Closed Bug 882075 Opened 11 years ago Closed 9 years ago

crash in mozilla::dom::TimeRanges::Add

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Version:
23 Branch
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 --- affected
firefox24 --- affected
firefox25 --- affected
firefox26 --- affected

People

(Reporter: scoobidiver, Unassigned)

References

Details

(Keywords: crash, regression, Whiteboard: [native-crash])

Crash Data

It's #67 browser crasher in 23.0a2 and #370 in 24.0a1.
It first showed up in 23.0a1/20130426. The regression range might be (discontinuous across builds):
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=690b5e0f6562&tochange=a6104e0e5a2c

Signature 	nsTArray_Impl<mozilla::dom::TimeRanges::TimeRange, nsTArrayInfallibleAllocator>::AppendElements<mozilla::dom::TimeRanges::TimeRange>(mozilla::dom::TimeRanges::TimeRange const*, unsigned int) More Reports Search
UUID	2e905b8e-c87b-4d9d-b19b-5744c2130610
Date Processed	2013-06-10 00:13:33
Uptime	1615
Install Age	2.5 hours since version was first installed.
Install Time	2013-06-09 21:46:17
Product	Firefox
Version	24.0a1
Build ID	20130608031212
Release Channel	nightly
OS	Windows NT
OS Version	6.2.9200
Build Architecture	x86
Build Architecture Info	AuthenticAMD family 16 model 4 stepping 2
Crash Reason	EXCEPTION_ACCESS_VIOLATION_READ
Crash Address	0x8
App Notes 	
AdapterVendorID: 0x10de, AdapterDeviceID: 0x1200, AdapterSubsysID: 089810de, AdapterDriverVersion: 9.18.13.1422
D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ 
Processor Notes 	sp-processor06_phx1_mozilla_com_5188:2012; non-integer value of "SecondsSinceLastCrash"
EMCheckCompatibility	True
Adapter Vendor ID	0x10de
Adapter Device ID	0x1200
Total Virtual Memory	4294836224
Available Virtual Memory	2316423168
System Memory Use Percentage	23
Available Page File	29104934912
Available Physical Memory	13150478336

Frame 	Module 	Signature 	Source
0 	xul.dll 	nsTArray_Impl<mozilla::dom::TimeRanges::TimeRange,nsTArrayInfallibleAllocator>:: 	obj-firefox/dist/include/nsTArray.h:1044
1 	xul.dll 	mozilla::dom::TimeRanges::Add 	content/html/content/src/TimeRanges.cpp:81
2 	xul.dll 	mozilla::dom::HTMLMediaElement::SetCurrentTime 	content/html/content/src/HTMLMediaElement.cpp:1277
3 	xul.dll 	mozilla::dom::HTMLMediaElement::SetCurrentTime 	content/html/content/src/HTMLMediaElement.cpp:1321
4 	xul.dll 	mozilla::dom::HTMLAudioElement::SetCurrentTime 	obj-firefox/dist/include/mozilla/dom/HTMLAudioElement.h:43
5 	xul.dll 	mozilla::dom::HTMLMediaElement::PlaybackEnded 	content/html/content/src/HTMLMediaElement.cpp:2846
6 	xul.dll 	mozilla::MediaDecoder::PlaybackEnded 	content/media/MediaDecoder.cpp:859
7 	xul.dll 	nsRunnableMethodImpl<void 	obj-firefox/dist/include/nsThreadUtils.h:350
8 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:626
9 	xul.dll 	NS_ProcessNextEvent 	obj-firefox/xpcom/build/nsThreadUtils.cpp:238
10 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:82
11 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:212
12 	xul.dll 	MessageLoop::Run 	ipc/chromium/src/base/message_loop.cc:186
13 	xul.dll 	nsBaseAppShell::Run 	widget/xpwidgets/nsBaseAppShell.cpp:163
14 	xul.dll 	nsAppShell::Run 	widget/windows/nsAppShell.cpp:113
15 	xul.dll 	nsAppStartup::Run 	toolkit/components/startup/nsAppStartup.cpp:269
16 	xul.dll 	XREMain::XRE_mainRun 	toolkit/xre/nsAppRunner.cpp:3851
17 	xul.dll 	XREMain::XRE_main 	toolkit/xre/nsAppRunner.cpp:3919
18 	xul.dll 	XRE_main 	toolkit/xre/nsAppRunner.cpp:4132
19 	firefox.exe 	do_main 	browser/app/nsBrowserApp.cpp:272
20 	firefox.exe 	NS_internal_main 	browser/app/nsBrowserApp.cpp:632
21 	firefox.exe 	wmain 	toolkit/xre/nsWindowsWMain.cpp:105
22 	firefox.exe 	__tmainCRTStartup 	crtexe.c:552
23 	kernel32.dll 	BaseThreadInitThunk 	
24 	ntdll.dll 	ntdll.dll@0x5bf39 	
25 	ntdll.dll 	ntdll.dll@0x5bf0c

