Closed Bug 1257699 Opened 8 years ago Closed 8 years ago

Crash [@ ne_read_block_duration] with WebM/VP9 test

Categories

(Core :: Audio/Video: Playback, defect, P2)

x86_64
Linux
defect

RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: kinetik)

Details

(Keywords: crash, testcase)

Attachments

(3 files, 1 obsolete file)

The attached testcase crashes on mozilla-inbound revision f30fc906416f (build with --enable-optimize --disable-debug --enable-address-sanitizer).

For detailed crash information, see attachment.

To reproduce the issue, you can run the testcase through the "MediaDataDecoder.VP9" gtest. Example STR:

1. Change into objdir/dist/bin of your Firefox build
2. Place attached testcase into objdir, keep the name "vp9cake.webm"
3. Run: GTEST_FILTER=MediaDataDecoder.VP9 MOZ_RUN_GTEST=1 ./firefox -unittest

Attached file Testcase
Assignee: nobody → kinetik
Status: NEW → ASSIGNED
Attached patch bug1257699_wip.patch (obsolete) — Splinter Review
This is a temporary patch so you can keep fuzzing without hitting these particular issues.

It fixes this bug and bug 1257700 by adding a simple null check.  That'll probably be the final fix for them, but I want to spend more time analyzing the issue first.

It works around bug 1257701 by disabling the BlockAdditional parsing code since we don't use that in Gecko right now (it's for WebM alpha support, primarily).  There are a bunch of allocation sizing issues here that need investigating.  I'll take a look next week.

Attached patch v0 — Splinter Review
Fix for this bug and bug 1257700.

ne_parse hits EOS after skipping a bunch of trash elements, which clears ctx->ancestor.  We then try to use ctx->ancestor->node and hit a NULL deref.
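The failure mode in the comment above, modelled in a small stand-alone C program. This is an added example, not nestegg's code or the v0 patch: the element stream layout ([id][size][payload]), the element ids, the `struct ctx`/`struct ancestor` layout and the helper names (`model_parse`, `read_block_duration_buggy`, `read_block_duration_fixed`, `run_fixed`, `run_buggy`) are all assumptions chosen to illustrate the pattern. The sample streams are constructed. The parser skips every element it is not looking for; when it runs off the end of the stream it reports EOS and clears the ancestor pointer, and the buggy reader then uses that pointer unconditionally while the fixed reader checks it first, which is the shape of fix the comments describe.

```c
/* Added example modelling the NULL deref described above; NOT nestegg's code.
   Element ids, struct layouts and helper names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical element ids for a simplified stream: [id][size][payload...]. */
enum { EL_BLOCK = 0xA1, EL_BLOCK_DURATION = 0x9B, EL_TRASH = 0xEC };

enum { PARSE_OK = 1, PARSE_EOS = 0, PARSE_ERROR = -1 };

struct elem_node { int id; };

/* Enclosing element; stands in for ctx->ancestor in the comment above. */
struct ancestor { struct elem_node *node; };

struct ctx {
    const uint8_t *data;
    size_t len, pos;
    struct ancestor *ancestor;   /* becomes NULL once the parser hits EOS */
    uint64_t block_duration;
};

/* Stand-in for ne_parse: scan forward for want_id, skipping everything else.
   Running off the end of the stream is EOS, which clears the ancestor, the
   state the comment describes. A truncated element is a parse error. */
static int model_parse(struct ctx *c, int want_id)
{
    while (c->pos + 2 <= c->len) {
        int id = c->data[c->pos];
        size_t size = c->data[c->pos + 1];
        if (c->pos + 2 + size > c->len)
            return PARSE_ERROR;          /* element claims bytes that do not exist */
        if (id == want_id) {
            c->block_duration = size ? c->data[c->pos + 2] : 0;  /* one-byte payload */
            c->pos += 2 + size;
            return PARSE_OK;
        }
        c->pos += 2 + size;              /* trash element: skip it */
    }
    c->ancestor = NULL;                  /* EOS: no enclosing element any more */
    return PARSE_EOS;
}

/* Buggy shape: the parse result is ignored and ctx->ancestor is used
   unconditionally. On a trash-only stream model_parse returns PARSE_EOS with
   ctx->ancestor == NULL, and the next line dereferences it. */
static int read_block_duration_buggy(struct ctx *c, uint64_t *duration)
{
    model_parse(c, EL_BLOCK_DURATION);
    if (c->ancestor->node->id != EL_BLOCK)   /* NULL deref after EOS */
        return PARSE_ERROR;
    *duration = c->block_duration;
    return PARSE_OK;
}

/* Fixed shape: propagate a non-OK parse result and null-check the ancestor
   before touching it, the simple null check the comments describe adding. */
static int read_block_duration_fixed(struct ctx *c, uint64_t *duration)
{
    int r = model_parse(c, EL_BLOCK_DURATION);
    if (r != PARSE_OK)
        return r;
    if (c->ancestor == NULL || c->ancestor->node == NULL)
        return PARSE_ERROR;
    if (c->ancestor->node->id != EL_BLOCK)
        return PARSE_ERROR;
    *duration = c->block_duration;
    return PARSE_OK;
}

static void ctx_init(struct ctx *c, const uint8_t *data, size_t len,
                     struct ancestor *parent)
{
    c->data = data; c->len = len; c->pos = 0;
    c->ancestor = parent; c->block_duration = 0;
}

/* Constructed sample streams (assumed layout, not real WebM bytes). */
static const uint8_t good_stream[]      = { EL_BLOCK, 1, 0x00, EL_BLOCK_DURATION, 1, 40 };
static const uint8_t trash_stream[]     = { EL_TRASH, 2, 0, 0, EL_TRASH, 1, 0 };
static const uint8_t truncated_stream[] = { EL_TRASH, 5, 0 };

/* Run one reader over a stream inside a hypothetical Block group. */
static int run_fixed(const uint8_t *data, size_t len, uint64_t *duration)
{
    struct elem_node block = { EL_BLOCK };
    struct ancestor group = { &block };
    struct ctx c;
    ctx_init(&c, data, len, &group);
    return read_block_duration_fixed(&c, duration);
}

static int run_buggy(const uint8_t *data, size_t len, uint64_t *duration)
{
    struct elem_node block = { EL_BLOCK };
    struct ancestor group = { &block };
    struct ctx c;
    ctx_init(&c, data, len, &group);
    return read_block_duration_buggy(&c, duration);
}

int main(void)
{
    uint64_t d = 0;
    printf("good stream (fixed):  status %d, duration %llu\n",
           run_fixed(good_stream, sizeof good_stream, &d), (unsigned long long)d);
    printf("good stream (buggy):  status %d\n",
           run_buggy(good_stream, sizeof good_stream, &d));
    printf("trash stream (fixed): status %d (EOS, ancestor cleared, no deref)\n",
           run_fixed(trash_stream, sizeof trash_stream, &d));
    printf("truncated (fixed):    status %d\n",
           run_fixed(truncated_stream, sizeof truncated_stream, &d));
    /* run_buggy(trash_stream, ...) would dereference NULL; left uncalled. */
    return 0;
}
```

Only the fixed reader is run on the trash-only stream; the buggy reader is exercised on the well-formed stream alone, since on the trash stream it crashes the way the gtest in comment 0 does. Under `--enable-address-sanitizer` the crash would show as a SEGV on a NULL address inside the reader, which is the signature worth matching when fuzzing for regressions of this class.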
Attachment #8732002 - Attachment is obsolete: true
Attachment #8733167 - Flags: review?(giles)
Comment on attachment 8733167 [details] [diff] [review]
v0

Review of attachment 8733167 [details] [diff] [review]:
-----------------------------------------------------------------

Are you adding this upstream too?
Attachment #8733167 - Flags: review?(giles) → review+
(In reply to Ralph Giles (:rillian) from comment #5)
> Are you adding this upstream too?

Yep (b513227a4314999b9a1a70c0fdb207cd2b79d01b).  The actual check-in will be completed using update.sh on an upstream tree.
Blocks: 1257700
Blocks: 1258882
Priority: -- → P2
https://hg.mozilla.org/mozilla-central/rev/dd12327c3e0c
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Depends on: 1261900
No longer blocks: 1265512
Depends on: 1266712
Depends on: 1271866