crash [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens]

RESOLVED FIXED in Firefox 7

Status

()

Core
Audio/Video
--
critical
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: cajbir, Assigned: derf)

Tracking

({crash})

Trunk
mozilla7
All
Linux
crash
Points:
---

Firefox Tracking Flags

(firefox7+ fixed, fennec-)

Details

(Whiteboard: [fixed by disabling feature], crash signature, URL)

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
This bug was filed from the Socorro interface and is 
report bp-8dd16848-0a73-4cca-b4a6-82d9c2110325 .
=============================================================
(Reporter)

Comment 1

7 years ago
This was during playback of a WebM video in the URL. Stack trace is in the VP8 decoder. Should this be raised under the Video/Audio component instead?

0 	libxul.so 	libxul.so@0x5fbfc0 	
1 	libnspr4.so 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:128
2 	libxul.so 	vp8_decode_mb_tokens 	media/libvpx/vp8/decoder/detokenize.c:225
3 	libxul.so 	vp8_decode_macroblock 	media/libvpx/vp8/decoder/decodframe.c:190
4 	libxul.so 	vp8_decode_mb_row 	media/libvpx/vp8/decoder/decodframe.c:395
5 	libxul.so 	vp8_decode_frame 	media/libvpx/vp8/decoder/decodframe.c:874
6 	libxul.so 	vp8dx_receive_compressed_data 	media/libvpx/vp8/decoder/onyxd_if.c:374
7 	libxul.so 	vp8_decode 	media/libvpx/vp8/vp8_dx_iface.c:424
8 	libxul.so 	vpx_codec_decode 	media/libvpx/vpx/src/vpx_decoder.c:127
9 	libxul.so 	nsWebMReader::DecodeVideoFrame 	content/media/webm/nsWebMReader.cpp:690
10 	libxul.so 	nsBuiltinDecoderStateMachine::DecodeLoop 	content/media/nsBuiltinDecoderStateMachine.cpp:297
11 	libxul.so 	nsRunnableMethodImpl<void , true>::Run 	nsThreadUtils.h:347
12 	libxul.so 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:633
13 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:250
14 	libxul.so 	nsThread::ThreadFunc 	xpcom/threads/nsThread.h:85
15 	libnspr4.so 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:190
16 	libc.so 	libc.so@0x111b3 	
17 	libc.so 	libc.so@0x10ca3
(Reporter)

Comment 2

7 years ago
Device was a Samsung Galaxy S running Android 2.2.1 (the stock install)
(Reporter)

Updated

7 years ago
Component: General → Video/Audio
Product: Fennec → Core
QA Contact: general → video.audio
(Assignee)

Comment 3

7 years ago
This looks like it's using the ARM asm detokenizer. This has been removed from current versions of libvpx (see https://review.webmproject.org/1741), because it, "hasn't been kept up to date." Perhaps we should just disable it?

Updated

7 years ago
tracking-fennec: --- → ?
tracking-fennec: ? → 2.0-
Whiteboard: [fennec-4.1?]
Summary: crash [@ libxul.so@0x5fbfc0] → crash [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens]
(Assignee)

Comment 4

7 years ago
Created attachment 523967 [details] [diff] [review]
Disable arm detokenizer
Assignee: nobody → tterribe
Status: NEW → ASSIGNED
Whiteboard: [fennec-4.1?]
Crash Signature: [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens]
having this crash on Nokia Arm
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 6344]
0x3b564820 in SKIP_EOB_CHECK () from /home/user/fennec_instq/libxul.so
(gdb) disa 
disable      disassemble  
(gdb) disassemble 
Dump of assembler code for function SKIP_EOB_CHECK:
   0x3b564800 <+0>:	ldr	r7, [sp, #16]
   0x3b564804 <+4>:	ldr	r3, [r9, #32]
   0x3b564808 <+8>:	add	r1, r1, #2
   0x3b56480c <+12>:	cmp	r7, #15
   0x3b564810 <+16>:	ldr	r3, [r3, r7, lsl #2]
   0x3b564814 <+20>:	add	r7, r7, #1
   0x3b564818 <+24>:	add	r3, r11, r3, lsl #1
   0x3b56481c <+28>:	str	r7, [sp, #16]
=> 0x3b564820 <+32>:	strh	lr, [r3]
   0x3b564824 <+36>:	blt	0x3b5646bc <COEFF_LOOP>
   0x3b564828 <+40>:	sub	r7, r7, #1
Crash Signature: [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens] → [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens]
Comment on attachment 523967 [details] [diff] [review]
Disable arm detokenizer

with this patch problem is not reproducible anymore
Attachment #523967 - Flags: feedback+
Attachment #523967 - Flags: review+
(Assignee)

Comment 7

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/93d400457dc0
Whiteboard: [inbound]
http://hg.mozilla.org/mozilla-central/rev/93d400457dc0
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]
Target Milestone: --- → mozilla8
(Assignee)

Updated

6 years ago
Duplicate of this bug: 676141
(Assignee)

Updated

6 years ago
Attachment #523967 - Flags: approval-mozilla-aurora?
(Assignee)

Updated

6 years ago
status-firefox7: --- → affected
tracking-firefox7: --- → ?
Comment on attachment 523967 [details] [diff] [review]
Disable arm detokenizer

according to derf the risk here is "basically none" and this is arm only. reward is it fixes webm for arm
Attachment #523967 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Updated

6 years ago
status-firefox7: affected → fixed
tracking-firefox7: ? → +
Whiteboard: [fixed by disabling feature]
(Assignee)

Comment 11

6 years ago
http://hg.mozilla.org/releases/mozilla-aurora/rev/b8f899c4dd9e
Target Milestone: mozilla8 → mozilla7
(Assignee)

Updated

6 years ago
Duplicate of this bug: 676153
Crash Signature: [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens] → [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens] [@ libxul.so@0x61679c ] [@ libxul.so@0x61647c ] [@ libxul.so@0x61607c ] [@ libxul.so@0x61610c ] [@ vp8_decode_mb_tokens ]
Duplicate of this bug: 671271
Crash Signature: [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens] [@ libxul.so@0x61679c ] [@ libxul.so@0x61647c ] [@ libxul.so@0x61607c ] [@ libxul.so@0x61610c ] [@ vp8_decode_mb_tokens ] → [@ libxul.so@0x5fbfc0] [@ vp8_decode_mb_tokens] [@ libxul.so@0x61679c ] [@ libxul.so@0x61647c ] [@ libxul.so@0x61607c ] [@ libxul.so@0x61679c] [@ libxul.so@0x61610c ] [@ vp8_decode_mb_tokens ]
You need to log in before you can comment on or make changes to this bug.