=3be45b58fc47 Crashing thread: 0 mozalloc.dll mozalloc_abort(char const* const) memory/mozalloc/mozalloc_abort.cpp 1 mozalloc.dll mozalloc_handle_oom(unsigned int) memory/mozalloc/mozalloc_oom.cpp 2 mozalloc.dll moz_xmalloc memory/mozalloc/mozalloc.cpp 3 xul.dll stagefright::MPEG4Source::start(stagefright::MetaData*) media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp 4 xul.dll mp4_demuxer::MP4Demuxer::Init() media/libstagefright/binding/mp4_demuxer.cpp 5 xul.dll mozilla::MP4Reader::ReadMetadata(mozilla::MediaInfo*, nsDataHashtable<nsCStringHashKey, nsCString>**) content/media/fmp4/MP4Reader.cpp 6 xul.dll mozilla::MediaDecoderStateMachine::DecodeMetadata() content/media/MediaDecoderStateMachine.cpp 7 xul.dll mozilla::MediaDecoderStateMachine::CallDecodeMetadata() content/media/MediaDecoderStateMachine.cpp 8 xul.dll nsRunnableMethodImpl<tag_nsresult ( nsMemoryReporterManager::*)(void), void, 1>::Run() xpcom/glue/nsThreadUtils.h 9 xul.dll mozilla::MediaTaskQueue::Runner::Run() content/media/MediaTaskQueue.cpp 10 xul.dll nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp 11 xul.dll nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp 12 xul.dll MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc 13 xul.dll _SEH_epilog4
Reporter | ||
Comment 1•10 years ago
|
||
There are also some similar signatures showing up on the same day on Android.
Crash Signature: [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | stagefright::MPEG4Source::start(stagefright::MetaData*)] → [@ OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | stagefright::MPEG4Source::start(stagefright::MetaData*)]
[@ abort | abort | __android_log_assert | stagefright::MPEG4Source::start(stagefright::MetaDa…
Assignee | ||
Comment 2•10 years ago
|
||
Probably MPEG4Extractor.cpp:2504 mSrcBuffer = new uint8_t[max_size]; We read max_size from the file, or estimate it if it's zero. It's possible files with corrupt values are asking for too large a buffer.
Assignee | ||
Comment 3•10 years ago
|
||
Assignee: nobody → giles
Attachment #8488883 -
Flags: review?(ajones)
Assignee | ||
Comment 4•10 years ago
|
||
Also handle overflow.
Attachment #8488883 -
Attachment is obsolete: true
Attachment #8488883 -
Flags: review?(ajones)
Attachment #8488888 -
Flags: review?(ajones)
Comment 5•10 years ago
|
||
Comment on attachment 8488888 [details] [diff] [review] Reject samples with unreasonable sizes. v2 Review of attachment 8488888 [details] [diff] [review]: ----------------------------------------------------------------- ::: media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp @@ +41,5 @@ > namespace stagefright { > > +// Reject samples with unreasonable size table entries. > +#define INPUT_SIZE_LIMIT (4*3110400) > +#define INPUT_SIZE_INVALID(size) (size <= 0 || size >= INPUT_SIZE_LIMIT) This should be a function rather than a #define. Make it inline if you prefer. Either add a comment about where the number comes from or show it as something like 4 * (1080 * 1920) * 3 / 2 to at least give some kind of hint. Suggestions: I wouldn't bother defining a constant separately. Consider that INPUT_SIZE_LIMIT doesn't add any information compared to INPUT_SIZE_INVALID. Additionally I'd prefer we give things affirmative names such as ValidInputSize() and then !ValidInputSize().
Attachment #8488888 -
Flags: review?(ajones) → review+
Assignee | ||
Comment 6•10 years ago
|
||
Make validation check a function, and document size constant inline. > Either add a comment about where the number comes from or show it as > something like 4 * (1080 * 1920) * 3 / 2 to at least give some kind of hint. I was just following local style. :-) v2 patch was green on try. https://tbpl.mozilla.org/?tree=Try&rev=e0604057d776
Attachment #8488888 -
Attachment is obsolete: true
Attachment #8489022 -
Flags: review?(ajones)
Assignee | ||
Comment 7•10 years ago
|
||
Fix typo, conform to more local style.
