Closed Bug 1156523 Opened 10 years ago Closed 10 years ago

MP4: OOM [@mp4_demuxer::Box::Read]

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1149278

People

(Reporter: posidron, Unassigned)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

Testcase
792.29 KB, application/octet-stream
Details
The following testcase crashes on mozilla-inbound-linux64-asan revision 20150331102803 See attachment. Backtrace: ==17028==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6ae008d10e sp 0x7f6ab3b109d0 bp 0x7f6ab3b109d0 T28) #0 0x7f6ae008d10d in NS_ABORT_OOM(unsigned long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:622 #1 0x7f6ae00138b9 in SizeTooBig /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/toolkit/mozapps/extensions/../../../dist/include/nsTArray.h:189 #2 0x7f6ae00138b9 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity(unsigned long, unsigned long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/toolkit/mozapps/extensions/../../../dist/include/nsTArray-inl.h:127 #3 0x7f6adffcdb88 in InsertSlotsAt /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/layout/generic/../../dist/include/nsTArray-inl.h:281 #4 0x7f6adffcdb88 in InsertElementsAt /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/layout/generic/../../dist/include/nsTArray.h:1561 #5 0x7f6adffcdb88 in nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>::SetLength(unsigned long) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/layout/generic/../../dist/include/nsTArray.h:1517 #6 0x7f6adffcd859 in mp4_demuxer::Box::Read(nsTArray<unsigned char>*, mozilla::MediaByteRange const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/Box.cpp:132 #7 0x7f6adffcd39c in mp4_demuxer::Box::Box(mp4_demuxer::BoxContext*, unsigned long, mp4_demuxer::Box const*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/Box.cpp:95 #8 0x7f6adffd7ce9 in mp4_demuxer::MoofParser::BlockingReadNextMoof() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/MoofParser.cpp:108 #9 0x7f6adffd6224 in Get /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/Index.cpp:173 #10 0x7f6adffd6224 in mp4_demuxer::SampleIterator::GetNext() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/Index.cpp:89 #11 0x7f6adffdc3d9 in mp4_demuxer::MP4Demuxer::DemuxAudioSample() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/mp4_demuxer.cpp:212 #12 0x7f6adffdc341 in mp4_demuxer::MP4AudioDemuxer::DemuxSample() /builds/slave/m-in-l64-asan-0000000000000000/build/src/media/libstagefright/binding/MP4TrackDemuxer.cpp:22 #13 0x7f6ae48c7a97 in mozilla::MediaSample* mozilla::InvokeAndRetry<mozilla::TrackDemuxer, mozilla::MediaSample*>(mozilla::TrackDemuxer*, mozilla::MediaSample* (mozilla::TrackDemuxer::*)(), mozilla::MP4Stream*, mozilla::Monitor*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:127 #14 0x7f6ae48c78e9 in PopSampleLocked /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:815 #15 0x7f6ae48c78e9 in mozilla::MP4Reader::PopSample(mp4_demuxer::TrackType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:801 #16 0x7f6ae48c6af6 in mozilla::MP4Reader::Update(mp4_demuxer::TrackType) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/fmp4/MP4Reader.cpp:744 #17 0x7f6ae48c9b8a in apply<mozilla::MP4Reader, void (mozilla::MP4Reader::*)(mp4_demuxer::TrackType)> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/fmp4/../../../dist/include/nsThreadUtils.h:587 #18 0x7f6ae48c9b8a in nsRunnableMethodImpl<void (mozilla::MP4Reader::*)(mp4_demuxer::TrackType), true, mp4_demuxer::TrackType>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/fmp4/../../../dist/include/nsThreadUtils.h:666 #19 0x7f6ae4624fb8 in mozilla::MediaTaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:226 #20 0x7f6ae01a3dda in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:225 #21 0x7f6ae01a419c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:239 #22 0x7f6ae019e224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848 #23 0x7f6ae020031a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265 #24 0x7f6ae0a505cf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:339 #25 0x7f6ae09e1c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233 #26 0x7f6ae09e1c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226 #27 0x7f6ae09e1c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200 #28 0x7f6ae019acd8 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:349 #29 0x7f6aec632135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212 #30 0x7f6aecc70181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:622 NS_ABORT_OOM(unsigned long) Thread T28 (Media P~back #3) created by T26 (Media P~back #1) here: #0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175 #1 0x7f6aec62eabd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453 #2 0x7f6aec62e63a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544 #3 0x7f6ae019c03b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:460 #4 0x7f6ae01a181e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:349 #5 0x7f6ae01a2e45 in nsThreadPool::PutEvent(nsIRunnable*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:101 #6 0x7f6ae01a46a6 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:266 #7 0x7f6ae4622e38 in mozilla::MediaTaskQueue::DispatchLocked(mozilla::TemporaryRef<nsIRunnable>, mozilla::MediaTaskQueue::DispatchMode) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:60 #8 0x7f6ae46230ea in mozilla::MediaTaskQueue::ForceDispatch(mozilla::TemporaryRef<nsIRunnable>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:41 #9 0x7f6ae4546c26 in mozilla::AbstractThreadImpl<mozilla::MediaTaskQueue>::Dispatch(already_AddRefed<nsIRunnable>) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/AbstractThread.cpp:19 #10 0x7f6ae45d35d7 in ProxyInternal<mozilla::MediaPromise<nsRefPtr<mozilla::MetadataHolder>, mozilla::ReadMetadataFailureReason, true>, mozilla::MediaTaskQueue> /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaPromise.h:656 #11 0x7f6ae45d35d7 in DecodeTaskQueue /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaPromise.h:671 #12 0x7f6ae45d35d7 in mozilla::MediaDecoderStateMachine::RunStateMachine() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:2581 #13 0x7f6ae4638660 in apply<mozilla::MediaDecoderStateMachine, nsresult (mozilla::MediaDecoderStateMachine::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:574 #14 0x7f6ae4638660 in nsRunnableMethodImpl<nsresult (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:666 #15 0x7f6ae4624fb8 in mozilla::MediaTaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:226 #16 0x7f6ae01a3dda in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:225 #17 0x7f6ae01a419c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:239 #18 0x7f6ae019e224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848 #19 0x7f6ae020031a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265 #20 0x7f6ae0a505cf in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:339 #21 0x7f6ae09e1c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233 #22 0x7f6ae09e1c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226 #23 0x7f6ae09e1c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200 #24 0x7f6ae019acd8 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:349 #25 0x7f6aec632135 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212 #26 0x7f6aecc70181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181) Thread T26 (Media P~back #1) created by T0 (Web Content) here: #0 0x4610d5 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175 #1 0x7f6aec62eabd in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453 #2 0x7f6aec62e63a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544 #3 0x7f6ae019c03b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:460 #4 0x7f6ae01a181e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:349 #5 0x7f6ae01a2e45 in nsThreadPool::PutEvent(nsIRunnable*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:101 #6 0x7f6ae01a46a6 in nsThreadPool::Dispatch(nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:266 #7 0x7f6ae4622e38 in mozilla::MediaTaskQueue::DispatchLocked(mozilla::TemporaryRef<nsIRunnable>, mozilla::MediaTaskQueue::DispatchMode) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:60 #8 0x7f6ae4593f1b in TaskQueue /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaTaskQueue.cpp:34 #9 0x7f6ae4593f1b in mozilla::MediaDecoderStateMachine::ScheduleStateMachine() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:3290 #10 0x7f6ae4592c46 in ScheduleStateMachineThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoder.cpp:753 #11 0x7f6ae4592c46 in mozilla::MediaDecoder::InitializeStateMachine(mozilla::MediaDecoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoder.cpp:719 #12 0x7f6ae43a2f45 in mozilla::dom::HTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:2800 #13 0x7f6ae438ef60 in mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:2757 #14 0x7f6ae438dc0c in mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/html/HTMLMediaElement.cpp:366 #15 0x7f6ae02fe33b in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsBaseChannel.cpp:754 #16 0x7f6ae033cabe in nsInputStreamPump::OnStateStart() /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsInputStreamPump.cpp:531 #17 0x7f6ae033c08e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/netwerk/base/nsInputStreamPump.cpp:433 #18 0x7f6ae0162039 in nsInputStreamReadyEvent::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/io/nsStreamUtils.cpp:91 #19 0x7f6ae019e224 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:848 #20 0x7f6ae020031a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265 #21 0x7f6ae0a4f789 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:99 #22 0x7f6ae09e1c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233 #23 0x7f6ae09e1c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226 #24 0x7f6ae09e1c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200 #25 0x7f6ae53c0c77 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:164 #26 0x7f6ae6f3ab72 in XRE_RunAppShell /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:746 #27 0x7f6ae09e1c2c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233 #28 0x7f6ae09e1c2c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226 #29 0x7f6ae09e1c2c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200 #30 0x7f6ae6f3a1a3 in XRE_InitChildProcess /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:583 #31 0x48ce71 in content_process_main(int, char**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211 #32 0x7f6addd1aec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
Attached file Testcase
bug 1149278 removes the call from Box::Box() to Box::Read() that is causing this crash.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: