Closed Bug 1857670 Opened 1 year ago Closed 1 year ago

Crash in [@ mozilla::H265::ParseStRefPicSet]

Categories

(Core :: Audio/Video: Playback, defect, P1)

Product:
Core
Component:
Audio/Video: Playback
Platform:
Unspecified
Windows 11
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
120 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox118 --- unaffected
firefox119 --- unaffected
firefox120 + fixed

People

(Reporter: diannaS, Assigned: alwu)

References

(Regression)

Details

(Keywords: crash, regression, topcrash)

Crash Data

Attachments

(3 files)

Bug 1857670 - add more value sanity checks.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1857670 - add assertions.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1857670 - cast uint32_t to int64_t to avoid overflow.
48 bytes, text/x-phabricator-request
Details | Review

Crash report: https://crash-stats.mozilla.org/report/index/a04c1dfb-a13e-41c3-95e7-789130231007

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0  xul.dll  mozilla::H265::ParseStRefPicSet  dom/media/platforms/agnostic/bytestreams/H265.cpp:485
1  xul.dll  mozilla::H265::DecodeSPSFromSPSNALU  dom/media/platforms/agnostic/bytestreams/H265.cpp:290
2  xul.dll  mozilla::H265::DecodeSPSFromHVCCExtraData  dom/media/platforms/agnostic/bytestreams/H265.cpp:340
3  xul.dll  mozilla::MP4TrackDemuxer::MP4TrackDemuxer  dom/media/mp4/MP4Demuxer.cpp:347
4  xul.dll  mozilla::MP4Demuxer::Init  dom/media/mp4/MP4Demuxer.cpp:231
5  xul.dll  mozilla::MediaFormatReader::DemuxerProxy::Init::<lambda_88>::operator const  dom/media/MediaFormatReader.cpp:788
5  xul.dll  mozilla::detail::ProxyFunctionRunnable<`lambda at /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:783:22', mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, 0> >::Run  xpcom/threads/MozPromise.h:1690
6  xul.dll  mozilla::TaskQueue::Runner::Run  xpcom/threads/TaskQueue.cpp:257
7  xul.dll  nsThreadPool::Run  xpcom/threads/nsThreadPool.cpp:343
8  xul.dll  nsThread::ProcessNextEvent  xpcom/threads/nsThread.cpp:1192
Assignee: nobody → alwu
Severity: -- → S2
Priority: -- → P1

The bug is linked to a topcrash signature, which matches the following criterion:

  • Top 10 desktop browser crashes on nightly

For more information, please visit BugBot documentation.

Keywords: topcrash

Depends on D190506

Pushed by alwu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a0826843768f add more value sanity checks. r=media-playback-reviewers,padenot https://hg.mozilla.org/integration/autoland/rev/69759978b024 add assertions. r=media-playback-reviewers,padenot
Pushed by alwu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/97a70c0e893d add more value sanity checks. r=media-playback-reviewers,padenot https://hg.mozilla.org/integration/autoland/rev/00cb6115c0df add assertions. r=media-playback-reviewers,padenot

https://hg.mozilla.org/mozilla-central/rev/97a70c0e893d
https://hg.mozilla.org/mozilla-central/rev/00cb6115c0df

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox120: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch

:alwu looks like there were immediate crashes after today's build, could you take a look?

Flags: needinfo?(alwu)

Sure, keep my NI and I will check it today.

If num_positive_pics or num_negative_pics is zero, minusing 1 would
overflow to uint32_max. Therefore, we need to cast it to int64_t first.

Status: RESOLVED → REOPENED
Flags: needinfo?(alwu)
Resolution: FIXED → ---
tracking-firefox120: --- → +
Pushed by alwu@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5d3db27eb27a cast uint32_t to int64_t to avoid overflow. r=media-playback-reviewers,aosmond

https://hg.mozilla.org/mozilla-central/rev/5d3db27eb27a

Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
status-firefox120: affectedfixed
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: