Closed Bug 1389299 Opened 7 years ago Closed 7 years ago

OOM in [@ mp4_demuxer::Moof::GetAuxInfo]

Categories

(Core :: Audio/Video: Playback, defect, P1)

Tracking

RESOLVED FIXED
mozilla57
Tracking Status
firefox-esr52 --- unaffected
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- fixed

People

(Reporter: tsmith, Assigned: ayang)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-oom, testcase)

Attachments

(2 files)

Attached video test_case.mp4
==41419==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f64bab0ac57 bp 0x7f64a73fb1d0 sp 0x7f64a73fb1d0 T60)
==41419==The signal is caused by a WRITE memory access.
==41419==Hint: address points to the zero page.
    #0 0x7f64bab0ac56 in NS_ABORT_OOM(unsigned long) src/xpcom/base/nsDebugImpl.cpp:610:3
    #1 0x7f64baa5aedf in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) src/obj-firefox/dist/include/nsTArray-inl.h:128:5
    #2 0x7f64baa3a28d in SetCapacity<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray.h:1820:47
    #3 0x7f64baa3a28d in mp4_demuxer::Moof::GetAuxInfo(mp4_demuxer::AtomType, nsTArray<mozilla::media::Interval<long> >*) src/media/libstagefright/binding/MoofParser.cpp:487
    #4 0x7f64baa39a79 in mp4_demuxer::Moof::ProcessCenc() src/media/libstagefright/binding/MoofParser.cpp:514:8
    #5 0x7f64baa35326 in mp4_demuxer::Moof::Moof(mp4_demuxer::Box&, mp4_demuxer::Trex&, mp4_demuxer::Mvhd&, mp4_demuxer::Mdhd&, mp4_demuxer::Edts&, mp4_demuxer::Sinf&, unsigned long*, bool) src/media/libstagefright/binding/MoofParser.cpp:456:5
    #6 0x7f64baa29ec2 in mp4_demuxer::MoofParser::RebuildFragmentedIndex(mp4_demuxer::BoxContext&) src/media/libstagefright/binding/MoofParser.cpp:66:12
    #7 0x7f64baa18786 in RebuildFragmentedIndex src/media/libstagefright/binding/MoofParser.cpp:36:10
    #8 0x7f64baa18786 in mp4_demuxer::MoofParser::RebuildFragmentedIndex(mozilla::media::IntervalSet<long> const&, bool*) src/media/libstagefright/binding/MoofParser.cpp:52
    #9 0x7f64baa181d1 in mp4_demuxer::Index::UpdateMoofIndex(mozilla::media::IntervalSet<long> const&, bool) src/media/libstagefright/binding/Index.cpp:433:16
    #10 0x7f64c048642f in mozilla::MP4TrackDemuxer::EnsureUpToDateIndex() src/dom/media/fmp4/MP4Demuxer.cpp:407:11
    #11 0x7f64c0485c34 in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MP4Demuxer*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mp4_demuxer::IndiceWrapper const&) src/dom/media/fmp4/MP4Demuxer.cpp:364:3
    #12 0x7f64c0481fdd in mozilla::MP4Demuxer::Init() src/dom/media/fmp4/MP4Demuxer.cpp:221:13
    #13 0x7f64bfe28534 in operator() src/dom/media/MediaFormatReader.cpp:1027:47
    #14 0x7f64bfe28534 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_10, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() src/obj-firefox/dist/include/mozilla/MozPromise.h:1510
    #15 0x7f64bac740a4 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:246:12
    #16 0x7f64baca5de8 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:225:14
    #17 0x7f64baca652c in non-virtual thunk to nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:154:15
    #18 0x7f64bac9c2ee in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1446:14
    #19 0x7f64baca2488 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:480:10
    #20 0x7f64bbaab7f0 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:339:20
    #21 0x7f64bba0ca8b in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #22 0x7f64bba0ca8b in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #23 0x7f64bba0ca8b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #24 0x7f64bac93e8d in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:506:11
    #25 0x7f64d5c85453 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #26 0x7f64d95956b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #27 0x7f64d861e3dc in clone /build/glibc-bfm8X4/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
Flags: in-testsuite?
Version: unspecified → Trunk
Alfredo, 
Can you check it?
Flags: needinfo?(ayang)
Priority: -- → P1
Assignee: nobody → ayang
Flags: needinfo?(ayang)
Comment on attachment 8900603 [details]
Bug 1389299 - use fallible nsTArray to avoid OOM.

https://reviewboard.mozilla.org/r/172014/#review177294
Attachment #8900603 - Flags: review?(kinetik) → review+
(In reply to Matthew Gregan [:kinetik] from comment #3)
> Comment on attachment 8900603 [details]
> Bug 1389299 - use fallible nsTArray to avoid OOM.
> 
> https://reviewboard.mozilla.org/r/172014/#review177294

Thanks for the quick review!
Pushed by ayang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/81dd51cf8168
use fallible nsTArray to avoid OOM. r=kinetik
https://hg.mozilla.org/mozilla-central/rev/81dd51cf8168
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Is there a user impact here that justifies backport consideration or can this ride the 57 train?
Flags: needinfo?(ayang)
Flags: in-testsuite?
Flags: in-testsuite+
(In reply to Ryan VanderMeulen [:RyanVM] from comment #8)
> Is there a user impact here that justifies backport consideration or can
> this ride the 57 train?

That's an invalid stream; riding the 57 train should be good enough.
Flags: needinfo?(ayang)
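Added example, not part of the bug thread and not the landed Mozilla patch: the pattern named in the commit title, sketched with std::vector standing in for nsTArray. The table layout, `FallibleReserve` and `ParseOffsetTable` are hypothetical names constructed for illustration, and the length-versus-count check goes beyond what the commit title states.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>
#include <stdexcept>
#include <vector>

// Reserve without aborting: allocation failure becomes a return value
// the parser can turn into "reject this stream".
template <typename T>
bool FallibleReserve(std::vector<T>& v, size_t n) {
  try {
    v.reserve(n);
    return true;
  } catch (const std::bad_alloc&) {
    return false;  // allocator could not satisfy the request
  } catch (const std::length_error&) {
    return false;  // n exceeds vector::max_size()
  }
}

// Read a big-endian unsigned integer of `bytes` width.
static uint64_t ReadBE(const uint8_t* p, size_t bytes) {
  uint64_t v = 0;
  for (size_t i = 0; i < bytes; i++) v = (v << 8) | p[i];
  return v;
}

// Hypothetical table (constructed for this example): a 32-bit entry count
// followed by that many 64-bit offsets, all taken from the untrusted stream.
bool ParseOffsetTable(const uint8_t* data, size_t len,
                      std::vector<uint64_t>* out) {
  if (len < 4) return false;
  const size_t count = static_cast<size_t>(ReadBE(data, 4));
  // The declared count cannot exceed what the remaining bytes can hold.
  if (count > (len - 4) / 8) return false;
  // Even a plausible count must not be able to abort the process.
  if (!FallibleReserve(*out, count)) return false;
  for (size_t i = 0; i < count; i++)
    out->push_back(ReadBE(data + 4 + 8 * i, 8));
  return true;
}

int main() {
  // Constructed input: count field of 0xFFFFFFFF with one entry of payload.
  const uint8_t hostile[] = {0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0, 0, 0, 0, 1};
  std::vector<uint64_t> out;
  return ParseOffsetTable(hostile, sizeof hostile, &out) ? 1 : 0;
}
```
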