Closed Bug 1848258 Opened 9 months ago Closed 9 months ago

Crash in [@ mozilla::media::TimeUnit::operator>=] with OggDemuxer

Categories

(Core :: Audio/Video: Playback, defect)

Product:
Core
Component:
Audio/Video: Playback
Platform:
Desktop
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
118 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox116 --- unaffected
firefox117 --- unaffected
firefox118 + fixed

People

(Reporter: mccr8, Assigned: padenot)

References

Details

(4 keywords)

Crash Data

Attachments

(1 file)

Bug 1848258 - Restore handling of invalid OGG Vorbis file. r?alwu
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/41bcf772-cee4-4a67-b2ec-d3f810230809

MOZ_CRASH Reason: MOZ_DIAGNOSTIC_ASSERT(mIsValid) (Invalid checked integer (division by zero or integer overflow))

Top 10 frames of crashing thread:

0  XUL  mozilla::media::TimeUnit::operator>= const  dom/media/TimeUnits.cpp:193
1  XUL  mozilla::media::TimeUnit::operator< const  dom/media/TimeUnits.cpp:253
2  XUL  std::__1::__less<mozilla::media::TimeUnit, mozilla::media::TimeUnit>::operator const  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__algorithm/comp.h:73
2  XUL  std::__1::min[abi:v15006]<mozilla::media::TimeUnit, std::__1::__less<mozilla::media, mozilla::media> >  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__algorithm/min.h:33
2  XUL  std::__1::min[abi:v15006]<mozilla::media::TimeUnit>  /builds/worker/fetches/MacOSX13.3.sdk/usr/include/c++/v1/__algorithm/min.h:42
2  XUL  mozilla::OggDemuxer::FindStartTime  dom/media/ogg/OggDemuxer.cpp:1069
3  XUL  mozilla::OggDemuxer::ReadMetadata  dom/media/ogg/OggDemuxer.cpp:574
4  XUL  mozilla::OggDemuxer::Init  dom/media/ogg/OggDemuxer.cpp:223
5  XUL  mozilla::MediaFormatReader::DemuxerProxy::Init const  dom/media/MediaFormatReader.cpp:788
5  XUL  mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init  xpcom/threads/MozPromise.h:1690

This is a pre-existing signature, but there's a large spike in it on Nightly, on the 20230808212319 build, so I'm guessing it is a regression from recent media work.

There are a few comments on these crashes:
"Happens often on the GTA Wikia"
"crashed when attempting to play an audio file on wikipedia"

The crash URLs include things that look like this: https://gta.fandom.com/wiki/Jeff_Harlingford (plus a bunch of other articles)
My browser tab crashed immediately when I loaded that URL, so I'll mark this as reproducible.

Flags: needinfo?(padenot)

[Tracking Requested - why for this release]: reproducible crash

status-firefox116: --- → unaffected
status-firefox117: --- → unaffected
status-firefox118: --- → affected
status-firefox-esr102: --- → unaffected
status-firefox-esr115: --- → unaffected
tracking-firefox118: --- → ?

Looks like this is affecting at least Windows and MacOS.

OS: Unspecified → All
Hardware: Unspecified → Desktop

I tried playing a few random Ogg files on Wikipedia and didn't crash.

Assignee: nobody → padenot
Flags: needinfo?(padenot)

Slightly different signature on Android: [@ mozilla::CheckedInt<T>::value | mozilla::media::TimeUnit::operator>= ]

bp-bdacd0a0-79bf-42fb-a5c4-de7910230811

No crash reason given. Gsvelto, it looks like maybe we're having problems with crash annotations on Android again (bug 1681846).

Crash Signature: [@ mozilla::media::TimeUnit::operator>=] → [@ mozilla::media::TimeUnit::operator>=] [@ mozilla::CheckedInt<T>::value | mozilla::media::TimeUnit::operator>= ]
Flags: needinfo?(gsvelto)

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 AArch64 and ARM crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash

(In reply to Andrew McCreight [:mccr8] from comment #5)

Slightly different signature on Android: [@ mozilla::CheckedInt<T>::value | mozilla::media::TimeUnit::operator>= ]

bp-bdacd0a0-79bf-42fb-a5c4-de7910230811

No crash reason given. Gsvelto, it looks like maybe we're having problems with crash annotations on Android again (bug 1681846).

It's a different issue, the crash has DumperError: MissingAnnotations so we were unable to pull all the annotations from the child process. It's an issue that's related to the empty minidumps we were seeing before. It seems to happen when we fail to suspend the target process correctly; I'm looking into it because the fix for this should also be the fix for the vast majority of the empty minidumps we're seeing on Android.

Flags: needinfo?(gsvelto)
Duplicate of this bug: 1848681
Pushed by padenot@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3bd7ac546094
Restore handling of invalid OGG Vorbis file. r=alwu

https://hg.mozilla.org/mozilla-central/rev/3bd7ac546094

Status: NEW → RESOLVED
Closed: 9 months ago
status-firefox118: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: