Crash in [@ mozilla::CheckedInt<T>::value] via AudioSink::NotifyAudioNeeded

RESOLVED FIXED in Firefox 68

Status


defect
P1
critical
Rank:
9
RESOLVED FIXED
3 months ago
2 months ago

People

(Reporter: mccr8, Assigned: alwu)

Tracking

(Regression, {crash, regression})

unspecified
mozilla68
Unspecified
Android
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox-esr60 unaffected, firefox66 wontfix, firefox67 wontfix, firefox68 fixed)

Details

(Whiteboard: [geckoview:fenix:m4][gvtv:p1][media-q2], crash signature)

Attachments

(1 attachment)

Reporter

Description

3 months ago

This bug is for crash report bp-2c32d602-5a18-46e1-8b5b-b30bc0190401.

Top 10 frames of crashing thread:

0 libxul.so mozilla::CheckedInt<long long>::value const mfbt/CheckedInt.h:535
1 libxul.so mozilla::TimeUnitToFrames dom/media/TimeUnits.h:88
2 libxul.so mozilla::AudioSink::NotifyAudioNeeded dom/media/mediasink/AudioSink.cpp:378
3 libxul.so mozilla::detail::RunnableMethodImpl<RefPtr<mozilla::MediaFormatReader> const, void  xpcom/threads/nsThreadUtils.h:1128
4 libxul.so mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run xpcom/threads/TaskDispatcher.h:197
5 libxul.so mozilla::TaskQueue::Runner::Run xpcom/threads/TaskQueue.cpp:199
6 libxul.so nsThreadPool::Run xpcom/threads/nsThreadPool.cpp:244
7 libxul.so non-virtual thunk to nsThreadPool::Run xpcom/threads/nsThreadPool.cpp
8 libxul.so nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1180
9 libxul.so NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:482

Alex made integer overflow checks into release asserts, and this is one of the crashes. It is Android-only.

Reporter

Updated

3 months ago
Blocks: 1533777
Rank: 9
Priority: -- → P1
Whiteboard: [geckoview:fenix:m4][gvtv:p1]

This CheckedInt assertion failure is a top crash for Fennec 68 Nightly.

Whiteboard: [geckoview:fenix:m4][gvtv:p1] → [geckoview:fenix:m4][gvtv:p1][media-q2]

Jean-Yves, is this something you can take a look at (feel free to redirect if you don't have enough cycles in between colour conversion)?

Flags: needinfo?(jyavenard)

Realized that it's probably easier to address this together with other bugs.

Flags: needinfo?(jyavenard)
Depends on: 1540748
Assignee

Updated

2 months ago
Assignee: nobody → alwu
Assignee

Comment 4

2 months ago

It's possible to overflow if mStartTime contains a super large value or mTime contains a super small negative value.

Attachment #9057409 - Attachment description: Bug 1540746 - ensure 'timeOffset' should not overflow. → Bug 1540746 - TimeUnitToFrames() should handle the case where the input TimeInit is overflow.
Attachment #9057409 - Attachment description: Bug 1540746 - TimeUnitToFrames() should handle the case where the input TimeInit is overflow. → Bug 1540746 - TimeUnitToFrames() should handle the case where the input TimeUnit is overflow.

Comment 5

2 months ago
Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6ecaea77b9d5
TimeUnitToFrames() should handle the case where the input TimeUnit is overflow. r=jya

Comment 6

2 months ago
Backout by aiakab@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/50efd1672ffb
Backed out changeset 6ecaea77b9d5 for causing multiple build bustages on CheckedInt.h CLOSED TREE
Assignee

Comment 8

2 months ago

Sorry, will update my patch.

Flags: needinfo?(alwu)

Alastor, should we uplift your TimeUnit fix to 67 Beta? I know CheckedInt's MOZ_RELEASE_ASSERT check is not in 67 Beta, but is this TimeUnit overflow a bug that could affect 67 Beta?

Flags: needinfo?(alwu)

Comment 10

2 months ago
Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/473513f68366
TimeUnitToFrames() should handle the case where the input TimeUnit is overflow. r=jya

Comment 11

2 months ago
bugherder
Status: NEW → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Assignee

Comment 12

2 months ago

As this one is a tiny fix, we could uplift it with low risk; we're not sure it would help with 67 though.

Flags: needinfo?(alwu)
Assignee

Comment 13

2 months ago

Comment on attachment 9057409 [details]
Bug 1540746 - TimeUnitToFrames() should handle the case where the input TimeUnit is overflow.

Beta/Release Uplift Approval Request

  • User impact if declined: An integer overflow might happen, which would cause unexpected behaviors.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This fix contains a simple check to know whether the overflow happens; if so, it returns an error. So it's like an enhancement; we didn't change any behavior or introduce new functionality.
  • String changes made/needed:
Attachment #9057409 - Flags: approval-mozilla-beta?
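An added illustration, not Firefox's code and not the patch attached to this bug, of the failure mode in the report and the kind of guard the uplift request describes: a small checked integer, a microseconds-to-frames conversion, and the mTime - mStartTime offset from comment 4. `Checked64`, `UsecsToFrames` and `OffsetToFrames` are names chosen here, and the GCC/Clang `__builtin_*_overflow` helpers are assumed available.

```cpp
#include <cstdint>
#include <limits>

// Minimal checked 64-bit integer written for this example (not mozilla's
// CheckedInt): an operation that overflows leaves the result marked invalid,
// and calling value() on an invalid result is exactly what CheckedInt's
// release assert turns into the crash reported above.
class Checked64 {
 public:
  explicit Checked64(int64_t v) : mValue(v), mValid(true) {}
  bool isValid() const { return mValid; }
  int64_t value() const { return mValue; }  // only meaningful when isValid()
  Checked64 operator-(const Checked64& rhs) const {
    int64_t out;
    if (!mValid || !rhs.mValid || __builtin_sub_overflow(mValue, rhs.mValue, &out))
      return Invalid();
    return Checked64(out);
  }
  Checked64 operator*(int64_t rhs) const {
    int64_t out;
    if (!mValid || __builtin_mul_overflow(mValue, rhs, &out)) return Invalid();
    return Checked64(out);
  }
  Checked64 operator/(int64_t rhs) const {
    if (!mValid || rhs == 0) return Invalid();
    return Checked64(mValue / rhs);  // rhs is a positive constant below
  }

 private:
  static Checked64 Invalid() { Checked64 c(0); c.mValid = false; return c; }
  int64_t mValue;
  bool mValid;
};

constexpr int64_t kUsecsPerSec = 1000000;

// Microseconds -> audio frames at aRate. The early isValid() test is the
// kind of guard the fix describes: an already-overflowed input is propagated
// as an invalid result instead of being unwrapped with value().
Checked64 UsecsToFrames(const Checked64& aUsecs, uint32_t aRate) {
  if (!aUsecs.isValid()) return aUsecs;
  return (aUsecs * int64_t(aRate)) / kUsecsPerSec;
}

// The offset from comment 4: mTime - mStartTime. A huge mStartTime or a very
// negative mTime overflows here, before the conversion even runs.
Checked64 OffsetToFrames(int64_t aTimeUs, int64_t aStartTimeUs, uint32_t aRate) {
  return UsecsToFrames(Checked64(aTimeUs) - Checked64(aStartTimeUs), aRate);
}
```

Callers test isValid() and bail out with an error; the invalid result is never unwrapped, so the release assert in value() is not reached.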

Comment on attachment 9057409 [details]
Bug 1540746 - TimeUnitToFrames() should handle the case where the input TimeUnit is overflow.

It's a tiny fix but we have no crash reported for this signature on beta, so I don't think we need to uplift new code. Thanks

Attachment #9057409 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
No longer blocks: 1533777
Regressed by: 1533777