Closed Bug 1563949 Opened 5 years ago Closed 5 years ago

Crash in [@ mozilla::media::TimeUnit::operator<T>]

Categories

(Core :: Audio/Video: Playback, defect, P3)

Product:
Core
Component:
Audio/Video: Playback
Platform:
Unspecified
Windows 10
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: jseward, Assigned: alwu)

References

Details

(Keywords: crash)

Crash Data

Attachments

(5 files)

Bug 1563949 - part1 : add function 'GetEndTimeCode'.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1563949 - part2 : add 'AppendSample' to assert that a sample should always be valid
47 bytes, text/x-phabricator-request
Details | Review
Bug 1563949 - part4 : prevent direct usage of 'AppendElement()' to append sample.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1563949 - part5 : return nullptr when time overflow.
47 bytes, text/x-phabricator-request
Details | Review
Bug 1563949 - part3 : handle invalid sample in demuxer.
47 bytes, text/x-phabricator-request
Details | Review

This bug is for crash report bp-619de1a5-cea9-499c-9db7-59c380190706.

This crash occurs in 3 different installations for the Windows nightly of 20190704094530.

Top 10 frames of crashing thread:

0 xul.dll mozilla::media::TimeUnit::operator<= dom/media/TimeUnits.h
1 xul.dll const class mozilla::MediaRawData* mozilla::TrackBuffersManager::GetSample dom/media/mediasource/TrackBuffersManager.cpp:2532
2 xul.dll struct already_AddRefed<mozilla::MediaRawData> mozilla::TrackBuffersManager::GetSample dom/media/mediasource/TrackBuffersManager.cpp:2575
3 xul.dll class RefPtr<mozilla::MozPromise<RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>, mozilla::MediaResult, 1> > mozilla::MediaSourceTrackDemuxer::DoGetSamples dom/media/mediasource/MediaSourceDemuxer.cpp:426
4 xul.dll nsresult mozilla::detail::ProxyRunnable<mozilla::MozPromise<RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>, mozilla::MediaResult, 1>, RefPtr<mozilla::MozPromise<RefPtr<mozilla::MediaTrackDemuxer::SamplesHolder>, mozilla::MediaResult, 1> >  xpcom/threads/MozPromise.h:1313
5 xul.dll nsresult mozilla::TaskQueue::Runner::Run xpcom/threads/TaskQueue.cpp:199
6 xul.dll nsresult nsThreadPool::Run xpcom/threads/nsThreadPool.cpp:244
7 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:1225
8 xul.dll NS_ProcessNextEvent xpcom/threads/nsThreadUtils.cpp:486
9 xul.dll mozilla::ipc::MessagePumpForNonMainThreads::Run ipc/glue/MessagePump.cpp:333
Flags: needinfo?(jgilbert)
Flags: needinfo?(jgilbert) → needinfo?(drno)

This is a checkedint assertion failure.
MOZ_RELEASE_ASSERT(mIsValid) (Invalid checked integer (division by zero or integer overflow))

Looks like a long standing low frequency assert crash.
Jean-Yves do you have a quick idea what could be going wrong here?

Flags: needinfo?(drno) → needinfo?(jyavenard)
Priority: -- → P3

This is no longer a MOZ_RELEASE_ASSERT, but a MOZ_DIAGNOSTIC_ASSERT

Here it's an overflow on aExpectedDts + aFuzz can easily fail that one before.

Assigning to :alwu as he's done similar work before.

Assignee: nobody → alwu
Flags: needinfo?(jyavenard)

We already have function GetEndTime(), so it's good to have a similar function GetEndTimeCode() so that we won't have to calculate end time code by ourselves.

It will be good to ensure all samples we use in the following media pipeline have valid time, duration, end time and end timecode.

So that we won't have to worry using any TimeUnit from MediaData with an invalid value.

We should always append sample by using AppendValidSample(), so making mSamples private can prevent direct a usage of the nsTarry's AppendElement() to append invalid sample.

If aExpectedDts or aExpectedPts is valid before adding Fuzz, but invalid after that, we should use the MAX or MIN boundary value as our bound to check if the sample is in the range.

Attachment #9078909 - Attachment description: Bug 1563949 - part2 : always ensure samples in sampleholder are valid. → Bug 1563949 - part2 : add 'AppendSample' to assert that a sample should always be valid

Return demux error when we get a invalid sample.

Attachment #9078910 - Attachment description: Bug 1563949 - part3 : prevent direct usage of 'AppendElement()' to append sample. → Bug 1563949 - part4 : prevent direct usage of 'AppendElement()' to append sample.
Attachment #9078911 - Attachment description: Bug 1563949 - part4 : prevent adding fuzz overflow. → Bug 1563949 - part5 : return nullptr when time overflow.
Pushed by alwu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5070c6dccc69
part1 : add function 'GetEndTimeCode'. r=jya
https://hg.mozilla.org/integration/autoland/rev/d259c4c81820
part2 : add 'AppendSample' to assert that a sample should always be valid r=jya
https://hg.mozilla.org/integration/autoland/rev/906d131e986c
part3 : handle invalid sample in demuxer. r=jya
https://hg.mozilla.org/integration/autoland/rev/ff9a24ac6c54
part4 : prevent direct usage of 'AppendElement()' to append sample. r=jya
https://hg.mozilla.org/integration/autoland/rev/9dbd561ce0e3
part5 : return nullptr when time overflow. r=jya
Regressions: 1605699
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: