Closed Bug 893880 Opened 9 years ago Closed 8 years ago

TextTrack crash [@mozilla::dom::TextTrackCueList::Update]

Categories

(Core :: Audio/Video, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla28

People

(Reporter: posidron, Assigned: drexler)

References

()

Details

(Keywords: assertion, crash, testcase)

Crash Data

Attachments

(4 files)

Attached file callstack
This happens fairly often with the fuzzer but until now I wasn't able to produce an external testcase for it.

Tested with http://hg.mozilla.org/integration/mozilla-inbound/rev/fa6ef0b63025
There's a crash in the wild: bp-2d109cf5-7d41-4fe5-82e6-ef2f52130715. Maybe you can get the URL.
Crash Signature: [@ mozilla::dom::TextTrackCueList::Update] → [@ mozilla::dom::TextTrackCueList::Update(double) ] [@ nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyElements<nsRefPtr<mozilla::dom::TextTrackCue> > >::Length(unsigned int) | mozilla::dom::TextTrackCueList::Update(double) ]
The crash url was http://ie.microsoft.com/testdrive/Graphics/VideoFormatSupport/Default.html which doesn't have track elements, just <video>. I haven't been able to reproduce the crash locally.

Since the crash is in the Cycle Collection of HTMLMediaElement even when no TextTracks are instantiated, the pref won't protect general users from this crash. This is therefore something we need to fix independently of enabling webvtt in bug 887978.
This reminds me of bug 882589 in that media events are firing when they shouldn't.
Could this have anything to do with the removal of libwebvtt? That's my first suspicion.
Attached file testcase
Let the testcase run for a few seconds.
Attached file media.zip
Keywords: assertion
Thanks cdiehl. Now that the reimplementation has landed we can make progress on these again.
Attached patch fixSplinter Review
I'm able to reproduce this. This happens because |mCueList| not having any cues gets cycle collected early and when the test tries to reload the page, it first pauses the player which in turn tries to update any cues it has.
Attachment #823647 - Flags: review?(giles)
Comment on attachment 823647 [details] [diff] [review]
fix

Review of attachment 823647 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks. Is shis is the only dereference which can be triggered during shutdown?
Attachment #823647 - Flags: review?(giles) → review+
> Thanks. Is shis is the only dereference which can be triggered during
> shutdown?

Yes. I even modified the test case to see if there was the possibility of |mTextTrackManager| being collected before it's defereferenced.
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/0d29189eef9b
Assignee: nobody → andrew.quartey
https://hg.mozilla.org/mozilla-central/rev/0d29189eef9b
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Keywords: verifyme
Was not able to reproduce the initial crash, 
Based on Socorro there were no crashes registered in the last 3 weeks on Firefox 28 with both signature.

http://goo.gl/8xRgGN
http://goo.gl/MEiKJG
Status: RESOLVED → VERIFIED
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.