Closed
Bug 1706772
Opened 3 years ago
Closed 3 years ago
[@ NS_ABORT_OOM | @ WebCore::ReverbAccumulationBuffer::ReverbAccumulationBuffer]
Categories
(Core :: Web Audio, defect, P1)
Core
Web Audio
Tracking
()
VERIFIED
FIXED
90 Branch
People
(Reporter: jkratzer, Assigned: karlt)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev 6531d095b2a7 (built with --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 6531d095b2a7 --asan --fuzzing -n mc-asan
$ python -m grizzly.replay --xvfb ./mc-asan/firefox ./testcase.html
==1101295==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f9c284fcf0f bp 0x7fffd4675360 sp 0x7fffd4675360 T0)
==1101295==The signal is caused by a WRITE memory access.
==1101295==Hint: address points to the zero page.
#0 0x7f9c284fcf0f in NS_ABORT_OOM(unsigned long) /builds/worker/checkouts/gecko/xpcom/base/nsDebugImpl.cpp:618:3
#1 0x7f9c284ab304 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:154:5
#2 0x7f9c284aad11 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::ExtendCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:135:16
#3 0x7f9c2ae52615 in InsertSlotsAt<nsTArrayInfallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:406:17
#4 0x7f9c2ae52615 in float* nsTArray_Impl<float, nsTArrayInfallibleAllocator>::InsertElementsAtInternal<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2295:49
#5 0x7f9c2ae0eed9 in nsTArrayInfallibleAllocator::ResultType nsTArray_Impl<float, nsTArrayInfallibleAllocator>::SetLength<nsTArrayInfallibleAllocator>(unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2224:11
#6 0x7f9c2ecff33a in SetLength /builds/worker/checkouts/gecko/dom/media/webaudio/AlignedTArray.h:88:49
#7 0x7f9c2ecff33a in WebCore::ReverbAccumulationBuffer::ReverbAccumulationBuffer(unsigned long) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/ReverbAccumulationBuffer.cpp:40:12
#8 0x7f9c2ecffa72 in WebCore::ReverbConvolver::ReverbConvolver(float const*, unsigned long, unsigned long, unsigned long, bool) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/ReverbConvolver.cpp:64:7
#9 0x7f9c2ecfe217 in WebCore::Reverb::initialize(nsTArray<float const*> const&, unsigned long, unsigned long, bool) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/Reverb.cpp:152:13
#10 0x7f9c2ecfddfe in WebCore::Reverb::Reverb(mozilla::AudioChunk const&, unsigned long, bool, bool, float, bool*) /builds/worker/checkouts/gecko/dom/media/webaudio/blink/Reverb.cpp:112:3
#11 0x7f9c2eca2a28 in mozilla::dom::ConvolverNode::SetBuffer(JSContext*, mozilla::dom::AudioBuffer*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webaudio/ConvolverNode.cpp:460:43
#12 0x7f9c2d15077b in mozilla::dom::ConvolverNode_Binding::set_buffer(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/ConvolverNodeBinding.cpp:221:24
#13 0x7f9c2d6affe6 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3180:8
#14 0x7f9c33d2a974 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:437:13
#15 0x7f9c33d2a974 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:522:12
#16 0x7f9c33d2c799 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
#17 0x7f9c33d2ca1b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
#18 0x7f9c33d2e3a3 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:739:10
#19 0x7f9c34235fb1 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2699:8
#20 0x7f9c3423561e in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2733:14
#21 0x7f9c33d11d19 in SetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:300:10
#22 0x7f9c33d11d19 in SetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:272:10
#23 0x7f9c33d11d19 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3013:12
#24 0x7f9c33cfa44e in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:406:13
#25 0x7f9c33d2aab3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:554:13
#26 0x7f9c33d2c799 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:582:10
#27 0x7f9c33d2ca1b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:599:8
#28 0x7f9c345a4de2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2830:10
#29 0x7f9c2d1ebd39 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
#30 0x7f9c2de4e4e8 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#31 0x7f9c2de4df4f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1108:43
#32 0x7f9c2de4f667 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
#33 0x7f9c2de3c9be in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
#34 0x7f9c2de3b230 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
#35 0x7f9c2de3f4b8 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
#36 0x7f9c2de44d29 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#37 0x7f9c2bd8ae3a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1331:17
#38 0x7f9c2b85bf2f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4183:28
#39 0x7f9c2b85bc73 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4153:10
#40 0x7f9c2bad9e34 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7684:3
#41 0x7f9c2bb9a2bf in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#42 0x7f9c2bb9a2bf in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#43 0x7f9c2bb9a2bf in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#44 0x7f9c286f990c in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
#45 0x7f9c2873d8ca in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:473:16
#46 0x7f9c28709e30 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:757:26
#47 0x7f9c28707967 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:612:15
#48 0x7f9c28707dbd in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:396:36
#49 0x7f9c28746cc1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
#50 0x7f9c28746cc1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
#51 0x7f9c28724aa3 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
#52 0x7f9c2872fa2c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#53 0x7f9c2995f7ef in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#54 0x7f9c2986a041 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#55 0x7f9c2986a041 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#56 0x7f9c2986a041 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#57 0x7f9c2ffc85f7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#58 0x7f9c33ada15f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:906:20
#59 0x7f9c2986a041 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#60 0x7f9c2986a041 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#61 0x7f9c2986a041 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#62 0x7f9c33ad99ef in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:34
#63 0x560e17ec020d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#64 0x560e17ec0631 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
#65 0x7f9c470ae0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite?
