Closed
Bug 1264991
Opened 7 years ago
Closed 7 years ago
Crash [@ Construct<const mozilla::AudioConfig::Channel &>]
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: posidron, Assigned: jya)
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(2 files)
The following testcase crashes on en-us.linux-x86_64-asan.tar.bz2 revision 45c1bcc538ddeb36e06ad117d0fc09b9cb076e4b
See attachment.
Backtrace:
==16761==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f617aa0385d sp 0x7f612e1fd9b0 bp 0x7f612e1fd9f0 T1484)
#0 0x7f617aa0385c in Construct<const mozilla::AudioConfig::Channel &> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:520:36
#1 0x7f617aa0385c in implementation<mozilla::AudioConfig::Channel, mozilla::AudioConfig::Channel, unsigned long, unsigned long> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:548
#2 0x7f617aa0385c in AssignRange<mozilla::AudioConfig::Channel> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:2025
#3 0x7f617aa0385c in AppendElements<mozilla::AudioConfig::Channel, nsTArrayInfallibleAllocator> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:1513
#4 0x7f617aa0385c in ChannelLayout /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaInfo.h:507
#5 0x7f617aa0385c in mozilla::AudioConfig::ChannelLayout::ChannelLayout(unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaInfo.h:504
#6 0x7f617aa03591 in mozilla::AudioConfig::AudioConfig(unsigned int, unsigned int, mozilla::AudioConfig::SampleFormat, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaInfo.cpp:188
#7 0x7f617a878b5e in mozilla::AudioStream::Init(unsigned int, unsigned int, mozilla::dom::AudioChannel) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/AudioStream.cpp:356
#8 0x7f617ab94d48 in mozilla::media::DecodedAudioDataSink::InitializeAudioStream(mozilla::media::MediaSink::PlaybackParams const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/DecodedAudioDataSink.cpp:139
#9 0x7f617ab94a20 in mozilla::media::DecodedAudioDataSink::Init(mozilla::media::MediaSink::PlaybackParams const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/DecodedAudioDataSink.cpp:53
#10 0x7f617ab934ff in mozilla::media::AudioSinkWrapper::Start(long, mozilla::MediaInfo const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/AudioSinkWrapper.cpp:191
#11 0x7f617aba1b97 in mozilla::media::VideoSink::Start(long, mozilla::MediaInfo const&) /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/mediasink/VideoSink.cpp:162
#12 0x7f617a93dcfa in mozilla::MediaDecoderStateMachine::StartMediaSink() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:1794
#13 0x7f617a93d90a in mozilla::MediaDecoderStateMachine::MaybeStartPlayback() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:1127
#14 0x7f617a94c074 in mozilla::MediaDecoderStateMachine::RunStateMachine() /builds/slave/m-in-l64-asan-0000000000000000/build/src/dom/media/MediaDecoderStateMachine.cpp:2224
#15 0x7f617a95be10 in applyImpl<mozilla::MediaDecoderStateMachine, nsresult (mozilla::MediaDecoderStateMachine::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:670
#16 0x7f617a95be10 in apply<mozilla::MediaDecoderStateMachine, nsresult (mozilla::MediaDecoderStateMachine::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:676
#17 0x7f617a95be10 in nsRunnableMethodImpl<nsresult (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:704
#18 0x7f61758c81fa in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:192
#19 0x7f61758a7820 in mozilla::TaskQueue::Runner::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:171
#20 0x7f61758bcdd3 in nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:228
#21 0x7f61758bd40c in non-virtual thunk to nsThreadPool::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/xpcom/threads/Unified_cpp_xpcom_threads0.cpp:242
#22 0x7f61758b6390 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:994
#23 0x7f61759300da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
#24 0x7f6176622fe1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:340
#25 0x7f6176599d3c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
#26 0x7f6176599d3c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
#27 0x7f6176599d3c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
#28 0x7f61758b1dde in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:396
#29 0x7f618bbb73ef in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
#30 0x7f618f0d9181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:520 Construct<const mozilla::AudioConfig::Channel &>
Thread T1484 (MediaPl~back #1) created by T0 here:
#0 0x45ea55 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
#1 0x7f618bbb3b40 in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457
#2 0x7f618bbb36aa in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548
#3 0x7f61758b356d in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:526
#4 0x7f61758b9e6e in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadManager.cpp:253
#5 0x7f61758bb87e in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:106
#6 0x7f61758bd916 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThreadPool.cpp:277
#7 0x7f61758a61b0 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::TaskQueue::DispatchMode, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/TaskQueue.cpp:67
#8 0x7f61758bf681 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchFailureHandling, mozilla::AbstractThread::DispatchReason) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/TaskQueue.h:49
#9 0x7f61758c7b5c in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:244
#10 0x7f61758c8a61 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:90
#11 0x7f61758cc921 in reset /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/mozilla/Maybe.h:373
#12 0x7f61758cc921 in mozilla::XPCOMThreadWrapper::FireTailDispatcher() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/AbstractThread.cpp:81
#13 0x7f61758ccac0 in applyImpl<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:670
#14 0x7f61758ccac0 in apply<mozilla::XPCOMThreadWrapper, void (mozilla::XPCOMThreadWrapper::*)()> /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:676
#15 0x7f61758ccac0 in nsRunnableMethodImpl<void (mozilla::XPCOMThreadWrapper::*)(), true>::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:704
#16 0x7f6175781019 in mozilla::CycleCollectedJSRuntime::ProcessStableStateQueue() /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1327
#17 0x7f6177161811 in XPCJSRuntime::AfterProcessTask(unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/src/js/xpconnect/src/XPCJSRuntime.cpp:3728
#18 0x7f61758b684f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/threads/nsThread.cpp:1009
#19 0x7f61759300da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
#20 0x7f6176621d6e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessagePump.cpp:98
#21 0x7f6176599d3c in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
#22 0x7f6176599d3c in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
#23 0x7f6176599d3c in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
#24 0x7f617bb55cf7 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/widget/nsBaseAppShell.cpp:156
#25 0x7f617da07a98 in nsAppStartup::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
#26 0x7f617db06a2a in XREMain::XRE_mainRun() /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4340
#27 0x7f617db07c96 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4437
#28 0x7f617db08ade in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4543
#29 0x48a793 in do_main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:220
#30 0x48a793 in main /builds/slave/m-in-l64-asan-0000000000000000/build/src/browser/app/nsBrowserApp.cpp:360
#31 0x7f618e101ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
|
Reporter | |
Comment 1•7 years ago
|
||
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → jyavenard
|
|
Assignee | |
Comment 2•7 years ago
|
||
Where is the original fuzzdata/samples/wav/big.wav?
Flags: needinfo?(cdiehl)
|
|
Assignee | |
Comment 3•7 years ago
|
||
This can't happen following bug 1262753
|
|
Assignee | |
Comment 4•7 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/46895/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/46895/
Attachment #8742014 -
Flags: review?(gsquelart)
|
||
Comment 5•7 years ago
|
||
Comment on attachment 8742014 [details] MozReview Request: Bug 1264991: Don't construct invalid channel configuration. r?gerald https://reviewboard.mozilla.org/r/46895/#review43495
Attachment #8742014 -
Flags: review?(gsquelart) → review+
|
|
Reporter | |
Comment 6•7 years ago
|
||
(In reply to Jean-Yves Avenard [:jya] from comment #2) > Where is the original fuzzdata/samples/wav/big.wav? https://github.com/MozillaSecurity/fuzzdata/tree/master/samples/wav
Flags: needinfo?(cdiehl)
|
|
Assignee | |
Comment 7•7 years ago
|
||
this went in earlier today. bot appears broken: https://hg.mozilla.org/integration/mozilla-inbound/rev/37ae3a4b4185ff3b9cb0066cddf5500fdd976081
|
||
Comment 8•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/37ae3a4b4185
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in
before you can comment on or make changes to this bug.
Description
•