Closed
Bug 1636515
Opened 4 years ago
Closed 4 years ago
Assertion failure: ms.mLiveTracks.Length() == length - 1, at /builds/worker/checkouts/gecko/dom/html/HTMLMediaElement.cpp:3538
Categories
(Core :: Audio/Video: Playback, defect, P3)
Core
Audio/Video: Playback
Tracking
()
VERIFIED
FIXED
mozilla78
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox76 | --- | wontfix |
| firefox77 | --- | wontfix |
| firefox78 | --- | verified |
People
(Reporter: jkratzer, Assigned: achronop)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev 19e273db8019 (built with --enable-debug).
Assertion failure: ms.mLiveTracks.Length() == length - 1, at /builds/worker/checkouts/gecko/dom/html/HTMLMediaElement.cpp:3538
rax = 0x00007f26c97405ff rdx = 0x0000000000000000
rcx = 0x000055d45ac76a48 rbx = 0x0000000000000000
rsi = 0x00007f26da6ad8b0 rdi = 0x00007f26da6ac680
rbp = 0x00007ffeefdd8300 rsp = 0x00007ffeefdd8040
r8 = 0x00007f26da6ad8b0 r9 = 0x00007f26db813780
r10 = 0x0000000000000002 r11 = 0x0000000000000000
r12 = 0x000055d45c277280 r13 = 0x0000000000000000
r14 = 0x000055d45c410150 r15 = 0x0000000000000000
rip = 0x00007f26c397ccf5
OS|Linux|0.0.0 Linux 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64
CPU|amd64|family 6 model 94 stepping 3|8
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|mozilla::dom::HTMLMediaElement::UpdateOutputTrackSources()|hg:hg.mozilla.org/mozilla-central:dom/html/HTMLMediaElement.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|3538|0x0
0|1|libxul.so|mozilla::detail::RunnableFunction<mozilla::WatchManager<mozilla::dom::HTMLMediaElement>::PerCallbackWatcher::Notify()::{lambda()#1}>::Run()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.h:19e273db80195cc5de59647fcaf16bafad9bbcce|557|0x43
0|2|libxul.so|mozilla::AutoTaskDispatcher::DrainDirectTasks()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/TaskDispatcher.h:19e273db80195cc5de59647fcaf16bafad9bbcce|99|0x11
0|3|libxul.so|mozilla::XPCOMThreadWrapper::MaybeFireTailDispatcher()|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|115|0x11
0|4|libxul.so|non-virtual thunk to mozilla::XPCOMThreadWrapper::AfterProcessNextEvent(nsIThreadInternal*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/AbstractThread.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|0|0xd
0|5|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|1216|0x42
0|6|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|481|0xc
0|7|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|87|0x7
0|8|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|315|0x17
0|9|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|290|0x8
0|10|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|137|0xd
0|11|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|909|0xe
0|12|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|237|0x5
0|13|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|315|0x17
0|14|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:19e273db80195cc5de59647fcaf16bafad9bbcce|290|0x8
0|15|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|740|0x5
0|16|firefox-bin|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|56|0x11
0|17|firefox-bin|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:19e273db80195cc5de59647fcaf16bafad9bbcce|303|0x20
0|18|libc.so.6||||0x21b97
0|19|firefox-bin|<name omitted>|hg:hg.mozilla.org/mozilla-central:mfbt/UniquePtr.h:19e273db80195cc5de59647fcaf16bafad9bbcce|253|0x17
Flags: in-testsuite?
|
||
Comment 1•4 years ago
|
||
Because this bug's Severity is normal and has not been changed, and this bug's priority is -- (none,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)
Severity: normal → --
|
||
Updated•4 years ago
|
Severity: -- → S3
|
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
Has Regression Range: --- → yes
|
||
Updated•4 years ago
|
Keywords: regression
|
||
Updated•4 years ago
|
status-firefox76:
--- → wontfix
status-firefox77:
--- → wontfix
status-firefox-esr68:
--- → unaffected
|
|
||
Comment 2•4 years ago
|
||
Paul, you reviewed bug 1592289, care to take a look?
Flags: needinfo?(padenot)
|
Reporter | |
Updated•4 years ago
|
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
|
Reporter | |
Comment 3•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200518152416-a627b6676824.
The bug appears to have been introduced in the following build range:
> Start: 0089f7e6daa0e3daec27e9e0d603efc1379f6512 (20191120152120)
> End: 32cdf5bcfd8449e67564ab6229e5e7da1c667d03 (20191120152733)
> Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=0089f7e6daa0e3daec27e9e0d603efc1379f6512&tochange=32cdf5bcfd8449e67564ab6229e5e7da1c667d03
|
Assignee | |
Comment 4•4 years ago
|
||
I can reproduce, I asked Paul offline and I will take a look at it.
Flags: needinfo?(padenot) → needinfo?(achronop)
|
||
Updated•4 years ago
|
Component: DOM: Core & HTML → Audio/Video: Playback
|
|
Assignee | |
Comment 5•4 years ago
|
||
The problem here is that the stream is captured from the element and it is driven to the srcObject attribute of the same media element. Our code does not expect that and it crashes as a side effect. Unfortunately, the spec does not mention anything about that case. I will open an issue in the spec. In the meantime I will create a patch that will not allow setting the captured stream to the capture from element.
Flags: needinfo?(achronop)
|
|
Assignee | |
Updated•4 years ago
|
Assignee: nobody → achronop
Priority: -- → P3
|
|
Assignee | |
Comment 6•4 years ago
|
||
Feeding a media element with the captured stream from the same media element does not make sense. Currently the spec does not mention anything about it. I'll clarify the case in the spec. In the meantime, when a cycle is detected, the setting of the srcObject is ignored and a warning is produced in the console.
Pushed by achronopoulos@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/01f96c18970f
Handle cycle in media element when it is fed with the captured stream. r=padenot
|
||
Comment 8•4 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
|
|
Reporter | |
Updated•4 years ago
|
|
|
Reporter | |
Comment 9•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200529095426-2ea544687871.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
You need to log in
before you can comment on or make changes to this bug.
Description
•