MOZ_CRASH in [@ mozilla::media::TimeUnit::MultDouble]
Categories: Core :: Audio/Video: Playback, defect
People: Reporter: tsmith, Assigned: padenot
References: Regression
Details: Keywords: regression, testcase; Whiteboard: [bugmon:bisected,confirmed]
Attachments (2 files):
- 1.02 KB, video/mp4
- 48 bytes, text/x-phabricator-request (RyanVM: approval-mozilla-beta+, RyanVM: approval-mozilla-esr115+)
Found while fuzzing m-c 20230721-09025d4def55 (--enable-debug --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.mp4
TimeUnit tick count after multiplication 19 * inf is too high for the result to be exact
Hit MOZ_CRASH() at /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:353
#0 0x7f087534c8c6 in mozilla::media::TimeUnit::MultDouble(double) const /builds/worker/checkouts/gecko/dom/media/TimeUnits.cpp:353:5
#1 0x7f0875b53fb9 in mozilla::Moof::Moof(mozilla::Box&, mozilla::Variant<mozilla::ParseAllTracks, unsigned int> const&, mozilla::Trex&, mozilla::Mvhd&, mozilla::Mdhd&, mozilla::Edts&, mozilla::Sinf&, unsigned long*, bool, nsTArray<mozilla::TrackEndCts>&) /builds/worker/checkouts/gecko/dom/media/mp4/MoofParser.cpp:544:62
#2 0x7f0875b4d523 in mozilla::MoofParser::RebuildFragmentedIndex(mozilla::BoxContext&) /builds/worker/checkouts/gecko/dom/media/mp4/MoofParser.cpp:77:12
#3 0x7f0875b4d1cc in mozilla::MoofParser::RebuildFragmentedIndex(mozilla::media::IntervalSet<long> const&) /builds/worker/checkouts/gecko/dom/media/mp4/MoofParser.cpp:45:10
#4 0x7f0875b45a0a in UpdateMoofIndex /builds/worker/checkouts/gecko/dom/media/mp4/SampleIterator.cpp:530:16
#5 0x7f0875b45a0a in UpdateMoofIndex /builds/worker/checkouts/gecko/dom/media/mp4/SampleIterator.cpp:508:3
#6 0x7f0875b45a0a in mozilla::MP4TrackDemuxer::EnsureUpToDateIndex() /builds/worker/checkouts/gecko/dom/media/mp4/MP4Demuxer.cpp:359:11
#7 0x7f0875b453a1 in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MediaResource*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo>>&&, mozilla::IndiceWrapper const&, unsigned int) /builds/worker/checkouts/gecko/dom/media/mp4/MP4Demuxer.cpp:324:3
#8 0x7f0875b417e1 in mozilla::MP4Demuxer::Init() /builds/worker/checkouts/gecko/dom/media/mp4/MP4Demuxer.cpp:231:15
#9 0x7f0875232961 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:788:47
#10 0x7f0875232961 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1690:29
#11 0x7f08712d3d8b in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:257:20
#12 0x7f08712fddb5 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#13 0x7f08712f435d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1193:16
#14 0x7f08712fb06d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#15 0x7f0871fa469e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#16 0x7f0871ebe3d1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#17 0x7f0871ebe3d1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#18 0x7f08712ef9e6 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#19 0x7f08855119ef in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#20 0x7f0885294b42 in start_thread nptl/pthread_create.c:442:8
#21 0x7f08853269ff misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
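The failure mode in the report, a division by zero that yields inf which is then multiplied into an integer tick count and caught by the exactness check in debug builds, sketched as an added example. This is not Gecko's TimeUnit or MoofParser code; the assumption that the zero divisor is a timescale read from the file is mine, since the page only says a division by zero was involved.

```cpp
#include <cmath>
#include <cstdint>
#include <optional>

// Added example, not Gecko's code. A stand-in for the TimeUnit tick
// multiplication from the report: the product of an integer tick count and a
// double must be finite and exactly representable, otherwise the debug build
// hits MOZ_CRASH ("19 * inf is too high for the result to be exact").
// Here the failure is reported to the caller instead of aborting.
std::optional<int64_t> MultDoubleChecked(int64_t ticks, double factor) {
  double product = static_cast<double>(ticks) * factor;
  if (!std::isfinite(product)) {
    return std::nullopt;  // inf or NaN: the report's case
  }
  // Integers at or above 2^53 are no longer exactly representable in a double,
  // so converting back to int64_t could silently round.
  constexpr double kExactLimit = 9007199254740992.0;  // 2^53
  if (std::fabs(product) >= kExactLimit) {
    return std::nullopt;
  }
  return static_cast<int64_t>(product);
}

// Assumption (not stated on the page): the zero divisor was a timescale taken
// from the crafted file. Refuse it before dividing, rather than letting
// fromScale/0 become inf and flow into the multiplication above.
std::optional<double> TimescaleRatio(uint32_t fromScale, uint32_t toScale) {
  if (fromScale == 0 || toScale == 0) {
    return std::nullopt;
  }
  return static_cast<double>(fromScale) / static_cast<double>(toScale);
}

// Rescale a dts (in fromScale ticks) to toScale ticks; std::nullopt on any
// invalid input so a demuxer can reject the file instead of crashing.
std::optional<int64_t> AdjustDts(int64_t dts, uint32_t fromScale,
                                 uint32_t toScale) {
  std::optional<double> ratio = TimescaleRatio(fromScale, toScale);
  if (!ratio) {
    return std::nullopt;
  }
  return MultDoubleChecked(dts, *ratio);
}
```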
Comment 1 (Reporter) • 1 year ago
Note: the call to printf_stderr() seems to be missing a new line after the error message.
Comment 2 • 1 year ago
Verified bug as reproducible on mozilla-central 20230725211415-d527a0783112.
The bug appears to have been introduced in the following build range:
Start: 9fa4a7ae19238256fcd261c727ad2b08c6f1a4fd (20230524162134)
End: 6a96bb1f430f92b83cc31f74db4e4c1f71e155e5 (20230524133440)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9fa4a7ae19238256fcd261c727ad2b08c6f1a4fd&tochange=6a96bb1f430f92b83cc31f74db4e4c1f71e155e5
Comment 3 • 1 year ago
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
Comment 4 • 1 year ago
Set release status flags based on info from the regressing bug 1817997
:padenot, since you are the author of the regressor, bug 1817997, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Comment 5 (Assignee) • 1 year ago
Comment 7 • 1 year ago
Set release status flags based on info from the regressing bug 1817997
Comment 8 (bugherder) • 1 year ago
Comment 9 • 1 year ago
Verified bug as fixed on rev mozilla-central 20230801160652-8e6d6287c0af.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 10 • 1 year ago
The patch landed in nightly and beta is affected.
:padenot, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox117 to wontfix.
For more information, please visit BugBot documentation.
Comment 11 (Assignee) • 1 year ago
Comment on attachment 9345989 [details]
Bug 1845350 - Prevent a division by zero when adjusting dts in MoofParser.cpp. r?alwu
Beta/Release Uplift Approval Request
- User impact if declined: Fix a content process crash, easy to trigger using a specially crafted media file.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Trivial fix, well tested.
- String changes made/needed: none
- Is Android affected?: Yes
Comment 12 • 1 year ago
Comment on attachment 9345989 [details]
Bug 1845350 - Prevent a division by zero when adjusting dts in MoofParser.cpp. r?alwu
Approved for 117.0b3.
Comment 13 (uplift) • 1 year ago
Comment 14 • 1 year ago
Comment on attachment 9345989 [details]
Bug 1845350 - Prevent a division by zero when adjusting dts in MoofParser.cpp. r?alwu
Approved for 115.2esr.
Comment 15 (uplift) • 1 year ago
Comment 16 • 1 year ago
I have reproduced the crash using the video sample from comment 0, on an affected asan Nightly build (2023-07-25).
The issue is verified as fixed on the latest asan builds available, Firefox Release 117.0 and ESR 115.2 running Ubuntu 20.04 x64.