Last Comment Bug 700555 - Intermittent crash [@ nsBuiltinDecoder::NotifyDataArrived] during test_contentDuration7.html
: Intermittent crash [@ nsBuiltinDecoder::NotifyDataArrived] during test_conten...
Status: RESOLVED FIXED
: intermittent-failure
Product: Core
Classification: Components
Component: Audio/Video (show other bugs)
: Trunk
: x86 All
: -- critical (vote)
: mozilla11
Assigned To: Matthew Gregan [:kinetik]
:
: Maire Reavy [:mreavy]
Mentors:
: 705325 707115 (view as bug list)
Depends on:
Blocks: 532972 438871
  Show dependency treegraph
 
Reported: 2011-11-07 20:53 PST by Phil Ringnalda (:philor)
Modified: 2012-11-25 19:31 PST (History)
5 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
fixed


Attachments
patch v0 (873 bytes, patch)
2011-11-08 18:42 PST, Matthew Gregan [:kinetik]
cajbir.bugzilla: review+
akeybl: approval‑mozilla‑beta+
Details | Diff | Splinter Review

Description Phil Ringnalda (:philor) 2011-11-07 20:53:00 PST
https://tbpl.mozilla.org/php/getParsedLog.php?id=7271799&tree=Mozilla-Inbound
Rev3 Fedora 12 mozilla-inbound opt test mochitests-1/5 on 2011-11-07 20:11:27 PST for push 95efc21bf5af

75129 INFO TEST-START | /tests/content/media/test/test_contentDuration7.html
TEST-UNEXPECTED-FAIL | /tests/content/media/test/test_contentDuration7.html | Exited with code 1 during test run
INFO | automation.py | Application ran for: 0:08:46.228844
INFO | automation.py | Reading PID log: /tmp/tmp7bobxupidlog
==> process 2195 launched child process 2235
INFO | automation.py | Checking for orphan process with PID: 2235
PROCESS-CRASH | /tests/content/media/test/test_contentDuration7.html | application crashed (minidump found)
Crash dump filename: /tmp/tmpsFtukG/minidumps/7f0ad011-1479-4d78-39a08976-7a2048c3.dmp
Operating system: Linux
                  0.0.0 Linux 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686
CPU: x86
     GenuineIntel family 6 model 23 stepping 10
     2 CPUs

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!nsBuiltinDecoder::NotifyDataArrived [nsBuiltinDecoder.h : 504 + 0x0]
    eip = 0x016e510f   esp = 0xbf8af190   ebp = 0xa5e97004   ebx = 0x0228faf4
    esi = 0xbf8af2b0   edi = 0x00002000   eax = 0x00000000   ecx = 0x02220ab0
    edx = 0x957f2000   efl = 0x00010286
    Found by: given as instruction pointer in context
 1  libxul.so!nsMediaChannelStream::CopySegmentToCache [nsMediaStream.cpp : 379 + 0x13]
    eip = 0x016e2f55   esp = 0xbf8af1a0   ebp = 0xa5e97004   ebx = 0x0228faf4
    esi = 0xbf8af2b0   edi = 0x00002000
    Found by: call frame info
 2  libxul.so!nsInputStreamTee::WriteSegmentFun [nsInputStreamTee.cpp : 223 + 0x15]
    eip = 0x01b6d47b   esp = 0xbf8af1c0   ebp = 0xbf8af234   ebx = 0x0228faf4
    esi = 0xa2263790   edi = 0xa5e97004
    Found by: call frame info
 3  libxul.so!nsPipeInputStream::ReadSegments [nsPipe3.cpp : 799 + 0x16]
    eip = 0x01b70f87   esp = 0xbf8af1f0   ebp = 0xbf8af2b8   ebx = 0x0228faf4
    esi = 0xa3a3e0c8   edi = 0x00002000
    Found by: call frame info
 4  libxul.so!nsInputStreamTee::ReadSegments [nsInputStreamTee.cpp : 276 + 0x15]
    eip = 0x01b6ccec   esp = 0xbf8af250   ebp = 0xa2263790   ebx = 0x0228faf4
    esi = 0x00002000   edi = 0xb67936a0
    Found by: call frame info
 5  libxul.so!nsMediaChannelStream::OnDataAvailable [nsMediaStream.cpp : 412 + 0x18]
    eip = 0x016e3b8f   esp = 0xbf8af280   ebp = 0xa2263790   ebx = 0x0228faf4
    esi = 0x00002000   edi = 0xb67936a0
    Found by: call frame info
 6  libxul.so!nsHTMLMediaElement::MediaLoadListener::OnDataAvailable [nsHTMLMediaElement.cpp : 351 + 0x1b]
    eip = 0x014f994b   esp = 0xbf8af2e0   ebp = 0xa3a3e0c8   ebx = 0x0228faf4
    esi = 0xa1c265e0   edi = 0x00000000
    Found by: call frame info
 7  libxul.so!nsStreamListenerTee::OnDataAvailable [nsStreamListenerTee.cpp : 111 + 0x1b]
    eip = 0x0112c69c   esp = 0xbf8af310   ebp = 0xa3a3e0c8   ebx = 0x0228faf4
    esi = 0xa1c265e0   edi = 0x00000000
    Found by: call frame info
 8  libxul.so!nsHttpChannel::OnDataAvailable [nsHttpChannel.cpp : 4389 + 0x1a]
    eip = 0x011808a2   esp = 0xbf8af380   ebp = 0x021ac2d8   ebx = 0x0228faf4
    esi = 0x957ee400   edi = 0x957ee430
    Found by: call frame info
 9  libxul.so!nsInputStreamPump::OnStateTransfer [nsInputStreamPump.cpp : 510 + 0x13]
    eip = 0x0111487e   esp = 0xbf8af3e0   ebp = 0xb75e9d40   ebx = 0x0228faf4
Comment 1 Matthew Gregan [:kinetik] 2011-11-08 18:41:59 PST
This can happen if CreateStateMachine() fails here: http://mxr.mozilla.org/mozilla-central/source/content/media/nsBuiltinDecoder.cpp#203
Comment 2 Matthew Gregan [:kinetik] 2011-11-08 18:42:58 PST
Created attachment 573058 [details] [diff] [review]
patch v0
Comment 3 cajbir (:cajbir) 2011-11-08 18:54:45 PST
Comment on attachment 573058 [details] [diff] [review]
patch v0

