1610375 - crash at null [@ mozilla::WebMContainerParser::ParseStartAndEndTimestamps]

Status: RESOLVED FIXED

(Core :: Audio/Video: Playback, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Reduced with m-c 20200116-3f72a81bd12c

dom/media/mediasource/ContainerParser.cpp:198:25: runtime error: member call on null pointer of type 'nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>'
    #0 0x7f462fa49f38 in mozilla::WebMContainerParser::ParseStartAndEndTimestamps(mozilla::MediaSpan const&, long&, long&) dom/media/mediasource/ContainerParser.cpp:198:25
    #1 0x7f462fa1e699 in mozilla::TrackBuffersManager::SegmentParserLoop() dom/media/mediasource/TrackBuffersManager.cpp:831:18
    #2 0x7f462fa7b04a in mozilla::detail::RunnableMethodImpl<mozilla::TrackBuffersManager*, void (mozilla::TrackBuffersManager::*)(), true, (mozilla::RunnableKind)0>::Run() objdir-ff-ubsan/dist/include/nsThreadUtils.h:1216:13
    #3 0x7f46285ec2b7 in mozilla::TaskQueue::Runner::Run() xpcom/threads/TaskQueue.cpp:207:18
    #4 0x7f4628607c18 in nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp:299:14
    #5 0x7f462860838c in non-virtual thunk to nsThreadPool::Run() xpcom/threads/nsThreadPool.cpp
    #6 0x7f46285fdbf9 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1220:14
    #7 0x7f4628604bc6 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #8 0x7f46299fc5a4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:332:5
    #9 0x7f462983f0a4 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #10 0x7f46285f8e59 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:464:10
    #11 0x7f465000d3e8 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:201:5
    #12 0x7f46544d66da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #13 0x7f46534b488e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Comment 1

[Tyson Smith [:tsmith]]

Attachment: test.webm

The test case must be served via a web server to trigger the issue.

Comment 2

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/pslryWxNAd1pYO091ka8hw/index.html

Comment 3

[Bryce Seager van Dyk [:bryce] (he/him) - Not reading bugmail]

jya, are you still looking at this?

Comment 4

[Jean-Yves Avenard [:jya]]

Here we get into a weird combination between having a mediasegment and what looks like an init segment but still have invalid data.

We don't error on stream with invalid data, instead we skip over it normally.
https://searchfox.org/mozilla-central/source/dom/media/mediasource/TrackBuffersManager.cpp#781
// 2. If the input buffer contains bytes that violate the SourceBuffer
// byte stream format specification, then run the append error algorithm
// with the decode error parameter set to true and abort this algorithm.
// TODO

simple fix.

Comment 5

[Jean-Yves Avenard [:jya]]

Attachment: Bug 1610375 - Never use the ContainerParser for media segments unless we have first received an init segment. r?bryce

An error will be returned should it occur, we keep the code flow as-is in order to closely follow the MSE spec steps (https://w3c.github.io/media-source/#sourcebuffer-segment-parser-loop)

Comment 6

[Pulsebot]

Pushed by jyavenard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/889a6414e2d2
Never use the ContainerParser for media segments unless we have first received an init segment. r=bryce

Comment 7

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/889a6414e2d2

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

Since the status are different for nightly and release, what's the status for beta?
For more information, please visit auto_nag documentation.

Comment 9

[Julien Cristau [:jcristau]]

This is fairly low volume, but feel free to request uplift if you think it's worth it.