1869675 - Crash in [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::Sort<T> | mozilla::media::IntervalSet<T>::Normalize]

Status: RESOLVED FIXED

(Core :: Audio/Video: Playback, defect)

Description

[Andrew McCreight [:mccr8]]

Crash report: https://crash-stats.mozilla.org/report/index/2484e5ca-c541-437f-a4b8-afa4e0231212

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libmozglue.so  MOZ_Crash  mfbt/Assertions.h:281
0  libmozglue.so  mozilla::detail::InvalidArrayIndex_CRASH  mfbt/Assertions.cpp:50
1  libxul.so  std::__ndk1::__sort<nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator>::Sort<mozilla::media::IntervalSet<mozilla::media::TimeUnit>::CompareIntervals>  /builds/worker/fetches/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/include/c++/v1/algorithm
2  libxul.so  std::__ndk1::sort<mozilla::ArrayIterator<mozilla::media::Interval<mozilla::media::TimeUnit>&, nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator> >, nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator>::Sort<mozilla::media::IntervalSet<mozilla::media::TimeUnit>::CompareIntervals>  /builds/worker/fetches/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/include/c++/v1/algorithm:4125
2  libxul.so  nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator>::Sort<mozilla::media::IntervalSet<mozilla::media::TimeUnit>::CompareIntervals>  xpcom/ds/nsTArray.h:2382
2  libxul.so  mozilla::media::IntervalSet<mozilla::media::TimeUnit>::Normalize  dom/media/Intervals.h:707
2  libxul.so  mozilla::media::IntervalSet<mozilla::media::TimeUnit>::Add  dom/media/Intervals.h:318
3  libxul.so  mozilla::media::IntervalSet<mozilla::media::TimeUnit>::operator+=  dom/media/Intervals.h:367
3  libxul.so  mozilla::TrackBuffersManager::InsertFrames  dom/media/mediasource/TrackBuffersManager.cpp:2302
4  libxul.so  mozilla::TrackBuffersManager::ProcessFrames  dom/media/mediasource/TrackBuffersManager.cpp:2137

It looks like this is a new crash in the 20231211095040 build. Here's the list of patches in that regression range.

Bug 1839051 looks like the most likely regressor, as there's lots of sorting stuff on the stack.

Comment 1

[Andrew McCreight [:mccr8]]

The signature looks slightly different on Desktop: [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsTArray_Impl<T>::Sort<T> | mozilla::media::IntervalSet<T>::Normalize ]

bp-e0cd9178-215c-4dfd-a07a-7c7310231212

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1839051

Comment 3

[Jens Stutte [:jstutte]]

The CompareIntervals::LessThan is not symmetric due to the mFuzz, leading to interesting side effects:

bool LessThan(const ElemType& aT1, const ElemType& aT2) const {
  return aT1.mStart - aT1.mFuzz < aT2.mStart + aT2.mFuzz;
}

means

if (aT.mFuzz > 0) aT < aT // instead of aT == aT
if (aT.mFuzz < 0) aT > aT // instead of aT == aT

aT1.mStart := 1
aT1.mFuzz := 2
aT2.mStart := 2
aT2.mFuzz := 2

aT1 < aT2 && aT2 < aT1 // not symmetric

which makes std::sort angry. I assume this comparator did already cause weird effects with NS_QuickSort that were apparently less obvious.

I think the comparator should either just work on mStart or always subtract mFuzz both from aT1 and aT2 to get always the same value to compare with. I'd assume, just checking mStart should be fine here?

Comment 4

[Jens Stutte [:jstutte]]

Attachment: Bug 1869675 - Make CompareIntervals::LessThan become a symmetric relation. r?#dom-core-reviewers

Comment 5

[Pulsebot]

Pushed by jstutte@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c05c1cfa7a78
Make CompareIntervals::LessThan become a symmetric relation. r=media-playback-reviewers,padenot

Comment 6

[Atila Butkovits]

https://hg.mozilla.org/mozilla-central/rev/c05c1cfa7a78