1344580 - Crash in audiounit_layout_init

Status: RESOLVED FIXED

(Core :: Audio/Video: cubeb, defect, P1)

Description

[Nicholas Nethercote [inactive]]

This bug was filed from the Socorro interface and is 
report bp-87245b40-f1f9-4788-b37a-9770b2170305.
=============================================================

This Mac-only crash first appeared in Nightly 20170225030208, though it's infrequent enough that it's possible the cause landed earlier than that. Having said that, it looks likely that the cubeb update in bug 1342363 that landed on Feb 24 is the cause.

It's the #2 Mac topcrash in Nightly 20170303030202, but with only 4 crashes... we don't have a lot of Nightly Mac users.

Alex, can you please investigate?

Comment 1

[C.M.Chang[:chunmin]]

There is one thread using cubeb. The report says the reason is EXC_BAD_ACCESS / KERN_INVALID_ADDRESS, which relates to accessing deallocated memory. It crashes at media/libcubeb/src/cubeb_audiounit.cpp:1353[0], where audiounit_get_current_channel_layout is called. In audiounit_get_current_channel_layout, we allocate one memory chunk for |AudioChannelLayout| with malloc. If it's accessed after releasing, it might be the cause. However, there should be no such case.

[0] https://hg.mozilla.org/mozilla-central/annotate/eb2364853477/media/libcubeb/src/cubeb_audiounit.cpp#l1353

Comment 2

[Marcia Knous [:marcia]]

I see some other Mac crashes in today's build that also have cubeb in them - http://bit.ly/2mtWxf - not sure if they belong in this bug or not: [@ audiounit_setup_stream]

Comment 3

[Paul Adenot (:padenot)]

Chun-Min, any idea about Marcia's comment ?

Comment 4

[C.M.Chang[:chunmin]]

I can't open this link: http://bit.ly/2mtWxf . Is it correct?
I guess it might be causes by auto_channel_layout::size()[0]. It returns the size of pointer of AudioChannelLayout instead of the size of AudioChannelLayout array allocated. I'll update a patch to fix it.

[0] http://searchfox.org/mozilla-central/rev/1bc7720a434af3c13b68b8d69f92078cae8890c4/media/libcubeb/src/cubeb_audiounit.cpp#175

Comment 5

[C.M.Chang[:chunmin]]

Attachment: pull on github

I can't reproduce it so I just guess and fix some incorrect code.

Comment 6

[Blake Wu [:bwu][:blakewu]]

For comment 4.

Comment 7

[Marcia Knous [:marcia]]

Corrected link: http://bit.ly/2lYv0Ar

Individual crash report example: https://crash-stats.mozilla.com/report/index/e02650cd-29db-4fa2-92d1-eeda72170307

Comment 8

[C.M.Chang[:chunmin]]

The patch is merged in
https://github.com/kinetiknz/cubeb/commit/f1a6eed0ef1829ea3ac589feefa0f46bf594cdaa

We could observe for a while to check whether the crash happens again.

Comment 9

[Alex Chronopoulos [:achronop]]

Clear NI based on previous comment

Comment 11

[Alex Chronopoulos [:achronop]]

Landed in 55 and 54 with Bug 1345049.

Comment 12

[Ting-Yu Chou [:ting] (away)]

I am still seeing audiounit_setup_stream on 54 and 55, and audiounit_layout_init on 54.

https://crash-stats.mozilla.com/signature/?product=Firefox&signature=audiounit_setup_stream&date=%3E%3D2017-04-05T03%3A11%3A01.000Z&date=%3C2017-04-12T03%3A11%3A01.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#aggregations

https://crash-stats.mozilla.com/signature/?signature=audiounit_layout_init&date=%3E%3D2017-03-29T03%3A12%3A09.000Z&date=%3C2017-04-12T03%3A12%3A09.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#aggregations

Comment 13

[C.M.Chang[:chunmin]]

Thanks for the report. I'll try an ASAN build to test it.

Comment 14

[Ting-Yu Chou [:ting] (away)]

Just double checked, it seems that audiounit_layout_init is fixed, but not audiounit_setup_stream.

Comment 15

[[:philipp]]

i've filed a cloned bug about the [@ audiounit_setup_stream] signature in order to be able to easier track its state.