Closed Bug 700555 Opened 12 years ago Closed 12 years ago

Intermittent crash [@ nsBuiltinDecoder::NotifyDataArrived] during test_contentDuration7.html

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11
Tracking Flags:
Tracking Status
firefox10 + fixed

People

(Reporter: philor, Assigned: kinetik)

References

Details

(Keywords: intermittent-failure)

Crash Data

Attachments

(1 file)

patch v0
873 bytes, patch
cajbir
: review+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review 
https://tbpl.mozilla.org/php/getParsedLog.php?id=7271799&tree=Mozilla-Inbound
Rev3 Fedora 12 mozilla-inbound opt test mochitests-1/5 on 2011-11-07 20:11:27 PST for push 95efc21bf5af

75129 INFO TEST-START | /tests/content/media/test/test_contentDuration7.html
TEST-UNEXPECTED-FAIL | /tests/content/media/test/test_contentDuration7.html | Exited with code 1 during test run
INFO | automation.py | Application ran for: 0:08:46.228844
INFO | automation.py | Reading PID log: /tmp/tmp7bobxupidlog
==> process 2195 launched child process 2235
INFO | automation.py | Checking for orphan process with PID: 2235
PROCESS-CRASH | /tests/content/media/test/test_contentDuration7.html | application crashed (minidump found)
Crash dump filename: /tmp/tmpsFtukG/minidumps/7f0ad011-1479-4d78-39a08976-7a2048c3.dmp
Operating system: Linux
                  0.0.0 Linux 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686
CPU: x86
     GenuineIntel family 6 model 23 stepping 10
     2 CPUs

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 0 (crashed)
 0  libxul.so!nsBuiltinDecoder::NotifyDataArrived [nsBuiltinDecoder.h : 504 + 0x0]
    eip = 0x016e510f   esp = 0xbf8af190   ebp = 0xa5e97004   ebx = 0x0228faf4
    esi = 0xbf8af2b0   edi = 0x00002000   eax = 0x00000000   ecx = 0x02220ab0
    edx = 0x957f2000   efl = 0x00010286
    Found by: given as instruction pointer in context
 1  libxul.so!nsMediaChannelStream::CopySegmentToCache [nsMediaStream.cpp : 379 + 0x13]
    eip = 0x016e2f55   esp = 0xbf8af1a0   ebp = 0xa5e97004   ebx = 0x0228faf4
    esi = 0xbf8af2b0   edi = 0x00002000
    Found by: call frame info
 2  libxul.so!nsInputStreamTee::WriteSegmentFun [nsInputStreamTee.cpp : 223 + 0x15]
    eip = 0x01b6d47b   esp = 0xbf8af1c0   ebp = 0xbf8af234   ebx = 0x0228faf4
    esi = 0xa2263790   edi = 0xa5e97004
    Found by: call frame info
 3  libxul.so!nsPipeInputStream::ReadSegments [nsPipe3.cpp : 799 + 0x16]
    eip = 0x01b70f87   esp = 0xbf8af1f0   ebp = 0xbf8af2b8   ebx = 0x0228faf4
    esi = 0xa3a3e0c8   edi = 0x00002000
    Found by: call frame info
 4  libxul.so!nsInputStreamTee::ReadSegments [nsInputStreamTee.cpp : 276 + 0x15]
    eip = 0x01b6ccec   esp = 0xbf8af250   ebp = 0xa2263790   ebx = 0x0228faf4
    esi = 0x00002000   edi = 0xb67936a0
    Found by: call frame info
 5  libxul.so!nsMediaChannelStream::OnDataAvailable [nsMediaStream.cpp : 412 + 0x18]
    eip = 0x016e3b8f   esp = 0xbf8af280   ebp = 0xa2263790   ebx = 0x0228faf4
    esi = 0x00002000   edi = 0xb67936a0
    Found by: call frame info
 6  libxul.so!nsHTMLMediaElement::MediaLoadListener::OnDataAvailable [nsHTMLMediaElement.cpp : 351 + 0x1b]
    eip = 0x014f994b   esp = 0xbf8af2e0   ebp = 0xa3a3e0c8   ebx = 0x0228faf4
    esi = 0xa1c265e0   edi = 0x00000000
    Found by: call frame info
 7  libxul.so!nsStreamListenerTee::OnDataAvailable [nsStreamListenerTee.cpp : 111 + 0x1b]
    eip = 0x0112c69c   esp = 0xbf8af310   ebp = 0xa3a3e0c8   ebx = 0x0228faf4
    esi = 0xa1c265e0   edi = 0x00000000
    Found by: call frame info
 8  libxul.so!nsHttpChannel::OnDataAvailable [nsHttpChannel.cpp : 4389 + 0x1a]
    eip = 0x011808a2   esp = 0xbf8af380   ebp = 0x021ac2d8   ebx = 0x0228faf4
    esi = 0x957ee400   edi = 0x957ee430
    Found by: call frame info
 9  libxul.so!nsInputStreamPump::OnStateTransfer [nsInputStreamPump.cpp : 510 + 0x13]
    eip = 0x0111487e   esp = 0xbf8af3e0   ebp = 0xb75e9d40   ebx = 0x0228faf4
This can happen if CreateStateMachine() fails here: http://mxr.mozilla.org/mozilla-central/source/content/media/nsBuiltinDecoder.cpp#203
Assignee: nobody → kinetik
Attached patch patch v0Splinter Review 

        Attachment #573058 -
        Flags: review?(chris.double)

    
    

    
  
Comment on attachment 573058 [details] [diff] [review]
patch v0

I know the original code did a 'return' but since the function has a void return type we don't need it. It looks odd to have a 'return' in the 'if' condition but not in the fall through. r+ anyway since it was like that before, I'll leave it up to you whether to change it.

        Attachment #573058 -
        Flags: review?(chris.double) → review+

    
    

    
  
http://hg.mozilla.org/integration/mozilla-inbound/rev/2628f575af5e

I removed the extraneous return.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla11

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/2628f575af5e
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

    
    

    
  
I'm seeing this with Aurora/10 on Linux, Mac and Windows, http://goinglinux.com/shownotes.html with a 

###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0'
, file c:\work\mozilla\builds\aurora\mozilla\firefox-debug\dist\include\nsCOMPtr.h, line 849

immediately preceding the crash.

          status-firefox10:
          --- → affected

          tracking-firefox10:
          --- → ?
OS: Linux → All

    
  
Crash Signature: [@ nsBuiltinDecoder::NotifyDataArrived(char const*, unsigned int, unsigned int)]

    
    

    
  
[Triage Comment]
This appears to still affect Firefox 10 in the wild (and is a regression in that version). Can we prepare and nominate a patch for FF10 beta if deemed low risk?

          tracking-firefox10:
          ?+

    
    

    
  
Comment on attachment 573058 [details] [diff] [review]
patch v0

Simple and safe null-deref check.

        Attachment #573058 -
        Flags: approval-mozilla-beta?

    
    

    
  
Comment on attachment 573058 [details] [diff] [review]
patch v0

[Triage Comment]
Regression in 10 found in the wild - approved.

        Attachment #573058 -
        Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [orange]

          You need to log in
          before you can comment on or make changes to this bug.