Assertion failure: IsAudioDecoding(), at /dom/media/MediaDecoderStateMachine.cpp:3966
Categories
(Core :: Audio/Video, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox138 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs, )
Details
(Keywords: assertion, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
2.08 MB,
application/octet-stream
|
Details |
Testcase found while fuzzing mozilla-central rev c560ac2dab5f (built with: --enable-debug --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build c560ac2dab5f --debug --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
Assertion failure: IsAudioDecoding(), at /dom/media/MediaDecoderStateMachine.cpp:3966
==607125==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x70022e31741a bp 0x7002201f45e0 sp 0x7002201f44c0 T607194)
==607125==The signal is caused by a WRITE memory access.
==607125==Hint: address points to the zero page.
#0 0x70022e31741a in mozilla::MediaDecoderStateMachine::RequestAudioData() /dom/media/MediaDecoderStateMachine.cpp:3966:3
#1 0x70022e435372 in operator() /dom/media/MediaDecoderStateMachine.cpp:4096:32
#2 0x70022e435372 in InvokeMethod<(lambda at /dom/media/MediaDecoderStateMachine.cpp:4090:13), void ((lambda at /dom/media/MediaDecoderStateMachine.cpp:4090:13)::*)(mozilla::MediaData::Type) const, mozilla::MediaData::Type> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:652:12
#3 0x70022e435372 in InvokeCallbackMethod<false, (lambda at /dom/media/MediaDecoderStateMachine.cpp:4090:13), void ((lambda at /dom/media/MediaDecoderStateMachine.cpp:4090:13)::*)(mozilla::MediaData::Type) const, mozilla::MediaData::Type, RefPtr<mozilla::MozPromise<mozilla::MediaData::Type, mozilla::WaitForDataRejectValue, true>::Private> > /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:683:5
#4 0x70022e435372 in mozilla::MozPromise<mozilla::MediaData::Type, mozilla::WaitForDataRejectValue, true>::ThenValue<mozilla::MediaDecoderStateMachine::WaitForData(mozilla::MediaData::Type)::$_0, mozilla::MediaDecoderStateMachine::WaitForData(mozilla::MediaData::Type)::$_1>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::MediaData::Type, mozilla::WaitForDataRejectValue, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:857:9
#5 0x70022e2c76a2 in mozilla::MozPromise<mozilla::MediaData::Type, mozilla::WaitForDataRejectValue, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:488:21
#6 0x70022a5742b8 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:230:35
#7 0x70022a56a978 in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:257:20
#8 0x70022a595d29 in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:341:14
#9 0x70022a58c221 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1193:16
#10 0x70022a5931fd in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
#11 0x70022b299fbe in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
#12 0x70022b1aec91 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
#13 0x70022b1aec91 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
#14 0x70022a5874f3 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:370:10
#15 0x70023ed5466f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
#16 0x70023f5f6ac2 in start_thread nptl/pthread_create.c:442:8
#17 0x70023f68884f misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/media/MediaDecoderStateMachine.cpp:3966:3 in mozilla::MediaDecoderStateMachine::RequestAudioData()
==607125==ABORTING
|
Reporter | |
Comment 1•1 year ago
|
||
|
||
Comment 2•1 year ago
|
||
Verified bug as reproducible on mozilla-central 20240505202839-a6cb5ac7a79a.
Unable to bisect testcase (Testcase reproduces on start build!):
Start: 25209607dc0b253635ead03eff51fdc10a62e659 (20230508094425)
End: c560ac2dab5f138b9d9fc117124a8edd04dc0d3f (20240503031641)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=True, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False)
|
||
Updated•1 year ago
|
|
|
||
Comment 3•1 year ago
|
||
Testcase crashes using the initial build (mozilla-central 20240503031641-c560ac2dab5f) but not with tip (mozilla-central 20241123090138-64d44f7a4817.)
The bug appears to have been fixed in the following build range:
Start: 7b683be273cc88f730cb639354d53ba54c37d6f6 (20241107043215)
End: dbe3516815a2f5443ce9da4d874aa6f086fb98b8 (20241107012504)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=7b683be273cc88f730cb639354d53ba54c37d6f6&tochange=dbe3516815a2f5443ce9da4d874aa6f086fb98b8
jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
|
|
Reporter | |
Comment 4•1 year ago
|
||
:alwu, could this have been fixed via bug 1928183?
|
||
Comment 6•8 months ago
|
||
This has been reported via live site testing.
|
|
||
Updated•8 months ago
|
Description
•