Firefox crash in mozilla::TrackBuffer::EvictData(unsigned int)

VERIFIED FIXED in Firefox 36

Status

()

defect
P1
critical
VERIFIED FIXED
4 years ago
4 years ago

People

(Reporter: marcia, Assigned: mattwoodrow)

Tracking

(Blocks 1 bug, {crash})

Trunk
mozilla37
All
macOS
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox36 verified, firefox37 verified)

Details

(crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is 
report bp-ee52499a-eafa-41ea-a80a-c0b682150107.
=============================================================

Seen while combing through Mac specific crashes. This appears to be the same user with several dupes, but the stack looked like it might be of interest - report are here: https://crash-stats.mozilla.com/report/list?signature=mozilla::TrackBuffer::EvictData%28unsigned%20int%29.

Adding matt since it looks as if he touched code in this area at some point. I looked around crash-stats and I could not find any Windows report with a similar signature.

Frame 	Module 	Signature 	Source
0 	XUL 	mozilla::TrackBuffer::EvictData(unsigned int) 	dom/media/mediasource/TrackBuffer.cpp
1 	XUL 	mozilla::dom::SourceBuffer::PrepareAppend(mozilla::ErrorResult&) 	dom/media/mediasource/SourceBuffer.cpp
2 	XUL 	mozilla::dom::SourceBuffer::AppendData(unsigned char const*, unsigned int, mozilla::ErrorResult&) 	dom/media/mediasource/SourceBuffer.cpp
3 	XUL 	mozilla::dom::SourceBufferBinding::appendBuffer 	obj-firefox/x86_64/dom/bindings/SourceBufferBinding.cpp
4 	XUL 	mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) 	dom/bindings/BindingUtils.cpp
5 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/jscntxtinlines.h
6 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
7 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
8 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
9 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
10 	XUL 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
11 	XUL 	mozilla::dom::PromiseInit::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, mozilla::ErrorResult&) 	obj-firefox/x86_64/dom/bindings/PromiseBinding.cpp
12 	XUL 	mozilla::dom::Promise::CallInitFunction(mozilla::dom::GlobalObject const&, mozilla::dom::PromiseInit&, mozilla::ErrorResult&) 	obj-firefox/x86_64/dist/include/mozilla/dom/PromiseBinding.h
13 	XUL 	mozilla::dom::Promise::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::PromiseInit&, mozilla::ErrorResult&) 	dom/promise/Promise.cpp
14 	XUL 	mozilla::dom::PromiseBinding::_constructor 	obj-firefox/x86_64/dom/bindings/PromiseBinding.cpp
15 	XUL 	js::InvokeConstructor(JSContext*, JS::CallArgs) 	js/src/jscntxtinlines.h
16 	XUL 	Interpret 	js/src/vm/Interpreter.cpp
17 	XUL 	js::RunScript(JSContext*, js::RunState&) 	js/src/vm/Interpreter.cpp
18 	XUL 	js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) 	js/src/vm/Interpreter.cpp
19 	XUL 	js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) 	js/src/vm/Interpreter.cpp
20 	XUL 	JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) 	js/src/jsapi.cpp
21 	XUL 	mozilla::dom::AnyCallback::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) 	obj-firefox/x86_64/dom/bindings/PromiseBinding.cpp
22 	XUL 	mozilla::dom::WrapperPromiseCallback::Call(JSContext*, JS::Handle<JS::Value>) 	obj-firefox/x86_64/dist/include/mozilla/dom/PromiseBinding.h
23 	XUL 	mozilla::dom::PromiseCallbackTask::Run() 	dom/promise/Promise.cpp
24 	XUL 	mozilla::dom::Promise::PerformMicroTaskCheckpoint() 	dom/promise/Promise.cpp
25 	XUL 	_ZThn8_N11nsXPConnect21AfterProcessNextEventEP17nsIThreadInternaljb 	js/xpconnect/src/nsXPConnect.cpp
26 	XUL 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
27 	XUL 	NS_ProcessPendingEvents(nsIThread*, unsigned int) 	xpcom/glue/nsThreadUtils.cpp
28 	XUL 	nsBaseAppShell::NativeEventCallback() 	widget/nsBaseAppShell.cpp
29 	XUL 	nsAppShell::ProcessGeckoEvents(void*) 	widget/cocoa/nsAppShell.mm
Ø 30 	CoreFoundation 	CoreFoundation@0x80660 	
Ø 31 	CoreFoundation 	CoreFoundation@0x727ec 	
Ø 32 	CoreFoundation 	CoreFoundation@0x71e1e 	
Ø 33 	CoreFoundation 	CoreFoundation@0x71837 	
Ø 34 	HIToolbox 	HIToolbox@0x2e43e 	
Ø 35 	HIToolbox 	HIToolbox@0x2e1b9 	
Ø 36 	HIToolbox 	HIToolbox@0x2dffa 	
Ø 37 	AppKit 	AppKit@0x246d0 	
Ø 38 	AppKit 	AppKit@0x23e7f 	
39 	XUL 	-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	widget/cocoa/nsAppShell.mm
Ø 40 	AppKit 	AppKit@0x17e22 	
41 	XUL 	nsAppShell::Run() 	widget/cocoa/nsAppShell.mm
42 	XUL 	XRE_RunAppShell 	toolkit/xre/nsEmbedFunctions.cpp
43 	XUL 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
44 	XUL 	XRE_InitChildProcess 	toolkit/xre/nsEmbedFunctions.cpp
45 	plugin-container 	main 	ipc/contentproc/plugin-container.cpp
46 	plugin-container 	start

Updated

4 years ago
Blocks: ytb37
Assignee: nobody → matt.woodrow
Attachment #8547272 - Flags: review?(ajones)
Attachment #8547272 - Flags: review?(ajones) → review+
https://hg.mozilla.org/mozilla-central/rev/225fd7ea8fc6
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Comment on attachment 8547272 [details] [diff] [review]
Handle an empty decoder list

Approval Request Comment
[Feature/regressing bug #]: MSE
[User impact if declined]: Crashes with YouTube.
[Describe test coverage new/current, TBPL]: Landed on m-c.
[Risks and why]: Low. One line, MSE-specific change.
[String/UUID change made/needed]: None.
Attachment #8547272 - Flags: approval-mozilla-beta?
Attachment #8547272 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
You need to log in before you can comment on or make changes to this bug.