Closed Bug 1364828 Opened 6 years ago Closed 6 years ago

Crash in moz_abort | arena_run_split | arena_malloc_large | je_realloc | mozilla::Vector<T>::growStorageBy

Categories

(Core :: Audio/Video: Playback, defect)

Product:
Core
Component:
Audio/Video: Playback
Version:
54 Branch
Platform:
x86_64
Windows 10
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox-esr52 --- wontfix
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: ziggi, Assigned: mozbugz)

Details

(Keywords: crash)

Crash Data

Attachments

(1 file)

Bug 1364828 - Use nsTArray (with fallible append) in mp4_demuxer::ByteWriter -
59 bytes, text/x-review-board-request
jya
: review+
Details 
This bug was filed from the Socorro interface and is 
report bp-2ee8a067-688d-46a6-b404-dac180170513.
=============================================================
Constant crashes somehow linked to certain video elements on a webpage.
Severity: major → critical
Component: General → Audio/Video
Keywords: crash
Product: Firefox → Core
Component: Audio/Video → Audio/Video: Playback
Jean-Yves - is this an OOM by another name?
Flags: needinfo?(jyavenard)
That code is supposed to be fallible.. :gerald made it so...

The stack trace is a bit confusing, looks like it has inline the writer code.

:gerald what do you think?
Flags: needinfo?(jyavenard) → needinfo?(gsquelart)
Hmm, I'm not 100% sure now...

I assumed Vector::append was fallible because of the `MOST_MUST_USE bool` return value.

But looking at https://hg.mozilla.org/releases/mozilla-aurora/annotate/105e456d811b/mfbt/Vector.h#l680 , it says "Potentially fallible append operations" -- Does that mean that these operations can potentially fail when we ask for too much, or they can potentially fail depending on what type of objects are stored??

And trying to follow the code for Vector<uint8_t>, it seems to go to pod_alloc instead of maybe_pod_alloc, so we may in fact be doomed!

But I need more time to investigate...
Assignee: nobody → gsquelart
Flags: needinfo?(gsquelart)
Comment on attachment 8875091 [details]
Bug 1364828 - Use nsTArray (with fallible append) in mp4_demuxer::ByteWriter -

https://reviewboard.mozilla.org/r/146462/#review150640

nsTArray has a great memory footprint than Vector :(
it allocates memory by a multiple of 2... and IIRC 8kB minimum
Attachment #8875091 - Flags: review?(jyavenard) → review+
Pushed by gsquelart@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4795dae51ea6
Use nsTArray (with fallible append) in mp4_demuxer::ByteWriter - r=jya
https://hg.mozilla.org/mozilla-central/rev/4795dae51ea6
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Both 53, 54 and esr52 are affected as the code was there too... May not show in the crash report but it's definitely there.

Bug 1307945 was supposed to make things infallible, but wasn't quite so.
There's a couple ESR52 reports in crash-stats, but doesn't seem high-volume enough to warrant backport consideration. Feel free to set the status back to affected and nominate it for approval if you feel otherwise, however :)
status-firefox-esr52: affectedwontfix
You need to log in before you can comment on or make changes to this bug.