crash in mozilla::gfx::ScaleYCbCrToRGB565

RESOLVED FIXED in Firefox 17

Status: RESOLVED FIXED
Product: Core
Component: Graphics: Layers
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 4 years ago

Reporter: Scoobidiver (away)
Assignee: kanru

Version: 17 Branch
Target Milestone: mozilla18
Platform: ARM, Android
Keywords: crash, regression, topcrash
Depends on: 2 bugs

Firefox Tracking Flags: blocking-basecamp:-, firefox17+ fixed

Whiteboard: [native-crash]

Attachments: 1 attachment
(Reporter)

Description

5 years ago
It first appeared in 17.0a1/20120822. The regression range is:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=360ab7771e27&tochange=abc17059522b
It's likely a regression from bug 767480.

Signature 	mozilla::gfx::bislerp
UUID	966bee13-a1ef-44c7-8941-b66802120822
Date Processed	2012-08-22 17:32:40
Uptime	624
Last Crash	54.8 minutes before submission
Install Age	2.4 hours since version was first installed.
Install Time	2012-08-22 15:09:10
Product	FennecAndroid
Version	17.0a1
Build ID	20120822030558
Release Channel	nightly
OS	Linux
OS Version	0.0.0 Linux 2.6.39.4_CyanogenMod_DHD-g74007d5 #1 SMP PREEMPT Thu Aug 16 00:17:54 PDT 2012 armv7l
Build Architecture	arm
Build Architecture Info	
Crash Reason	SIGSEGV
Crash Address	0x69539fff
App Notes 	
AdapterDescription: 'NVIDIA Corporation -- NVIDIA Tegra -- OpenGL ES 2.0 14.01002 -- Model: Transformer, Product: US_epad, Manufacturer: asus, Hardware: ventana'
EGL? EGL+ GL Context? GL Context+ GL Layers? GL Layers+ 
asus Transformer
asus/US_epad/EeePad:4.0.3/IML74K/US_epad-9.2.1.11-20120221:user/release-keys
Processor Notes 	
EMCheckCompatibility	True
Adapter Vendor ID	NVIDIA Corporation
Adapter Device ID	NVIDIA Tegra

Frame 	Module 	Signature 	Source
0 	libxul.so 	mozilla::gfx::bislerp 	ycbcr_to_rgb565.cpp:96
1 	libxul.so 	mozilla::gfx::ScaleYCbCr42xToRGB565_BilinearY_Row_C 	ycbcr_to_rgb565.cpp:209
2 	libxul.so 	mozilla::gfx::ScaleYCbCrToRGB565 	ycbcr_to_rgb565.cpp:531
3 	libxul.so 	gfxUtils::ConvertYCbCrToRGB 	gfxUtils.cpp:716
4 	libxul.so 	mozilla::layers::BasicPlanarYCbCrImage::SetData 	BasicImages.cpp:108
5 	libxul.so 	VideoData::Create 	nsBuiltinDecoderReader.cpp:239
6 	libxul.so 	nsMediaPluginReader::DecodeVideoFrame 	nsMediaPluginReader.cpp:204
7 	libxul.so 	nsBuiltinDecoderReader::DecodeToTarget 	nsBuiltinDecoderReader.cpp:340
8 	libxul.so 	nsMediaPluginReader::Seek 	nsMediaPluginReader.cpp:290
9 	libxul.so 	nsBuiltinDecoderStateMachine::DecodeSeek 	nsBuiltinDecoderStateMachine.cpp:1885
10 	libxul.so 	nsBuiltinDecoderStateMachine::DecodeThreadRun 	nsBuiltinDecoderStateMachine.cpp:491
11 	libxul.so 	nsRunnableMethodImpl<void , true>::Run 	nsThreadUtils.h:349
12 	libxul.so 	nsThread::ProcessNextEvent 	nsThread.cpp:624
13 	libxul.so 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:220
14 	libxul.so 	nsThread::ThreadFunc 	nsThread.cpp:257
15 	libnspr4.so 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:156
16 	libc.so 	libc.so@0x1304a 	
17 	libc.so 	libc.so@0x12b76

More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Agfx%3A%3Abislerp
https://crash-stats.mozilla.com/query/query?product=FennecAndroid&version=ALL%3AALL&query_search=signature&query_type=contains&query=mozilla%3A%3Agfx%3A%3AScaleYCbCrToRGB565&reason=&do_query=1
This crash is likely related to bug 785441 I just reported.

When using Stagefright's hardware or software decoders in a debug build of Firefox, I get many assertion failures from the ScaleYCbCrToRGB565() function:

I/Gecko   (16185): ###!!! ASSERTION: ScaleYCbCrToRGB565 source image unpadded?: 'abs(y_pitch) >= abs(source_width)+16', file /Users/cpeterson/Code/mozilla/central/gfx/ycbcr/ycbcr_to_rgb565.cpp, line 338
Blocks: 785441
No longer blocks: 785441
Depends on: 785441
(Reporter)

Updated

5 years ago
Crash Signature: [@ mozilla::gfx::bislerp ] [@ libxul.so@0xb5f564 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5f578 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5d3b8 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5d2c4 | mozilla::gfx::Scal… → [@ mozilla::gfx::bislerp ] [@ libxul.so@0xb5f564 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5f578 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5d3b8 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5d2c4 | mozilla::gfx::Scal…
blocking-basecamp: --- → ?
(Assignee)

Comment 2

5 years ago
Does the patch for bug 785001 fix this too?
(Reporter)

Updated

5 years ago
(Reporter)

Comment 3

5 years ago
(In reply to Kan-Ru Chen [:kanru] from comment #2)
> Does the patch for bug 785001 fix this too?
No, there are still crashes in 18.0a1.
Unless this is happening in B2G (sorry if it is and I'm misinterpreting; re-nom if so), it's not a Basecamp blocker.
blocking-basecamp: ? → -
doublec, is this ScaleYCbCrToRGB565 crash also happening in B2G?

Comment 6

5 years ago
I have not seen it in B2G. What device are you seeing it on?
(In reply to Chris Double (:doublec) from comment #6)
> I have not seen it in B2G. What device are you seeing it on?

I have a Galaxy Nexus, but the Socorro crash reports also point to Nexus S, Nexus 7, Motorola Xoom, and others. Since this is reproducible with Stagefright's software decoder, I expect this could affect any Android device.

Comment 8

5 years ago
Is there an example video that shows this crash?
I don't know if this is exactly the same crash, but the following video crashes in gfx::ScaleYCbCr code when using the software decoder on my Galaxy S III (ICS). Surprisingly, it does not crash on my Galaxy Nexus (JB)!

  http://people.mozilla.org/~cpeterson/videos/bloomberg.mp4

I have a backtrace, but it is not very helpful:

###!!! ASSERTION: ScaleYCbCrToRGB565 source image unpadded?: 'abs(y_pitch) >= abs(source_width)+16', file /Users/cpeterson/Code/mozilla/central/gfx/ycbcr/ycbcr_to_rgb565.cpp, line 338

Program received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  ScaleYCbCr42xToRGB565_BilinearY_Row_NEON () at /Users/cpeterson/Code/mozilla/central/gfx/ycbcr/yuv_row_arm.s:198
#1  0x00000000 in ?? ()
(Assignee)

Comment 10

5 years ago
I couldn't get mp4 working on SGS2 (4.0.3). Is there a magic pref that I have to flip on?
(In reply to Kan-Ru Chen [:kanru] from comment #10)
> I couldn't get mp4 working on SGS2 (4.0.3). Is there a magic pref that I have
> to flip on?

Kan-Ru, it sounds like we do not have a color conversion function for your SGS2's hardware video color format yet. (See bug 784329.)

You will need to wait for me to land my patch from bug 785536 (or build it yourself locally). Then you can set about:config pref "media.stagefright.omxcodec.flags" = 16 to force Stagefright software decoding (which should work on any Android device).

Comment 12

5 years ago
I see this on my Nexus S. Trying a B2G build now.
(Assignee)

Comment 13

5 years ago
I/MediaExtractor(11291): Autodetected media content as 'video/mpeg4' with confidence 0.40
I/OmxPlugin(11291): media.stagefright.omxcodec.flags=16
I/OmxPlugin(11291): FORCE HARDWARE DECODING
I/OMXCodec(11291): [OMX.SEC.avc.dec] AVC profile = 66 (Baseline), level = 30
I/OMXCodec(11291): [OMX.SEC.avc.dec] video dimensions are 320 x 192
I/OMXCodec(11291): [OMX.SEC.avc.dec] Crop rect is 320 x 178 @ (0, 0)
W/        (11291): MetaData::findData() - return false
E/OMXCodec(11291): [OMX.SEC.avc.dec] ERROR(0x80001000, 0)
I/OmxPlugin(11291): videoSource->start() failed with status 0x80000000
E/GeckoConsole(11291): [JavaScript Warning: "Media resource http://people.mozilla.org/~cpeterson/videos/bloomberg.mp4 could not be decoded." {file: "http://people.mozilla.org/~cpeterson/videos/bloomberg.html" line: 0}]

/me restoring my nexus s to android
Kan-ru: sorry, I gave you the wrong magic number. To force software decoding, set media.stagefright.omxcodec.flags = 8 (not 16). These non-intuitive magic numbers map to Stagefright's OMXCodec::CreationFlags enum.

The software decoder should return OMX_COLOR_FormatYUV420Planar video on any Android device. The OMX_COLOR_FormatYUV420Planar color conversion should hit this bug's ScaleYCbCrToRGB565() code path.
(Reporter)

Comment 15

5 years ago
With combined signatures, it's #2 top crasher in 18.0a1 and #4 in 17.0a2.
tracking-fennec: --- → ?
tracking-firefox17: --- → ?
Keywords: topcrash
(Assignee)

Comment 16

5 years ago
I/OMXCodec(12483): [OMX.SEC.AVC.Decoder] video dimensions are 320 x 192
I/OMXCodec(12483): [OMX.SEC.AVC.Decoder] Crop rect is 320 x 178 @ (0, 0)
I/OmxPlugin(12483): stride not available, assuming width
I/OmxPlugin(12483): slice height not available, assuming height
I/OmxPlugin(12483): rotation not available, assuming 0
I/OmxPlugin(12483): width: 320 height: 192 component: OMX.SEC.AVC.Decoder format: 19 stride: 320 sliceHeight: 192 rotation: 0

This line |stride not available, assuming width| indicates that we are using the width as the stride, which conflicts with the assertion in ScaleYCbCrToRGB565 |abs(y_pitch) >= abs(source_width)+16|.
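
The stride/width conflict described in comment 16, as an added example (not Mozilla's patch and not code from this bug): a caller-side check that applies the assertion's predicate at run time and repacks a tightly packed plane into a padded buffer before it reaches a converter with that requirement. `plane_is_padded` and `repack_padded` are hypothetical names, and the frame in `main` is constructed from the 320 x 192, stride 320 geometry in the log above.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Row padding demanded by the assertion quoted in this bug:
 * abs(y_pitch) >= abs(source_width)+16 */
#define ROW_PADDING 16

/* Runtime form of that assertion, widened to long long so that
 * taking the absolute value of INT_MIN cannot overflow. */
int plane_is_padded(int pitch, int width) {
    return llabs((long long)pitch) >= llabs((long long)width) + ROW_PADDING;
}

/* Hypothetical helper: copy a tightly packed plane into a fresh buffer whose
 * pitch is width + ROW_PADDING, zero-filling the padding bytes.
 * Returns NULL on bad geometry or allocation failure; caller frees. */
uint8_t *repack_padded(const uint8_t *src, int width, int height,
                       int src_pitch, int *out_pitch) {
    if (!src || !out_pitch || width <= 0 || height <= 0) return NULL;
    if (src_pitch < width || width > INT_MAX - ROW_PADDING) return NULL;
    size_t pitch = (size_t)width + ROW_PADDING;
    if ((size_t)height > SIZE_MAX / pitch) return NULL;
    uint8_t *dst = calloc((size_t)height, pitch);
    if (!dst) return NULL;
    for (int y = 0; y < height; y++)
        memcpy(dst + (size_t)y * pitch, src + (size_t)y * (size_t)src_pitch,
               (size_t)width);
    *out_pitch = (int)pitch;
    return dst;
}

int main(void) {
    /* Constructed frame using the geometry logged in comment 16. */
    int width = 320, height = 192, stride = 320, pitch = 0;
    uint8_t *y_plane = malloc((size_t)stride * height);
    if (!y_plane) return 1;
    memset(y_plane, 0x80, (size_t)stride * height);
    printf("decoder plane padded: %d\n", plane_is_padded(stride, width));
    uint8_t *safe = repack_padded(y_plane, width, height, stride, &pitch);
    if (!safe) { free(y_plane); return 1; }
    printf("repacked pitch %d padded: %d\n", pitch, plane_is_padded(pitch, width));
    free(safe);
    free(y_plane);
    return 0;
}
```

The extra copy costs one pass over the plane per frame; a converter that tolerates unpadded rows avoids that cost.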
(Reporter)

Updated

5 years ago
Crash Signature: [@ mozilla::gfx::bislerp ] [@ libxul.so@0xb5f564 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5f578 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5d3b8 | mozilla::gfx::ScaleYCbCrToRGB565] [@ libxul.so@0xb5d2c4 | mozilla::gfx::Scal… → [@ mozilla::gfx::bislerp] [@ libxul.so@0xb5d3a4 | dalvik-aux-structure (deleted)@0xa147e] [@ libxul.so@0xb76fb8 | dalvik-bitmap-2 (deleted)@0x26447e] [@ libxul.so@0xb795e4 | dalvik-bitmap-2 (deleted)@0x22d47e] [@ libxul.so@0xb5f564 | mozilla::g…
(Assignee)

Comment 17

5 years ago
Created attachment 657783 [details] [diff] [review]
Restore BasicPlanarYCbCrImage::SetDelayedConversion

In VideoData::Create we had always used PlanarYCbCrImage::CopyData which doesn't do color conversion, but in http://hg.mozilla.org/mozilla-central/diff/e1ec49e3076f/content/media/nsBuiltinDecoderReader.cpp I changed the call to SetData which might do color conversion.

This patch restores the original behavior but we could still hit the assertion when PlanarYCbCrImage::GetAsSurface is called.

Trivia: BasicPlanarYCbCrImage::SetDelayedConversion was removed in bug 715785
Assignee: nobody → kchen
Attachment #657783 - Flags: review?
(Assignee)

Updated

5 years ago
Attachment #657783 - Flags: review? → review?(roc)
Comment on attachment 657783 [details] [diff] [review]
Restore BasicPlanarYCbCrImage::SetDelayedConversion

Review of attachment 657783 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/layers/basic/BasicImages.cpp
@@ +52,5 @@
>  private:
>    gfxIntSize mScaleHint;
>    int mStride;
>    nsAutoArrayPtr<uint8_t> mDecodedBuffer;
> +  bool mDelayedConversion;
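
Review bot: mDelayedConversion is added as a plain bool at the end of the private members, and no initializer is visible in this hunk. Make sure the constructor's initializer list sets it explicitly, since a flag that is read before any setter runs would otherwise be indeterminate. A one-line comment on the member stating which conversion is delayed and what triggers it would also help the next reader.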

Reorder these so pointers (mDecodedBuffer) are first, then mScaleHint and mStride, then mDelayedConversion.
Attachment #657783 - Flags: review?(roc) → review+
(In reply to Kan-Ru Chen [:kanru] from comment #17)
> This patch restores the original behavior but we could still hit the
> assertion when PlanarYCbCrImage::GetAsSurface is called.

Yes. We need YUV-to-565 code that handles the unpadded case.
(Assignee)

Comment 20

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/7c77ae28cffd
(Assignee)

Updated

5 years ago
Depends on: 787886
(Reporter)

Updated

5 years ago
Crash Signature: [@ mozilla::gfx::bislerp] [@ libxul.so@0xb5d3a4 | dalvik-aux-structure (deleted)@0xa147e] [@ libxul.so@0xb76fb8 | dalvik-bitmap-2 (deleted)@0x26447e] [@ libxul.so@0xb795e4 | dalvik-bitmap-2 (deleted)@0x22d47e] [@ libxul.so@0xb5f564 | mozilla::g… → [@ mozilla::gfx::bislerp] [@ libxul.so@0xb5d3a4 | dalvik-aux-structure (deleted)@0xa147e] [@ libxul.so@0xb76fb8 | dalvik-bitmap-2 (deleted)@0x26447e] [@ libxul.so@0xb795e4 | dalvik-bitmap-2 (deleted)@0x22d47e] [@ libxul.so@0xb795f8 | dalvik-bit…
https://hg.mozilla.org/mozilla-central/rev/7c77ae28cffd
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18

Updated

5 years ago
tracking-firefox17: ? → +
Crash count for this seems to be going down on Nightly.  Noming for Aurora.
Comment on attachment 657783 [details] [diff] [review]
Restore BasicPlanarYCbCrImage::SetDelayedConversion

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 
User impact if declined: 
Testing completed (on m-c, etc.): 
Risk to taking this patch (and alternatives if risky): 
String or UUID changes made by this patch:
Attachment #657783 - Flags: approval-mozilla-aurora?
Blocks: 786117
(In reply to Naoki Hirata :nhirata from comment #23)
> Comment on attachment 657783 [details] [diff] [review]
> Restore BasicPlanarYCbCrImage::SetDelayedConversion
> 
> [Approval Request Comment]

kanru - can you please fill out the above form so that we can fully understand the risk and alternatives? Thanks!
Depends on: 786103
(Assignee)

Comment 25

5 years ago
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 767480
User impact if declined: broken video, possibly crash fennec
Testing completed (on m-c, etc.): tested manually on m-c
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: none
This bug is one of the topcrashes in Aurora 17.

Updated

5 years ago
Attachment #657783 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Reporter)

Comment 27

5 years ago
Landed in Aurora: http://hg.mozilla.org/releases/mozilla-aurora/rev/af3e4f58a679
status-firefox17: --- → fixed
tracking-fennec: ? → ---