Closed Bug 1832354 Opened 2 years ago Closed 2 years ago

Crash in [@ mozilla::detail::nsTStringLengthStorage<T>::operator unsigned long long]

Categories

(Core :: Audio/Video: GMP, defect, P3)

Unspecified
Windows 11
defect

Tracking

RESOLVED FIXED
115 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- unaffected
firefox114 --- wontfix
firefox115 --- fixed

People

(Reporter: aosmond, Assigned: aosmond)

Details

(Keywords: crash)

Attachments

(1 file)

Crash report: https://crash-stats.mozilla.org/report/index/e90faf20-0257-4c87-a6ce-f52a30230509

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  mozilla::detail::nsTStringLengthStorage<char>::operator unsigned long long const  xpcom/string/nsTStringRepr.h:93
0  xul.dll  mozilla::detail::nsTStringRepr<char>::EqualsASCII const  xpcom/string/nsTStringRepr.cpp:83
1  xul.dll  mozilla::detail::nsTStringRepr<char>::EqualsLiteral const  xpcom/string/nsTStringRepr.h:278
1  xul.dll  mozilla::GMPVideoDecoder::Decode  dom/media/platforms/agnostic/gmp/GMPVideoDecoder.cpp:375
2  xul.dll  mozilla::MediaDataDecoderProxy::Decode::<lambda_19>::operator const  dom/media/platforms/wrappers/MediaDataDecoderProxy.cpp:31
2  xul.dll  mozilla::detail::ProxyFunctionRunnable<`lambda at /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaDataDecoderProxy.cpp:30:46', mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData> >, mozilla::MediaResult, 1> >::Run  xpcom/threads/MozPromise.h:1696
3  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1233
4  xul.dll  NS_ProcessNextEvent  xpcom/threads/nsThreadUtils.cpp:479
4  xul.dll  mozilla::ipc::MessagePumpForNonMainThreads::Run  ipc/glue/MessagePump.cpp:300
5  xul.dll  MessageLoop::RunInternal  ipc/chromium/src/base/message_loop.cc:369

When the GMP process crashes, we may still attempt to deref a null
pointer for the underlying IPDL object in the content process before we
finish shutting down the decoder.

This patch fixes the crash by checking for the null pointer, but also
now caches the plugin type as an enum for use elsewhere in the code.
This minimizes checking the display name of the plugin everywhere to
guess the plugin properties.
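
The failure mode and fix pattern described in the commit message above, as an added example that is not part of the original bug or the landed patch. All class, enum and function names and the "sample-h264" display name are hypothetical and constructed for illustration.

```cpp
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-ins for illustration; these are not Gecko's classes.
enum class PluginType { Unknown, SampleH264, Other };
enum class DecodeResult { Ok, OkWithWorkaround, PluginGone };

// Models the IPC-backed object that is torn down when the plugin process dies.
struct PluginActor {
  std::string displayName;  // constructed value in this example
};

class Decoder {
 public:
  explicit Decoder(std::unique_ptr<PluginActor> actor)
      : mActor(std::move(actor)),
        // Classify once, while the actor is known to be alive.
        mType(mActor ? Classify(mActor->displayName) : PluginType::Unknown) {}
  // The actor goes away first; decoder shutdown finishes some time later.
  void OnPluginCrashed() { mActor.reset(); }
  // Unsafe shape: reads the name through mActor on every call, so a call
  // arriving between the crash and shutdown reads through a null pointer.
  DecodeResult DecodeUnchecked() const {
    return mActor->displayName == "sample-h264" ? DecodeResult::OkWithWorkaround
                                                : DecodeResult::Ok;
  }
  // Hardened shape: fail the request if the actor is gone, and branch on the
  // cached enum instead of comparing the display name again.
  DecodeResult Decode() const {
    if (!mActor) return DecodeResult::PluginGone;
    return mType == PluginType::SampleH264 ? DecodeResult::OkWithWorkaround
                                           : DecodeResult::Ok;
  }
  PluginType Type() const { return mType; }  // still valid after a crash

 private:
  static PluginType Classify(const std::string& name) {
    return name == "sample-h264" ? PluginType::SampleH264 : PluginType::Other;
  }
  std::unique_ptr<PluginActor> mActor;
  PluginType mType;
};

int main() {
  Decoder d(std::make_unique<PluginActor>(PluginActor{"sample-h264"}));
  d.OnPluginCrashed();
  return d.Decode() == DecodeResult::PluginGone ? 0 : 1;
}
```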

Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/8a097cbf07cd Fix null pointer deref after GMP process crash. r=media-playback-reviewers,alwu

Marking 114 as affected because I will be requesting uplift. In theory users are unaffected because we disable the plugin decoder by default, but popular Linux distros enable it and will potentially hit this crash if/when the GMP process crashes.

Pushed by aosmond@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f7f68725a323 Fix null pointer deref after GMP process crash. r=media-playback-reviewers,alwu
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

The patch landed in nightly and beta is affected.
:aosmond, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox114 to wontfix.

For more information, please visit BugBot documentation.

Flags: needinfo?(aosmond)
No longer blocks: openh264-2_6