2016501 - crash at null in [@ mozilla::EncoderAgent::Dry]

Status: NEW

(Core :: Audio/Video: Web Codecs, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Found while fuzzing m-c 20260211-7df40d9149a3 (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==297707==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7bffda45e517 bp 0x7fffffffb0f0 sp 0x7fffffffafe0 T0)
==297707==The signal is caused by a READ memory access.
==297707==Hint: address points to the zero page.
    #0 0x7bffda45e517 in mozilla::EncoderAgent::Dry(nsTArray<RefPtr<mozilla::MediaRawData>>&&) /builds/worker/checkouts/gecko/dom/media/webcodecs/EncoderAgent.cpp:366:13
    #1 0x7bffda45e1d4 in mozilla::EncoderAgent::Drain() /builds/worker/checkouts/gecko/dom/media/webcodecs/EncoderAgent.cpp:354:3
    #2 0x7bffda4e6705 in mozilla::dom::EncoderTemplate<mozilla::dom::VideoEncoderTraits>::Reconfigure(RefPtr<mozilla::dom::EncoderTemplate<mozilla::dom::VideoEncoderTraits>::ConfigureMessage>)::'lambda'(mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue const&)::operator()(mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue const&) const /builds/worker/checkouts/gecko/dom/media/webcodecs/EncoderTemplate.cpp:682:29
    #3 0x7bffda4e6278 in InvokeMethod<(lambda at /builds/worker/checkouts/gecko/dom/media/webcodecs/EncoderTemplate.cpp:667:11), void ((lambda at /builds/worker/checkouts/gecko/dom/media/webcodecs/EncoderTemplate.cpp:667:11)::*)(const mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue &) const, mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:669:14
    #4 0x7bffda4e6278 in InvokeCallbackMethod<false, mozilla::MozPromise<bool, mozilla::MediaResult, true>, (lambda at /builds/worker/checkouts/gecko/dom/media/webcodecs/EncoderTemplate.cpp:667:11), void ((lambda at /builds/worker/checkouts/gecko/dom/media/webcodecs/EncoderTemplate.cpp:667:11)::*)(const mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue &) const, mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue> /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:683:7
    #5 0x7bffda4e6278 in mozilla::MozPromise<bool, mozilla::MediaResult, true>::ThenValue<mozilla::dom::EncoderTemplate<mozilla::dom::VideoEncoderTraits>::Reconfigure(RefPtr<mozilla::dom::EncoderTemplate<mozilla::dom::VideoEncoderTraits>::ConfigureMessage>)::'lambda'(mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<bool, mozilla::MediaResult, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:940:11
    #6 0x7bffd93354d5 in mozilla::MozPromise<bool, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:505:21
    #7 0x7bffd1aea7ea in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:721:16
    #8 0x7bffd1ad9c2b in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:212:19
    #9 0x7bffd1ae0f2d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1342:20
    #10 0x7bffd1adea08 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1165:15
    #11 0x7bffd1adf026 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:657:36
    #12 0x7bffd1affda1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:349:37
    #13 0x7bffd1affda1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:549:5
    #14 0x7bffd1b20e8a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1168:16
    #15 0x7bffd1b2a089 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:461:10
    #16 0x7bffd325d43e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #17 0x7bffd313c1f4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:10
    #18 0x7bffd313c1f4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:366:3
    #19 0x7bffd313c1f4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:348:3
    #20 0x7bffdcb93846 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:152:27
    #21 0x7bffdcd7729b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:555:33
    #22 0x7bffdedef3cd in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:652:20
    #23 0x7bffd313c1f4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:373:10
    #24 0x7bffd313c1f4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:366:3
    #25 0x7bffd313c1f4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:348:3
    #26 0x7bffdedee31c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:590:34
    #27 0x55555570812a in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:465:22

Comment 1

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20260212213836-06d48ece4edf.
Unable to bisect testcase (Testcase reproduces on start build!):

Start: 8e442c6e776594983158fd04b5331f1378f5f0dd (20250214215152)
End: 7df40d9149a3d5135ccdcf8602299a76bf7f0081 (20260211162125)
BuildFlags: BuildFlags(asan=True, tsan=False, debug=False, fuzzing=True, coverage=False, valgrind=False, no_opt=False, fuzzilli=False, nyx=False, searchfox=False, afl=False)