SEGV on unknown address 0x000000000001 on mozilla::dom::DecoderTemplate<mozilla::dom::VideoDecoderTraits>::CloseInternal
Categories
(Core :: Audio/Video: Web Codecs, defect)
Tracking
()
Flag | Tracking | Status
---|---|---
firefox-esr115 | --- | unaffected
firefox121 | --- | unaffected
firefox122 | --- | wontfix
firefox123 | --- | wontfix
firefox124 | --- | wontfix
firefox125 | --- | fix-optional
People
(Reporter: wh0tlif3, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(5 keywords, Whiteboard: [reporter-external] [client-bounty-form] [verif?][bugmon:bisected,confirmed])
Crash Data
Attachments
(1 file, 1 obsolete file)
216 bytes, text/html
Only tested on nightly.
=================================================================
==3208128==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fbe0f811ae2 bp 0x7fff98dbea20 sp 0x7fff98dbe940 T0)
==3208128==The signal is caused by a WRITE memory access.
==3208128==Hint: address points to the zero page.
#0 0x7fbe0f811ae2 in mozilla::dom::DecoderTemplate<mozilla::dom::VideoDecoderTraits>::CloseInternal(nsresult const&) /builds/worker/checkouts/gecko/dom/media/webcodecs/DecoderTemplate.cpp:298:5
#1 0x7fbe0f869ec6 in operator() /builds/worker/checkouts/gecko/dom/media/webcodecs/DecoderTemplate.cpp:519:24
#2 0x7fbe0f869ec6 in mozilla::detail::RunnableFunction<mozilla::dom::DecoderTemplate<mozilla::dom::VideoDecoderTraits>::ProcessConfigureMessage(mozilla::UniquePtr<mozilla::dom::DecoderTemplate<mozilla::dom::VideoDecoderTraits>::ControlMessage, mozilla::DefaultDelete<mozilla::dom::DecoderTemplate<mozilla::dom::VideoDecoderTraits>::ControlMessage>>&)::'lambda'()>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
#3 0x7fbe069e331a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549:16
#4 0x7fbe069ca44e in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876:26
#5 0x7fbe069c7038 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699:15
#6 0x7fbe069c7739 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485:36
#7 0x7fbe069eb3b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:37
#8 0x7fbe069eb3b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
#9 0x7fbe06a12ba4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16
#10 0x7fbe06a2082a in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
#11 0x7fbe086a319e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#12 0x7fbe084cb57a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#13 0x7fbe084cb57a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#14 0x7fbe084cb57a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#15 0x7fbe11d52289 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
#16 0x7fbe11f56b42 in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33
#17 0x7fbe173a3cbe in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:721:20
#18 0x7fbe084cb57a in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
#19 0x7fbe084cb57a in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
#20 0x7fbe084cb57a in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
#21 0x7fbe173a3263 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:656:34
#22 0x564e935acafc in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#23 0x564e935acafc in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18
#24 0x7fbe2ea29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#25 0x7fbe2ea29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#26 0x564e934d0e08 in _start (/home/uuu/dev/FF/browsers/firefox/firefox+0xdbe08) (BuildId: de8b9cbfaeb2b7f91afe1ab81f91a905fa293823)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/dom/media/webcodecs/DecoderTemplate.cpp:298:5 in mozilla::dom::DecoderTemplate<mozilla::dom::VideoDecoderTraits>::CloseInternal(nsresult const&)
==3208128==ABORTING
Comment 1•1 year ago
This looks like a null deref, so it probably isn't a security issue, but I'll leave it hidden until somebody more familiar with this code can take a look.
Updated•1 year ago
Comment 2•1 year ago
This is a MOZ_CRASH(). Running with debug builds results in: Assertion failure: self->mState != CodecState::Closed, at /builds/worker/checkouts/gecko/dom/media/webcodecs/DecoderTemplate.cpp:518
This was found by internal fuzzers running m-c 20231207-bea12a00706c. This appears to be an unreduced domato test case. I will upload a reduced test case shortly.
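The hazard behind the assertion in comment 2 is a queued configure task that still calls CloseInternal after the decoder has already been moved to the Closed state by the page. The following is a constructed C++ model added here to illustrate that pattern and the state check that defends against it; it is not Gecko's DecoderTemplate code, and every name in it (ToyDecoder, TaskQueue, RunScenario, the codec strings) is hypothetical. The assertion quoted in comment 2 is modelled as a counter so that both the unchecked and the checked variant run to completion.

```cpp
#include <deque>
#include <functional>
#include <memory>
#include <string>

// Constructed model (hypothetical names, not Gecko's DecoderTemplate):
// a decoder queues its configure work as a task on the main-thread event
// loop; if the page closes the decoder before that task runs, the task
// must not act on the already-closed object.

enum class CodecState { Unconfigured, Configured, Closed };

// Stand-in for the main-thread event loop (the nsThread queue in the trace).
using TaskQueue = std::deque<std::function<void()>>;

class ToyDecoder : public std::enable_shared_from_this<ToyDecoder> {
 public:
  ToyDecoder(TaskQueue& loop, bool checkStateInTask)
      : mLoop(loop), mCheckStateInTask(checkStateInTask) {}

  // Queues the configure step; it runs later from the event loop.
  void Configure(const std::string& codec) {
    std::shared_ptr<ToyDecoder> self = shared_from_this();  // keeps *this alive
    mLoop.push_back([self, codec] {
      if (self->mCheckStateInTask && self->mState == CodecState::Closed) {
        ++self->mDroppedTasks;  // the page closed us first; nothing to do
        return;
      }
      if (codec != "vp8" && codec != "vp9") {
        // Unsupported codec: close the decoder with NotSupportedError.
        self->CloseInternal("NotSupportedError");
        return;
      }
      self->mAgent = std::make_unique<std::string>(codec);  // backend resource
      self->mState = CodecState::Configured;
    });
  }

  void Close() { CloseInternal("AbortError"); }

  CodecState State() const { return mState; }
  int DoubleCloses() const { return mDoubleCloses; }
  int DroppedTasks() const { return mDroppedTasks; }

 private:
  void CloseInternal(const std::string& reason) {
    if (mState == CodecState::Closed) {
      // Stands in for the assertion quoted in comment 2; recorded instead
      // of aborting so the model can be run through both variants.
      ++mDoubleCloses;
      return;
    }
    mState = CodecState::Closed;
    mCloseReason = reason;
    mAgent.reset();  // backend released; later touches would be on null
  }

  TaskQueue& mLoop;
  bool mCheckStateInTask;
  CodecState mState = CodecState::Unconfigured;
  std::string mCloseReason;
  std::unique_ptr<std::string> mAgent;
  int mDoubleCloses = 0;
  int mDroppedTasks = 0;
};

// Runs every queued task, as the event loop would.
void DrainLoop(TaskQueue& loop) {
  while (!loop.empty()) {
    auto task = std::move(loop.front());
    loop.pop_front();
    task();
  }
}

// Scenario from the report: configure with an unsupported codec, then close
// before the queued configure task runs. Returns the double closes observed.
int RunScenario(bool checkStateInTask) {
  TaskQueue loop;
  auto decoder = std::make_shared<ToyDecoder>(loop, checkStateInTask);
  decoder->Configure("not-a-codec");
  decoder->Close();   // state -> Closed before the task runs
  DrainLoop(loop);    // the task runs now
  return decoder->DoubleCloses();
}

// Control case: a supported codec configured normally ends up Configured.
bool HappyPath() {
  TaskQueue loop;
  auto decoder = std::make_shared<ToyDecoder>(loop, true);
  decoder->Configure("vp8");
  DrainLoop(loop);
  return decoder->State() == CodecState::Configured;
}
```

RunScenario(false) reproduces the ordering in the report (one close on top of an already-closed decoder); RunScenario(true) shows the deferred task re-checking the state it captured before and bailing out, which is the general rule for any runnable that captures a reference to an object whose lifecycle the page controls.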
Comment 3•1 year ago
Updated•1 year ago
Updated•1 year ago
Updated•1 year ago
Comment 4•1 year ago
Verified bug as reproducible on mozilla-central 20231215214115-8fd04cb03fbd.
The bug appears to have been introduced in the following build range:
Start: f5d904bee3fe6c9e79061b56c8499b6154f7d3ff (20231207090730)
End: 67203312eceaa26ae623c7e829006fb89a32d0e9 (20231207114849)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=f5d904bee3fe6c9e79061b56c8499b6154f7d3ff&tochange=67203312eceaa26ae623c7e829006fb89a32d0e9
:padenot, this looks like it could be related to some of your recent changes -- would you have any thoughts?
Comment 6•1 year ago
Setting Bug 1865376 as the regressor based on Comment 4 and Comment 5.
:padenot please correct if needed when responding to Comment 5
Updated•1 year ago
Updated•1 year ago
Updated•1 year ago
Comment 7•1 year ago
This is frequently reported by fuzzers.
Updated•1 year ago
Comment 8•1 year ago
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Updated•1 year ago
Updated•1 year ago
Updated•1 year ago
Comment 9•1 year ago
Can you check what happened with the pernosco recording here?
Comment 10•1 year ago
It looks like we never got a response back from pernosco with the trace. I'm going to re-enable it and see if it works.
Comment 11•1 year ago
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Comment 12•1 year ago
A pernosco session for this bug can be found here.
Comment 13•1 year ago
(In reply to Jason Kratzer [:jkratzer] from comment #10)
> It looks like we never got a response back from pernosco with the trace. I'm going to re-enable it and see if it works.
I'm not sure what happened in the original request because we don't retain logs for that long but at least we managed to get a trace in comment 12.
Comment 14•1 year ago
Dupe of 1881079 that has landed recently, maybe we can retry on current tip.
Comment 15•1 year ago
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Updated•1 year ago
Updated•11 months ago