Closed Bug 1877259 Opened 1 year ago Closed 5 months ago

Crash in [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsTArray_Impl<T>::Sort<T> | mozilla::media::IntervalSet<T>::Normalize]

Categories

(Core :: Audio/Video: Playback, defect, P3)

Product:
Core
Component:
Audio/Video: Playback
Platform:
Unspecified
Android
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: jstutte, Unassigned)

References

Details

(Keywords: crash)

Crash Data

Crash report: https://crash-stats.mozilla.org/report/index/96ce6baf-af29-41cf-b8a3-0473e0240126

Reason: SIGSEGV / SEGV_MAPERR

Top 10 frames of crashing thread:

0  libmozglue.so  MOZ_Crash  mfbt/Assertions.h:281
0  libmozglue.so  mozilla::detail::InvalidArrayIndex_CRASH  mfbt/Assertions.cpp:50
1  libxul.so  nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator>::ElementAt const  xpcom/ds/nsTArray.h:1219
1  libxul.so  mozilla::ArrayIterator<mozilla::media::Interval<mozilla::media::TimeUnit>&, nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator> >::operator* const  xpcom/ds/ArrayIterator.h:107
1  libxul.so  std::__ndk1::__sort<nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator>::Sort<mozilla::media::IntervalSet<mozilla::media::TimeUnit>::CompareIntervals>  /builds/worker/fetches/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/include/c++/v1/algorithm
2  libxul.so  std::__ndk1::sort<mozilla::ArrayIterator<mozilla::media::Interval<mozilla::media::TimeUnit>&, nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator> >, nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator>::Sort<mozilla::media::IntervalSet<mozilla::media::TimeUnit>::CompareIntervals>  /builds/worker/fetches/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/include/c++/v1/algorithm:4125
2  libxul.so  nsTArray_Impl<mozilla::media::Interval<mozilla::media::TimeUnit>, nsTArrayInfallibleAllocator>::Sort<mozilla::media::IntervalSet<mozilla::media::TimeUnit>::CompareIntervals>  xpcom/ds/nsTArray.h:2382
2  libxul.so  mozilla::media::IntervalSet<mozilla::media::TimeUnit>::Normalize  dom/media/Intervals.h:707
2  libxul.so  mozilla::media::IntervalSet<mozilla::media::TimeUnit>::Add  dom/media/Intervals.h:318
3  libxul.so  mozilla::media::IntervalSet<mozilla::media::TimeUnit>::operator+=  dom/media/Intervals.h:367

Looking earlier at bug 1875859, there seem to be some similar crashes with the same signatures as bug 1869675 left on Fenix.

I wonder if Fenix is just slow enough to open a window for a race with other threads? Disclaimer: I have no notion of the surrounding code and if those Intervals are used from multiple threads at all. But if they are, we must be sure that the array and the compared values are not changing while we are sorting.

When I modified that comparator in bug 1869675, I had the gut feeling that there might be more to it, as now the comparator might tell slightly different stories than intersect (which considers the mFuzz), but I did definitely not expect the sorting to still fail like this and still think it should be safe like this if there is no concurrency.

Crash Signature: [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsTArray_Impl<T>::Sort<T> | mozilla::media::IntervalSet<T>::Normalize] → [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::Sort<T> | mozilla::media::IntervalSet<T>::Normalize ] [@ mozilla::detail::InvalidArrayIndex_CRASH | nsTArray_Impl<T>::ElementAt | nsTArray_Impl<T>::Sort<T> | mozilla::media::IntervalSet<T>::…
See Also: → 1869675, 1875859
Severity: -- → S3
Priority: -- → P3

Closing because no crashes reported for 12 weeks.

Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.