Closed Bug 1071462 Opened 10 years ago Closed 10 years ago

Crash in mozilla::MediaOmxReader::NotifyDataArrived() with specific mp3 file

Categories

(Core :: Audio/Video, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

RESOLVED DUPLICATE of bug 1069602

People

(Reporter: swu, Unassigned)

References

Details

(Keywords: crash, topcrash-b2g, Whiteboard: [b2g-crash])

Crash Data

Attachments

(1 file)

Device: Flame JB 
Gaia: b630b8bcaf9653885539d4449bc65c3b592bd752
Gecko: 790f41c631cc
Build flags: B2G_DEBUG=1

STR:
1. Put an mp3 file in /storage/sdcard0
2. Run the music app; it crashes immediately.

GDB backtrace is below.

Program received signal SIGSEGV, Segmentation fault.
0xb550f3de in mozilla::MediaOmxReader::NotifyDataArrived (this=0xb0703400, 
    aBuffer=0xb2f2f000 "\202\271<\266_\246\275]\213\062\274~\370FP\366\302[ \212\366\275\002\027:\216`ʺ\342a:\253\024v\n\255Ί\346\351.\260\272\353\071\315\rZ6\215\242\teaS5\212\002>\376w\275)}t2A\361\206\277\f\315\303%Q\032¶Ջ\365F\327\257\251\b\374\207,\017E\231R\"\363$u\204 IedH\026\267\031\033[\221\266ѽ\232h&\331 6\342~XiՓe\257\233<\275\275\333Y0u\022}\257\070bֹr\355\236~\325\240ϑvە\246ga\177\031\351X\205F\024\372\370\225\216f\022\066\344,\206Rʺ\031\350\212%\a,\245\246s\035\006\216w\020\033^o\035\254\207s\327-\231"..., aLength=32768, 
    aOffset=1409024) at ../../../../content/media/omx/MediaOmxReader.cpp:463
463	  ReentrantMonitorAutoEnter mon(mDecoder->GetReentrantMonitor());
(gdb) bt
#0  0xb550f3de in mozilla::MediaOmxReader::NotifyDataArrived (this=0xb0703400, 
    aBuffer=0xb2f2f000 "\202\271<\266_\246\275]\213\062\274~\370FP\366\302[ \212\366\275\002\027:\216`ʺ\342a:\253\024v\n\255Ί\346\351.\260\272\353\071\315\rZ6\215\242\teaS5\212\002>\376w\275)}t2A\361\206\277\f\315\303%Q\032¶Ջ\365F\327\257\251\b\374\207,\017E\231R\"\363$u\204 IedH\026\267\031\033[\221\266ѽ\232h&\331 6\342~XiՓe\257\233<\275\275\333Y0u\022}\257\070bֹr\355\236~\325\240ϑvە\246ga\177\031\351X\205F\024\372\370\225\216f\022\066\344,\206Rʺ\031\350\212%\a,\245\246s\035\006\216w\020\033^o\035\254\207s\327-\231"..., aLength=32768, 
    aOffset=1409024) at ../../../../content/media/omx/MediaOmxReader.cpp:463
#1  0xb550fb60 in NotifyDataArrived (this=0xb185a4f0) at ../../../../content/media/omx/MediaOmxReader.cpp:106
#2  mozilla::OmxReaderNotifyDataArrivedRunnable::Run (this=0xb185a4f0) at ../../../../content/media/omx/MediaOmxReader.cpp:93
#3  0xb482aa08 in nsThread::ProcessNextEvent (this=0xb3a4a230, aMayWait=<optimized out>, aResult=0xbe92bc6f)
    at ../../../xpcom/threads/nsThread.cpp:823
#4  0xb483f0ac in NS_ProcessNextEvent (aThread=0xb3a4a230, aMayWait=<optimized out>)
    at /home/sywu/work/mozilla-central/xpcom/glue/nsThreadUtils.cpp:265
#5  0xb49f38ec in mozilla::ipc::MessagePump::Run (this=0xb3a01c70, aDelegate=0xbe92bdc8) at ../../../ipc/glue/MessagePump.cpp:99
#6  0xb49e1f6c in MessageLoop::RunInternal (this=0xbe92bdc8) at ../../../ipc/chromium/src/base/message_loop.cc:234
#7  0xb49e1f86 in RunHandler (this=0xbe92bdc8) at ../../../ipc/chromium/src/base/message_loop.cc:227
#8  MessageLoop::Run (this=0xbe92bdc8) at ../../../ipc/chromium/src/base/message_loop.cc:201
#9  0xb535a31a in nsBaseAppShell::Run (this=0xb18592e0) at ../../../widget/xpwidgets/nsBaseAppShell.cpp:164
#10 0xb59a37fa in XRE_RunAppShell () at ../../../toolkit/xre/nsEmbedFunctions.cpp:713
#11 0xb49f3a1a in mozilla::ipc::MessagePumpForChildProcess::Run (this=0xb3a01c70, aDelegate=0xbe92bdc8)
    at ../../../ipc/glue/MessagePump.cpp:272
#12 0xb49e1f6c in MessageLoop::RunInternal (this=0xbe92bdc8) at ../../../ipc/chromium/src/base/message_loop.cc:234
#13 0xb49e1f86 in RunHandler (this=0xbe92bdc8) at ../../../ipc/chromium/src/base/message_loop.cc:227
#14 MessageLoop::Run (this=0xbe92bdc8) at ../../../ipc/chromium/src/base/message_loop.cc:201
#15 0xb59a36c4 in XRE_InitChildProcess (aArgc=<optimized out>, aArgv=<optimized out>) at ../../../toolkit/xre/nsEmbedFunctions.cpp:550
#16 0x000092a2 in content_process_main (argc=7, argv=0xbe92c8b4) at ../../../ipc/app/../contentproc/plugin-container.cpp:158
#17 0xb6e9dd38 in __libc_init (raw_args=0xbe92c8b0, onexit=<optimized out>, slingshot=0x9301 <main(int, char**)>, structors=<optimized out>)
    at bionic/libc/bionic/libc_init_dynamic.cpp:112
#18 0x00009188 in _start ()
(gdb)
It seems much the same as bug 1069602, but I didn't have to tap the fast-forward or rewind buttons to reproduce it.
Below is the adb logcat for the music app process.

09-23 16:14:15.554 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.554 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.554 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.554 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.554 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.554 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.554 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.564 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.564 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.564 I/Gecko   (15441): [15441] WARNING: XPCOM objects created/destroyed from static ctor/dtor: file ../../../xpcom/base/nsTraceRefcnt.cpp, line 144
09-23 16:14:15.574 I/Gecko   (15441): [Child 15441] WARNING: '!compMgr', file /home/sywu/work/mozilla-central/xpcom/glue/nsComponentManagerUtils.cpp, line 63
09-23 16:14:15.574 I/Gecko   (15441): [Child 15441] WARNING: NS_ENSURE_TRUE(svc) failed: file ../../../dom/ipc/nsIContentChild.cpp, line 31
09-23 16:14:15.574 I/Gecko   (15441): [Child 15441] WARNING: '!compMgr', file /home/sywu/work/mozilla-central/xpcom/glue/nsComponentManagerUtils.cpp, line 63
09-23 16:14:15.704 E/(Preallocated app)(15441): Failed to load native module at path '/system/b2g/components/libxpcomsample.so': (80004005) dlopen failed: library "/system/b2g/components/libxpcomsample.so" not found
09-23 16:14:16.034 E/(Preallocated app)(15441): [JavaScript Warning: "SyntaxError: octal literals and octal escape sequences are deprecated" {file: "jar:file:///system/b2g/omni.ja!/components/DirectoryProvider.js" line: 205 column: 46 source: "        dir.create(Ci.nsIFile.DIRECTORY_TYPE, 0770);
09-23 16:14:16.034 E/(Preallocated app)(15441): "}]
09-23 16:14:16.034 E/(Preallocated app)(15441): [JavaScript Warning: "SyntaxError: octal literals and octal escape sequences are deprecated" {file: "jar:file:///system/b2g/omni.ja!/components/DirectoryProvider.js" line: 205 column: 46 source: "        dir.create(Ci.nsIFile.DIRECTORY_TYPE, 0770);
09-23 16:14:16.034 E/(Preallocated app)(15441): "}]
09-23 16:14:16.034 E/(Preallocated app)(15441): [JavaScript Warning: "SyntaxError: octal literals and octal escape sequences are deprecated" {file: "jar:file:///system/b2g/omni.ja!/components/DirectoryProvider.js" line: 205 column: 46 source: "        dir.create(Ci.nsIFile.DIRECTORY_TYPE, 0770);
09-23 16:14:16.034 E/(Preallocated app)(15441): "}]
09-23 16:14:16.124 I/Gecko   (15441): [Child 15441] WARNING: Unable to printf the requested string due to error.: file ../../../ipc/chromium/src/base/string_util.cc, line 427
09-23 16:14:16.374 I/Gecko   (15441): [Child 15441] WARNING: nsWindow::GetNativeData not implemented for this type: file ../../../widget/xpwidgets/PuppetWidget.cpp, line 792
09-23 16:14:16.374 I/Gecko   (15441): ++DOCSHELL 0xb1869400 == 1 [pid = 15441] [id = 1]
09-23 16:14:16.374 I/Gecko   (15441): ++DOMWINDOW == 1 (0xb2e99390) [pid = 15441] [serial = 1] [outer = 0x0]
09-23 16:14:16.444 I/Gecko   (15441): ###################################### forms.js loaded
09-23 16:14:16.464 I/Gecko   (15441): ############################### browserElementPanning.js loaded
09-23 16:14:16.514 I/Gecko   (15441): ######################## BrowserElementChildPreload.js loaded
09-23 16:14:16.584 I/Gecko   (15441): ++DOMWINDOW == 2 (0xb2e99730) [pid = 15441] [serial = 2] [outer = 0xb2e99390]
09-23 16:14:17.404 I/Gecko   (15441): [Child 15441] WARNING: Channel provided to SetRequestContext is not an nsIHttpChannel so referrer is not available for reporting.: file ../../../../content/base/src/nsCSPContext.cpp, line 578
09-23 16:14:17.424 I/Gecko   (15441): ++DOMWINDOW == 3 (0xb2e99e70) [pid = 15441] [serial = 3] [outer = 0xb2e99390]
09-23 16:14:17.964 I/Gecko   (15441): [Child 15441] WARNING: NS_ENSURE_TRUE(startupCache) failed: file ../../../dom/xbl/nsXBLDocumentInfo.cpp, line 237
09-23 16:14:17.974 I/Gecko   (15441): [Child 15441] WARNING: NS_ENSURE_TRUE(startupCache) failed: file ../../../dom/xbl/nsXBLDocumentInfo.cpp, line 305
09-23 16:14:18.154 I/Gecko   (15441): [Child 15441] ###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file ../../../layout/style/nsStyleSet.cpp, line 247
09-23 16:14:18.174 I/Gecko   (15441): [Child 15441] ###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file ../../../layout/style/nsStyleSet.cpp, line 2076
09-23 16:14:18.334 I/Gecko   (15441): [Child 15441] WARNING: NS_ENSURE_TRUE(NS_SUCCEEDED(rv) && isAbout) failed: file ../../../dom/quota/QuotaManager.cpp, line 2035
09-23 16:14:18.544 I/Gecko   (15441): [Child 15441] ###!!! ASSERTION: style context has old rule node: 'n == mRuleTree', file ../../../layout/style/nsStyleSet.cpp, line 247
09-23 16:14:18.544 I/Gecko   (15441): [Child 15441] ###!!! ASSERTION: old rule tree still referenced: 'Not Reached', file ../../../layout/style/nsStyleSet.cpp, line 2076
09-23 16:14:19.154 I/Gecko   (15441): [Child 15441] WARNING: Bluetooth has already been enabled/disabled before or the toggling is failed.: file ../../../dom/bluetooth/BluetoothService.cpp, line 527
09-23 16:14:19.174 I/Gecko   (15441): [Child 15441] WARNING: Channel provided to SetRequestContext is not an nsIHttpChannel so referrer is not available for reporting.: file ../../../../content/base/src/nsCSPContext.cpp, line 578
09-23 16:14:19.524 I/Gecko   (15441): [Child 15441] WARNING: Don't know if this stream is seekable yet!: file ../../../dom/ipc/Blob.cpp, line 415
09-23 16:14:19.594 E/WVMExtractor(15441): Failed to open libwvm.so
09-23 16:14:19.604 D/QCUtils (15441): extended extractor not needed, return default
09-23 16:14:19.604 I/OMXClient(15441): Using client-side OMX mux.
09-23 16:14:19.614 E/OMXMaster(15441): A component of name 'OMX.qcom.audio.decoder.aac' already exists, ignoring this one.
09-23 16:14:19.614 I/Gecko   (15441): [Child 15441] WARNING: Couldn't create OMX audio source: file ../../../../content/media/omx/OmxDecoder.cpp, line 340
09-23 16:14:19.614 I/Gecko   (15441): [Child 15441] WARNING: Decoder=b0a01480 ReadMetadata failed, res=80004005 HasValidMedia=0: file ../../../content/media/MediaDecoderStateMachine.cpp, line 1943
09-23 16:14:19.614 I/Gecko   (15441): [Child 15441] WARNING: Decoder=b0a01480 Decode metadata failed, shutting down decoder: file ../../../content/media/MediaDecoderStateMachine.cpp, line 1902
09-23 16:14:19.614 I/Gecko   (15441): [Child 15441] WARNING: Decoder=b0a01480 Decode error, changed state to SHUTDOWN due to error: file ../../../content/media/MediaDecoderStateMachine.cpp, line 1875
09-23 16:14:19.624 E/Music   (15441): [JavaScript Warning: "Media resource blob:app://music.gaiamobile.org/24df6c3c-ad99-4edb-ad25-f7fec1f66cef could not be decoded." {file: "app://music.gaiamobile.org/index.html#mix" line: 0}]
Hi Shian-Yow,

Would you mind sharing your mp3 file?

I've tried my flame with the following configuration but no similar crash issue occurred.
 - base image: v123
 - gecko: 206591:790f41c631cc
 - gaia: a0fa29db8e9e15afe3b1787bf494caa86a033f10
 - build flags: B2G_DEBUG=1, NOFTU=1
(In reply to Bruce Sun [:brsun] from comment #4)
> Hi Shian-Yow,
> 
> Would you mind sharing your mp3 file?
> 
> I've tried my flame with the following configuration but no similar crash
> issue occurred.
>  - base image: v123
>  - gecko: 206591:790f41c631cc
>  - gaia: a0fa29db8e9e15afe3b1787bf494caa86a033f10
>  - build flags: B2G_DEBUG=1, NOFTU=1

I have sent the mp3 file to you by e-mail.  Yes, it seems the crash is related to the mp3 file being tested.
(In reply to Shian-Yow Wu [:swu] from comment #5)
> I have sent the mp3 file to you by e-mail.  Yes, it seems the crash is
> related to the mp3 file being tested.

I got the same crash with that specific mp3 file as reported (regardless of whether B2G_DEBUG=1 or B2G_DEBUG=0).
Summary: Crash in mozilla::MediaOmxReader::NotifyDataArrived() → Crash in mozilla::MediaOmxReader::NotifyDataArrived() with specific mp3 file
Blocks: 1039901
Blocks: 927884
This might be the same cause as bug 1069602 and Randy is working on that.

Hi Shian-Yow,
Can you attach the problematic MP3 file to this bug to make it more accessible for testing?
Depends on: 1069602
Flags: needinfo?(swu)
Attached audio zero_mp3.mp3
Attached is the mp3 to reproduce the crash.
Flags: needinfo?(swu)
This crash signature is one of our top crashes right now on FxOS Nightly, seen with Flame, hamachi, Open C and Keon devices in the last week. Find more reports at https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3AMediaOmxReader%3A%3ANotifyDataArrived%28char%20const%2A%2C%20unsigned%20int%2C%20long%20long%29#tab-reports
blocking-b2g: --- → 2.2?
Crash Signature: [@ mozilla::MediaOmxReader::NotifyDataArrived(char const*, unsigned int, long long) ]
Keywords: crash, topcrash-b2g
Whiteboard: [b2g-crash]
Also note that those crash reports in the list in comment #9 have an address of 0x5a5a5a66, which is a small offset to the 5a5a... value we poison freed memory with.
And the earliest build they appear with is 20140917114326 (Flame and hamachi), so there's a good chance the regressing patch landed in the 12h before that.
This issue also happens on flame kk with that mp3 file.
Thanks Shian-Yow, 
Caused by the ProcessCachedData runnable still running after the reader has been destroyed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
blocking-b2g: 2.2? → ---
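
The root cause named in the last comment (a queued runnable running after its reader was destroyed) and the 0x5a5a5a66 fault address noted earlier, modelled as an added example; this is not Gecko code and not the actual fix for bug 1069602. `Reader`, `EventQueue`, `DispatchNotify`, `RunAll`, `NearFreePoison` and the 0x100 offset bound are hypothetical names and values chosen for illustration.

```cpp
#include <cstdint>
#include <deque>
#include <functional>
#include <memory>
#include <utility>

// Constructed model, not Gecko code: a reader that counts delivered chunks.
struct Reader {
    int notified = 0;
    void NotifyDataArrived(uint32_t /*aLength*/) { ++notified; }
};

using EventQueue = std::deque<std::function<void()>>;

// Hardened dispatch: the queued task holds only a weak reference and
// re-validates it when it finally runs, so a task that outlives the reader
// becomes a no-op. A task capturing a raw Reader* would instead dereference
// freed (poisoned) memory. `skipped` counts tasks dropped this way.
void DispatchNotify(EventQueue& q, const std::shared_ptr<Reader>& reader,
                    uint32_t len, int& skipped) {
    std::weak_ptr<Reader> weak = reader;
    q.push_back([weak, len, &skipped] {
        if (auto strong = weak.lock()) strong->NotifyDataArrived(len);
        else ++skipped;
    });
}

// Drain the queue the way an event loop would.
void RunAll(EventQueue& q) {
    while (!q.empty()) { auto task = std::move(q.front()); q.pop_front(); task(); }
}

// Triage helper: is a 32-bit fault address a small offset past the 0x5a
// free-poison pattern? maxOffset is an assumed bound for "small".
bool NearFreePoison(uint32_t faultAddr, uint32_t maxOffset = 0x100) {
    const uint32_t kPoison = 0x5a5a5a5au;
    return faultAddr >= kPoison && faultAddr - kPoison <= maxOffset;
}

// Scenario from the bug: a task is still queued when the reader is
// destroyed, then the event loop runs it. Returns the number skipped.
int SimulateShutdownRace() {
    EventQueue q;
    int skipped = 0;
    auto reader = std::make_shared<Reader>();
    DispatchNotify(q, reader, 32768, skipped);
    RunAll(q);        // reader alive: chunk delivered
    DispatchNotify(q, reader, 32768, skipped);
    reader.reset();   // reader destroyed with a task pending
    RunAll(q);        // pending task must not touch the dead reader
    return skipped;
}
```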