Closed
Bug 1345179
Opened 8 years ago
Closed 8 years ago
Crash in OOM | large | mozalloc_abort | mozalloc_handle_oom | moz_xmalloc | mozilla::MakeUnique<T>
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
RESOLVED
FIXED
mozilla55
People
(Reporter: alex_mayorga, Assigned: kaku)
References
Details
(Keywords: crash, nightly-community)
Crash Data
Attachments
(1 file)
This bug was filed from the Socorro interface and is
report bp-71a3295a-4127-4d9f-a5df-c721d2170306.
=============================================================
¡Hola!
Crashed like above, found 104 other crashes at https://crash-stats.mozilla.com/signature/?product=Firefox&signature=OOM%20%7C%20large%20%7C%20mozalloc_abort%20%7C%20mozalloc_handle_oom%20%7C%20moz_xmalloc%20%7C%20mozilla%3A%3AMakeUnique%3CT%3E#summary
Unfortunately I have no steps that lead to the crash.
¡Gracias!
Alex
|
||
Comment 1•8 years ago
|
||
Your crash seems to be associated with allocating data for a <video> element:
https://hg.mozilla.org/mozilla-central/annotate/966464a68a2c/dom/media/platforms/agnostic/BlankDecoderModule.cpp#l136
(changing the Component based on that)
I'm guessing "sizeY + sizeCbCr" is controlled by content, so this allocation
should probably be fallible and return an error when it fails (if possible).
Component: DOM → Audio/Video
|
|
||
Comment 2•8 years ago
|
||
(There are other root causes associated with this signature though, so we should add
"mozilla::MakeUnique<T>" to the ignore list to get the next stack frame added to
the signature so we can differentiate between them. I filed bug 1345196 on that.)
|
|
||
Comment 3•8 years ago
|
||
BTW, is there a security issue here? (assuming that mFrameWidth and mFrameHeight are
controlled by content, they can be chosen to overflow uint32_t when multiplied)
Also, why are we using a natural (signed) 'int' for the result?
That just seems wrong in addition to not follow our coding style rules.
Flags: needinfo?(kaku)
|
Assignee | |
Comment 4•8 years ago
|
||
Bug 1309492 is also modifying this part of code. So, I will handle this bug after Bug 1309492 is landed (should be soon and keep myself be NI-ed.)
Bug 1309492 is going to remove the temporary `const int sizeY and const int sizeCbCr`, so the security issue will no longer exist.
Also, I think we could replace the MakeUnique() with MakeUniqueFallible() which should solve the root cause of this bug.
|
||
Updated•8 years ago
|
Component: Audio/Video → Audio/Video: Playback
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 6•8 years ago
|
||
Try:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1e1d00531f7918eadac02caac9b339626a490bbd
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f8ce9e1299ec35b1c706e5476053cfb023448525
Assignee: nobody → kaku
Status: NEW → ASSIGNED
Flags: needinfo?(kaku)
|
||
Comment 7•8 years ago
|
||
| mozreview-review | ||
Comment on attachment 8847923 [details]
Bug 1345179 - use MakeUniqueFallible() in BlankVideoDataCreator;
https://reviewboard.mozilla.org/r/120836/#review122822
Attachment #8847923 -
Flags: review?(jwwang) → review+
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0d4976ed4a31
use MakeUniqueFallible() in BlankVideoDataCreator; r=jwwang
Keywords: checkin-needed
|
|
||
Comment 10•8 years ago
|
||
I'm concerned about "mFrameWidth * mFrameHeight" overflowing (they are uint32_t).
I think you need to use CheckedInt<> for this code to be safe, unless mFrameWidth and
mFrameHeight are always clamped when they are assigned so that they cannot possibly
overflow when multiplied. Is that the case?
Flags: needinfo?(kaku)
|
||
Comment 11•8 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
|
||
Comment 12•8 years ago
|
||
How can we get crash report of a code that isn't enabled to start with?
|
|
Assignee | |
Comment 13•8 years ago
|
||
(In reply to Jean-Yves Avenard [:jya] from comment #12)
> How can we get crash report of a code that isn't enabled to start with?
Not sure what you mean. The BlankDecoderModule WAS used as the dummy decoder module for the suspend-video-decoder feature and it is enabled in nightly. (We have switched to NullDecoderModule for the suspend-video-decoder now.)
|
|
Assignee | |
Comment 14•8 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #10)
> I'm concerned about "mFrameWidth * mFrameHeight" overflowing (they are
> uint32_t).
> I think you need to use CheckedInt<> for this code to be safe, unless
> mFrameWidth and
> mFrameHeight are always clamped when they are assigned so that they cannot
> possibly
> overflow when multiplied. Is that the case?
Fair enough, open bug 1348237 for this issue.
Flags: needinfo?(kaku)
|
||
Comment 15•8 years ago
|
||
Looks like this might still be happening?
https://crash-stats.mozilla.com/report/index/944cefe5-1caa-435c-b286-0089a2170319
status-firefox-esr52:
--- → affected
Flags: needinfo?(kaku)
|
|
||
Comment 16•8 years ago
|
||
Ryan, please file a new bug report since that's a different call site.
(we need a fix for bug 1345196 to differentiate these)
Flags: needinfo?(kaku)
|
|
||
Comment 17•8 years ago
|
||
In that case, please request Aurora/Beta/ESR52 approval on this when you get a chance :)
Flags: needinfo?(kaku)
|
|
Assignee | |
Comment 18•8 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM] from comment #17)
> In that case, please request Aurora/Beta/ESR52 approval on this when you get
> a chance :)
Sorry for my late reply. Actually, all the client coded that might trigger this issue are not enabled in Aurora/Beta/Release channels, so I think that we don't need to uplift all of this because, make sense?
Flags: needinfo?(kaku)
|
|
||
Comment 19•8 years ago
|
||
Sounds good to me, thanks for the update.
You need to log in
before you can comment on or make changes to this bug.
Description
•