Stagefright: crash [@stagefright::MPEG4Extractor::parseSegmentIndex]

RESOLVED FIXED in mozilla43

Status

Core
Audio/Video: Playback
--
critical
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: posidron, Assigned: gerald)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
mozilla43
x86_64
Mac OS X
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(1 attachment)

134.98 KB, application/octet-stream
(Reporter)

Description

3 years ago
The following testcase crashes on mozilla-inbound-linux64-asan revision 20150331102803

See attachment.

Backtrace:

==9708==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f168e165a13 sp 0x7f166d7e8f60 bp 0x7f166d7e9190 T27)
    #0 0x7f168e165a12 in operator-> /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/system/core/include/utils/StrongPointer.h:88
    #1 0x7f168e165a12 in stagefright::MPEG4Extractor::parseSegmentIndex(long, unsigned long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:2075
    #2 0x7f168e15f716 in stagefright::MPEG4Extractor::parseChunk(long*, int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:1900
    #3 0x7f168e158f6c in stagefright::MPEG4Extractor::readMetaData() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:481
    #4 0x7f168e15991d in stagefright::MPEG4Extractor::countTracks() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:425
    #5 0x7f168e153ad8 in mp4_demuxer::MP4Demuxer::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/mp4_demuxer.cpp:103
    #6 0x7f1692a27df9 in bool mozilla::InvokeAndRetry<mozilla::MP4Reader, bool>(mozilla::MP4Reader*, bool (mozilla::MP4Reader::*)(), mozilla::MP4Stream*, mozilla::Monitor*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:127
    #7 0x7f1692a26558 in mozilla::MP4Reader::ReadMetadata(mozilla::MediaInfo*, nsDataHashtable<nsCStringHashKey, nsCString>**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:351
    #8 0x7f169270980b in mozilla::MediaDecoderReader::CallReadMetadata() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderReader.cpp:211
    #9 0x7f1692799870 in mozilla::detail::MethodCallWithNoArgs<mozilla::MediaPromise<nsRefPtr<mozilla::MetadataHolder>, mozilla::ReadMetadataFailureReason, true>, mozilla::MediaDecoderReader>::Invoke() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaPromise.h:594
    #10 0x7f169279817a in mozilla::detail::ProxyRunnable<mozilla::MediaPromise<nsRefPtr<mozilla::MetadataHolder>, mozilla::ReadMetadataFailureReason, true> >::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaPromise.h:638
    #11 0x7f1692789fb8 in mozilla::MediaTaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:226
    #12 0x7f168e308dda in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:225
    #13 0x7f168e30919c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:239
    #14 0x7f168e303224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
    #15 0x7f168e36531a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #16 0x7f168ebb55cf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:339
    #17 0x7f168eb46c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #18 0x7f168eb46c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #19 0x7f168eb46c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #20 0x7f168e2ffcd8 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:349
    #21 0x7f169a797135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #22 0x7f169add5181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/system/core/include/utils/StrongPointer.h:88 operator->
Thread T27 (Media P~back #2) created by T26 (Media P~back #1) here:
    #0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f169a793abd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f169a79363a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f168e30103b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:460
    #4 0x7f168e30681e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:349
    #5 0x7f168e307e45 in nsThreadPool::PutEvent(nsIRunnable*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:101
    #6 0x7f168e3096a6 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:266
    #7 0x7f169278a2da in mozilla::MediaTaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:258
    #8 0x7f168e308dda in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:225
    #9 0x7f168e30919c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:239
    #10 0x7f168e303224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
    #11 0x7f168e36531a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #12 0x7f168ebb55cf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:339
    #13 0x7f168eb46c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #14 0x7f168eb46c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #15 0x7f168eb46c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #16 0x7f168e2ffcd8 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:349
    #17 0x7f169a797135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #18 0x7f169add5181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T26 (Media P~back #1) created by T0 (Web Content) here:
    #0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f169a793abd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f169a79363a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f168e30103b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:460
    #4 0x7f168e30681e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:349
    #5 0x7f168e307e45 in nsThreadPool::PutEvent(nsIRunnable*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:101
    #6 0x7f168e3096a6 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:266
    #7 0x7f1692787e38 in mozilla::MediaTaskQueue::DispatchLocked(mozilla::TemporaryRef<nsIRunnable>, mozilla::MediaTaskQueue::DispatchMode) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:60
    #8 0x7f16926f8f1b in TaskQueue /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:34
    #9 0x7f16926f8f1b in mozilla::MediaDecoderStateMachine::ScheduleStateMachine() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:3290
    #10 0x7f16926f7c46 in ScheduleStateMachineThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoder.cpp:753
    #11 0x7f16926f7c46 in mozilla::MediaDecoder::InitializeStateMachine(mozilla::MediaDecoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoder.cpp:719
    #12 0x7f1692507f45 in mozilla::dom::HTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:2800
    #13 0x7f16924f3f60 in mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:2757
    #14 0x7f16924f2c0c in mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:366
    #15 0x7f168e46333b in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsBaseChannel.cpp:754
    #16 0x7f168e4a1abe in nsInputStreamPump::OnStateStart() /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsInputStreamPump.cpp:531
    #17 0x7f168e4a108e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsInputStreamPump.cpp:433
    #18 0x7f168e2c7039 in nsInputStreamReadyEvent::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/io/nsStreamUtils.cpp:91
    #19 0x7f168e303224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
    #20 0x7f168e36531a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #21 0x7f168ebb4789 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #22 0x7f168eb46c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #23 0x7f168eb46c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #24 0x7f168eb46c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #25 0x7f1693525c77 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #26 0x7f169509fb72 in XRE_RunAppShell /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:746
    #27 0x7f168eb46c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #28 0x7f168eb46c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #29 0x7f168eb46c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #30 0x7f169509f1a3 in XRE_InitChildProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:583
    #31 0x48ce71 in content_process_main(int, char**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #32 0x7f168be7fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
(Reporter)

Comment 1

3 years ago
Created attachment 8594986 [details]
Testcase
(Reporter)

Updated

2 years ago
Blocks: 872136
(Assignee)

Comment 2

2 years ago
This was fixed by bug 1187067 (and/or other recent libstagefright fixes).
The following try-run uses the test case file from this bug in the libstagefright unit tests:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=427f65be7b10
Assignee: nobody → gsquelart
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Component: Audio/Video → Audio/Video: Playback
Resolution: --- → FIXED
Target Milestone: --- → mozilla43