785339 - crash in mozilla::gfx::ScaleYCbCrToRGB565

Status: RESOLVED FIXED

(Core :: Graphics: Layers, defect)

Description

[Scoobidiver (away)]

It first appeared in 17.0a1/20120822. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=360ab7771e27&tochange=abc17059522b
It's likely a regression from bug 767480.

Signature 	mozilla::gfx::bislerp More Reports Search
UUID	966bee13-a1ef-44c7-8941-b66802120822
Date Processed	2012-08-22 17:32:40
Uptime	624
Last Crash	54.8 minutes before submission
Install Age	2.4 hours since version was first installed.
Install Time	2012-08-22 15:09:10
Product	FennecAndroid
Version	17.0a1
Build ID	20120822030558
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.39.4_CyanogenMod_DHD-g74007d5 #1 SMP PREEMPT Thu Aug 16 00:17:54 PDT 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x69539fff
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra -- OpenGL ES 2.0 14.01002 -- Model: Transformer, Product: US_epad, Manufacturer: asus, Hardware: ventana'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
asus Transformer
asus/US_epad/EeePad:4.0.3/IML74K/US_epad-9.2.1.11-20120221:user/release-keys
Processor Notes 	
EMCheckCompatibility	True
Adapter Vendor ID	NVIDIA Corporation
Adapter Device ID	NVIDIA Tegra

Frame 	Module 	Signature 	Source
0 	libxul.so 	mozilla::gfx::bislerp 	ycbcr_to_rgb565.cpp:96
1 	libxul.so 	mozilla::gfx::ScaleYCbCr42xToRGB565_BilinearY_Row_C 	ycbcr_to_rgb565.cpp:209
2 	libxul.so 	mozilla::gfx::ScaleYCbCrToRGB565 	ycbcr_to_rgb565.cpp:531
3 	libxul.so 	gfxUtils::ConvertYCbCrToRGB 	gfxUtils.cpp:716
4 	libxul.so 	mozilla::layers::BasicPlanarYCbCrImage::SetData 	BasicImages.cpp:108
5 	libxul.so 	VideoData::Create 	nsBuiltinDecoderReader.cpp:239
6 	libxul.so 	nsMediaPluginReader::DecodeVideoFrame 	nsMediaPluginReader.cpp:204
7 	libxul.so 	nsBuiltinDecoderReader::DecodeToTarget 	nsBuiltinDecoderReader.cpp:340
8 	libxul.so 	nsMediaPluginReader::Seek 	nsMediaPluginReader.cpp:290
9 	libxul.so 	nsBuiltinDecoderStateMachine::DecodeSeek 	nsBuiltinDecoderStateMachine.cpp:1885
10 	libxul.so 	nsBuiltinDecoderStateMachine::DecodeThreadRun 	nsBuiltinDecoderStateMachine.cpp:491
11 	libxul.so 	nsRunnableMethodImpl<void , true>::Run 	nsThreadUtils.h:349
12 	libxul.so 	nsThread::ProcessNextEvent 	nsThread.cpp:624
13 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:220
14 	libxul.so 	nsThread::ThreadFunc 	nsThread.cpp:257
15 	libnspr4.so 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:156
16 	libc.so 	libc.so@0x1304a 	
17 	libc.so 	libc.so@0x12b76

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agfx%3A%3Abislerp
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=ALL%3AALL&query_search=signature&query_type=contains&query=mozilla%3A%3Agfx%3A%3AScaleYCbCrToRGB565&reason=&do_query=1

Comment 1

[Chris Peterson [:cpeterson]]

This crash is likely related to bug 785441 I just reported.

When using Stagefright's hardware or software decoders in a debug build of Firefox, I get many assertion failures from the ScaleYCbCrToRGB565() function:

I/Gecko   (16185): ###!!! ASSERTION: ScaleYCbCrToRGB565 source image unpadded?: 'abs(y_pitch) >= abs(source_width)+16', file /Users/cpeterson/Code/mozilla/central/gfx/ycbcr/ycbcr_to_rgb565.cpp, line 338

Comment 2

[Kan-Ru Chen [:kanru] (UTC+9)]

Does the patch for bug 785001 fixed this too?