Attachment #8489022 -
Attachment is obsolete: true
Attachment #8489022 -
Flags: review?(ajones)
Attachment #8489027 -
Flags: review?(ajones)
Comment 8•10 years ago
|
||
(In reply to Ralph Giles (:rillian) from comment #6) > I was just following local style. :-) Stupid stagefright.
Updated•10 years ago
|
Attachment #8489027 -
Flags: review?(ajones) → review+
Assignee | ||
Comment 9•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/2a7fe756a652
Comment 10•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/2a7fe756a652
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Assignee | ||
Comment 11•10 years ago
|
||
Liz, can you verify this fixes the crash, or provide STR so I can?
Flags: needinfo?(lhenry)
Reporter | ||
Comment 12•10 years ago
|
||
Hi Ralph! I will follow up by checking crash stats over the next few days. I don't have good STR so will verify off of crash-stats to see if any crashes happen in later builds from this list : https://crash-stats.mozilla.com/report/list?product=Firefox&signature=OOM+|+large+|+mozalloc_abort%28char+const*+const%29+|+mozalloc_handle_oom%28unsigned+int%29+|+moz_xmalloc+|+stagefright%3A%3AMPEG4Source%3A%3Astart%28stagefright%3A%3AMetaData*%29#tab-table Do you want to try uplifting it to Aurora as well?
Flags: needinfo?(lhenry) → needinfo?(giles)
Assignee | ||
Comment 14•10 years ago
|
||
Comment on attachment 8489027 [details] [diff] [review] Reject samples with unreasonable sizes. v4 Approval Request Comment [Feature/regressing bug #]: 1043696 [User impact if declined]: Viewing some videos will crash the browser. [Describe test coverage new/current, TBPL]: Landed on m-c. Manual testing. No automated coverage. [Risks and why]: Risk is low. This is a clean change to better handle errors. We don't have good steps-to-reproduce, so this may not address the complete problem, but the code is clearly better with the patch. [String/UUID change made/needed]: none.
Attachment #8489027 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
Comment 15•10 years ago
|
||
Do we have enough data from crash-stats to verify this fix yet?
Flags: needinfo?(lhenry)
Reporter | ||
Comment 16•10 years ago
|
||
Yes, I can verify this for 35, and there are still a few crashes on Aurora in the 2014091700 and 2014091600 builds.
Flags: needinfo?(lhenry)
Assignee | ||
Comment 17•10 years ago
|
||
Thanks, Liz!
Comment 18•10 years ago
|
||
Comment on attachment 8489027 [details] [diff] [review] Reject samples with unreasonable sizes. v4 Now that this has been verified on m-c, Aurora+.
Attachment #8489027 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 19•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/0d23cb46b0f3
Comment 20•10 years ago
|
||
Looking in Socorro I see the following data: 1. OOM | large | mozalloc_abort(char const* const) | mozalloc_handle_oom(unsigned int) | moz_xmalloc | stagefright::MPEG4Source::start(stagefright::MetaData*) - NO crashes in versions 35 or 34 for builds after 19.09 2. abort | abort | __android_log_assert | stagefright::MPEG4Source::start(stagefright::MetaData*) - 156 crashes in version 34 for builds after 19.09 3. abort | abort | __android_log_assert | stagefright::VectorImpl::itemLocation(unsigned int) - 275 in versions 35 or 34 for builds after 19.09 Any thoughts?
Reporter | ||
Comment 21•10 years ago
|
||
I think there is more to do here, but this seems to have had a positive effect. We should report the 2nd and 3rd crash sigs in a different bug. Ralph, does that sound reasonable?
Flags: needinfo?(giles)
Assignee | ||
Comment 22•10 years ago
|
||
Please do. That number 2 is 34-specific suggests there's something we need to backport. Number 3 looks like an unknown bug.
Flags: needinfo?(giles)
Comment 23•10 years ago
|
||
Filled 2 bugs for the two signatures. Marking this as Verified.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•