Open Bug 1462111 Opened 2 years ago Updated 2 years ago

Crash [@ mozilla::ReaderProxy::ResetDecode]

Categories

(Core :: Audio/Video: Playback, defect, P3, critical)

59 Branch
defect

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file trigger.html (obsolete)
Testcase found while fuzzing mozilla-central rev 3c9d69736f4a421218e5eb01b6571d535d38318a.

The attached testcase is not fully reduced.  Further reduction caused it to be unreliable.  In order to reproduce this issue, you must serve up the attached files using a local webserver and navigate to harness.html as the entry-point.

==31485==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd1e3508451 bp 0x7fd1bdd57950 sp 0x7fd1bdd57930 T35)
==31485==The signal is caused by a WRITE memory access.
==31485==Hint: address points to the zero page.
    #0 0x7fd1e3508450 in mozilla::ReaderProxy::ResetDecode(mozilla::EnumSet<mozilla::TrackInfo::TrackType>) /builds/worker/workspace/build/src/dom/media/ReaderProxy.cpp:227:3
    #1 0x7fd1e3506566 in mozilla::ReaderProxy::OnAudioDataRequestFailed(mozilla::MediaResult const&) /builds/worker/workspace/build/src/dom/media/ReaderProxy.cpp:99:3
    #2 0x7fd1e35145c2 in InvokeMethod<mozilla::ReaderProxy, RefPtr<mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true> > (mozilla::ReaderProxy::*)(const mozilla::MediaResult &), mozilla::MediaResult> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:520:12
    #3 0x7fd1e35145c2 in InvokeCallbackMethod<true, mozilla::ReaderProxy, RefPtr<mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true> > (mozilla::ReaderProxy::*)(const mozilla::MediaResult &), mozilla::MediaResult, RefPtr<mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true>::Private> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:544
    #4 0x7fd1e35145c2 in mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true>::ThenValue<mozilla::ReaderProxy*, RefPtr<mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true> > (mozilla::ReaderProxy::*)(RefPtr<mozilla::AudioData>), RefPtr<mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true> > (mozilla::ReaderProxy::*)(mozilla::MediaResult const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true>::ResolveOrRejectValue&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:631
    #5 0x7fd1e33a509e in mozilla::MozPromise<RefPtr<mozilla::AudioData>, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:402:21
    #6 0x7fd1dcf15c88 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:214:37
    #7 0x7fd1dcf2271d in mozilla::TaskQueue::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:243:12
    #8 0x7fd1dcf51c67 in nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:229:14
    #9 0x7fd1dcf523dc in non-virtual thunk to nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp
    #10 0x7fd1dcf3b096 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #11 0x7fd1dcf56fd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #12 0x7fd1dde3820b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #13 0x7fd1ddd8a8a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #14 0x7fd1ddd8a8a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #15 0x7fd1ddd8a8a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #16 0x7fd1dcf35948 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:425:11
    #17 0x7fd1fa70e47e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #18 0x7fd1fdd146b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #19 0x7fd1fcd9141c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/media/ReaderProxy.cpp:227:3 in mozilla::ReaderProxy::ResetDecode(mozilla::EnumSet<mozilla::TrackInfo::TrackType>)
Thread T35 (MediaPl~back #3) created by T29 (MediaPl~back #1) here:
    #0 0x4ae80d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fd1fa70b1cf in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fd1fa70adbe in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fd1dcf378c3 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:608:8
    #4 0x7fd1dcf40eaa in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fd1dcf509bf in NS_NewNamedThread /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fd1dcf509bf in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7fd1dcf52596 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:278:5
    #8 0x7fd1dcf2130b in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:125:26
    #9 0x7fd1dcf43651 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskQueue.h:71:14
    #10 0x7fd1dcf13dbe in DispatchTaskGroup /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:265:20
    #11 0x7fd1dcf13dbe in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:90
    #12 0x7fd1dcf227e1 in ~AutoTaskGuard /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskQueue.h:176:5
    #13 0x7fd1dcf227e1 in mozilla::TaskQueue::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:244
    #14 0x7fd1dcf51c67 in nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:229:14
    #15 0x7fd1dcf523dc in non-virtual thunk to nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp
    #16 0x7fd1dcf3b096 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #17 0x7fd1dcf56fd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #18 0x7fd1dde3820b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #19 0x7fd1ddd8a8a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #20 0x7fd1ddd8a8a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #21 0x7fd1ddd8a8a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #22 0x7fd1dcf35948 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:425:11
    #23 0x7fd1fa70e47e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #24 0x7fd1fdd146b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T29 (MediaPl~back #1) created by T0 (file:// Content) here:
    #0 0x4ae80d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7fd1fa70b1cf in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fd1fa70adbe in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fd1dcf378c3 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:608:8
    #4 0x7fd1dcf40eaa in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7fd1dcf509bf in NS_NewNamedThread /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7fd1dcf509bf in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7fd1dcf52596 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:278:5
    #8 0x7fd1dcf2130b in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:125:26
    #9 0x7fd1dcf43651 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskQueue.h:71:14
    #10 0x7fd1dcf13dbe in DispatchTaskGroup /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:265:20
    #11 0x7fd1dcf13dbe in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:90
    #12 0x7fd1dcf1343c in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:496:17
    #13 0x7fd1dcf1343c in mozilla::EventTargetWrapper::FireTailDispatcher() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:75
    #14 0x7fd1dcf17924 in applyImpl<mozilla::EventTargetWrapper, void (mozilla::EventTargetWrapper::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1165:12
    #15 0x7fd1dcf17924 in apply<mozilla::EventTargetWrapper, void (mozilla::EventTargetWrapper::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #16 0x7fd1dcf17924 in mozilla::detail::RunnableMethodImpl<mozilla::EventTargetWrapper*, void (mozilla::EventTargetWrapper::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1216
    #17 0x7fd1dcd94670 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:312:12
    #18 0x7fd1dcd96805 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:377:3
    #19 0x7fd1de828e3d in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1258:30
    #20 0x7fd1dcf3b91d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1125:24
    #21 0x7fd1dcf56fd0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #22 0x7fd1dde3721a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #23 0x7fd1ddd8a8a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #24 0x7fd1ddd8a8a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #25 0x7fd1ddd8a8a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #26 0x7fd1e498c4da in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #27 0x7fd1e8bd968b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #28 0x7fd1ddd8a8a9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #29 0x7fd1ddd8a8a9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #30 0x7fd1ddd8a8a9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #31 0x7fd1e8bd9050 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #32 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #33 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #34 0x7fd1fccaa82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
Flags: in-testsuite?
Attached file harness.html
Component: Audio/Video → Audio/Video: Playback
Error is on a MOZ_DIAGNOSTIC_ASSERT that a task dispatch succeeded.
I can't reproduce here with the trigger.html page.
The JS doesn't even load due to the error: "domino is not defined", line 61.
Flags: needinfo?(jkratzer)
Priority: -- → P3
Attached file trigger.html
Apologies.  Looks like I uploaded an incomplete version of the testcase.
Attachment #8976289 - Attachment is obsolete: true
Flags: needinfo?(jkratzer)
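
An added triage example, not part of the bug report or of Mozilla's tooling: it parses the AddressSanitizer header and crash stack from the report above and derives the "[@ ...]" signature used in the bug title, the source location and the access type. The function name `triage` and the verdict labels are this example's own assumptions; `SAMPLE` is an excerpt of the report embedded inline.

```python
import re

# Excerpt of the report above (header, first frames), embedded to run offline.
SAMPLE = """\
==31485==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd1e3508451 bp 0x7fd1bdd57950 sp 0x7fd1bdd57930 T35)
==31485==The signal is caused by a WRITE memory access.
==31485==Hint: address points to the zero page.
    #0 0x7fd1e3508450 in mozilla::ReaderProxy::ResetDecode(mozilla::EnumSet<mozilla::TrackInfo::TrackType>) /builds/worker/workspace/build/src/dom/media/ReaderProxy.cpp:227:3
    #1 0x7fd1e3506566 in mozilla::ReaderProxy::OnAudioDataRequestFailed(mozilla::MediaResult const&) /builds/worker/workspace/build/src/dom/media/ReaderProxy.cpp:99:3
Thread T35 (MediaPl~back #3) created by T29 (MediaPl~back #1) here:
    #0 0x4ae80d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
"""

HEADER = re.compile(r"AddressSanitizer: (\w+) on unknown address (0x[0-9a-f]+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+)$")

def triage(report):
    """Summarise the crashing thread of an ASan SEGV report for bucketing."""
    head = HEADER.search(report)
    if head is None:
        raise ValueError("no AddressSanitizer SEGV header found")
    access = ACCESS.search(report)
    frames = []
    for line in report[head.end():].splitlines():
        m = FRAME.match(line)
        if m:
            frames.append(m.groups())
        elif frames:
            break  # crash stack is over; what follows are thread-creation stacks
    if not frames:
        raise ValueError("no stack frames after the header")
    func, loc = frames[0]
    path, _, rest = loc.partition(":")
    addr = int(head.group(2), 16)
    kind = access.group(1) if access else "UNKNOWN"
    if addr < 0x1000:
        # Heuristic assumed by this example, not an ASan verdict; confirm at the source line.
        verdict = "deliberate-crash candidate" if kind == "WRITE" else "null dereference"
    else:
        verdict = "wild access"
    return {
        "signature": "[@ %s]" % re.split(r"[(<]", func)[0],
        "source": "%s:%s" % (path.rsplit("/", 1)[-1], rest.split(":")[0]),
        "access": kind,
        "address": addr,
        "depth": len(frames),
        "verdict": verdict,
    }
```

Only the crashing thread's frames are counted; the thread-creation stacks that follow are skipped so they cannot affect the bucket.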