Closed Bug 1797292 Opened 2 years ago Closed 2 years ago

Crash in [@ RefPtr<T>::get | RefPtr<T>::operator-> | mozilla::gmp::ChromiumCDMParent::CreateVideoFrame]

Categories

(Core :: Audio/Video: Playback, defect)

Unspecified
Windows 10
defect

Tracking

RESOLVED FIXED
108 Branch
Tracking Status
relnote-firefox --- 106+
firefox-esr102 --- unaffected
firefox106 --- fixed
firefox107 + fixed
firefox108 --- fixed

People

(Reporter: aryx, Assigned: bradwerth)

References

(Regression)

Details

(Keywords: crash, regression)

Attachments

(1 file)

Crash new in Firefox 106, Nightly 108 is still affected. There are 176 crash reports for 149 installations of Firefox 106 and 106.0.1.

Brad, could you investigate this issue? (Could it be related to bug 1781122?)

Crash report: https://crash-stats.mozilla.org/report/index/5ddef371-a0c6-4e11-88e0-7adc90221025

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  RefPtr<mozilla::layers::Image>::get const  mfbt/RefPtr.h:286
0  xul.dll  RefPtr<mozilla::layers::Image>::operator-> const  mfbt/RefPtr.h:316
0  xul.dll  mozilla::gmp::ChromiumCDMParent::CreateVideoFrame  dom/media/gmp/ChromiumCDMParent.cpp:978
1  xul.dll  mozilla::gmp::ChromiumCDMParent::RecvDecodedShmem  dom/media/gmp/ChromiumCDMParent.cpp:893
2  xul.dll  mozilla::gmp::PChromiumCDMParent::OnMessageReceived  ipc/ipdl/PChromiumCDMParent.cpp:1404
3  xul.dll  mozilla::gmp::PGMPContentParent::OnMessageReceived  ipc/ipdl/PGMPContentParent.cpp:435
4  xul.dll  mozilla::ipc::MessageChannel::DispatchAsyncMessage  ipc/glue/MessageChannel.cpp:1756
4  xul.dll  mozilla::ipc::MessageChannel::DispatchMessage  ipc/glue/MessageChannel.cpp:1681
4  xul.dll  mozilla::ipc::MessageChannel::RunMessage  ipc/glue/MessageChannel.cpp:1481
4  xul.dll  mozilla::ipc::MessageChannel::MessageTask::Run  ipc/glue/MessageChannel.cpp:1579
Flags: needinfo?(bwerth)

Yes, this is a regression from Bug 1781122.

Assignee: nobody → bwerth
Flags: needinfo?(bwerth)
Regressed by: 1781122

The Image isn't guaranteed to be created in VideoData::CreateAndCopyData.
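
The failure mode described in this comment, as an added example that is not part of the bug's comments and is not Firefox source: a factory that can return an object whose image was never created, and a caller that exits early instead of dereferencing it. All type and function names below are hypothetical stand-ins, and `std::shared_ptr` is used in place of `RefPtr`.

```cpp
// Added illustration; every name here is hypothetical, not Firefox code.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

struct Image {                        // stand-in for a decoded image
  std::vector<uint8_t> pixels;
  size_t ByteSize() const { return pixels.size(); }
};

struct VideoData {                    // stand-in for the decoded-frame wrapper
  std::shared_ptr<Image> image;       // may legitimately stay null
};

// Factory modelled on the bug: it can return no object at all, or an
// object whose image was never created (for example under memory pressure,
// simulated here with a flag).
std::shared_ptr<VideoData> CreateAndCopy(const uint8_t* src, size_t len,
                                         bool simulateImageFailure) {
  if (!src || len == 0) return nullptr;
  auto data = std::make_shared<VideoData>();
  if (simulateImageFailure) return data;           // image left null
  data->image = std::make_shared<Image>();
  data->image->pixels.assign(src, src + len);
  return data;
}

enum class FrameResult { Ok, NoData, NoImage };

// Guarded caller: checks both pointer levels before use. Without the second
// check, data->image->ByteSize() would read through a null pointer.
FrameResult HandleDecodedFrame(const uint8_t* src, size_t len,
                               bool simulateImageFailure, size_t* outBytes) {
  std::shared_ptr<VideoData> data =
      CreateAndCopy(src, len, simulateImageFailure);
  if (!data) return FrameResult::NoData;
  if (!data->image) return FrameResult::NoImage;   // early exit
  *outBytes = data->image->ByteSize();
  return FrameResult::Ok;
}
```

Returning a distinct result for each failure lets the caller drop the frame or report a decode error rather than crash the process.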

Attachment #9300171 - Attachment description: Bug 1797292: Protect an Image pointer from null dereference. → Bug 1797292: Protect some pointers from null dereference.

Might be worth considering an uplift and a ridealong if we have the chance.

Pushed by bwerth@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/59403d4c9957
Protect some pointers from null dereference. r=media-playback-reviewers,alwu
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch

The patch landed in nightly and beta is affected.
:bradwerth, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox107 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(bwerth)

Comment on attachment 9300171 [details]
Bug 1797292: Protect some pointers from null dereference.

Beta/Release Uplift Approval Request

  • User impact if declined: Playback of DRM video may cause a crash in unusual circumstances, including low-memory situations.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This provides an early exit in one code path, very minimal risk.
  • String changes made/needed:
  • Is Android affected?: No
Flags: needinfo?(bwerth)
Attachment #9300171 - Flags: approval-mozilla-beta?

Comment on attachment 9300171 [details]
Bug 1797292: Protect some pointers from null dereference.

Approved for 107.0b6.

Attachment #9300171 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9300171 [details]
Bug 1797292: Protect some pointers from null dereference.

Beta/Release Uplift Approval Request

  • User impact if declined: DRM video may not play correctly.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Code changes are minimal and easy to reason about.
  • String changes made/needed:
  • Is Android affected?: Unknown
Attachment #9300171 - Flags: approval-mozilla-release?

Comment on attachment 9300171 [details]
Bug 1797292: Protect some pointers from null dereference.

Approved for 106.0.4.

Attachment #9300171 - Flags: approval-mozilla-release? → approval-mozilla-release+