More reports at:
https://crash-stats.mozilla.com/report/list?signature=nsTArray_Impl%3Cmozilla%3A%3Adom%3A%3ATimeRanges%3A%3ATimeRange%2C+nsTArrayInfallibleAllocator%3E%3A%3AAppendElements%3Cmozilla%3A%3Adom%3A%3ATimeRanges%3A%3ATimeRange%3E%28mozilla%3A%3Adom%3A%3ATimeRanges%3A%3ATimeRange+const*%2C+unsigned+int%29
Crash Signature: [@ nsTArray_Impl<mozilla::dom::TimeRanges::TimeRange, nsTArrayInfallibleAllocator>::AppendElements<mozilla::dom::TimeRanges::TimeRange>(mozilla::dom::TimeRanges::TimeRange const*, unsigned int)] → [@ nsTArray_Impl<mozilla::dom::TimeRanges::TimeRange, nsTArrayInfallibleAllocator>::AppendElements<mozilla::dom::TimeRanges::TimeRange>(mozilla::dom::TimeRanges::TimeRange const*, unsigned int)] [@ mozilla::dom::TimeRanges::TimeRange* nsTArray_Impl<mozil…
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [native-crash]
Can you provide a test?
(In reply to Andrea Marchesini (:baku) from comment #2)
> Can you provide a test?
No. The best I can do is to ask for URLs.
Keywords: needURLs
4 	https://www.facebook.com/
2 	http://www.facebook.com/
1 	http://www.nhl.com/index.html
1 	https://twitter.com/EmergencyPuppy

several inappropriate search results from vineviewer and memecenter were removed
Keywords: needURLs
I get this crash almost 100% of the time when running the emscripten test suite, which basically opens a bunch of tabs with tests in them and then they close themselves. Let me know if that would be useful and I can write up detailed STR.
STR would be useful.
Sadly it turns out my STR are only reliable on one of my 2 machines. So not sure they will help anywhere else. But here they are:

1. Set up emscripten. There is a tutorial with guides for the various platforms, https://github.com/kripken/emscripten/wiki/Tutorial Basically you need to git clone emscripten, and get node, python and LLVM+clang.
2. Verify emscripten works, by continuing to follow that tutorial. (If you have any issues, please ping me on IRC or here.)
3. Run the browser test suite:    python tests/runner.py browser    (Note that the first time you run it, it will try to open popups from localhost and fail. Need to allow the popups, then start it again.)

The test suite takes several minutes to run. On currently nightly, practically every time I run it I get this crash (3 times today for example), but as mentioned before, on just 1 of my machines.
Component: DOM: Core & HTML → Video/Audio
Flags: needinfo?(roc)
status-firefox25: --- → affected
status-firefox26: --- → affected
we have found a way to reproduced this bug with 100% possibilities.
Operation:
1.start clock app, setup 3 alarms in future, their time interval is one minute.such as 
10:01, 10:02, 10.03, current time is supposed at 10:00.
2.Back to homescreen, wait alarm rings
3.When the first alarm 10:01 come, wait and do nothing
4.After 1 minute, the second alarm come too, wait and still do nothing
5. Still After 1 minute, the third alarm come. Then unlock the screen, you get a crash of clock app.
I just tried to reproduce this bug using those steps, in a debug build of mozilla-central with latest B2G, and I didn't get a crash.

ying.xu, can you reproduce this with a debug build of Gecko? If so, can you attach the debugger before crashing and tell us whatever you can about the crash?
ying.xu, in particular it would be useful to verify whether we're at "mPlayed->Add(mCurrentPlayRangeStart, rangeEndTime);" in HTMLMediaElement::SetCurrentTime, and whether mPlayed is null there.
Can set B2G_DEBUG=1 to make a debug build?
Or other settings?

