Open Bug 1601385 Opened 4 months ago Updated 4 months ago

Crash near [@ mozilla::dom::HTMLMediaElement::UpdateOutputTrackSources]

Categories

(Core :: Audio/Video: Playback, defect, P2)

defect

Tracking

()

Tracking Status
firefox73 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(1 file)

Attached file testcase.html

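Testcase found while fuzzing mozilla-central rev 6989fcd6bab3.

Triage note: the ASan report below shows a READ at address 0x10 (zero page), reached through RefPtr::operator-> in HTMLMediaElement::UpdateOutputTrackSources (HTMLMediaElement.cpp:3567). This is consistent with a member access through a null RefPtr, called from MetadataLoaded. Which RefPtr is null cannot be determined from the trace alone.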

==4407==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f95878c72d3 bp 0x7fff8676dc90 sp 0x7fff8676d640 T0)
==4407==The signal is caused by a READ memory access.
==4407==Hint: address points to the zero page.
    #0 0x7f95878c72d2 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:278:27
    #1 0x7f95878c72d2 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:308:12
    #2 0x7f95878c72d2 in mozilla::dom::HTMLMediaElement::UpdateOutputTrackSources() /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3567:15
    #3 0x7f95878f0083 in mozilla::dom::HTMLMediaElement::MetadataLoaded(mozilla::MediaInfo const*, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> > const, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > const> >) /builds/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:5343:3
    #4 0x7f9587ba74fe in mozilla::MediaDecoder::MetadataLoaded(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility) /builds/worker/workspace/build/src/dom/media/MediaDecoder.cpp:698:17
    #5 0x7f9587b104bd in mozilla::ChannelMediaDecoder::MetadataLoaded(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility) /builds/worker/workspace/build/src/dom/media/ChannelMediaDecoder.cpp:547:17
    #6 0x7f9587be912b in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/MediaEventSource.h:343:7
    #7 0x7f9587be912b in mozilla::EnableIf<TakeArgs<mozilla::AbstractThread>::value, void>::Type mozilla::detail::ListenerImpl<mozilla::AbstractThread, mozilla::EnableIf<TakeArgs<void (mozilla::MediaDecoder::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility)>::value, mozilla::MediaEventListener>::Type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)0, mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>::ConnectInternal<mozilla::AbstractThread, mozilla::MediaDecoder, void (mozilla::MediaDecoder::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility)>(mozilla::AbstractThread*, mozilla::MediaDecoder*, void (mozilla::MediaDecoder::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility))::'lambda'(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >&&, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >&&, mozilla::MediaDecoderEventVisibility&&), mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, 
mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>::ApplyWithArgsImpl<mozilla::EnableIf<TakeArgs<void (mozilla::MediaDecoder::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility)>::value, mozilla::MediaEventListener>::Type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)0, mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>::ConnectInternal<mozilla::AbstractThread, mozilla::MediaDecoder, void (mozilla::MediaDecoder::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility)>(mozilla::AbstractThread*, mozilla::MediaDecoder*, void (mozilla::MediaDecoder::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility))::'lambda'(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >&&, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >&&, mozilla::MediaDecoderEventVisibility&&)>(mozilla::AbstractThread const&, 
mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >&&, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >&&, mozilla::MediaDecoderEventVisibility&&) /builds/worker/workspace/build/src/obj-firefox/dist/include/MediaEventSource.h:191:5
    #8 0x7f9587ce9eba in applyImpl<mozilla::detail::Listener<mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>, void (mozilla::detail::Listener<mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> > &&, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > > &&, mozilla::MediaDecoderEventVisibility &&), StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> > >, StoreCopyPassByRRef<mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > > >, StoreCopyPassByRRef<mozilla::MediaDecoderEventVisibility> , 0, 1, 2> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #9 0x7f9587ce9eba in apply<mozilla::detail::Listener<mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>, void (mozilla::detail::Listener<mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> > &&, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > > &&, mozilla::MediaDecoderEventVisibility &&)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
    #10 0x7f9587ce9eba in mozilla::detail::RunnableMethodImpl<mozilla::detail::Listener<mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>*, void (mozilla::detail::Listener<mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >, mozilla::MediaDecoderEventVisibility>::*)(mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >&&, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >&&, mozilla::MediaDecoderEventVisibility&&), true, (mozilla::RunnableKind)0, mozilla::UniquePtr<mozilla::MediaInfo, mozilla::DefaultDelete<mozilla::MediaInfo> >&&, mozilla::UniquePtr<nsDataHashtable<nsCStringHashKey, nsTString<char> >, mozilla::DefaultDelete<nsDataHashtable<nsCStringHashKey, nsTString<char> > > >&&, mozilla::MediaDecoderEventVisibility&&>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
    #11 0x7f9580898bd9 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:197:35
    #12 0x7f95808958d2 in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:113:25
    #13 0x7f95808906c1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #14 0x7f95808c05da in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1250:14
    #15 0x7f95808c7a81 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #16 0x7f9581b093ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #17 0x7f9581a11412 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #18 0x7f9581a11412 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #19 0x7f9581a11412 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #20 0x7f958976e628 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #21 0x7f958d834d76 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:932:20
    #22 0x7f9581a11412 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #23 0x7f9581a11412 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #24 0x7f9581a11412 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #25 0x7f958d8345ff in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:767:34
    #26 0x5628b75a45cc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #27 0x5628b75a45cc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
    #28 0x7f95a3bb0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #29 0x5628b74f99dc in _start (/home/user/builds/mc-asan/firefox+0x559dc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:278:27 in get
Flags: in-testsuite?
Component: DOM: Core & HTML → Audio/Video: Playback
Priority: -- → P2