Closed
Bug 1156505
Opened 10 years ago
Closed 9 years ago
Stagefright: crash [@stagefright::SampleTable::isValid]
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
RESOLVED
FIXED
mozilla44
People
(Reporter: posidron, Assigned: mozbugz)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(3 files, 2 obsolete files)
|
15.57 KB,
application/octet-stream
|
Details | |
|
5.25 KB,
patch
|
mozbugz
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
|
1.84 KB,
patch
|
mozbugz
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-inbound-linux64-asan revision 20150331102803
See attachment.
Backtrace:
==28131==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f3d80de4bf8 sp 0x7f3d51f706f0 bp 0x7f3d51f706f0 T27)
#0 0x7f3d80de4bf7 in stagefright::SampleTable::isValid() const /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp:173
#1 0x7f3d80dc4ac1 in stagefright::MPEG4Extractor::verifyTrack(stagefright::MPEG4Extractor::Track*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:2426
#2 0x7f3d80dc287d in stagefright::MPEG4Extractor::parseChunk(long*, int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:900
#3 0x7f3d80dc2344 in stagefright::MPEG4Extractor::parseChunk(long*, int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:871
#4 0x7f3d80dbaf6c in stagefright::MPEG4Extractor::readMetaData() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:481
#5 0x7f3d80dbb91d in stagefright::MPEG4Extractor::countTracks() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:425
#6 0x7f3d80db5ad8 in mp4_demuxer::MP4Demuxer::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/mp4_demuxer.cpp:103
#7 0x7f3d85689df9 in bool mozilla::InvokeAndRetry<mozilla::MP4Reader, bool>(mozilla::MP4Reader*, bool (mozilla::MP4Reader::*)(), mozilla::MP4Stream*, mozilla::Monitor*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:127
#8 0x7f3d85688558 in mozilla::MP4Reader::ReadMetadata(mozilla::MediaInfo*, nsDataHashtable<nsCStringHashKey, nsCString>**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:351
#9 0x7f3d8536b80b in mozilla::MediaDecoderReader::CallReadMetadata() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderReader.cpp:211
#10 0x7f3d853fb870 in mozilla::detail::MethodCallWithNoArgs<mozilla::MediaPromise<nsRefPtr<mozilla::MetadataHolder>, mozilla::ReadMetadataFailureReason, true>, mozilla::MediaDecoderReader>::Invoke() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaPromise.h:594
#11 0x7f3d853fa17a in mozilla::detail::ProxyRunnable<mozilla::MediaPromise<nsRefPtr<mozilla::MetadataHolder>, mozilla::ReadMetadataFailureReason, true> >::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaPromise.h:638
#12 0x7f3d853ebfb8 in mozilla::MediaTaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:226
#13 0x7f3d80f6adda in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:225
#14 0x7f3d80f6b19c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:239
#15 0x7f3d80f65224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
#16 0x7f3d80fc731a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
#17 0x7f3d818175cf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:339
#18 0x7f3d817a8c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
#19 0x7f3d817a8c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
#20 0x7f3d817a8c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
#21 0x7f3d80f61cd8 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:349
#22 0x7f3d8d3f9135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
#23 0x7f3d8da37181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp:173 stagefright::SampleTable::isValid() const
Thread T27 (Media P~back #2) created by T26 (Media P~back #1) here:
#0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
#1 0x7f3d8d3f5abd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
#2 0x7f3d8d3f563a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
#3 0x7f3d80f6303b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:460
#4 0x7f3d80f6881e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:349
#5 0x7f3d80f69e45 in nsThreadPool::PutEvent(nsIRunnable*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:101
#6 0x7f3d80f6b6a6 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:266
#7 0x7f3d853ec2da in mozilla::MediaTaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:258
#8 0x7f3d80f6adda in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:225
#9 0x7f3d80f6b19c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:239
#10 0x7f3d80f65224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
#11 0x7f3d80fc731a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
#12 0x7f3d818175cf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:339
#13 0x7f3d817a8c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
