Closed Bug 1610375 Opened 3 months ago Closed 1 month ago

crash at null [@ mozilla::WebMContainerParser::ParseStartAndEndTimestamps]

Categories: Core :: Audio/Video: Playback (defect, P3)

Tracking

RESOLVED FIXED
mozilla76
Tracking Status
firefox-esr68 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- wontfix
firefox76 --- fixed

People

(Reporter: tsmith, Assigned: jya)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Crash Data

Attachments

(3 files)

Attached file testcase.html

Reduced with m-c 20200116-3f72a81bd12c

dom/media/mediasource/ContainerParser.cpp:198:25: runtime error: member call on null pointer of type 'nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>'
    #0 0x7f462fa49f38 in mozilla::WebMContainerParser::ParseStartAndEndTimestamps(mozilla::MediaSpan const&, long&, long&) dom/media/mediasource/ContainerParser.cpp:198:25
    #1 0x7f462fa1e699 in mozilla::TrackBuffersManager::SegmentParserLoop() dom/media/mediasource/TrackBuffersManager.cpp:831:18
    #2 0x7f462fa7b04a in mozilla::detail::RunnableMethodImpl<mozilla::TrackBuffersManager*, void (mozilla::TrackBuffersManager::*)(), true, (mozilla::RunnableKind)0>::Run() objdir-ff-ubsan/dist/include/nsThreadUtils.h:1216:13
    #3 0x7f46285ec2b7 in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:207:18
    #4 0x7f4628607c18 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:299:14
    #5 0x7f462860838c in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp
    #6 0x7f46285fdbf9 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1220:14
    #7 0x7f4628604bc6 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #8 0x7f46299fc5a4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:332:5
    #9 0x7f462983f0a4 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #10 0x7f46285f8e59 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:464:10
    #11 0x7f465000d3e8 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:201:5
    #12 0x7f46544d66da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #13 0x7f46534b488e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Flags: in-testsuite?
Attached video test.webm

The test case must be served via a web server to trigger the issue.

A Pernosco session is available here: https://pernos.co/debug/pslryWxNAd1pYO091ka8hw/index.html

Assignee: nobody → jyavenard
Priority: -- → P2

jya, are you still looking at this?

Flags: needinfo?(jyavenard)
Priority: P2 → P3

Here we get into a weird combination between having a media segment and what looks like an init segment, but still having invalid data.

We don't error on streams with invalid data; instead we skip over them normally.
https://searchfox.org/mozilla-central/source/dom/media/mediasource/TrackBuffersManager.cpp#781
// 2. If the input buffer contains bytes that violate the SourceBuffer
// byte stream format specification, then run the append error algorithm
// with the decode error parameter set to true and abort this algorithm.
// TODO

simple fix.

Flags: needinfo?(jyavenard)

An error will be returned should it occur; we keep the code flow as-is in order to closely follow the MSE spec steps (https://w3c.github.io/media-source/#sourcebuffer-segment-parser-loop).
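The spec steps cited above, modelled as an added example (not Firefox's TrackBuffersManager code): a tiny segment parser loop whose step 6.1 rejects a media segment that arrives before any init segment, so the container parser is never asked to parse timestamps for it. The single-character segment tokens are a constructed input format.

```cpp
#include <string>

// Append states from the MSE segment parser loop
// (https://w3c.github.io/media-source/#sourcebuffer-segment-parser-loop).
enum class AppendState { WaitingForSegment, ParsingInitSegment, ParsingMediaSegment };
enum class AppendResult { Ok, DecodeError };

// Minimal model of one SourceBuffer's parser-loop state. Constructed input:
// each char is one complete segment, 'I' = init segment, 'M' = media segment,
// anything else = bytes that violate the byte stream format.
class SegmentParserLoop {
 public:
  AppendResult Append(char segment) {
    // Step 2: bytes violating the format -> append error (decode error).
    if (segment != 'I' && segment != 'M') return AppendResult::DecodeError;
    // Step 4: classify the segment at the head of the input buffer.
    if (mState == AppendState::WaitingForSegment) {
      mState = (segment == 'I') ? AppendState::ParsingInitSegment
                                : AppendState::ParsingMediaSegment;
    }
    if (mState == AppendState::ParsingInitSegment) {
      // Step 5: init segment received; set the flag, go back to waiting.
      mFirstInitSegmentReceived = true;
      mState = AppendState::WaitingForSegment;
      return AppendResult::Ok;
    }
    // Step 6.1: a media segment before any init segment is a decode error.
    // Returning here keeps the container parser, which needs the init
    // segment's track data, from ever seeing such a segment.
    if (!mFirstInitSegmentReceived) return AppendResult::DecodeError;
    // Step 6 continued: the container parser would compute start/end
    // timestamps here; this model only counts the segment.
    ++mMediaSegmentsParsed;
    mState = AppendState::WaitingForSegment;
    return AppendResult::Ok;
  }
  int MediaSegmentsParsed() const { return mMediaSegmentsParsed; }

 private:
  AppendState mState = AppendState::WaitingForSegment;
  bool mFirstInitSegmentReceived = false;
  int mMediaSegmentsParsed = 0;
};

struct StreamOutcome { AppendResult result; int mediaSegmentsParsed; };

// Feed a whole constructed stream, stopping at the first append error
// because the spec's append error algorithm aborts the loop.
StreamOutcome RunStream(const std::string& stream) {
  SegmentParserLoop loop;
  AppendResult result = AppendResult::Ok;
  for (char c : stream) { if ((result = loop.Append(c)) != AppendResult::Ok) break; }
  return {result, loop.MediaSegmentsParsed()};
}
```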

Pushed by jyavenard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/889a6414e2d2
Never use the ContainerParser for media segments unless we have first received an init segment. r=bryce
Status: NEW → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla76

Since the statuses are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

Crash Signature: [@ mozilla::WebMContainerParser::ParseStartAndEndTimestamps]
Flags: in-testsuite? → in-testsuite-

This is fairly low volume, but feel free to request uplift if you think it's worth it.