(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #14)
> I just tried to reproduce this bug using those steps, in a debug build of
> mozilla-central with latest B2G, and I didn't get a crash.
> 
> ying.xu, can you reproduce this with a debug build of Gecko? If so, can you
> attach the debugger before crashing and tell us whatever you can about the
> crash?
It still happens with debug build of gecko v1.2 branch

git log shows as below
commit 62e2d2fb75de2716bbf90dce8cef4beb3d34235a
Author: Timothy Nikkel <tnikkel@gmail.com>
Date:   Tue Nov 19 12:15:20 2013 -0600

    Bug 908100 - Prefer the pointerDownTarget when resetting the active state because that is what we set active state 

(gdb) frame 2
(gdb) p mPlayed
Cannot access memory at address 0x10624ed3
(gdb) p this
$9 = (class mozilla::dom::HTMLMediaElement * const) 0x10624dd3
(gdb) frame 1
#1  0x40c41e96 in mozilla::dom::TimeRanges::Add (this=0x10, aStart=1.0185579799004822e-312, 
    aEnd=1.0185579799004822e-312) at /home/yingxu/source/ffos/gecko/content/html/content/src/TimeRanges.cpp:79
79	  mRanges.AppendElement(TimeRange(aStart,aEnd));
(gdb) p this
$10 = (class mozilla::dom::TimeRanges * const) 0x10   //this value was wrong.

#0  nsTArray_Impl<mozilla::dom::TimeRanges::TimeRange, nsTArrayInfallibleAllocator>::AppendElement<mozilla::dom::TimeRanges::TimeRange> (this=<value optimized out>, item=<value optimized out>) at ../../../../dist/include/nsTArray.h:1237
#1  0x40c41e96 in mozilla::dom::TimeRanges::Add (this=0x10, aStart=1.0185579799004822e-312, 
    aEnd=1.0185579799004822e-312) at /home/yingxu/source/ffos/gecko/content/html/content/src/TimeRanges.cpp:79
#2  0x40c220c0 in mozilla::dom::HTMLMediaElement::SetCurrentTime (this=0x10624dd3, aCurrentTime=0, aRv=...)
    at /home/yingxu/source/ffos/gecko/content/html/content/src/HTMLMediaElement.cpp:1323
#3  0x40c22224 in mozilla::dom::HTMLMediaElement::SetCurrentTime (this=0x4015dcf8, 
    aCurrentTime=1.0185579799004822e-312)
    at /home/yingxu/source/ffos/gecko/content/html/content/src/HTMLMediaElement.cpp:1367
#4  0x40bff21e in mozilla::dom::HTMLAudioElement::SetCurrentTime (this=0x0, aCurrentTime=0)
    at ../../../../dist/include/mozilla/dom/HTMLAudioElement.h:34
#5  0x40c25c0c in mozilla::dom::HTMLMediaElement::PlaybackEnded (this=0x4470b900)
    at /home/yingxu/source/ffos/gecko/content/html/content/src/HTMLMediaElement.cpp:2917
#6  0x40c89cd4 in mozilla::MediaDecoder::PlaybackEnded (this=0x4479a020)
    at /home/yingxu/source/ffos/gecko/content/media/MediaDecoder.cpp:907
#7  0x4073e990 in nsRunnableMethodImpl<unsigned int (mozilla::net::BackgroundFileSaverStreamListener::*)(), void, true>::Run (this=<value optimized out>) at ../../../dist/include/nsThreadUtils.h:418
.....


(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #15)
> ying.xu, in particular it would be useful to verify whether we're at
> "mPlayed->Add(mCurrentPlayRangeStart, rangeEndTime);" in
> HTMLMediaElement::SetCurrentTime, and whether mPlayed is null there.
Actually, only two alarms will make this happen.
When the alarm comes, just wait, don't do anything.
After the second alarm come, wait for a few seconds,You will get the crash.

(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #14)
> I just tried to reproduce this bug using those steps, in a debug build of
> mozilla-central with latest B2G, and I didn't get a crash.
> 
> ying.xu, can you reproduce this with a debug build of Gecko? If so, can you
> attach the debugger before crashing and tell us whatever you can about the
> crash?
Hmm, I don't trust the values in your debug stack. The "this" value for HTMLMediaElement keeps changing from frame to frame and it definitely should be the same :-(.
Can you add code to printf_stderr the value of "this" in TimeRanges::Add, and "this" in HTMLMediaElement::PlaybackEnded, and report the results?
Crash Signature: , unsigned int)] [@ mozilla::dom::TimeRanges::TimeRange* nsTArray_Impl<mozilla::dom::TimeRanges::TimeRange, nsTArrayInfallibleAllocator>::AppendElements<mozilla::dom::TimeRanges::TimeRange>(mozilla::dom::TimeRanges::TimeRange const*, unsigned int) ] → , unsigned int)] [@ mozilla::dom::TimeRanges::TimeRange* nsTArray_Impl<mozilla::dom::TimeRanges::TimeRange, nsTArrayInfallibleAllocator>::AppendElements<mozilla::dom::TimeRanges::TimeRange>(mozilla::dom::TimeRanges::TimeRange const*, unsigned int) ] [@ …
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.