1601799 - Assertion failure: !mOutputTracks.IsEmpty(), at /builds/worker/workspace/build/src/dom/media/mediasink/DecodedStream.cpp:409

Status: RESOLVED FIXED

(Core :: WebRTC: Audio/Video, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 3dc70a33491f.

==31768==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f24edf4d769 bp 0x7f243ff1c870 sp 0x7f243ff1c460 T37)
==31768==The signal is caused by a WRITE memory access.
==31768==Hint: address points to the zero page.
    #0 0x7f24edf4d768 in SendData /builds/worker/workspace/build/src/dom/media/mediasink/DecodedStream.cpp:850:8
    #1 0x7f24edf4d768 in mozilla::DecodedStream::Start(mozilla::media::TimeUnit const&, mozilla::MediaInfo const&) /builds/worker/workspace/build/src/dom/media/mediasink/DecodedStream.cpp:486:5
    #2 0x7f24edf5a222 in mozilla::VideoSink::Start(mozilla::media::TimeUnit const&, mozilla::MediaInfo const&) /builds/worker/workspace/build/src/dom/media/mediasink/VideoSink.cpp:277:29
    #3 0x7f24ed9e59c2 in mozilla::MediaDecoderStateMachine::StartMediaSink() /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp:3230:29
    #4 0x7f24ed9c6698 in mozilla::MediaDecoderStateMachine::MaybeStartPlayback() /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp:2873:3
    #5 0x7f24ed9c5bb3 in mozilla::MediaDecoderStateMachine::DecodingState::Step() /builds/worker/workspace/build/src/dom/media/MediaDecoderStateMachine.cpp:2333:14
    #6 0x7f24edad238b in applyImpl<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #7 0x7f24edad238b in apply<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
    #8 0x7f24edad238b in mozilla::detail::RunnableMethodImpl<mozilla::MediaDecoderStateMachine*, void (mozilla::MediaDecoderStateMachine::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
    #9 0x7f24e6642a89 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:197:35
    #10 0x7f24e664d96d in mozilla::TaskQueue::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:201:12
    #11 0x7f24e6675969 in nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:304:14
    #12 0x7f24e66766bc in non-virtual thunk to nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp
    #13 0x7f24e666a48a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1250:14
    #14 0x7f24e6671931 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7f24e78b4f85 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #16 0x7f24e77bb832 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7f24e77bb832 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #18 0x7f24e77bb832 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #19 0x7f24e6663f11 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:458:11
    #20 0x7f250ae48ec5 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f250aa916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #22 0x7f2509a6f88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/media/mediasink/DecodedStream.cpp:850:8 in SendData
Thread T37 (MediaDe~hine #1) created by T0 (file:// Content) here:
    #0 0x55706737e0ba in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7f250ae3ab99 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f250ae241ee in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f24e6666376 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:673:8
    #4 0x7f24e6670aa1 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:550:12
    #5 0x7f24e6674a93 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f24e6674271 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:119:17
    #7 0x7f24e667686c in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:353:5
    #8 0x7f24e664c7a4 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/build/src/xpcom/threads/TaskQueue.cpp:107:26
    #9 0x7f24e66822f5 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskQueue.h:70:14
    #10 0x7f24e664267e in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:245:20
    #11 0x7f24e6640b55 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:87:7
    #12 0x7f24e6640895 in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:444:17
    #13 0x7f24e6640895 in mozilla::EventTargetWrapper::FireTailDispatcher() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:72:21
    #14 0x7f24e66450f4 in applyImpl<mozilla::EventTargetWrapper, void (mozilla::EventTargetWrapper::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #15 0x7f24e66450f4 in apply<mozilla::EventTargetWrapper, void (mozilla::EventTargetWrapper::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130:12
    #16 0x7f24e66450f4 in mozilla::detail::RunnableMethodImpl<mozilla::EventTargetWrapper*, void (mozilla::EventTargetWrapper::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176:13
    #17 0x7f24e6470458 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:399:12
    #18 0x7f24e6474557 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:458:3
    #19 0x7f24e8ae395d in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1329:28
    #20 0x7f24e666b1b1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1313:24
    #21 0x7f24e6671931 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #22 0x7f24e78b382f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #23 0x7f24e77bb832 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #24 0x7f24e77bb832 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #25 0x7f24e77bb832 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #26 0x7f24ef51ba48 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #27 0x7f24f35e44e6 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:943:20
    #28 0x7f24e77bb832 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #29 0x7f24e77bb832 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #30 0x7f24e77bb832 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #31 0x7f24f35e3d6f in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:778:34
    #32 0x5570673c65cc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #33 0x5570673c65cc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #34 0x7f250996fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: c3f2ab0ca87e837a5ffc6dfc1e757e1357c49d1f.webm

Comment 2

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/ZGsu8GYT8WBcftMIJeibDw/index.html

Comment 3

[Andreas Pehrson [:pehrsons]]

This requires the pref media.track.enabled to be true (it's false by default). Enabling that by default is not currently on our radar.

The best fix for this is not immediately obvious. I suppose the simplest may be to run the decoder but without connecting it to the output track. Basically removing the assert.

Comment 4

[Andreas Pehrson [:pehrsons]]

To run the decoder we need a MediaTrackGraph (for the clock driving the whole thing), and to get a graph we need a track. I solved this by passing a SharedDummyTrack on the side. I need to write a test that is a bit more complete than this crashtest, but that should be it.

Comment 5

[Andreas Pehrson [:pehrsons]]

Attachment: Bug 1601799 - Add mochitest for disabled MediaTracks with mozCaptureStream. r?karlt!

Comment 6

[Andreas Pehrson [:pehrsons]]

Attachment: Bug 1601799 - Allow running DecodedStream without output tracks. r?karlt!

Comment 7

[Andreas Pehrson [:pehrsons]]

Attachment: Bug 1601799 - Use a SharedDummyTrack for graph access in DecodedStream. r?karlt!

When enabling our MediaTrack implementation (which we don't plan to by default,
NB) and disabling all audio tracks and unselecting all video tracks while having
an active captureStream leads to having no output tracks in DecodedStream.

In this case, DecodedStream doesn't know which graph to use for creating the
intermediary tracks it feeds data to. We don't want to resort to the default
graph either, since two graphs on different clocks could then race each other.

With this patch we plumb down a SharedDummyTrack from the media element where
the captureStream was triggered, through MediaDecoder, to DecodedStream. The
SharedDummyTrack guarantees to keep the graph alive, and holds the graph used
for the output tracks.

Comment 8

[Pulsebot]

Pushed by pehrsons@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/6710c73dfa89
Add mochitest for disabled MediaTracks with mozCaptureStream. r=karlt
https://hg.mozilla.org/integration/autoland/rev/feb8e835dba8
Allow running DecodedStream without output tracks. r=karlt
https://hg.mozilla.org/integration/autoland/rev/61407047ca1a
Use a SharedDummyTrack for graph access in DecodedStream. r=karlt

Comment 9

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/6710c73dfa89
https://hg.mozilla.org/mozilla-central/rev/feb8e835dba8
https://hg.mozilla.org/mozilla-central/rev/61407047ca1a