Comment 3

[Scoobidiver (away)]

(In reply to Kan-Ru Chen [:kanru] from comment #2)
> Does the patch for bug 785001 fixed this too?
Nos there are still crashes in 18.0a1.

Comment 4

[Andrew Overholt [:overholt]]

Unless this is happening in B2G (sorry if it is and I'm mis-intepreting; re-nom if so), it's not a Basecamp blocker.

Comment 5

[Chris Peterson [:cpeterson]]

doublec, is this ScaleYCbCrToRGB565 crash also happening in B2G?

Comment 6

[cajbir (:cajbir)]

I have not seen it in B2G. What device are you seeing it on?

Comment 7

[Chris Peterson [:cpeterson]]

(In reply to Chris Double (:doublec) from comment #6)
> I have not seen it in B2G. What device are you seeing it on?

I have a Galaxy Nexus, but the Socorro crash reports also point to Nexus S, Nexus 7, Motorola Xoom, and others. Since this is reproducible with Stagefright's software decoder, I expect this could affect any Android device.

Comment 8

[cajbir (:cajbir)]

Is there an example video that shows this crash?

Comment 9

[Chris Peterson [:cpeterson]]

I don't know if this is exactly the same crash, but the following video crashes in gfx::ScaleYCbCr code when using the software decoder on my Galaxy S III (ICS). Surprisingly, it does not crash on my Galaxy Nexus (JB)!

  http://people.mozilla.org/~cpeterson/videos/bloomberg.mp4

I have a backtrace, but it is not very helpful:

###!!! ASSERTION: ScaleYCbCrToRGB565 source image unpadded?: 'abs(y_pitch) >= abs(source_width)+16', file /Users/cpeterson/Code/mozilla/central/gfx/ycbcr/ycbcr_to_rgb565.cpp, line 338

Program received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  ScaleYCbCr42xToRGB565_BilinearY_Row_NEON () at /Users/cpeterson/Code/mozilla/central/gfx/ycbcr/yuv_row_arm.s:198
#1  0x00000000 in ?? ()

Comment 10

[Kan-Ru Chen [:kanru] (UTC+9)]

I couldn't get mp4 working on SGS2 (4.0.3) is there a magic pref that I have to flip on?

Comment 11

[Chris Peterson [:cpeterson]]

(In reply to Kan-Ru Chen [:kanru] from comment #10)
> I couldn't get mp4 working on SGS2 (4.0.3) is there a magic pref that I have
> to flip on?

Kan-Ru, it sounds like we do not have a color conversion function for your SGS2's hardware video color format yet. (See bug 784329.)

You will need to wait for me to land my patch from bug 785536 (or build it yourself locally). Then you can set about:config pref "media.stagefright.omxcodec.flags" = 16 to force Stagefright software decoding (which should work on any Android device).

Comment 12

[cajbir (:cajbir)]

I see this on my Nexus S. Trying a B2G build now.

Comment 13

[Kan-Ru Chen [:kanru] (UTC+9)]

I/MediaExtractor(11291): Autodetected media content as 'video/mpeg4' with confidence 0.40
I/OmxPlugin(11291): media.stagefright.omxcodec.flags=16
I/OmxPlugin(11291): FORCE HARDWARE DECODING
I/OMXCodec(11291): [OMX.SEC.avc.dec] AVC profile = 66 (Baseline), level = 30
I/OMXCodec(11291): [OMX.SEC.avc.dec] video dimensions are 320 x 192
I/OMXCodec(11291): [OMX.SEC.avc.dec] Crop rect is 320 x 178 @ (0, 0)
W/        (11291): MetaData::findData() - return false
E/OMXCodec(11291): [OMX.SEC.avc.dec] ERROR(0x80001000, 0)
I/OmxPlugin(11291): videoSource->start() failed with status 0x80000000
E/GeckoConsole(11291): [JavaScript Warning: "Media resource http://people.mozilla.org/~cpeterson/videos/bloomberg.mp4 could not be decoded." {file: "http://people.mozilla.org/~cpeterson/videos/bloomberg.html" line: 0}]

/me restoring my nexus s to android

Comment 14

[Chris Peterson [:cpeterson]]

Kan-ru: sorry, I gave you the wrong magic number. To force software decoding, set media.stagefright.omxcodec.flags = 8 (not 16). These non-intuitive magic numbers map to Stagefright's OMXCodec::CreationFlags enum.

