Closed Bug 700555 Opened 14 years ago Closed 14 years ago

Intermittent crash [@ nsBuiltinDecoder::NotifyDataArrived] during test_contentDuration7.html

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla11
Tracking Flags:
Tracking Status
firefox10 + fixed

People

(Reporter: philor, Assigned: kinetik)

References

Details

(Keywords: intermittent-failure)

Crash Data

Attachments

(1 file)

patch v0
873 bytes, patch
cajbir
: review+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
https://tbpl.mozilla.org/php/getParsedLog.php?id=7271799&tree=Mozilla-Inbound Rev3 Fedora 12 mozilla-inbound opt test mochitests-1/5 on 2011-11-07 20:11:27 PST for push 95efc21bf5af 75129 INFO TEST-START | /tests/content/media/test/test_contentDuration7.html TEST-UNEXPECTED-FAIL | /tests/content/media/test/test_contentDuration7.html | Exited with code 1 during test run INFO | automation.py | Application ran for: 0:08:46.228844 INFO | automation.py | Reading PID log: /tmp/tmp7bobxupidlog ==> process 2195 launched child process 2235 INFO | automation.py | Checking for orphan process with PID: 2235 PROCESS-CRASH | /tests/content/media/test/test_contentDuration7.html | application crashed (minidump found) Crash dump filename: /tmp/tmpsFtukG/minidumps/7f0ad011-1479-4d78-39a08976-7a2048c3.dmp Operating system: Linux 0.0.0 Linux 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686 CPU: x86 GenuineIntel family 6 model 23 stepping 10 2 CPUs Crash reason: SIGSEGV Crash address: 0x0 Thread 0 (crashed) 0 libxul.so!nsBuiltinDecoder::NotifyDataArrived [nsBuiltinDecoder.h : 504 + 0x0] eip = 0x016e510f esp = 0xbf8af190 ebp = 0xa5e97004 ebx = 0x0228faf4 esi = 0xbf8af2b0 edi = 0x00002000 eax = 0x00000000 ecx = 0x02220ab0 edx = 0x957f2000 efl = 0x00010286 Found by: given as instruction pointer in context 1 libxul.so!nsMediaChannelStream::CopySegmentToCache [nsMediaStream.cpp : 379 + 0x13] eip = 0x016e2f55 esp = 0xbf8af1a0 ebp = 0xa5e97004 ebx = 0x0228faf4 esi = 0xbf8af2b0 edi = 0x00002000 Found by: call frame info 2 libxul.so!nsInputStreamTee::WriteSegmentFun [nsInputStreamTee.cpp : 223 + 0x15] eip = 0x01b6d47b esp = 0xbf8af1c0 ebp = 0xbf8af234 ebx = 0x0228faf4 esi = 0xa2263790 edi = 0xa5e97004 Found by: call frame info 3 libxul.so!nsPipeInputStream::ReadSegments [nsPipe3.cpp : 799 + 0x16] eip = 0x01b70f87 esp = 0xbf8af1f0 ebp = 0xbf8af2b8 ebx = 0x0228faf4 esi = 0xa3a3e0c8 edi = 0x00002000 Found by: call frame info 4 libxul.so!nsInputStreamTee::ReadSegments [nsInputStreamTee.cpp : 276 + 0x15] eip = 0x01b6ccec esp = 0xbf8af250 ebp = 0xa2263790 ebx = 0x0228faf4 esi = 0x00002000 edi = 0xb67936a0 Found by: call frame info 5 libxul.so!nsMediaChannelStream::OnDataAvailable [nsMediaStream.cpp : 412 + 0x18] eip = 0x016e3b8f esp = 0xbf8af280 ebp = 0xa2263790 ebx = 0x0228faf4 esi = 0x00002000 edi = 0xb67936a0 Found by: call frame info 6 libxul.so!nsHTMLMediaElement::MediaLoadListener::OnDataAvailable [nsHTMLMediaElement.cpp : 351 + 0x1b] eip = 0x014f994b esp = 0xbf8af2e0 ebp = 0xa3a3e0c8 ebx = 0x0228faf4 esi = 0xa1c265e0 edi = 0x00000000 Found by: call frame info 7 libxul.so!nsStreamListenerTee::OnDataAvailable [nsStreamListenerTee.cpp : 111 + 0x1b] eip = 0x0112c69c esp = 0xbf8af310 ebp = 0xa3a3e0c8 ebx = 0x0228faf4 esi = 0xa1c265e0 edi = 0x00000000 Found by: call frame info 8 libxul.so!nsHttpChannel::OnDataAvailable [nsHttpChannel.cpp : 4389 + 0x1a] eip = 0x011808a2 esp = 0xbf8af380 ebp = 0x021ac2d8 ebx = 0x0228faf4 esi = 0x957ee400 edi = 0x957ee430 Found by: call frame info 9 libxul.so!nsInputStreamPump::OnStateTransfer [nsInputStreamPump.cpp : 510 + 0x13] eip = 0x0111487e esp = 0xbf8af3e0 ebp = 0xb75e9d40 ebx = 0x0228faf4
This can happen if CreateStateMachine() fails here: http://mxr.mozilla.org/mozilla-central/source/content/media/nsBuiltinDecoder.cpp#203
Assignee: nobody → kinetik
Attached patch patch v0Splinter Review
Attachment #573058 - Flags: review?(chris.double)
Comment on attachment 573058 [details] [diff] [review] patch v0 I know the original code did a 'return' but since the function has a void return type we don't need it. It looks odd to have a 'return' in the 'if' condition but not in the fall through. r+ anyway since it was like that before, I'll leave it up to you whether to change it.
Attachment #573058 - Flags: review?(chris.double) → review+
http://hg.mozilla.org/integration/mozilla-inbound/rev/2628f575af5e I removed the extraneous return.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla11
https://hg.mozilla.org/mozilla-central/rev/2628f575af5e
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
I'm seeing this with Aurora/10 on Linux, Mac and Windows, http://goinglinux.com/shownotes.html with a ###!!! ASSERTION: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0' , file c:\work\mozilla\builds\aurora\mozilla\firefox-debug\dist\include\nsCOMPtr.h, line 849 immediately preceding the crash.
status-firefox10: --- → affected
tracking-firefox10: --- → ?
OS: Linux → All
Crash Signature: [@ nsBuiltinDecoder::NotifyDataArrived(char const*, unsigned int, unsigned int)]
[Triage Comment] This appears to still affect Firefox 10 in the wild (and is a regression in that version). Can we prepare and nominate a patch for FF10 beta if deemed low risk?
tracking-firefox10: ?+
Comment on attachment 573058 [details] [diff] [review] patch v0 Simple and safe null-deref check.
Attachment #573058 - Flags: approval-mozilla-beta?
Comment on attachment 573058 [details] [diff] [review] patch v0 [Triage Comment] Regression in 10 found in the wild - approved.
Attachment #573058 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [orange]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: