Closed Bug 882734 Opened 11 years ago Closed 11 years ago

Video app crash while reading MPEG4 input buffer

Categories

(Firefox OS Graveyard :: General, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 880902

People

(Reporter: diego, Unassigned)

Attachments

(1 file)

This started popping up during our stability tests on Inari v1.1 relatively recently.

It seems either the input buffer is invalid or it's reading from an invalid offset.

Crash stack below:

Crash reason:  SIGSEGV
Crash address: 0x0

Thread 55 (crashed)
 0  0x0
     r0 = 0x49e59fa0    r1 = 0x00000001    r2 = 0x48db8148    r3 = 0x00000000
     r4 = 0x0000000d    r5 = 0x48db8140    r6 = 0x49ede160    r7 = 0x49ede160
     r8 = 0x48db8148    r9 = 0x0000000d   r10 = 0x000ca664    fp = 0x00000000
     sp = 0x4dfffb68    lr = 0x4100eb55    pc = 0x00000000
    Found by: given as instruction pointer in context
 1  libxul.so!android::Vector<android::InputDispatcher::Connection*>::do_copy + 0xf
     sp = 0x4dfffb84    pc = 0x4100eb29
    Found by: stack scanning
 2  0x49ede15e
     r4 = 0x0000000d    sp = 0x4dfffb8c    pc = 0x49ede160
    Found by: call frame info
 3  libstagefright.so!android::MPEG4DataSource::readAt [MPEG4Extractor.cpp : 172 + 0xd]
     sp = 0x4dfffba0    pc = 0x41d054c5
    Found by: stack scanning
 4  libstagefright.so!android::MPEG4DataSource::readAt [MPEG4Extractor.cpp : 172 + 0xd]
     r0 = 0x49ede160    r1 = 0x0000000d    r2 = 0x000ca664    r4 = 0x48db82a8
     r5 = 0x41d0545d    r6 = 0x0000000d    r7 = 0x49ede160    r8 = 0x000ca664
     r9 = 0x00000000   r10 = 0x000ca671    fp = 0x00000000    sp = 0x4dfffbd0
     pc = 0x41d054c5
    Found by: call frame info
 5  libstagefright.so!android::MPEG4Source::read [MPEG4Extractor.cpp : 2343 + 0x1b]
     r0 = 0x49ede160    r1 = 0x0000000d    r2 = 0x000ca664    r4 = 0x48a9ece0
     r5 = 0x41d0545d    r6 = 0x48db82a0    r7 = 0x41e02b54    r8 = 0x48db8820
     r9 = 0x4a093130   r10 = 0x4dfffd60    fp = 0x00000001    sp = 0x4dfffc00
     pc = 0x41d05787
    Found by: call frame info
 6  libstagefright.so!android::OMXCodec::drainInputBuffer [OMXCodec.cpp : 4213 + 0x7]
     r4 = 0x4507f980    r5 = 0x483bbc90    r6 = 0x00000000    r7 = 0x41e02b54
     r8 = 0x48db8820    r9 = 0x4a093130   r10 = 0x4dfffd10    fp = 0x00000001
     sp = 0x4dfffcd8    pc = 0x41d14215
    Found by: call frame info
 7  libstagefright.so!android::OMXCodec::on_message [OMXCodec.cpp : 3122 + 0x5]
     r4 = 0x4507f980    r5 = 0x00000002    r6 = 0x4dfffd9c    r7 = 0x00000001
     r8 = 0x4507f9d4    r9 = 0x4a093130   r10 = 0x00100000    fp = 0x00000001
     sp = 0x4dfffd98    pc = 0x41d17a91
    Found by: call frame info
 8  libstagefright.so!android::OMXCodecObserver::onMessage [OMXCodec.cpp : 322 + 0x7]
     r4 = 0x4507fa34    r5 = 0x4dfffe60    r6 = 0x49ede258    r7 = 0x4dfffe80
     r8 = 0x49ede264    r9 = 0x4a093130   r10 = 0x00100000    fp = 0x00000001
     sp = 0x4dfffe30    pc = 0x41d18075
    Found by: call frame info
 9  libstagefright_omx.so!android::OMXNodeInstance::onMessage [OMXNodeInstance.cpp : 682 + 0x7]
     r0 = 0x48db8800    r1 = 0x4507f980    r2 = 0x41d18045    r4 = 0x4dfffe60
     r5 = 0x49ede190    r6 = 0x49ede258    r7 = 0x4dfffe80    r8 = 0x49ede264
     r9 = 0x4a093130   r10 = 0x00100000    fp = 0x00000001    sp = 0x4dfffe48
     pc = 0x42154c0b
    Found by: call frame info
10  libstagefright_omx.so!android::OMX::CallbackDispatcher::dispatch [OMX.cpp : 125 + 0x3]
     r4 = 0x4dfffe60    r5 = 0x49ede250    r6 = 0x49ede258    r7 = 0x4dfffe80
     r8 = 0x49ede264    r9 = 0x4a093130   r10 = 0x00100000    fp = 0x00000001
     sp = 0x4dfffe58    pc = 0x42153da3
    Found by: call frame info
11  libstagefright_omx.so!android::OMX::CallbackDispatcher::loop [OMX.cpp : 146 + 0x7]
     r4 = 0x4dfffe60    r5 = 0x49ede250    r6 = 0x49ede258    r7 = 0x4dfffe80
     r8 = 0x49ede264    r9 = 0x4a093130   r10 = 0x00100000    fp = 0x00000001
     sp = 0x4dfffe60    pc = 0x42153e1b
    Found by: call frame info
12  libstagefright_omx.so!android::OMX::CallbackDispatcherThread::threadLoop [OMX.cpp : 155 + 0x5]
     r4 = 0x49ede2b0    r5 = 0x00000001    r6 = 0x49ede2bc    r7 = 0x4dfffeb4
     r8 = 0x4dfffeb0    r9 = 0x4a093130   r10 = 0x00100000    fp = 0x00000001
     sp = 0x4dfffea0    pc = 0x42153e25
    Found by: call frame info
13  libutils.so!android::Thread::_threadLoop [Threads.cpp : 834 + 0x5]
     r4 = 0x49ede2b0    r5 = 0x00000001    r6 = 0x49ede2bc    r7 = 0x4dfffeb4
     r8 = 0x4dfffeb0    r9 = 0x4a093130   r10 = 0x00100000    fp = 0x00000001
     sp = 0x4dfffea8    pc = 0x40145e59
    Found by: call frame info
14  libutils.so!thread_data_t::trampoline [Threads.cpp : 127 + 0x3]
     r0 = 0x49ede2b0    r1 = 0x4a093120    r2 = 0x00000000    r3 = 0x49ede2b0
     r4 = 0x4a093140    r5 = 0x40145de5    r6 = 0x49ede2b0    r7 = 0xfffffffe
     r8 = 0x40146409    r9 = 0x4a093130   r10 = 0x00100000    fp = 0x00000001
     sp = 0x4dfffed0    pc = 0x4014649f
    Found by: call frame info
15  libc.so!__thread_entry [pthread.c : 217 + 0x6]

Do we know what real-world scenarios this could happen in?

I have no idea about it.

Diego, can we have more information about the crash, such as a decoded minidump of the crash or adb logcat?

Attached file Minidump

This is the full minidump. It happened after several hours of stress testing, so the logcat log is >200MB long!

Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE