1186721 - Stagefright: crash [@stagefright::SampleTable::setTimeToSampleParams]

Status: RESOLVED FIXED

(Core :: Audio/Video: Playback, defect, P1)

Description

[Tyson Smith [:tsmith]]

==32522==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000058 (pc 0x7f0bfab820cc sp 0x7f0b842f7d80 bp 0x7f0b842f7e50 T703)
    #0 0x7f0bfab820cb in setTimeToSampleParams /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp:341
    #1 0x7f0bfab571a3 in parseChunk /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:1507
    #2 0x7f0bfab5c7ca in parseChunk /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:880
    #3 0x7f0bfab5c7ca in parseChunk /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:880
    #4 0x7f0bfab5c7ca in parseChunk /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:880
    #5 0x7f0bfab5c7ca in parseChunk /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:880
    #6 0x7f0bfab554fc in readMetaData /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:484
    #7 0x7f0bfab55324 in getMetaData /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp:419
    #8 0x7f0bfab3ef59 in MP4Metadata /builds/slave/m-cen-l64-asan-000000000000000/build/src/media/libstagefright/binding/MP4Metadata.cpp:99
    #9 0x7f0bff710dad in MakeUnique<mp4_demuxer::MP4Metadata, nsRefPtr<mp4_demuxer::BufferStream> &> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/fmp4/../../../dist/include/mozilla/UniquePtr.h:642
    #10 0x7f0bff2e5ae1 in AsyncReadMetadata /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/MediaFormatReader.cpp:290
    #11 0x7f0bff362d60 in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:876
    #12 0x7f0bff3628a6 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/MozPromise.h:936
    #13 0x7f0bff25dd0a in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:180
    #14 0x7f0bff3f5995 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/media/TaskQueue.cpp:257
    #15 0x7f0bfad153d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
    #16 0x7f0bfad1578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
    #17 0x7f0bfad0f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #18 0x7f0bfad7df1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #19 0x7f0bfb5e755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #20 0x7f0bfb57345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #21 0x7f0bfad0b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #22 0x7f0c09538135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #23 0x7f0c0ca5fe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308
    #24 0x7f0c0bb5c31c in ?? /build/buildd/eglibc-2.15/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:112

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T703 (MediaPl~back #8) created by T698 (MediaPl~back #1) here:
    #0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
    #1 0x7f0c09534abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f0c0953463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f0bfad0cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7f0bfad12cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7f0bfad143be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
    #6 0x7f0bfad15c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
    #7 0x7f0bff3f5d30 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
    #8 0x7f0bfad153d1 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
    #9 0x7f0bfad1578c in _ZThn8_N12nsThreadPool3RunEv /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
    #10 0x7f0bfad0f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #11 0x7f0bfad7df1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #12 0x7f0bfb5e755f in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:326
    #13 0x7f0bfb57345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #14 0x7f0bfad0b6f5 in ThreadFunc /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #15 0x7f0c09538135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #16 0x7f0c0ca5fe99 in start_thread /build/buildd/eglibc-2.15/nptl/pthread_create.c:308

Thread T698 (MediaPl~back #1) created by T0 here:
    #0 0x45eae5 in __interceptor_pthread_create _asan_rtl_
    #1 0x7f0c09534abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f0c0953463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f0bfad0cced in Init /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7f0bfad12cee in NewThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:249
    #5 0x7f0bfad143be in PutEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:109
    #6 0x7f0bfad15c97 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:276
    #7 0x7f0bff3f40f9 in operator nsIEventTarget * /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsIEventTarget.h:37
    #8 0x7f0bff3b8bec in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/platforms/../../../dist/include/mozilla/TaskQueue.h:47
    #9 0x7f0bff25d67c in DispatchTaskGroup /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:232
    #10 0x7f0bff25c322 in ~AutoTaskDispatcher /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/TaskDispatcher.h:87
    #11 0x7f0bff25b471 in reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/mozilla/Maybe.h:373
    #12 0x7f0bff25b610 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:621
    #13 0x7f0c002b5125 in assign_assuming_AddRef /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/widget/../dist/include/nsCOMPtr.h:336
    #14 0x7f0c002b5ccd in AfterProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.h:95
    #15 0x7f0bfad0f7a0 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:881
    #16 0x7f0bfad7df1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #17 0x7f0bfad0e2ee in Shutdown /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:665
    #18 0x7f0bfad162aa in Shutdown /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:323
    #19 0x7f0bff406310 in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/media/../../dist/include/nsThreadUtils.h:621
    #20 0x7f0bfad0f2d7 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #21 0x7f0bfad7df1a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #22 0x7f0bfb5e65e9 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #23 0x7f0bfb57345c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #24 0x7f0c002b38d7 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #25 0x7f0c020100f8 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:280
    #26 0x7f0c02118e17 in XRE_mainRun /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4288
    #27 0x7f0c02119e75 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4385
    #28 0x7f0c0211acf5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4474
    #29 0x48a6e4 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
    #30 0x7f0c0ba8976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226

==32522==ABORTING

Comment 1

[Xidorn Quan [:xidorn] UTC+11]

url:        https://hg.mozilla.org/integration/mozilla-inbound/rev/b3092b2ab776ff7022065c2bb0df98015249c4ad
changeset:  b3092b2ab776ff7022065c2bb0df98015249c4ad
user:       Xidorn Quan <quanxunzhen@gmail.com>
date:       Thu Aug 13 22:39:51 2015 +1000
description:
Bug 1186721 - Suppress line break due to soft hyphen inside ruby. r=jfkthame

Comment 2

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/b3092b2ab776

Comment 3

[Jean-Yves Avenard [:jya]]

I don't think this commit has anything to do with this bug.

Someone made a mistake in their commit comment.

Comment 4

[Xidorn Quan [:xidorn] UTC+11]

Ahh... I somehow incorrectly added the bug number by one in my patch... Sorry about that.

So the commit listed in comment 1 and comment 2 is for bug 1186720, not this bug.

Comment 5

[Ralph Giles (:rillian)]

Can you take a look at this one, please, Gerald?

Comment 6

[Gerald Squelart (he/him) (not at Mozilla since 2022-09-15)]

I believe this issue will be fixed by bug 1187067, as it's likely the SampleTable was accessed through an object pointed to by a null pointer.

Comment 7

[Gerald Squelart (he/him) (not at Mozilla since 2022-09-15)]

Tyson, can you please verify this is fixed now that bug 1187067 has landed?

Comment 8

[Tyson Smith [:tsmith]]

I am no longer seeing this issue when fuzzing.