crash in @0x0 | mozilla::DXVA2Manager::CreateD3D9DXVA

VERIFIED FIXED in Firefox 51

Status

()

Core
Audio/Video: Playback
--
critical
VERIFIED FIXED
2 years ago
a year ago

People

(Reporter: philipp, Assigned: mattwoodrow)

Tracking

({crash, regression})

43 Branch
mozilla51
x86
Windows NT
crash, regression
Points:
---

Firefox Tracking Flags

(firefox42 unaffected, firefox43 affected, firefox44 affected, firefox45 affected, firefox48 wontfix, firefox49 wontfix, firefox51 verified)

Details

(crash signature)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
This bug was filed from the Socorro interface and is 
report bp-602dc026-d109-4c9b-b8d1-091e52151202.
=============================================================
0 		@0x0 	
1 	xul.dll 	mozilla::DXVA2Manager::CreateD3D9DXVA(nsACString_internal&) 	dom/media/platforms/wmf/DXVA2Manager.cpp
2 	xul.dll 	mozilla::CreateDXVAManagerEvent::Run() 	dom/media/platforms/wmf/WMFVideoMFTManager.cpp
3 	xul.dll 	nsThreadSyncDispatch::Run() 	xpcom/threads/nsThread.cpp
4 	xul.dll 	nsThread::ProcessNextEvent(bool, bool*) 	xpcom/threads/nsThread.cpp
5 	xul.dll 	NS_ProcessNextEvent(nsIThread*, bool) 	xpcom/glue/nsThreadUtils.cpp
6 	xul.dll 	mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) 	ipc/glue/MessagePump.cpp
7 	xul.dll 	MessageLoop::RunHandler() 	ipc/chromium/src/base/message_loop.cc
8 	xul.dll 	nsThreadManager::GetMainThread(nsIThread**) 	xpcom/threads/nsThreadManager.cpp
9 	xul.dll 	nsBaseAppShell::Run() 	widget/nsBaseAppShell.cpp
10 	xul.dll 	nsAppStartup::Run() 	toolkit/components/startup/nsAppStartup.cpp
11 	xul.dll 	XREMain::XRE_mainRun() 	toolkit/xre/nsAppRunner.cpp
12 	xul.dll 	XREMain::XRE_main(int, char** const, nsXREAppData const*) 	toolkit/xre/nsAppRunner.cpp
13 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp
Ø 14 	nvwgf2um.dll 	nvwgf2um.dll@0x4a6cb8 	
Ø 15 	nvd3dum.dll 	nvd3dum.dll@0x35ffff

this crash signature is showing up in 43 builds for the first time. the crash numbers are fairly low during the beta cycle, but since it's a regression i wanted to get it on file.
Component: Audio/Video → Audio/Video: Playback
Seems to have disappeared in 47. I guess we wait until 47 goes to beta.
Crash volume for signature '@0x0 | mozilla::DXVA2Manager::CreateD3D9DXVA':
 - nightly (version 51): 0 crashes from 2016-08-01.
 - aurora  (version 50): 0 crashes from 2016-08-01.
 - beta    (version 49): 70 crashes from 2016-08-02.
 - release (version 48): 78 crashes from 2016-07-25.
 - esr     (version 45): 0 crashes from 2016-05-02.

Crash volume on the last weeks (Week N is from 08-22 to 08-28):
            W. N-1  W. N-2  W. N-3
 - nightly       0       0       0
 - aurora        0       0       0
 - beta         27      22       2
 - release      19      33      18
 - esr           0       0       0

Affected platform: Windows

Crash rank on the last 7 days:
           Browser     Content   Plugin
 - nightly
 - aurora
 - beta    #542
 - release #1174
 - esr
status-firefox48: --- → affected
status-firefox49: --- → affected
Anthony --  This was found and marked by the bot on Friday as a carryover regression affecting Beta and Release back to Fx43.   Looks like it's a low volume crash and a NULL deref that we don't see until the Release gets to Beta.  (Looks like it affects only users who have older cards.) Can you prioritize this and decide when it needs to get into a Release?  Thanks.
Flags: needinfo?(ajones)
Too late for beta and as Maire points out it is pretty low volume even on release. Up to anthony and team if they want to fix this for 50/51.
status-firefox48: affected → wontfix
status-firefox49: affected → wontfix
Matt - if I read this correctly d3d9Manager->Init is null here:

  nsAutoPtr<D3D9DXVA2Manager> d3d9Manager(new D3D9DXVA2Manager());
  hr = d3d9Manager->Init(aFailureReason); <----
  if (SUCCEEDED(hr)) {	
    return d3d9Manager.forget();

https://hg.mozilla.org/releases/mozilla-beta/annotate/fbc5a78c8d67/dom/media/platforms/wmf/DXVA2Manager.cpp#l458

Any idea what is happening?
Flags: needinfo?(ajones) → needinfo?(matt.woodrow)
(Assignee)

Comment 6

2 years ago
Init() isn't virtual, so we can't really jump to the wrong place when calling it.

I suspect the contents of Init() have been inlined and the crash dump is doing a poor job of showing line numbers.

I'll grab the minidump soon and see if that shows anything useful.
(Assignee)

Comment 7

2 years ago
Real crash is here: https://hg.mozilla.org/releases/mozilla-beta/annotate/fbc5a78c8d67/dom/media/platforms/wmf/DXVA2Manager.cpp#l265

d3d9Create is null.
Flags: needinfo?(matt.woodrow)
(Assignee)

Comment 8

2 years ago
Created attachment 8787510 [details] [diff] [review]
d3d9-null-crash

I'm not sure if this is just really old d3d9 versions, or broken dll's, but either way we shouldn't crash on it.
Assignee: nobody → matt.woodrow
Attachment #8787510 - Flags: review?(ajones)
Attachment #8787510 - Flags: review?(ajones) → review+

Comment 9

2 years ago
Pushed by mwoodrow@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/49baab4a1099
Null check D3D9 creation function in DXVA2Manager. r=ajones

Comment 10

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/49baab4a1099
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Updating status for 51 based on the fact that there were no crashes reported with this signature for the last 3 months -- see http://preview.tinyurl.com/z7sl7uo.
Status: RESOLVED → VERIFIED
status-firefox51: fixed → verified
You need to log in before you can comment on or make changes to this bug.