Crash in [@mozilla::layers::MappedYCbCrChannelData::CopyInto]

RESOLVED DUPLICATE of bug 1232330

Status

Core
Audio/Video: Playback
--
critical
3 years ago
2 years ago

People

(Reporter: tsmith, Unassigned)

Tracking

(Blocks: 1 bug, {crash, sec-high, testcase})

Trunk
x86
Windows 8.1

Firefox Tracking Flags

(firefox46 affected)

Details

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
Created attachment 8698723 [details]
firefox-debug_0ef0_2015-12-15_16-24-11-966.log

This seems to only happen on Windows; I could not reproduce it on Linux.

It's strange that this media file is triggering a JS bug; I won't pretend to know what's going on.

Steps to reproduce:
- Open browser
- Play attached test case
(Reporter)

Comment 1

3 years ago
Created attachment 8698724 [details]
test_case.mp4
Considering the crashing function and the output of |hg blame UbiNodeDominatorTree.h|, needinfo-ing fitzgen.
Flags: needinfo?(nfitzgerald)
I can't reproduce on OSX, either.

But, given that:

> WARNING: Stack unwind information not available. Following frames may be wrong.

And that the test case and STR have nothing to do with heap snapshots and dominator trees, I think this is a corrupt stack or at least bad stack capturing.

I will try and reproduce under Windows.
Created attachment 8702329 [details]
Screen Shot 2015-12-28 at 10.10.16 AM.png

Seems to be some hand-rolled assembly deep in third party media code, which I am completely unfamiliar with.

ni'ing some folks who might know more.
Flags: needinfo?(nfitzgerald)
Flags: needinfo?(roc)
Flags: needinfo?(padenot)
Component: JavaScript Engine → Graphics
The point in the screenshot is definitely in media code.

But according to the log, isn't the crash here?

MSVCR120!memcpy+0x2a:
7319f20c f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
?
Flags: needinfo?(roc)
(Reporter)

Comment 6

3 years ago
Third party media code you say? ... Adding some media folks. Hopefully they can help or add the correct people.
Better to NI. Chris, this is crashing when playing a particular mp4 on Windows.
Flags: needinfo?(padenot) → needinfo?(cpearce)
Group: gfx-core-security
(Reporter)

Comment 8

3 years ago
I grabbed a better stack trace and it looks like this is a dup of bug 1232330.

VCRUNTIME140!memcpy+0x4e
xul!mozilla::layers::MappedYCbCrChannelData::CopyInto+0x48
xul!mozilla::layers::UpdateYCbCrTextureClient+0xd7
xul!mozilla::layers::ImageClientSingle::UpdateImage+0x366
xul!mozilla::layers::UpdateImageClientNow+0x32
xul!RunnableFunction<void (__cdecl*)(mozilla::layers::ImageClient *,RefPtr<mozilla::layers::ImageContainer> &&),mozilla::Tuple<mozilla::layers::ImageClient *,RefPtr<mozilla::layers::ImageContainer> > >::Run+0x10
xul!MessageLoop::DoWork+0x1ac
xul!base::MessagePumpDefault::Run+0x1a4
xul!MessageLoop::RunHandler+0xa4
xul!MessageLoop::Run+0x3f
xul!base::Thread::ThreadMain+0xb8
xul!`anonymous namespace'::ThreadFunc+0x9
KERNEL32!BaseThreadInitThunk+0x24
ntdll!__RtlUserThreadStart+0x2f
ntdll!_RtlUserThreadStart+0x1b
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Summary: Crash in [@xul!JS::ubi::DominatorTree::root] → Crash in [@mozilla::layers::MappedYCbCrChannelData::CopyInto]
Duplicate of bug: 1232330
Flags: needinfo?(cpearce)
Component: Graphics → Audio/Video: Playback
(Reporter)

Updated

3 years ago
Group: gfx-core-security, javascript-core-security → media-core-security
(Reporter)

Updated

2 years ago
Blocks: 1289609
Group: media-core-security
Keywords: sec-high