Firefox crash in mozilla::MFTDecoder::Input(unsigned char const*, unsigned int, __int64)

RESOLVED FIXED in Firefox 37

Status

()

defect
P1
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: marcia, Assigned: mattwoodrow)

Tracking

(Blocks 1 bug, {crash})

37 Branch
mozilla39
x86
Windows NT
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox37+ fixed, firefox38+ fixed, firefox39 fixed)

Details

(crash signature)

Attachments

(1 attachment)

This bug was filed from the Socorro interface and is 
report bp-b620182d-ba98-4330-bc46-527a72150212.
=============================================================

Seen while looking at Aurora crash stats. Small volume crash seen as recently as Build 2015021200 with crashes dating back to 2015020300. Product breakdown shows other crashes on Beta and 35.0.1 as well, so not specific to Aurora.

Link to crashes: https://crash-stats.mozilla.com/report/list?signature=mozilla::MFTDecoder::Input%28unsigned%20char%20const*,%20unsigned%20int,%20__int64%29

Almost all URLs are youtube.com - some samples:

Truncate URLs
Total Count 	URL
2 	https://www.youtube.com/watch?v=-rdK1oDiQtI
1 	https://www.youtube.com/watch?v=FtuoEtohPv4
1 	http://www.youtube.com/watch?v=96VpplqGe6M
1 	https://www.youtube.com/watch?v=ct0StLPZI7Q
1 	https://www.youtube.com/watch?v=we9_CdNPuJg
1 	https://www.youtube.com/watch?v=fNSXAHLX0Uk
1 	https://www.youtube.com/watch?v=t7XtzYQYm5I
1 	https://www.youtube.com/watch?v=QrVoZ43eF_g


Frame 	Module 	Signature 	Source
0 	xul.dll 	mozilla::MFTDecoder::Input(unsigned char const*, unsigned int, __int64) 	dom/media/fmp4/wmf/MFTDecoder.cpp
1 	xul.dll 	mozilla::WMFVideoMFTManager::Input(mp4_demuxer::MP4Sample*) 	dom/media/fmp4/wmf/WMFVideoMFTManager.cpp
2 	xul.dll 	mozilla::WMFMediaDataDecoder::ProcessDecode(mp4_demuxer::MP4Sample*) 	dom/media/fmp4/wmf/WMFMediaDataDecoder.cpp
3 	xul.dll 	nsRunnableMethodImpl<void ( mozilla::DataStorage::*)(char const*), char const*, 1>::Run() 	xpcom/glue/nsThreadUtils.h
4 	xul.dll 	mozilla::MediaTaskQueue::Runner::Run() 	dom/media/MediaTaskQueue.cpp
5 	xul.dll 	nsThreadPool::Run() 	xpcom/threads/nsThreadPool.cpp
6 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
7 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
8 	xul.dll 	mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
9 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
10 	xul.dll 	MessageLoop::Run() 	ipc/chromium/src/base/message_loop.cc
11 	xul.dll 	nsThread::ThreadFunc(void*) 	xpcom/threads/nsThread.cpp
12 	nss3.dll 	_PR_NativeRunThread 	nsprpub/pr/src/threads/combined/pruthr.c
13 	nss3.dll 	pr_root 	nsprpub/pr/src/md/windows/w95thred.c
14 	msvcr120.dll 	_callthreadstartex 	f:\dd\vctools\crt\crtw32\startup\threadex.c:376
15 	msvcr120.dll 	msvcr120.dll@0x2c000 	
16 	kernel32.dll 	BaseThreadInitThunk 	
17 	ntdll.dll 	__RtlUserThreadStart 	
18 	ntdll.dll 	_RtlUserThreadStart

Updated

4 years ago
Flags: needinfo?(cpearce)
Priority: -- → P1
Assignee

Comment 1

4 years ago
0x2c is the offset of mDecoder within MFTDecoder, so mDecoder in WMFVideoMFTManager::Input must be nullptr.

Comment 2

4 years ago
Matt, are you working on this? Just wondering what the next steps are.
Assignee

Comment 3

4 years ago
No, I assumed cpearce would be, I don't know this code very well.

I can take a look if cpearce is too busy with EME though. Chris?
(In reply to Matt Woodrow (:mattwoodrow) from comment #3)
> I can take a look if cpearce is too busy with EME though. Chris?

Yes please!
Flags: needinfo?(cpearce) → needinfo?(matt.woodrow)
Assignee

Comment 5

4 years ago
Looks like this can happen during MediaDecoderReader::Shutdown().

We call ReleaseMediaResources, which will (via the PDM task queue) call Shutdown, and release mDecoder.

We then also wait for the decoder task queue to complete, which could include a RequestVideoData/Input task.
Assignee: nobody → matt.woodrow
Flags: needinfo?(matt.woodrow)
Attachment #8568375 - Flags: review?(cpearce)
Attachment #8568375 - Flags: review?(cpearce) → review+
Comment on attachment 8568375 [details] [diff] [review]
Avoid crash when calling Input after Shutdown

Approval Request Comment
[Feature/regressing bug #]: MSE
[User impact if declined]: Crashes playing youtube and other MSE video.
[Describe test coverage new/current, TreeHerder]: Green on inbound.
[Risks and why]: Risk is minimal. Returns failure instead of crashing in an error condition.
[String/UUID change made/needed]: None
Attachment #8568375 - Flags: approval-mozilla-beta?
Attachment #8568375 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/4b19506f6313
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
Attachment #8568375 - Flags: approval-mozilla-beta?
Attachment #8568375 - Flags: approval-mozilla-beta+
Attachment #8568375 - Flags: approval-mozilla-aurora?
Attachment #8568375 - Flags: approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.