Closed Bug 1540830 Opened 1 year ago Closed 1 year ago

crash in [@ dav1d_lpf_v_sb_y_avx2]

Categories

(Core :: Audio/Video: Playback, defect, P2)

defect

Tracking

()

VERIFIED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- verified

People

(Reporter: tsmith, Assigned: achronop)

References

(Blocks 1 open bug)

Details

(4 keywords)

Crash Data

Attachments

(3 files)

Attached video testcase.webm

Found with m-c 20190331-339760ce8b1f

This does not reproduce on ASan builds.

This can be triggered by playing the attached test case a few times.

rax = 0x0000000000000008   rdx = 0x00007ffbe5ffdd4b
rcx = 0x00007ffbe3cfff61   rbx = 0x00007ffbe4e49d60
rsi = 0x0000000000000080   rdi = 0x00007ffbe4e49e60
rbp = 0x00007ffbe5ffdc48   rsp = 0x00007ffbe5ffdae0
r8 = 0x0000000000000080    r9 = 0x00007ffbe68fd310
r10 = 0x0000000000000180   r11 = 0xffffffffffffff80
r12 = 0x0000000000000020   r13 = 0x00007ffbe3c44af4
r14 = 0x000000000000001f   r15 = 0x00007ffbe4e49e00
rip = 0x00007ffbef0fcc68
OS|Linux|0.0.0 Linux 4.15.0-46-generic #49~16.04.1-Ubuntu SMP Tue Feb 12 17:45:24 UTC 2019 x86_64
CPU|amd64|family 6 model 158 stepping 9|1
GPU|||
Crash|SIGSEGV|0x7ffbe3d00000|9
9|0|libxul.so|dav1d_lpf_v_sb_y_avx2|||0x1218
9|1|||||0x7ffbe68fc3a0
9|2|libxul.so|dav1d_filter_sbrow_8bpc|s3:gecko-generated-sources:2d154ba6ba009b6a4265ead533a825e7e7079ff614273882b072deef2d5939265757e3062ee939943a9cd0fcf3e816650d805130a7233a6a328aff4deb13111a/media/libdav1d/8bd_recon_tmpl.c:|1602|0x19
9|3|libxul.so|dav1d_decode_frame|hg:hg.mozilla.org/mozilla-central:third_party/dav1d/src/decode.c:a5a5ddfb5178f8a2b30d186d3cf478da38f324ba|2979|0xc
9|4|libxul.so|dav1d_frame_task|hg:hg.mozilla.org/mozilla-central:third_party/dav1d/src/thread_task.c:a5a5ddfb5178f8a2b30d186d3cf478da38f324ba|44|0x8
9|5|libpthread-2.23.so||||0x76ba
9|6|libc-2.23.so||||0x10741d
Flags: in-testsuite?

Alex is this a known problem?

Flags: needinfo?(achronop)
Priority: -- → P2

We haven't had a crash on Linux for a long time now. I am testing here but I cannot repro. I am creating a debug build to test there also. Can you reproduce every time? Are you using an opt build?

Flags: needinfo?(achronop)

(In reply to Alex Chronopoulos [:achronop] from comment #2)

Can you reproduce every time?

After a few refreshes once the video plays (less than 30 seconds of trying). The most consistent way to reproduce is to open the video in a few tabs and hit F5 repeatedly in one tab.

Are you using an opt build?

Opt and debug.

I just verified again with m-c:
Changeset: 41e4fc459ec96f96d1e49a203717a7d233f075ce
Build ID: 20190402142436

From https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux-opt

Thanks Tyson, I reproduced on the builds from the task cluster and this morning I mananged to reproduce it on a local (opt) build with symbols. I have opened a bug upstream on dav1d repository: https://code.videolan.org/videolan/dav1d/issues/269

Based on the upstream bug report, this is a real memory overread, but is unlikely to lead to an information leak because the overread byte does not contribute to the output. That said, it's still a crash so we need to fix it.

That said, do you think we can remove the secure flag?

Group: media-core-security
Keywords: csectype-bounds

The fix has landed upstream. We need a new import to bring it in.

Assignee: nobody → achronop
Pushed by achronopoulos@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a5108ffbd311
Update dav1d from upstream to 1f7a7e8. r=TD-Linux
https://hg.mozilla.org/integration/autoland/rev/8ce9905a2eec
Update build files after new import. r=TD-Linux
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Regressions: 1546070
Regressions: 1546071
Crash Signature: [@ dav1d_lpf_v_sb_y_avx2]

Comment on attachment 9059510 [details]
Bug 1540830 - Update dav1d from upstream to 1f7a7e8. r?TD-Linux

Beta/Release Uplift Approval Request

  • User impact if declined: Initial support for dav1d ships in 67. This fixes a know crash bug and if combined with the patch from bug 1546070 and gets us into a state where after 7 days in Nightly there are no known crashes any more. AV1 usage in 67 Beta is 11% of all videos watched with Firefox already. Additionally to fixing crashes these patches also result in a decent performance boost. Uplifting these two patches gets us very close to the tip of the dav1d development branch, which makes getting support from the dav1d team a lot easier compared to an older release branch. As seen in bug 1546070 the dav1d team is super responsive with providing fixes if we should encounter any issues in 67.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce: See comment #3
  • List of other uplifts needed: Bug 1546070
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): It's not a small patch, which not only addresses the crash but also comes with performance improvements. Thus there is some risk involved uplifting this. But it has been stable for 7 days in Nightly. If we should encounter problems with this code the dav1d team has been very responsive in providing patches.
  • String changes made/needed: N/A
Attachment #9059510 - Flags: approval-mozilla-beta?
Attachment #9059511 - Flags: approval-mozilla-beta?
Duplicate of this bug: 1548144

We currently don't have enough bake time in nightly to take this uplift in our last beta before RC but I am keeping the uplift request open as I think it could be a good ridealong for a 67 dot release if we do not detect any serious stability regression on Deved/beta 68 in the next 2 to 3 weeks.

Regressions: 1549915

Comment on attachment 9059510 [details]
Bug 1540830 - Update dav1d from upstream to 1f7a7e8. r?TD-Linux

67 is now on mozilla-release.

Attachment #9059510 - Flags: approval-mozilla-beta? → approval-mozilla-release?
Attachment #9059511 - Flags: approval-mozilla-beta? → approval-mozilla-release?
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Hi, Tyson! It seems that I'm having hard times reproducing this bug on Linux 18.04 x64 and 16.04 x86. I've tried several times with the steps from comment 3, but the affected Nightly (20190402142436) build opt and debug does not crash on my end.

Given the fact that I wasn't able to reproduce this bug, could you please help us verify it on your machine, and let us know if it is fixed?

Flags: needinfo?(twsmith)

I have verified the fix in my machine. I have also mentioned that upstream [1]. It's safe to mark it as verified. Feel free to redirect to me any question you may receive about it. Thanks

[1] https://code.videolan.org/videolan/dav1d/issues/269#note_32924

Flags: needinfo?(twsmith)

Thank you! Closing this as verified fixed per comment 17.

Status: RESOLVED → VERIFIED
Flags: qe-verify+

(In reply to Alex Chronopoulos [:achronop] from comment #17)

I have verified the fix in my machine.

Thanks Alex!

Comment on attachment 9059510 [details]
Bug 1540830 - Update dav1d from upstream to 1f7a7e8. r?TD-Linux

Not taking this in a dot release as I am not taking bug 1546070 which is a dependency.

Attachment #9059510 - Flags: approval-mozilla-release? → approval-mozilla-release-
Attachment #9059511 - Flags: approval-mozilla-release? → approval-mozilla-release-
You need to log in before you can comment on or make changes to this bug.