Assertion failure: aStart <= aEnd, at src/dom/media/mp4/MP4Interval.h:17
Categories
(Core :: Audio/Video: Playback, defect, P3)
Tracking
()
People
(Reporter: tsmith, Assigned: padenot)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file)
|
1.27 KB,
video/mp4
|
Details |
Assertion failure: aStart <= aEnd, at src/dom/media/mp4/MP4Interval.h:17
#0 0x7fdb118b4828 in mozilla::MP4Interval<long>::MP4Interval(long, long) src/dom/media/mp4/MP4Interval.h:17:5
#1 0x7fdb118cb14a in mozilla::Moof::ParseTrun(mozilla::Box&, mozilla::Mvhd&, mozilla::Mdhd&, mozilla::Edts&, unsigned long*, bool) src/dom/media/mp4/MoofParser.cpp:816:34
#2 0x7fdb118c9326 in mozilla::Moof::ParseTraf(mozilla::Box&, mozilla::Variant<mozilla::ParseAllTracks, unsigned int> const&, mozilla::Trex&, mozilla::Mvhd&, mozilla::Mdhd&, mozilla::Edts&, mozilla::Sinf&, unsigned long*, bool) src/dom/media/mp4/MoofParser.cpp:713:11
#3 0x7fdb118c72eb in mozilla::Moof::Moof(mozilla::Box&, mozilla::Variant<mozilla::ParseAllTracks, unsigned int> const&, mozilla::Trex&, mozilla::Mvhd&, mozilla::Mdhd&, mozilla::Edts&, mozilla::Sinf&, unsigned long*, bool, nsTArray<mozilla::TrackEndCts>&) src/dom/media/mp4/MoofParser.cpp:449:7
#4 0x7fdb118c21b4 in mozilla::MoofParser::RebuildFragmentedIndex(mozilla::BoxContext&) src/dom/media/mp4/MoofParser.cpp:80:12
#5 0x7fdb118c1da1 in mozilla::MoofParser::RebuildFragmentedIndex(mozilla::media::IntervalSet<long> const&) src/dom/media/mp4/MoofParser.cpp:48:10
#6 0x7fdb118bdfe3 in UpdateMoofIndex src/dom/media/mp4/Index.cpp:523:16
#7 0x7fdb118bdfe3 in UpdateMoofIndex src/dom/media/mp4/Index.cpp:501:3
#8 0x7fdb118bdfe3 in mozilla::MP4TrackDemuxer::EnsureUpToDateIndex() src/dom/media/mp4/MP4Demuxer.cpp:349:11
#9 0x7fdb118bda63 in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MediaResource*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo> >&&, mozilla::IndiceWrapper const&) src/dom/media/mp4/MP4Demuxer.cpp:315:3
#10 0x7fdb118ba34f in mozilla::MP4Demuxer::Init() src/dom/media/mp4/MP4Demuxer.cpp:224:45
#11 0x7fdb1131a17c in operator() src/dom/media/MediaFormatReader.cpp:740:47
#12 0x7fdb1131a17c in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_65, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, true> >::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1564:29
#13 0x7fdb0dc65062 in mozilla::TaskQueue::Runner::Run() src/xpcom/threads/TaskQueue.cpp:158:20
#14 0x7fdb0dc7cba4 in nsThreadPool::Run() src/xpcom/threads/nsThreadPool.cpp:299:14
#15 0x7fdb0dc74931 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1197:14
#16 0x7fdb0dc7a43a in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:513:10
#17 0x7fdb0e56a866 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:332:5
#18 0x7fdb0e4dbfa3 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:334:10
#19 0x7fdb0e4dbebd in RunHandler src/ipc/chromium/src/base/message_loop.cc:327:3
#20 0x7fdb0e4dbebd in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:309:3
#21 0x7fdb0dc7103e in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:442:10
#22 0x7fdb223ebabb in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#23 0x7fdb22a94608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
#24 0x7fdb2265d292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
||
Comment 1•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20201015215335-c8b4cf6696dd.
Failed to bisect testcase (Start build crashes!):
Start: e8b7c48d4e7ed1b63aeedff379b51e566ea499d9 (20191107015224)
End: 7b96efde9ee17f2c79245b7a6047fd686d7f4621 (20201015035702)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=False, coverage=False, valgrind=False)
|
Reporter | |
Comment 2•5 years ago
|
||
A Pernosco session is available here: https://pernos.co/debug/K4W-7-jacppMq0VukMtILQ/index.html
|
||
Comment 4•5 years ago
|
||
Locally reproduced, though on a non-debug build, this gives an appropriate error rather than crashing (hence the S3). Similar results on Safari and Chrome. Was this testcase developed via fuzzing?
|
|
Reporter | |
Comment 5•5 years ago
|
||
(In reply to Jon Bauman [:jbauman:] from comment #4)
Was this testcase developed via fuzzing?
Yes it was.
|
|
||
Updated•4 years ago
|
|
||
Comment 6•2 years ago
|
||
Testcase crashes using the initial build (mozilla-central 20220618214506-d0ec12c7f65d) but not with tip (mozilla-central 20230617092009-29e4ffb2c397.)
The bug appears to have been fixed in the following build range:
Start: e1a08bab18008646938a96dfab802d2471fcadc1 (20230529155256)
End: 90b70a4d4a673f3057de61f893693fb6488235c8 (20230529183356)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e1a08bab18008646938a96dfab802d2471fcadc1&tochange=90b70a4d4a673f3057de61f893693fb6488235c8
tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Reporter | |
Comment 7•2 years ago
|
||
Fixed by bug 1835164.
|
||
Updated•2 years ago
|
Description
•