Assertion failure: mSrcStreamPausedGraphTime == GRAPH_TIME_MAX, at /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:4665

RESOLVED FIXED in Firefox 66

Status

defect
P2
normal
Rank: 15
RESOLVED FIXED
8 months ago
7 months ago

People

(Reporter: jkratzer, Assigned: pehrsons)

Tracking

(Blocks 1 bug, {assertion, testcase})

Trunk
mozilla66
Points: ---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox64 unaffected, firefox65 wontfix, firefox66 fixed)

Details

Attachments

(3 attachments)

Posted file testcase.html
Testcase found while fuzzing mozilla-central rev 7ce7e9407a75.

Assertion failure: mSrcStreamPausedGraphTime == GRAPH_TIME_MAX, at /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:4665

OS|Linux|0.0.0 Linux 4.15.0-42-generic #45-Ubuntu SMP Thu Nov 15 19:32:57 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV /SEGV_MAPERR|0x0|0
0|0|libxul.so|mozilla::dom::HTMLMediaElement::UpdateSrcStreamTime()|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLMediaElement.cpp:7ce7e9407a751e1047379635510c0acdc6486200|4665|0x0
0|1|libxul.so|mozilla::WatchManager<mozilla::dom::HTMLMediaElement>::PerCallbackWatcher::Notify()::{lambda()#1}::operator()() const|||0x78
0|2|libxul.so|mozilla::detail::RunnableFunction<mozilla::WatchManager<mozilla::dom::HTMLMediaElement>::PerCallbackWatcher::Notify()::{lambda()#1}>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:7ce7e9407a751e1047379635510c0acdc6486200|546|0x5
0|3|libxul.so|mozilla::AutoTaskDispatcher::DrainDirectTasks()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskDispatcher.h:7ce7e9407a751e1047379635510c0acdc6486200|99|0x11
0|4|libxul.so|mozilla::EventTargetWrapper::FireTailDispatcher()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:7ce7e9407a751e1047379635510c0acdc6486200|73|0x15
0|5|libxul.so|mozilla::detail::RunnableMethodImpl<mozilla::EventTargetWrapper*, void (mozilla::EventTargetWrapper::*)(), true, (mozilla::RunnableKind)0>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:7ce7e9407a751e1047379635510c0acdc6486200|1106|0x13
0|6|libxul.so|mozilla::CycleCollectedJSContext::ProcessStableStateQueue()|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:7ce7e9407a751e1047379635510c0acdc6486200|338|0x11
0|7|libxul.so|mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSContext.cpp:7ce7e9407a751e1047379635510c0acdc6486200|397|0x8
0|8|libxul.so|XPCJSContext::AfterProcessTask(unsigned int)|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCJSContext.cpp:7ce7e9407a751e1047379635510c0acdc6486200|1252|0xb
0|9|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:7ce7e9407a751e1047379635510c0acdc6486200|1215|0xc
0|10|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:7ce7e9407a751e1047379635510c0acdc6486200|468|0x11
0|11|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:7ce7e9407a751e1047379635510c0acdc6486200|88|0xa
0|12|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7ce7e9407a751e1047379635510c0acdc6486200|314|0x17
0|13|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7ce7e9407a751e1047379635510c0acdc6486200|307|0x8
0|14|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:7ce7e9407a751e1047379635510c0acdc6486200|137|0xd
0|15|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:7ce7e9407a751e1047379635510c0acdc6486200|915|0x11
0|16|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:7ce7e9407a751e1047379635510c0acdc6486200|238|0x5
0|17|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7ce7e9407a751e1047379635510c0acdc6486200|314|0x17
0|18|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:7ce7e9407a751e1047379635510c0acdc6486200|307|0x8
0|19|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:7ce7e9407a751e1047379635510c0acdc6486200|753|0xc
0|20|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:7ce7e9407a751e1047379635510c0acdc6486200|49|0x14
0|21|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:7ce7e9407a751e1047379635510c0acdc6486200|265|0x11
0|22|libc-2.27.so||||0x21b97
0|23|firefox-bin|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:7ce7e9407a751e1047379635510c0acdc6486200|169|0x5
Flags: in-testsuite?
The assertion was added in bug 1423241. :pehrsons, do you have any idea what's happened here? Thanks.
Flags: needinfo?(apehrson)
Assignee: nobody → apehrson
Blocks: 1423241
Component: DOM → WebRTC: Audio/Video
Flags: needinfo?(apehrson)
Just loading this testcase doesn't reproduce it for me. I tried flipping some autoplay prefs to make it allowed to play and all, but no luck. What are the instructions for running this?
Flags: needinfo?(jkratzer)
Andreas, could you try again using the attached prefs?  You can use ffpuppet (https://github.com/MozillaSecurity/ffpuppet) to automatically create a new profile using those prefs.

python -m ffpuppet -p prefs-default-e10s.js ~/firefox/firefox -u testcase.html
Flags: needinfo?(jkratzer)
Rank: 15
Priority: -- → P2
This is failing consistently for me today when I join a call on https://meet.google.com (in an opt+debug build, both Linux and OS X).
STR, just in case:
* start a meet.google.com meeting while logged into a Google account
* from a second computer join the meeting while not logged into a Google account, request permission to join the meeting
* from the first computer, approve the new participant
* the assertion then fires on the second computer
(In reply to Jason Kratzer [:jkratzer] from comment #3)
> Created attachment 9032947 [details]
> prefs-default-e10s.js
> 
> Andreas, could you try again using the attached prefs?  You can use ffpuppet
> (https://github.com/MozillaSecurity/ffpuppet) to automatically create a new
> profile using those prefs.
> 
> python -m ffpuppet -p prefs-default-e10s.js ~/firefox/firefox -u
> testcase.html

Thanks, this worked, even under rr.
Status: NEW → ASSIGNED
So this happens because the watch manager dispatches the updated values and makes the whole thing async. So after the time is updated we might still get paused before UpdateSrcStreamTime() runs.

I'll probably have to drop the asserts. It's not such a big deal, but it'd be nice to be certain that no updates are dispatched while we're paused, as it's nothing but wasted cycles.
This is harmless in non-debug and we should honestly have spotted it sooner. I'm not gonna bother with a crashtest.
This can legitimately happen while paused since the watchmanager calling this
is dispatching the calls. As such they're out of sync with the paused state,
and we need to allow updating the time while paused.

FireTimeUpdate does ignore the call if the time hasn't actually been updated,
so the only impact from this is that we could do a lot of unnecessary
dispatching while paused without noticing.
Pushed by pehrsons@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/efed3e60a249
Allow UpdateSrcStreamTime while paused. r=jya
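
The race described in the comments above, as an added C++ example that is not Firefox code or part of the patch: a watcher callback is dispatched rather than run inline, so the paused state can change before it runs. TaskQueue, Element and every member name are hypothetical stand-ins.

```cpp
// Added illustration, not Firefox code; all names here are hypothetical.
#include <cstdint>
#include <functional>
#include <queue>
#include <utility>

// Stand-in for a dispatcher: callbacks are queued and run on a later drain.
struct TaskQueue {
  std::queue<std::function<void()>> tasks;
  void Dispatch(std::function<void()> f) { tasks.push(std::move(f)); }
  void Drain() { for (; !tasks.empty(); tasks.pop()) tasks.front()(); }
};

struct Element {
  TaskQueue& queue;
  bool paused = false;
  std::int64_t streamTime = 0;     // watched value
  std::int64_t reportedTime = -1;  // last time surfaced to listeners
  int timeUpdates = 0;             // non-redundant updates delivered
  int staleCallbacks = 0;          // callbacks that ran after a pause
  explicit Element(TaskQueue& q) : queue(q) {}
  // A change to the watched value queues the callback instead of running it.
  void SetStreamTime(std::int64_t t) {
    streamTime = t;
    queue.Dispatch([this] { OnTimeChanged(); });
  }
  void Pause() { paused = true; }

  // paused may have flipped since dispatch, so it cannot be asserted here.
  void OnTimeChanged() {
    if (paused) ++staleCallbacks;  // an assert(!paused) would abort here
    if (streamTime == reportedTime) return;  // drop redundant updates
    reportedTime = streamTime;
    ++timeUpdates;
  }
};

struct Result { int timeUpdates; int staleCallbacks; std::int64_t reportedTime; };
// Constructed scenario: time advances, then pause lands before the drain.
Result RunScenario() {
  TaskQueue q;
  Element e(q);
  e.SetStreamTime(100);  // queued while playing
  e.Pause();             // state changes before the callback runs
  e.SetStreamTime(100);  // redundant notification queued while paused
  q.Drain();
  return {e.timeUpdates, e.staleCallbacks, e.reportedTime};
}
int main() { return RunScenario().timeUpdates == 1 ? 0 : 1; }
```

Both callbacks run after the pause, yet only one time update is delivered; the second is dropped as redundant, which is the wasted dispatching the comments mention.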

Comment on attachment 9034430 [details]
Bug 1515068 - Allow UpdateSrcStreamTime while paused. r?jya

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1423241

User impact if declined: Debug build assertion failures

Is this code covered by automated tests?: No

Has the fix been verified in Nightly?: No

Needs manual test from QE?: No

If yes, steps to reproduce:

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): Removes a few assertions that can legitimately happen. There's a change to logic too, but it's trivial and simply ignores redundant currentTime updates.

String changes made/needed:

Attachment #9034430 - Flags: approval-mozilla-beta?
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

Comment on attachment 9034430 [details]
Bug 1515068 - Allow UpdateSrcStreamTime while paused. r?jya

Given that there's no real user impact here outside of debug builds, I think this can just ride the trains.

Attachment #9034430 - Flags: approval-mozilla-beta? → approval-mozilla-beta-