Open Bug 1442821 Opened 6 years ago Updated 1 year ago

UBSan: member call on address which does not point to an object of type 'mozilla::media::TimeIntervals'

Categories

(Core :: Audio/Video: Playback, defect, P2)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox60 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined) 

This was triggered while loading a video on twitch.tv when built with -fsanitize=vptr

Found with mozilla-central changeset: 406399:f4e33c42faa7

mozilla-central/dom/media/MediaFormatReader.cpp:3466:24: runtime error: member call on address 0x61e0000c5658 which does not point to an object of type 'mozilla::media::TimeIntervals'
0x61e0000c5658: note: object is of type 'mozilla::media::IntervalSet<mozilla::media::TimeUnit>'
 00 e4 e4 e4  38 75 4e f1 e1 7f 00 00  68 56 0c 00 e0 61 00 00  01 00 00 00 04 00 00 80  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'mozilla::media::IntervalSet<mozilla::media::TimeUnit>'
    #0 0x7fe1e42d72e5 in mozilla::MediaFormatReader::UpdateBuffered() mozilla-central/dom/media/MediaFormatReader.cpp:3466:24
    #1 0x7fe1e45ea796 in mozilla::WatchManager<mozilla::ReaderProxy>::PerCallbackWatcher::DoNotify() mozilla-central/objdir-ff-vptr/dist/include/mozilla/StateWatching.h:279:9
    #2 0x7fe1e45eaca7 in applyImpl<mozilla::WatchManager<mozilla::ReaderProxy>::PerCallbackWatcher, void (mozilla::WatchManager<mozilla::ReaderProxy>::PerCallbackWatcher::*)()> mozilla-central/objdir-ff-vptr/dist/include/nsThreadUtils.h:1149:12
    #3 0x7fe1e45eaca7 in apply<mozilla::WatchManager<mozilla::ReaderProxy>::PerCallbackWatcher, void (mozilla::WatchManager<mozilla::ReaderProxy>::PerCallbackWatcher::*)()> mozilla-central/objdir-ff-vptr/dist/include/nsThreadUtils.h:1155
    #4 0x7fe1e45eaca7 in mozilla::detail::RunnableMethodImpl<mozilla::WatchManager<mozilla::ReaderProxy>::PerCallbackWatcher*, void (mozilla::WatchManager<mozilla::ReaderProxy>::PerCallbackWatcher::*)(), true, (mozilla::RunnableKind)0>::Run() mozilla-central/objdir-ff-vptr/dist/include/nsThreadUtils.h:1200
    #5 0x7fe1db62f1b2 in mozilla::AutoTaskDispatcher::DrainDirectTasks() mozilla-central/objdir-ff-vptr/dist/include/mozilla/TaskDispatcher.h:104:10
    #6 0x7fe1db62fc83 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() mozilla-central/objdir-ff-vptr/dist/include/mozilla/TaskDispatcher.h:211:9
    #7 0x7fe1db63aae0 in mozilla::TaskQueue::Runner::Run() mozilla-central/xpcom/threads/TaskQueue.cpp:243:12
    #8 0x7fe1db66590b in nsThreadPool::Run() mozilla-central/xpcom/threads/nsThreadPool.cpp:228:14
    #9 0x7fe1db665f1c in non-virtual thunk to nsThreadPool::Run() mozilla-central/xpcom/threads/nsThreadPool.cpp
    #10 0x7fe1db6581ba in nsThread::ProcessNextEvent(bool, bool*) mozilla-central/xpcom/threads/nsThread.cpp:1040:14
    #11 0x7fe1db699d3e in NS_ProcessNextEvent(nsIThread*, bool) mozilla-central/xpcom/threads/nsThreadUtils.cpp:517:10
    #12 0x7fe1dcfc4408 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) mozilla-central/ipc/glue/MessagePump.cpp:334:20
    #13 0x7fe1dce4745d in RunHandler mozilla-central/ipc/chromium/src/base/message_loop.cc:319:3
    #14 0x7fe1dce4745d in MessageLoop::Run() mozilla-central/ipc/chromium/src/base/message_loop.cc:299
    #15 0x7fe1db64fe40 in nsThread::ThreadFunc(void*) mozilla-central/xpcom/threads/nsThread.cpp:423:11
    #16 0x7fe2017d54ab in _pt_root mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #17 0x7fe202a057fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
    #18 0x7fe201a33b5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Here is another:

mozilla-central/dom/media/MediaFormatReader.cpp:1209:15: runtime error: member call on address 0x61300027fff0 which does not point to an object of type 'mozilla::media::TimeIntervals'
0x61300027fff0: note: object is of type 'mozilla::media::IntervalSet<mozilla::media::TimeUnit>'
 00 20 61 00  38 75 4e f1 e1 7f 00 00  00 00 28 00 30 61 00 00  01 00 00 00 04 00 00 80  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'mozilla::media::IntervalSet<mozilla::media::TimeUnit>'
    #0 0x7fe1e440e131 in mozilla::MediaFormatReader::DemuxerProxy::Wrapper::UpdateBuffered() mozilla-central/dom/media/MediaFormatReader.cpp:1209:15
    #1 0x7fe1e43119de in operator() mozilla-central/dom/media/MediaFormatReader.cpp:1294:28
    #2 0x7fe1e43119de in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::NotifyDataArrived()::$_38, mozilla::MozPromise<bool, mozilla::MediaResult, true> >::Run() mozilla-central/objdir-ff-vptr/dist/include/mozilla/MozPromise.h:1512
    #3 0x7fe1db63aae0 in mozilla::TaskQueue::Runner::Run() mozilla-central/xpcom/threads/TaskQueue.cpp:243:12
    #4 0x7fe1db66590b in nsThreadPool::Run() mozilla-central/xpcom/threads/nsThreadPool.cpp:228:14
    #5 0x7fe1db665f1c in non-virtual thunk to nsThreadPool::Run() mozilla-central/xpcom/threads/nsThreadPool.cpp
    #6 0x7fe1db6581ba in nsThread::ProcessNextEvent(bool, bool*) mozilla-central/xpcom/threads/nsThread.cpp:1040:14
    #7 0x7fe1db699d3e in NS_ProcessNextEvent(nsIThread*, bool) mozilla-central/xpcom/threads/nsThreadUtils.cpp:517:10
    #8 0x7fe1dcfc4408 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) mozilla-central/ipc/glue/MessagePump.cpp:334:20
    #9 0x7fe1dce4745d in RunHandler mozilla-central/ipc/chromium/src/base/message_loop.cc:319:3
    #10 0x7fe1dce4745d in MessageLoop::Run() mozilla-central/ipc/chromium/src/base/message_loop.cc:299
    #11 0x7fe1db64fe40 in nsThread::ThreadFunc(void*) mozilla-central/xpcom/threads/nsThread.cpp:423:11
    #12 0x7fe2017d54ab in _pt_root mozilla-central/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #13 0x7fe202a057fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
    #14 0x7fe201a33b5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Component: Audio/Video → Audio/Video: Playback
jya is the current expert for this code.
Assignee: nobody → jyavenard
Priority: -- → P2
Assignee: jya-moz → nobody
Severity: normal → S3
Blocks: ubsan
You need to log in before you can comment on or make changes to this bug.