#14 0x7f3d817a8c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
#15 0x7f3d817a8c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
#16 0x7f3d80f61cd8 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:349
#17 0x7f3d8d3f9135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
#18 0x7f3d8da37181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
Thread T26 (Media P~back #1) created by T0 (Web Content) here:
#0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
#1 0x7f3d8d3f5abd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
#2 0x7f3d8d3f563a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
#3 0x7f3d80f6303b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:460
#4 0x7f3d80f6881e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:349
#5 0x7f3d80f69e45 in nsThreadPool::PutEvent(nsIRunnable*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:101
#6 0x7f3d80f6b6a6 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:266
#7 0x7f3d853e9e38 in mozilla::MediaTaskQueue::DispatchLocked(mozilla::TemporaryRef<nsIRunnable>, mozilla::MediaTaskQueue::DispatchMode) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:60
#8 0x7f3d8535af1b in TaskQueue /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:34
#9 0x7f3d8535af1b in mozilla::MediaDecoderStateMachine::ScheduleStateMachine() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:3290
#10 0x7f3d85359c46 in ScheduleStateMachineThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoder.cpp:753
#11 0x7f3d85359c46 in mozilla::MediaDecoder::InitializeStateMachine(mozilla::MediaDecoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoder.cpp:719
#12 0x7f3d85169f45 in mozilla::dom::HTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:2800
#13 0x7f3d85155f60 in mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:2757
#14 0x7f3d85154c0c in mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:366
#15 0x7f3d810c533b in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsBaseChannel.cpp:754
#16 0x7f3d81103abe in nsInputStreamPump::OnStateStart() /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsInputStreamPump.cpp:531
#17 0x7f3d8110308e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsInputStreamPump.cpp:433
#18 0x7f3d80f29039 in nsInputStreamReadyEvent::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/io/nsStreamUtils.cpp:91
#19 0x7f3d80f65224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
#20 0x7f3d80fc731a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
#21 0x7f3d81816789 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:99
#22 0x7f3d817a8c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
#23 0x7f3d817a8c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
#24 0x7f3d817a8c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
#25 0x7f3d86187c77 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:164
#26 0x7f3d87d01b72 in XRE_RunAppShell /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:746
#27 0x7f3d817a8c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
#28 0x7f3d817a8c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
#29 0x7f3d817a8c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
#30 0x7f3d87d011a3 in XRE_InitChildProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:583
#31 0x48ce71 in content_process_main(int, char**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
#32 0x7f3d7eae1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Updated•10 years ago
|
Summary: OpenH264: crash [@stagefright::SampleTable::isValid] → Stagefright: crash [@stagefright::SampleTable::isValid]
|
|
Reporter | |
Updated•10 years ago
|
No longer blocks: WebRTC-OpenH264, fuzzing-openh264
|
|
Reporter | |
Updated•10 years ago
|
Component: WebRTC: Audio/Video → Video/Audio
|
|
Reporter | |
Updated•9 years ago
|
Blocks: fuzzing-stagefright
|
||
Updated•9 years ago
|
Component: Audio/Video → Audio/Video: Playback
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → gsquelart
|
|
Assignee | |
Comment 2•9 years ago
|
||
Part 1: Test case in gtest.
Attachment #8668311 -
Flags: review?(giles)
|
|
Assignee | |
Comment 3•9 years ago
|
||
Part 2: Null-check sampleTable before use.
Attachment #8668312 -
Flags: review?(giles)
|
||
Updated•9 years ago
|
Attachment #8668311 -
Flags: review?(giles) → review+
|
|
||
Comment 4•9 years ago
|
||
Comment on attachment 8668312 [details] [diff] [review]
1156505-p2-nulltest-sampletable.patch
Review of attachment 8668312 [details] [diff] [review]:
-----------------------------------------------------------------
::: media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -2538,5 @@
> if (track == NULL) {
> return NULL;
> }
>
> - ALOGV("getTrack called, pssh: %d", mPssh.size());
Huh. I didn't know nsTArray had a ::size() method. Where does this come from?
