Crash in mozilla::ResourceQueue::CopyData(unsigned long long, unsigned int, char*)

RESOLVED DUPLICATE of bug 1102612

Status

()

P1
critical
RESOLVED DUPLICATE of bug 1102612
4 years ago
4 years ago

People

(Reporter: bobbyholley, Assigned: mattwoodrow)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(URL)

https://crash-stats.mozilla.com/report/index/3a295154-0901-40e8-be67-e203b2150104

This is Nick's crash, which he posted on yammer. It like a demuxer race on first glance (since calling out to read releases the demuxer lock), but the buffer passed on is freshly new[]ed, and I don't see how it could be getting switched out from under us.

Nick, can you reproduce this reliably?
Flags: needinfo?(nick)
This can happen if InputExhausted() gets called from the decoder queue after the MediaSource gets torn down. That will call PopSample() which calls SourceBufferResource::Read().
Matt - can I get you to look into this one?
Flags: needinfo?(matt.woodrow)
Assignee: nobody → matt.woodrow
Flags: needinfo?(matt.woodrow)
Severity: normal → critical
(Assignee)

Comment 3

4 years ago
(In reply to Anthony Jones (:kentuckyfriedtakahe, :k17e) from comment #1)
> This can happen if InputExhausted() gets called from the decoder queue after
> the MediaSource gets torn down. That will call PopSample() which calls
> SourceBufferResource::Read().

Can you explain this more please :)

From what I can see, the source data is strongly owned by ResourceItem objects in the ResourceQueue, and the destination pointer was allocated just up the stack in SampleIterator::GetNext.

I can't see how either of those could be invalid, so we must instead be adjusting one of them by an invalid offset, or using an invalid length.

My guess would be that we're overflowing somewhere, or getting signed/unsigned mixed up. It's hard to tell exactly which from the crash report, though a debugger or minidump would make this fairly easy to track down.

I also only see one instance of this crash on crash-stats, are we sure this is critical?
(Assignee)

Comment 5

4 years ago
Neither of those appear to be this bug (though they are the same as each other, and probably want a bug filed).

Updated

4 years ago
Blocks: 1118945
Haven't seen this since, will follow up if I do.
Flags: needinfo?(nick)
Taking off beta blocking list. We will debug a Windows crash dump if we see one.
No longer blocks: 1118945
(Assignee)

Comment 9

4 years ago
Dropping priority to P2, given the lack of crash reports.
Priority: P1 → P2

Comment 10

4 years ago
Matt, is this a dup of another bug? Anthony thinks it is.
Flags: needinfo?(matt.woodrow)
Priority: P2 → P1
(Assignee)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(matt.woodrow)
Resolution: --- → DUPLICATE
Duplicate of bug: 1102612
You need to log in before you can comment on or make changes to this bug.