|
||
Comment 1•3 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210421212740-683c2a81d1a3.
The bug appears to have been introduced in the following build range:
Start: 1e9779538e9493590ddc45f16bb852ac79325bf8 (20210412154438)
End: 64b1938f0ed6fc36f8e82160d7bb968c5dec7d72 (20210412161323)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1e9779538e9493590ddc45f16bb852ac79325bf8&tochange=64b1938f0ed6fc36f8e82160d7bb968c5dec7d72
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Comment 2•3 years ago
|
||
(In reply to Bugmon [:jkratzer for issues] from comment #1)
This OOM can be triggered now due to javascript.options.large_arraybuffers defaulting to true since bug 1703505.
Earlier discussion of handling OOMs in this code in bug 1493779 comment 2 may be relevant.
Paul, any suggestions please?
|
Assignee | |
Comment 3•3 years ago
|
||
|
|
Assignee | |
Comment 4•3 years ago
|
||
I would prefer not to add another large allocation testcase to our testsuite, because these can lead to hard-to-track OOM crashes in subsequent tests.
See for example https://bugzilla.mozilla.org/show_bug.cgi?id=1672869
We have https://searchfox.org/mozilla-central/source/dom/media/webaudio/test/test_convolverNodeOOM.html, which is allocating 0x8f0d1800 bytes split across two ReverbAccumulationBuffers (as well as other large allocations).
Flags: in-testsuite? → in-testsuite-
|
|
Assignee | |
Comment 5•3 years ago
|
||
|
|
Assignee | |
Comment 6•3 years ago
|
||
The accumulate() return value and updateReadIndex() were unused.
Depends on D113624
|
||
Comment 7•3 years ago
|
||
:karlt, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Flags: needinfo?(karlt)
|
|
Assignee | |
Comment 8•3 years ago
|
||
This is not really a regression. Large allocation was previously possible here and so an allocation failure was previously likely.
The large ArrayBuffers change means that there is now wider range of lengths for which the 2GB limit is hit in nsTArray rather than on ArrayBuffer allocation.
ReverbAccumulationBuffer can be slightly larger than ArrayBuffers, so I expect the fatal nsTArray limit could have been hit with 2GB ArrayBuffers previously.
Flags: needinfo?(karlt)
See Also: 1703505 →
Pushed by ktomlinson@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/19b23a3a0e43 throw on ReverbAccumulationBuffer allocation failure r=padenot https://hg.mozilla.org/integration/autoland/rev/524ed0e02b89 use size_t for RevebAccumulationBuffer read index r=padenot
|
|
Assignee | |
Updated•3 years ago
|
Severity: -- → S3
Priority: -- → P1
|
||
Comment 10•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/19b23a3a0e43
https://hg.mozilla.org/mozilla-central/rev/524ed0e02b89
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch
|
||
Updated•3 years ago
|
status-firefox88:
--- → wontfix
status-firefox-esr78:
--- → wontfix
|
|
||
Comment 11•3 years ago
|
||
The patch landed in nightly and beta is affected.
:karlt, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(karlt)
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(karlt)
|
|
||
Updated•3 years ago
|
| Comment hidden (obsolete) |
|
Reporter | |
Updated•3 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•