Attachment #8668312 -
Flags: review?(giles) → review+
|
|
Assignee | |
Comment 5•9 years ago
|
||
(In reply to Ralph Giles (:rillian) from comment #4)
> Comment on attachment 8668312 [details] [diff] [review]
> 1156505-p2-nulltest-sampletable.patch
>
> Review of attachment 8668312 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> :::
> media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
> @@ -2532,1 @@
> > - ALOGV("getTrack called, pssh: %d", mPssh.size());
>
> Huh. I didn't know nsTArray had a ::size() method. Where does this come from?
mPssh was previously a stagefright Vector, which has a size() method. It was changed to nsTArray in bug 1185115.
But this line was missed because it's only compiled when verbose logging is enabled.
|
|
Assignee | |
Comment 6•9 years ago
|
||
In fact, the size->Length fix has already been done in bug 1207909!
(It was in this patch so that I could debug&test it in isolation before bug 1207909 landed.)
This is a simple rebase without that obsolete hunk. Carrying r+ from comment 4.
Attachment #8668312 -
Attachment is obsolete: true
Attachment #8669212 -
Flags: review+
|
|
Assignee | |
Comment 7•9 years ago
|
||
Keywords: checkin-needed
https://hg.mozilla.org/integration/mozilla-inbound/rev/b05d8992f36c
https://hg.mozilla.org/integration/mozilla-inbound/rev/dd628d2021d5
Keywords: checkin-needed
|
|
Assignee | |
Comment 10•9 years ago
|
||
Part 1 with actual test file. Carrying r+.
Attachment #8668311 -
Attachment is obsolete: true
Attachment #8669594 -
Flags: review+
|
|
Assignee | |
Comment 11•9 years ago
|
||
Try with correct files matching those in this bug: https://treeherder.mozilla.org/#/jobs?repo=try&revision=f364ae7d0c39
Keywords: checkin-needed
|
||
Comment 12•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/22384f4ad5e1
https://hg.mozilla.org/integration/mozilla-inbound/rev/29467b3d2124
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/22384f4ad5e1
https://hg.mozilla.org/mozilla-central/rev/29467b3d2124
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
|
|
Assignee | |
Comment 14•9 years ago
|
||
Comment on attachment 8669212 [details] [diff] [review]
1156505-p2-nulltest-sampletable.patch v2
Approval Request Comment
[Feature/regressing bug #]: mp4 playback
[User impact if declined]: crashes with some invalid videos
[Describe test coverage new/current, TreeHerder]: gtest, 2 weeks in central
[Risks and why]: none, it's only adding a pointer check before dereferencing
[String/UUID change made/needed]: n/a
Attachment #8669212 -
Flags: approval-mozilla-beta?
Attachment #8669212 -
Flags: approval-mozilla-aurora?
|
||
Updated•9 years ago
|
status-firefox42:
--- → affected
status-firefox43:
--- → affected
|
|
||
Comment 15•9 years ago
|
||
Comment on attachment 8669212 [details] [diff] [review]
1156505-p2-nulltest-sampletable.patch v2
Fix a crash, taking it, should be in 42 beta 9
Attachment #8669212 -
Flags: approval-mozilla-beta?
Attachment #8669212 -
Flags: approval-mozilla-beta+
Attachment #8669212 -
Flags: approval-mozilla-aurora?
Attachment #8669212 -
Flags: approval-mozilla-aurora+
|
||
Comment 16•9 years ago
|
||
|
|
||
Comment 17•9 years ago
|
||
this does not apply to beta, gerald could you take a look :
merging media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
warning: conflicts during merge.
merging media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp incomplete! (edit conflicts, then use 'hg resolve --mark')
abort: unresolved conflicts, can't continue
(use hg resolve and hg graft --continue)
Flags: needinfo?(gsquelart)
|
|
||
Comment 18•9 years ago
|
||
the conflict was caused because that bug here needed another bug that landed now on beta.
So landed again :)
https://hg.mozilla.org/releases/mozilla-beta/rev/6b8a2f0f4e2e
Flags: needinfo?(gsquelart)
You need to log in
before you can comment on or make changes to this bug.
Description
•