Closed Bug 1149814 Opened 10 years ago Closed 9 years ago

Mac OS X Kernel Panic

Categories

(Core :: Audio/Video: Playback, defect, P1)

36 Branch
x86_64
macOS
defect

Tracking


RESOLVED WORKSFORME

People

(Reporter: andrysco, Unassigned, NeedInfo)

Details

(Keywords: crash, sec-vector, Whiteboard: Apple bug #20557141)

Attachments

(5 files)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150306140302

Steps to reproduce:

We ran a fuzz testing tool that simultaneously plays hundreds of MP4 video files using the video tag. Source code on GitHub: https://github.com/marcandrysco/CSE227-Project

Actual results:

Mac OS X kernel panic.

Expected results:

No kernel panic.
OS: Linux → Mac OS X
Can you provide more info (dumps etc.) from the kernel panic? Have you reported this to Apple?
Flags: needinfo?(andrysco)
I just added the 5 kernel dumps we were able to collect. As you'll see, it varies between a page fault and a general protection fault, but always in Apple's video decoder process. Furthermore, the kernel panic doesn't happen until we have at least 400 or so corrupted MP4s playing simultaneously, so we suspect there may be a race condition involved. We have not submitted a bug report to Apple yet, as we weren't able to trigger the panic from any other browser.
Component: Untriaged → Video/Audio
Flags: needinfo?(ajones)
Product: Firefox → Core
Flags: needinfo?(andrysco)
Flags: needinfo?(ajones)
Blocks: MSE
Priority: -- → P1
Anthony: why does this block the MSE bug? The linked fuzzer doesn't appear to use MediaSource in any way.
Flags: needinfo?(ajones)
Marc: do you have any clues which video(s) were being played when you got the kernel panics?
Flags: needinfo?(andrysco)
(In reply to Daniel Veditz [:dveditz] from comment #10)
> Anthony: why does this block the MSE bug? The linked fuzzer doesn't appear
> to use MediaSource in any way.

The blocking MSE flag is used to track bugs that do/could break MSE.
Flags: needinfo?(ajones)
Marc, can you file a bug with Apple regardless? Even if it turns out to be something we can address in Firefox, the fact that it happens in Apple's video decoder process would be something that would concern them.
I've filed a bug with Apple (#20557141, but I'm guessing it won't be publicly visible). I'm not convinced there's a specific video that causes the panic, rather it appears to be a race condition. We initially got the panic after loading a page with around 1000 MP4s playing. I tried to narrow down the source by playing one video at a time, but could not reproduce the panic. Then I tried adding videos to the page incrementally, and was able to reproduce the panic consistently once about 420 videos were playing simultaneously (the selection of videos did not seem to matter).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: sec-vector
Whiteboard: Apple bug #20557141
Jean-Yves, do you think this kernel panic is related to the VideoToolbox crash in bug 1187103 (fixed by bug 1061525)?
Component: Audio/Video → Audio/Video: Playback
Flags: needinfo?(jyavenard)
Keywords: crash
See Also: → 1187103, 1061525
Could be... it's hard to say really. The symptoms are extremely different, so while it's certainly a bug in Apple's VideoToolbox, I doubt it's the same.
Flags: needinfo?(jyavenard)
Group: core-security → media-core-security
Not an MSE issue; and I'm assuming the problem is with the RGBA VT bug which we now avoid.
No longer blocks: MSE
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Group: media-core-security