I know the original code did a 'return' but since the function has a void return type we don't need it. It looks odd to have a 'return' in the 'if' condition but not in the fall through. r+ anyway since it was like that before, I'll leave it up to you whether to change it.
Comment 4 Matthew Gregan [:kinetik] 2011-11-08 19:31:09 PST
http://hg.mozilla.org/integration/mozilla-inbound/rev/2628f575af5e

I removed the extraneous return.
Comment 5 Marco Bonardo [::mak] 2011-11-09 05:33:42 PST
https://hg.mozilla.org/mozilla-central/rev/2628f575af5e
Comment 6 Bob Clary [:bc:] 2011-11-23 13:46:31 PST
I'm seeing this with Aurora/10 on Linux, Mac and Windows, http://goinglinux.com/shownotes.html with a 

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0'
, file c:\work\mozilla\builds\aurora\mozilla\firefox-debug\dist\include\nsCOMPtr.h, line 849

immediately preceding the crash.
Comment 7 Matthew Gregan [:kinetik] 2011-11-25 13:32:45 PST
*** Bug 705325 has been marked as a duplicate of this bug. ***
Comment 8 Alice0775 White 2011-12-02 05:13:01 PST
*** Bug 707115 has been marked as a duplicate of this bug. ***
Comment 9 Bob Clary [:bc:] 2011-12-14 21:06:59 PST
Another example https://www.marinersoftware.com/videos/#macjournal
Comment 10 Alex Keybl [:akeybl] 2012-01-05 13:32:04 PST
[Triage Comment]
This appears to still affect Firefox 10 in the wild (and is a regression in that version). Can we prepare and nominate a patch for FF10 beta if deemed low risk?
Comment 11 Matthew Gregan [:kinetik] 2012-01-05 13:36:01 PST
Comment on attachment 573058 [details] [diff] [review]
patch v0

Simple and safe null-deref check.
Comment 12 Alex Keybl [:akeybl] 2012-01-05 15:10:41 PST
Comment on attachment 573058 [details] [diff] [review]
patch v0

[Triage Comment]
Regression in 10 found in the wild - approved.
Comment 13 Matthew Gregan [:kinetik] 2012-01-05 17:26:49 PST
https://hg.mozilla.org/releases/mozilla-beta/rev/01babb7b880d

Note You need to log in before you can comment on or make changes to this bug.