The software decoder should return OMX_COLOR_FormatYUV420Planar video on any Android device. The OMX_COLOR_FormatYUV420Planar color conversion should hit this bug's ScaleYCbCrToRGB565() code path.

Comment 15

[Scoobidiver (away)]

With combined signatures, it's #2 top crasher in 18.0a1 and #4 in 17.0a2.

Comment 16

[Kan-Ru Chen [:kanru] (UTC+9)]

I/OMXCodec(12483): [OMX.SEC.AVC.Decoder] video dimensions are 320 x 192
I/OMXCodec(12483): [OMX.SEC.AVC.Decoder] Crop rect is 320 x 178 @ (0, 0)
I/OmxPlugin(12483): stride not available, assuming width
I/OmxPlugin(12483): slice height not available, assuming height
I/OmxPlugin(12483): rotation not available, assuming 0
I/OmxPlugin(12483): width: 320 height: 192 component: OMX.SEC.AVC.Decoder format: 19 stride: 320 sliceHeight: 192 rotation: 0

This line |stride not available, assuming width| indicate that we are using the width as the stride, which conflicts with the assertion in ScaleYCbCrToRGB565 |abs(y_pitch) >= abs(source_width)+16|

Comment 17

[Kan-Ru Chen [:kanru] (UTC+9)]

Attachment: Restore BasicPlanarYCbCrImage::SetDelayedConversion

In VideoData::Create we had always used PlanarYCbCrImage::CopyData which doesn't do color conversion, but in http://hg.mozilla.org/mozilla-central/diff/e1ec49e3076f/content/media/nsBuiltinDecoderReader.cpp I changed the call to SetData which might do color conversion.

This patch restores the original behavior but we could still hit the assertion when PlanarYCbCrImage::GetAsSurface is called.

Trivia: BasicPlanarYCbCrImage::SetDelayedConversion was removed in bug 715785

Comment 18

[Robert O'Callahan (:roc) (email my personal email if necessary)]

Comment on attachment 657783 [details] [diff] [review]
Restore BasicPlanarYCbCrImage::SetDelayedConversion

Review of attachment 657783 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/layers/basic/BasicImages.cpp
@@ +52,5 @@
>  private:
>    gfxIntSize mScaleHint;
>    int mStride;
>    nsAutoArrayPtr<uint8_t> mDecodedBuffer;
> +  bool mDelayedConversion;

Reorder these so pointers (mDecodedBuffer) are first, then mScaleHint and mStride, then mDelayedConversion.

Comment 19

[Robert O'Callahan (:roc) (email my personal email if necessary)]

(In reply to Kan-Ru Chen [:kanru] from comment #17)
> This patch restores the original behavior but we could still hit the
> assertion when PlanarYCbCrImage::GetAsSurface is called.

Yes. We need YUV-to-565 code that handles the unpadded case.

Comment 20

[Kan-Ru Chen [:kanru] (UTC+9)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/7c77ae28cffd

Comment 21

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/7c77ae28cffd

Comment 22

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

Crash count for this seems to be going down on Nightly.  Noming for Aurora.

Comment 23

[Naoki Hirata :nhirata (please use needinfo instead of cc)]

Comment on attachment 657783 [details] [diff] [review]
Restore BasicPlanarYCbCrImage::SetDelayedConversion

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 
User impact if declined: 
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky): 
String or UUID changes made by this patch:

Comment 24

[Alex Keybl [:akeybl]]

(In reply to Naoki Hirata :nhirata from comment #23)
> Comment on attachment 657783 [details] [diff] [review]
> Restore BasicPlanarYCbCrImage::SetDelayedConversion
> 
> [Approval Request Comment]

kanru - can you please fill out the above form so that we can fully understand the risk and alternatives? Thanks!

Comment 25

[Kan-Ru Chen [:kanru] (UTC+9)]

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 767480
User impact if declined: broken video, possibly crash fennec
Testing completed (on m-c, etc.): tested manually on m-c
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: none

Comment 26

[Chris Peterson [:cpeterson]]

This bug is one of the topcrashes in Aurora 17.

Comment 27

[Scoobidiver (away)]

Landed in Aurora: http://hg.mozilla.org/releases/mozilla-aurora/rev/af3e4f58a679