Closed Bug 923437 Opened 11 years ago Closed 11 years ago

[flatfish] libtheora ARM asm crash showing ogv files in the video play list (Android 4.2)

Categories

(Firefox OS Graveyard :: Gaia::Video, defect)

Product:
Firefox OS Graveyard
Component:
Gaia::Video
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 920992

People

(Reporter: tommy.cvkk, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.52 Chrome/28.0.1500.52 Safari/537.36

Steps to reproduce:

1. adb push gaia/media-samples/Movies/manifesto.ogv /mnt/sdcard/Movies
2. lunch video player


Actual results:

video just crash ( send report )!
And I traced code to the gecko layer and found the assembly function oc_pack_read() will cause this issue. 


Expected results:

It will show one video picture and it's filename in the video play list.
Blocks: flatfish
Depends on: 920992
OS: All → Gonk (Firefox OS)
Hardware: All → ARM
Hi, All:

Let me explain the issue. After lunching the video player, it will scan the /mnt/scard/Movies/* . If it find the (.ogv) files, it will read it's ogv meta data in the gecko layer. In the function  oc_dec_headerin(), it will call the assembly function call "oc_pack_read", and then the video player crash ! The root cause is the assembly function call.

I changed the gcc version to 4.4.x (arm-linux-androideabi-4.4.x/bin/arm-linux-androideabi-gcc) and re-build the libtheora folder only. And the video player works fine!

Is it a good solution ?
Summary: [flatfish] Can't show ogv files in the video play list (Android 4.2) → [flatfish] libtheora ARM asm crash showing ogv files in the video play list (Android 4.2)
Can you attach a backtrace of the crash and the contents of the registers?
only following message: ( using /scard/Movies/manifesto.ogv that is from gaia/media-samples/Movies )


I/Gecko   ( 1270):
I/Gecko   ( 1270): ###!!! [Parent][AsyncChannel] Error: Channel error: cannot send/recv
I/Gecko   ( 1270):
I/Gonk    ( 1270): Setting nice for pid 1629 to 1
I/Gonk    ( 1270): Changed nice for pid 1629 from 18 to 1.
I/GeckoDump( 1270): Crash reporter : Can't fetch app.reportCrashes. Exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getBoolPref]"  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)"  location: "JS frame :: chrome://browser/content/shell.js :: shell_reportCrash :: line 120"  data: no]
Okay, can you tell me how to set up an Android 4.2 build on my peak so I can attempt to reproduce?
Not sure what security rating to give here. Timothy did you get help reproducing? Still no stack I assume.
(In reply to David Bolter [:davidb] from comment #5)
> Not sure what security rating to give here. Timothy did you get help
> reproducing? Still no stack I assume.

Not yet, no. oc_pack_read_arm does write some state back to the heap-allocated oc_pack_buf * that is passed in, so it's not immediately clear this is just an unsafe read.

My best guess is that whatever compiler Android 4.2 is using (what compiler is it, Tommy? All you said was what compiler worked, not which one was broken) packs the struct differently, though it's hard to see why, since every member should be 32 bits.
Going to write this off as a compiler bug. Since these are the samples surely we'll remember to use the right compiler
Group: core-security
please refer to this one [Bug 920992]
cc platform media team to know this bug.
(In reply to tommy_chiu from comment #8)
> please refer to this one [Bug 920992]

Hi Tommy,

Could Bug 920992 solve this issue or there is another case here?

Thanks.
yes, they are the same. And the patch "Specifying alignments explicitly in assembly codes. r=derf" fixed this issue. It is an alignment problem.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.