Open
Bug 2016497
Opened 1 day ago
Updated 20 hours ago
crash near null in [@ mozilla::HEVCChangeMonitor::CheckForChange]
Categories
(Core :: Audio/Video: Web Codecs, defect)
Core
Audio/Video: Web Codecs
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox-esr115 | --- | unaffected |
| firefox-esr140 | --- | wontfix |
| firefox147 | --- | wontfix |
| firefox148 | --- | wontfix |
| firefox149 | --- | affected |
People
(Reporter: tsmith, Unassigned, NeedInfo)
References
(Blocks 1 open bug, Regression)
Details
(4 keywords, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
393 bytes,
text/html
|
Details |
Found while fuzzing m-c 20260211-7df40d9149a3 (--enable-address-sanitizer --enable-fuzzing)
To reproduce via Grizzly Replay:
$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>
==121310==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x6d9954e4eb31 bp 0x6d992a7f3a70 sp 0x6d992a7f39a0 T23)
==121310==The signal is caused by a READ memory access.
==121310==Hint: address points to the zero page.
#0 0x6d9954e4eb31 in GetAutoArrayHeader /builds/worker/workspace/obj-build/dist/include/nsTArray.h:498:16
#1 0x6d9954e4eb31 in TakeHeaderForMove<nsTArrayInfallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:3581:19
#2 0x6d9954e4eb31 in MoveConstructNonAutoArray /builds/worker/workspace/obj-build/dist/include/nsTArray.h:3573:23
#3 0x6d9954e4eb31 in nsTArray_Impl<nsTArrayInfallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:930:11
#4 0x6d9954e4eb31 in nsTArray /builds/worker/workspace/obj-build/dist/include/AnnexB.h:14:7
#5 0x6d9954e4eb31 in HVCCConfig /builds/worker/workspace/obj-build/dist/include/H265.h:287:8
#6 0x6d9954e4eb31 in unwrap /builds/worker/workspace/obj-build/dist/include/mozilla/Result.h:141:33
#7 0x6d9954e4eb31 in unwrap /builds/worker/workspace/obj-build/dist/include/mozilla/Result.h:611:18
#8 0x6d9954e4eb31 in mozilla::HEVCChangeMonitor::CheckForChange(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:357:59
#9 0x6d9954e36859 in mozilla::MediaChangeMonitor::CreateDecoderAndInit(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:1179:36
#10 0x6d9954e33f1e in mozilla::MediaChangeMonitor::CheckForChange(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:1296:12
#11 0x6d9954e32e83 in mozilla::MediaChangeMonitor::Decode(mozilla::MediaRawData*) /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaChangeMonitor.cpp:989:20
#12 0x6d9954e67ef2 in operator() /builds/worker/checkouts/gecko/dom/media/platforms/wrappers/MediaDataDecoderProxy.cpp:31:33
#13 0x6d9954e67ef2 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaDataDecoderProxy::Decode(mozilla::MediaRawData*)::$_0, mozilla::MozPromise<nsTArray<RefPtr<mozilla::MediaData>>, mozilla::MediaResult, true>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1838:29
#14 0x6d994ca0ea05 in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:311:20
#15 0x6d994ca57007 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:446:14
#16 0x6d994ca4a230 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1162:16
#17 0x6d994ca53089 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
#18 0x6d994e187aa1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:299:20
#19 0x6d994e0651f4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:10
#20 0x6d994e0651f4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:366:3
#21 0x6d994e0651f4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:348:3
#22 0x6d994ca43130 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:373:10
#23 0x719972454aff in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:191:3
#24 0x644ceba66676 in asan_thread_start(void*) _asan_rtl_:28
#25 0x7199729deac2 in start_thread ./nptl/pthread_create.c:442:8
#26 0x719972a6fa83 in __clone ./misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100:0
|
||
Comment 1•1 day ago
|
||
Verified bug as reproducible on mozilla-central 20260212213836-06d48ece4edf.
The bug appears to have been introduced in the following build range:
Start: d518db35a2629c055fb69d31f6bcbedc3bd148e0 (20250305170724)
End: 72987cb97c239116fe2fdaae49269be9908134f4 (20250305180333)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=d518db35a2629c055fb69d31f6bcbedc3bd148e0&tochange=72987cb97c239116fe2fdaae49269be9908134f4
Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
|
||
Comment 2•1 day ago
|
||
Set release status flags based on info from the regressing bug 1854596
:chunmin, since you are the author of the regressor, bug 1854596, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
status-firefox147:
--- → affected
status-firefox148:
--- → affected
status-firefox-esr140:
--- → affected
Flags: needinfo?(cchang)
|
||
Updated•20 hours ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•