Closed Bug 1156523 Opened 9 years ago Closed 9 years ago

MP4: OOM [@mp4_demuxer::Box::Read]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 1149278

People

(Reporter: posidron, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

Testcase 9 years ago Christoph Diehl [:posidron] 792.29 KB, application/octet-stream		Details

Christoph Diehl [:posidron]

Reporter

Description

•

9 years ago

The following testcase crashes on mozilla-inbound-linux64-asan revision 20150331102803

See attachment.

Backtrace:

==17028==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6ae008d10e sp 0x7f6ab3b109d0 bp 0x7f6ab3b109d0 T28)
    #0 0x7f6ae008d10d in NS_ABORT_OOM(unsigned long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:622
    #1 0x7f6ae00138b9 in SizeTooBig /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/toolkit/mozapps/extensions/../../../dist/include/nsTArray.h:189
    #2 0x7f6ae00138b9 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity(unsigned long, unsigned long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/toolkit/mozapps/extensions/../../../dist/include/nsTArray-inl.h:127
    #3 0x7f6adffcdb88 in InsertSlotsAt /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/layout/generic/../../dist/include/nsTArray-inl.h:281
    #4 0x7f6adffcdb88 in InsertElementsAt /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/layout/generic/../../dist/include/nsTArray.h:1561
    #5 0x7f6adffcdb88 in nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>::SetLength(unsigned long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/layout/generic/../../dist/include/nsTArray.h:1517
    #6 0x7f6adffcd859 in mp4_demuxer::Box::Read(nsTArray<unsigned char>*, mozilla::MediaByteRange const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/Box.cpp:132
    #7 0x7f6adffcd39c in mp4_demuxer::Box::Box(mp4_demuxer::BoxContext*, unsigned long, mp4_demuxer::Box const*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/Box.cpp:95
    #8 0x7f6adffd7ce9 in mp4_demuxer::MoofParser::BlockingReadNextMoof() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/MoofParser.cpp:108
    #9 0x7f6adffd6224 in Get /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/Index.cpp:173
    #10 0x7f6adffd6224 in mp4_demuxer::SampleIterator::GetNext() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/Index.cpp:89
    #11 0x7f6adffdc3d9 in mp4_demuxer::MP4Demuxer::DemuxAudioSample() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/mp4_demuxer.cpp:212
    #12 0x7f6adffdc341 in mp4_demuxer::MP4AudioDemuxer::DemuxSample() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/MP4TrackDemuxer.cpp:22
    #13 0x7f6ae48c7a97 in mozilla::MediaSample* mozilla::InvokeAndRetry<mozilla::TrackDemuxer, mozilla::MediaSample*>(mozilla::TrackDemuxer*, mozilla::MediaSample* (mozilla::TrackDemuxer::*)(), mozilla::MP4Stream*, mozilla::Monitor*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:127
    #14 0x7f6ae48c78e9 in PopSampleLocked /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:815
    #15 0x7f6ae48c78e9 in mozilla::MP4Reader::PopSample(mp4_demuxer::TrackType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:801
    #16 0x7f6ae48c6af6 in mozilla::MP4Reader::Update(mp4_demuxer::TrackType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:744
    #17 0x7f6ae48c9b8a in apply<mozilla::MP4Reader, void (mozilla::MP4Reader::*)(mp4_demuxer::TrackType)> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/fmp4/../../../dist/include/nsThreadUtils.h:587
    #18 0x7f6ae48c9b8a in nsRunnableMethodImpl<void (mozilla::MP4Reader::*)(mp4_demuxer::TrackType), true, mp4_demuxer::TrackType>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/fmp4/../../../dist/include/nsThreadUtils.h:666
    #19 0x7f6ae4624fb8 in mozilla::MediaTaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:226
    #20 0x7f6ae01a3dda in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:225
    #21 0x7f6ae01a419c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:239
    #22 0x7f6ae019e224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
    #23 0x7f6ae020031a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #24 0x7f6ae0a505cf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:339
    #25 0x7f6ae09e1c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #26 0x7f6ae09e1c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #27 0x7f6ae09e1c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #28 0x7f6ae019acd8 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:349
    #29 0x7f6aec632135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #30 0x7f6aecc70181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:622 NS_ABORT_OOM(unsigned long)
Thread T28 (Media P~back #3) created by T26 (Media P~back #1) here:
    #0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f6aec62eabd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f6aec62e63a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f6ae019c03b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:460
    #4 0x7f6ae01a181e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:349
    #5 0x7f6ae01a2e45 in nsThreadPool::PutEvent(nsIRunnable*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:101
    #6 0x7f6ae01a46a6 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:266
    #7 0x7f6ae4622e38 in mozilla::MediaTaskQueue::DispatchLocked(mozilla::TemporaryRef<nsIRunnable>, mozilla::MediaTaskQueue::DispatchMode) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:60
    #8 0x7f6ae46230ea in mozilla::MediaTaskQueue::ForceDispatch(mozilla::TemporaryRef<nsIRunnable>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:41
    #9 0x7f6ae4546c26 in mozilla::AbstractThreadImpl<mozilla::MediaTaskQueue>::Dispatch(already_AddRefed<nsIRunnable>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/AbstractThread.cpp:19
    #10 0x7f6ae45d35d7 in ProxyInternal<mozilla::MediaPromise<nsRefPtr<mozilla::MetadataHolder>, mozilla::ReadMetadataFailureReason, true>, mozilla::MediaTaskQueue> /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaPromise.h:656
    #11 0x7f6ae45d35d7 in DecodeTaskQueue /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaPromise.h:671
    #12 0x7f6ae45d35d7 in mozilla::MediaDecoderStateMachine::RunStateMachine() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:2581
    #13 0x7f6ae4638660 in apply<mozilla::MediaDecoderStateMachine, nsresult (mozilla::MediaDecoderStateMachine::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:574
    #14 0x7f6ae4638660 in nsRunnableMethodImpl<nsresult (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:666
    #15 0x7f6ae4624fb8 in mozilla::MediaTaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:226
    #16 0x7f6ae01a3dda in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:225
    #17 0x7f6ae01a419c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:239
    #18 0x7f6ae019e224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
    #19 0x7f6ae020031a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #20 0x7f6ae0a505cf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:339
    #21 0x7f6ae09e1c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #22 0x7f6ae09e1c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #23 0x7f6ae09e1c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #24 0x7f6ae019acd8 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:349
    #25 0x7f6aec632135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #26 0x7f6aecc70181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T26 (Media P~back #1) created by T0 (Web Content) here:
    #0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f6aec62eabd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f6aec62e63a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f6ae019c03b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:460
    #4 0x7f6ae01a181e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:349
    #5 0x7f6ae01a2e45 in nsThreadPool::PutEvent(nsIRunnable*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:101
    #6 0x7f6ae01a46a6 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:266
    #7 0x7f6ae4622e38 in mozilla::MediaTaskQueue::DispatchLocked(mozilla::TemporaryRef<nsIRunnable>, mozilla::MediaTaskQueue::DispatchMode) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:60
    #8 0x7f6ae4593f1b in TaskQueue /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:34
    #9 0x7f6ae4593f1b in mozilla::MediaDecoderStateMachine::ScheduleStateMachine() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:3290
    #10 0x7f6ae4592c46 in ScheduleStateMachineThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoder.cpp:753
    #11 0x7f6ae4592c46 in mozilla::MediaDecoder::InitializeStateMachine(mozilla::MediaDecoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoder.cpp:719
    #12 0x7f6ae43a2f45 in mozilla::dom::HTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:2800
    #13 0x7f6ae438ef60 in mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:2757
    #14 0x7f6ae438dc0c in mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:366
    #15 0x7f6ae02fe33b in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsBaseChannel.cpp:754
    #16 0x7f6ae033cabe in nsInputStreamPump::OnStateStart() /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsInputStreamPump.cpp:531
    #17 0x7f6ae033c08e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsInputStreamPump.cpp:433
    #18 0x7f6ae0162039 in nsInputStreamReadyEvent::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/io/nsStreamUtils.cpp:91
    #19 0x7f6ae019e224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848
    #20 0x7f6ae020031a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #21 0x7f6ae0a4f789 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #22 0x7f6ae09e1c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #23 0x7f6ae09e1c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #24 0x7f6ae09e1c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #25 0x7f6ae53c0c77 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #26 0x7f6ae6f3ab72 in XRE_RunAppShell /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:746
    #27 0x7f6ae09e1c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #28 0x7f6ae09e1c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #29 0x7f6ae09e1c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #30 0x7f6ae6f3a1a3 in XRE_InitChildProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:583
    #31 0x48ce71 in content_process_main(int, char**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #32 0x7f6addd1aec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

Christoph Diehl [:posidron]

Reporter

Comment 1

•

9 years ago

Attached file Testcase — Details

Anthony Jones (:ajones, :kentuckyfriedtakahe, :k17e)

Comment 2

•

9 years ago

bug 1149278 removes the call from Box::Box() to Box::Read() that is causing this crash.

Status: NEW → RESOLVED

Closed: 9 years ago

Resolution: --- → DUPLICATE

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

MP4: OOM [@mp4_demuxer::Box::Read]

Categories

(Core :: Audio/Video, defect)

Tracking

()

People

(Reporter: posidron, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Attachment

General

Description

File Name

Content Type