panicked at 'attempt to subtract with overflow' [@ mp4parse_capi::SampleToChunkIterator]

RESOLVED FIXED in Firefox 58

Status

P2
normal

People

(Reporter: tsmith, Assigned: ayang)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
mozilla58
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox55 disabled, firefox56 wontfix, firefox57 wontfix, firefox58 fixed)

Attachments

(3 attachments)

(Reporter)

Description

a year ago
Created attachment 8895682 [details]
test_case.mp4

thread '<unnamed>' panicked at 'attempt to subtract with overflow', /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:846

stack backtrace:
   0:     0x7f38a90a5093 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hcab99e0793da62c7
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x7f38a90a03b6 - std::sys_common::backtrace::_print::hbfe5b0c7e79c0711
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x7f38a90b272a - std::panicking::default_hook::{{closure}}::h9ba2c6973907a2be
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x7f38a90b232b - std::panicking::default_hook::he4d55e2dd21c3cca
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x7f38a90b2b3b - std::panicking::rust_panic_with_hook::ha138c05cd33ad44d
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x7f38a90b2a14 - std::panicking::begin_panic::hcdbfa35c94142fa2
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x7f38a90b2949 - std::panicking::begin_panic_fmt::hc09fe500d9b7be81
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x7f38a90b28d7 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x7f38a90c7c7d - core::panicking::panic_fmt::h883a028e9f4b4457
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x7f38a90c7bb4 - core::panicking::panic::hdb3cf3207dda37bb
                               at /checkout/src/libcore/panicking.rs:49
  10:     0x7f38a88c6748 - <mp4parse_capi::SampleToChunkIterator<'a> as core::iter::iterator::Iterator>::next::{{closure}}::hb6d080c5782f6d45
                               at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:846
  11:     0x7f38a88c6679 - <mp4parse_capi::SampleToChunkIterator<'a> as core::iter::iterator::Iterator>::next::h8b9e906f15dfb324
                               at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:831
  12:     0x7f38a88c6a1a - mp4parse_capi::create_sample_table::h92f09543e5d20cc9
                               at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:884
  13:     0x7f38a88c6392 - mp4parse_get_indice_table
                               at /home/worker/workspace/build/src/media/libstagefright/binding/mp4parse_capi/src/lib.rs:701
  14:     0x7f389e7235cc - _ZN11mp4_demuxer15MP4MetadataRust15ReadTrackIndiceEP18mp4parse_byte_datai
                               at /home/worker/workspace/build/src/media/libstagefright/binding/MP4Metadata.cpp:1008
  15:     0x7f389e72260f - _ZN11mp4_demuxer11MP4Metadata14GetTrackIndiceEi
                               at /home/worker/workspace/build/src/media/libstagefright/binding/MP4Metadata.cpp:433
  16:     0x7f38a3214f78 - _ZN7mozilla10MP4Demuxer4InitEv
                               at /home/worker/workspace/build/src/dom/media/fmp4/MP4Demuxer.cpp:213
  17:     0x7f38a2ce76e5 - _ZZN7mozilla17MediaFormatReader12DemuxerProxy4InitEvENK4$_10clEv
                               at /home/worker/workspace/build/src/dom/media/MediaFormatReader.cpp:1027
  18:     0x7f38a2ce7396 - _ZN7mozilla6detail21ProxyFunctionRunnableIZNS_17MediaFormatReader12DemuxerProxy4InitEvE4$_10NS_10MozPromiseINS_11MediaResultES6_Lb1EEEE3RunEv
                               at /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1510
  19:     0x7f389e94d2f5 - _ZN7mozilla9TaskQueue6Runner3RunEv
                               at /home/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:246
  20:     0x7f389e9894be - _ZN12nsThreadPool3RunEv
                               at /home/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:225
  21:     0x7f389e98993c - _ZThn16_N12nsThreadPool3RunEv
                               at /home/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:154
  22:     0x7f389e981010 - _ZN8nsThread16ProcessNextEventEbPb
                               at /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1446
  23:     0x7f389e986c50 - _Z19NS_ProcessNextEventP9nsIThreadb
                               at /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:480
  24:     0x7f389f4ebd9c - _ZN7mozilla3ipc28MessagePumpForNonMainThreads3RunEPN4base11MessagePump8DelegateE
                               at /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:369
  25:     0x7f389f43bb17 - _ZN11MessageLoop11RunInternalEv
                               at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326
  26:     0x7f389f43b9a9 - _ZN11MessageLoop3RunEv
                               at /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
  27:     0x7f389e97917b - _ZN8nsThread10ThreadFuncEPv
                               at /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:506
  28:     0x7f38ba7745ed - _pt_root
                               at /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
  29:     0x7f38be1796b9 - start_thread
  30:     0x7f38bd2023dc - clone
  31:                0x0 - <unknown>
Flags: in-testsuite?
Priority: -- → P1
Mass change P1->P2 to align with new Mozilla triage process
Priority: P1 → P2
(Assignee)

Updated

a year ago
Assignee: nobody → ayang

Comment 5

a year ago
mozreview-review
Comment on attachment 8913053 [details]
Bug 1388991 - check subtraction underflow.

https://reviewboard.mozilla.org/r/184442/#review189626
Attachment #8913053 - Flags: review?(kinetik) → review+

Comment 6

a year ago
mozreview-review
Comment on attachment 8913054 [details]
Bug 1388991 - add test case for subtraction underflow in SampleToChunkIterator.

https://reviewboard.mozilla.org/r/184444/#review189628
Attachment #8913054 - Flags: review?(kinetik) → review+

Comment 8

a year ago
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again.

hg error in cmd: hg rebase -s 60ad1be20581 -d 0ce8d073a16e: rebasing 423082:60ad1be20581 "Bug 1388991 - check subtraction underflow. r=kinetik"
rebasing 423083:d9083b36d396 "Bug 1388991 - add test case for subtraction underfolw in SampleToChunkIterator. r=kinetik" (tip)
merging media/libstagefright/gtest/TestParser.cpp
merging media/libstagefright/gtest/moz.build
warning: conflicts while merging media/libstagefright/gtest/TestParser.cpp! (edit, then use 'hg resolve --mark')
unresolved conflicts (see hg resolve, then hg rebase --continue)

Comment 11

a year ago
Pushed by ayang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f2df51e1bf8a
check subtraction underflow. r=kinetik
https://hg.mozilla.org/integration/autoland/rev/c8631efa2592
add test case for subtraction underflow in SampleToChunkIterator. r=kinetik

Comment 12

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/f2df51e1bf8a
https://hg.mozilla.org/mozilla-central/rev/c8631efa2592
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox58: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58

Comment 13

a year ago
bughunter has seen this on one url so far: http://www.templeos.org/. It is fixed on Nightly/58 but still reproduces on Beta/57.
Is there a user impact here that justifies uplift to Beta for 57 or can this ride the 58 train?
Blocks: 1340980
status-firefox55: --- → disabled
status-firefox56: --- → wontfix
status-firefox-esr52: --- → unaffected
Flags: needinfo?(ayang)
Flags: in-testsuite?
Flags: in-testsuite+
(Assignee)

Comment 15

a year ago
(In reply to Bob Clary [:bc:] from comment #13)
> bughunter has seen this on one url so far: http://www.templeos.org/. It is
> fixed on Nightly/58 but still reproduces on Beta/57.

Hmm... this bug happens on debug builds only; it won't happen on release.
The video in http://www.templeos.org/ is a fragmented mp4 video, not the same kind of mp4 as in this bug.
I haven't checked it yet, but I think it is not the same problem as this bug.
(Assignee)

Comment 16

a year ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #14)
> Is there a user impact here that justifies uplift to Beta for 57 or can this
> ride the 58 train?

It is an invalid stream; the 58 train is good enough.
Flags: needinfo?(ayang)
status-firefox57: affected → wontfix
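
Added example, not the mp4parse_capi code or the landed patch: a simplified sample-to-chunk expansion showing why an invalid stream trips "attempt to subtract with overflow" only where overflow checks are enabled, and how a checked subtraction rejects the stream instead. The `StscEntry` type, the function names and both sample tables are assumptions constructed for illustration.

```rust
// Added illustration; type and function names are hypothetical, not mp4parse_capi's.

/// One `stsc` (sample-to-chunk) entry: a run of chunks that starts at
/// `first_chunk` (1-based) and holds `samples_per_chunk` samples per chunk.
#[derive(Clone, Copy)]
pub struct StscEntry {
    pub first_chunk: u32,
    pub samples_per_chunk: u32,
}

/// Value an unchecked `next - first` yields when overflow checks are off
/// (the default release profile). With checks on, the same expression panics
/// with "attempt to subtract with overflow".
pub fn run_len_unchecked_release(first: u32, next: u32) -> u32 {
    next.wrapping_sub(first)
}

/// Expands entries into (chunk_id, samples_per_chunk) pairs. `chunk_count` is
/// the length of the already-parsed chunk offset table. Returns None for an
/// invalid stream instead of panicking or wrapping.
pub fn expand(entries: &[StscEntry], chunk_count: u32) -> Option<Vec<(u32, u32)>> {
    let mut out = Vec::new();
    for (i, e) in entries.iter().enumerate() {
        // A run ends where the next entry starts, or just past the last chunk.
        let end = match entries.get(i + 1) {
            Some(next) => next.first_chunk,
            None => chunk_count.checked_add(1)?,
        };
        // None when the file lists first_chunk values out of order.
        let len = end.checked_sub(e.first_chunk)?;
        // Chunk ids are 1-based and must stay inside the offset table; this
        // also caps the total output at chunk_count items. `end - 1` cannot
        // underflow: end >= first_chunk >= 1 once the first test passes.
        if e.first_chunk == 0 || end - 1 > chunk_count {
            return None;
        }
        out.extend((0..len).map(|k| (e.first_chunk + k, e.samples_per_chunk)));
    }
    Some(out)
}

fn main() {
    let ok = [StscEntry { first_chunk: 1, samples_per_chunk: 3 },
              StscEntry { first_chunk: 3, samples_per_chunk: 2 }];
    // Constructed invalid table: first_chunk goes backwards.
    let bad = [StscEntry { first_chunk: 5, samples_per_chunk: 1 },
               StscEntry { first_chunk: 2, samples_per_chunk: 1 }];
    println!("{:?} {:?} {}", expand(&ok, 4), expand(&bad, 8), run_len_unchecked_release(5, 2));
}
```

The wrapped value is what a later loop or allocation would consume as a chunk count in a build without overflow checks, which is why the rejected case returns None rather than a length.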