1119033 - Firefox crash in mozilla::TrackBuffer::EvictData(unsigned int)

Status: VERIFIED FIXED

(Core :: Audio/Video, defect, P1)

Description

[Marcia Knous [:marcia]]

This bug was filed from the Socorro interface and is 
report bp-ee52499a-eafa-41ea-a80a-c0b682150107.
=============================================================

Seen while combing through Mac specific crashes. This appears to be the same user with several dupes, but the stack looked like it might be of interest - report are here: https://crash-stats.mozilla.com/report/list?signature=mozilla::TrackBuffer::EvictData%28unsigned%20int%29.

Adding matt since it looks as if he touched code in this area at some point. I looked around crash-stats and I could not find any Windows report with a similar signature.

Frame 	Module 	Signature 	Source
0 	XUL 	mozilla::TrackBuffer::EvictData(unsigned int) 	dom/media/mediasource/TrackBuffer.cpp
1 	XUL 	mozilla::dom::SourceBuffer::PrepareAppend(mozilla::ErrorResult&) 	dom/media/mediasource/SourceBuffer.cpp
2 	XUL 	mozilla::dom::SourceBuffer::AppendData(unsigned char const*, unsigned int, mozilla::ErrorResult&) 	dom/media/mediasource/SourceBuffer.cpp
3 	XUL 	mozilla::dom::SourceBufferBinding::appendBuffer 	obj-firefox/x86_64/dom/bindings/SourceBufferBinding.cpp
4 	XUL 	mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) 	dom/bindings/BindingUtils.cpp
5 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
6 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
7 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
8 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
9 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
10 	XUL 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
11 	XUL 	mozilla::dom::PromiseInit::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, mozilla::ErrorResult&) 	obj-firefox/x86_64/dom/bindings/PromiseBinding.cpp
12 	XUL 	mozilla::dom::Promise::CallInitFunction(mozilla::dom::GlobalObject const&, mozilla::dom::PromiseInit&, mozilla::ErrorResult&) 	obj-firefox/x86_64/dist/include/mozilla/dom/PromiseBinding.h
13 	XUL 	mozilla::dom::Promise::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::PromiseInit&, mozilla::ErrorResult&) 	dom/promise/Promise.cpp
14 	XUL 	mozilla::dom::PromiseBinding::_constructor 	obj-firefox/x86_64/dom/bindings/PromiseBinding.cpp
15 	XUL 	js::InvokeConstructor(JSContext*, JS::CallArgs) 	js/src/jscntxtinlines.h
16 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
17 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
18 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
19 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
20 	XUL 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
21 	XUL 	mozilla::dom::AnyCallback::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) 	obj-firefox/x86_64/dom/bindings/PromiseBinding.cpp
22 	XUL 	mozilla::dom::WrapperPromiseCallback::Call(JSContext*, JS::Handle<JS::Value>) 	obj-firefox/x86_64/dist/include/mozilla/dom/PromiseBinding.h
23 	XUL 	mozilla::dom::PromiseCallbackTask::Run() 	dom/promise/Promise.cpp
24 	XUL 	mozilla::dom::Promise::PerformMicroTaskCheckpoint() 	dom/promise/Promise.cpp
25 	XUL 	_ZThn8_N11nsXPConnect21AfterProcessNextEventEP17nsIThreadInternaljb 	js/xpconnect/src/nsXPConnect.cpp
26 	XUL 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
27 	XUL 	NS_ProcessPendingEvents(nsIThread*, unsigned int) 	xpcom/glue/nsThreadUtils.cpp
28 	XUL 	nsBaseAppShell::NativeEventCallback() 	widget/nsBaseAppShell.cpp
29 	XUL 	nsAppShell::ProcessGeckoEvents(void*) 	widget/cocoa/nsAppShell.mm
Ø 30 	CoreFoundation 	CoreFoundation@0x80660 	
Ø 31 	CoreFoundation 	CoreFoundation@0x727ec 	
Ø 32 	CoreFoundation 	CoreFoundation@0x71e1e 	
Ø 33 	CoreFoundation 	CoreFoundation@0x71837 	
Ø 34 	HIToolbox 	HIToolbox@0x2e43e 	
Ø 35 	HIToolbox 	HIToolbox@0x2e1b9 	
Ø 36 	HIToolbox 	HIToolbox@0x2dffa 	
Ø 37 	AppKit 	AppKit@0x246d0 	
Ø 38 	AppKit 	AppKit@0x23e7f 	
39 	XUL 	-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	widget/cocoa/nsAppShell.mm
Ø 40 	AppKit 	AppKit@0x17e22 	
41 	XUL 	nsAppShell::Run() 	widget/cocoa/nsAppShell.mm
42 	XUL 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
43 	XUL 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
44 	XUL 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
45 	plugin-container 	main 	ipc/contentproc/plugin-container.cpp
46 	plugin-container 	start

Comment 1

[Matt Woodrow (:mattwoodrow)]

Attachment: Handle an empty decoder list

Comment 2

[Matt Woodrow (:mattwoodrow)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/225fd7ea8fc6

Comment 3

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/225fd7ea8fc6

Comment 4

[Ralph Giles (:rillian)]

Comment on attachment 8547272 [details] [diff] [review]
Handle an empty decoder list

Approval Request Comment
[Feature/regressing bug #]: MSE
[User impact if declined]: Crashes with YouTube.
[Describe test coverage new/current, TBPL]: Landed on m-c.
[Risks and why]: Low. One line, MSE-specific change.
[String/UUID change made/needed]: None.

Comment 5

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/a78eb4dd84f0

Comment 6

[Bogdan Maris, Desktop Test Engineering]

Was unable to reproduce this issue, checking with Socorro no crashes were recorded in the last 14 days.
https://crash-stats.mozilla.com/report/list?range_unit=days&range_value=14&signature=mozilla%3A%3ATrackBuffer%3A%3AEvictData%28unsigned+int%29