Closed Bug 945645 Opened 11 years ago Closed 10 years ago

HTML5 audio with mp4 file instantly crashes browser

Categories

(Core :: Graphics: Layers, defect)

23 Branch
x86_64
Windows 7
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla29
Tracking Status
firefox25 --- wontfix
firefox26 --- wontfix
firefox27 --- verified
firefox28 --- verified
firefox29 --- verified
firefox-esr17 --- unaffected
firefox-esr24 --- wontfix
b2g-v1.2 --- wontfix
b2g-v1.3 --- fixed

People

(Reporter: xslade, Assigned: cpearce)

Details

(4 keywords, Whiteboard: [reporter-internal][crash sig needed])

Attachments

(1 file)

I've created an HTML file with an audio tag and inserted an .mp4 video file in it as the 'src' attribute:
<audio src="http://sladex.org/placeholders/demo.mp4"></audio>
When I set the preload attribute to none (<audio src="..." preload="none"></audio>), the browser doesn't crash. So the issue happens right after the browser has just started downloading the file. I tested it with several .mp4 files, and not all of them lead to a crash.
Tested in Windows 7 x64, Firefox 25.0.1.
Doesn't reproduce in Ubuntu 13.10 and Android 4.3.
Demo: *be careful, it may crash your browser!* http://sladex.org/xbugzilla/ff.html
I am getting no repro on OS X 10.9, Firefox 25.0.1
We really need a crash report attached to this, could you check about:crashes in your browser and attach the crash report link?
Flags: needinfo?(xslade)
Whiteboard: [reporter-internal]
Whiteboard: [reporter-internal] → [reporter-internal][crash sig needed]
I can't reproduce it either on Windows 7 x64 with Firefox 25.0.1.
Do you have any codec related plugins enabled in Firefox?
I can reproduce on Win7-64 with nightly. Looks like a null deref
bp-4584d092-40e0-4128-b962-dc5522131203

Just for kicks I flipped the layers.acceleration.disabled pref to true (because D3D9DXVA2Manager was in the stack) and it still crashed
bp-b7e787a2-e2eb-4eb4-9350-2380a2131203

Here's my graphics info from about:support in case it's relevant (especially since Christoph did NOT crash on a similar-sounding config)

Adapter Description	Intel(R) HD Graphics Family
Adapter Description (GPU #2)	NVIDIA Quadro 1000M
Adapter Drivers	igdumd64 igd10umd64 igd10umd64 igdumdx32 igd10umd32 igd10umd32
Adapter Drivers (GPU #2)	nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
Adapter RAM	Unknown
Adapter RAM (GPU #2)	2048
ClearType Parameters	DISPLAY1 [ Gamma: 2200 Pixel Structure: RGB ClearType Level: 50 Enhanced Contrast: 300 ] DISPLAY3 [ Gamma: 2200 Pixel Structure: RGB ClearType Level: 50 Enhanced Contrast: 100 ]
Device ID	0x0126
Device ID (GPU #2)	0x0dfa
Direct2D Enabled	true
DirectWrite Enabled	true (6.2.9200.16571)
Driver Date	9-26-2011
Driver Date (GPU #2)	1-10-2013
Driver Version	8.15.10.2538
Driver Version (GPU #2)	9.18.13.1100
GPU #2 Active	false
GPU Accelerated Windows	0/1 Basic
Vendor ID	0x8086
Vendor ID (GPU #2)	0x10de
WebGL Renderer	Google Inc. -- ANGLE (Intel(R) HD Graphics Family Direct3D9Ex vs_3_0 ps_3_0)
windowLayerManagerRemote	false
AzureCanvasBackend	direct2d
AzureContentBackend	direct2d
AzureFallbackCanvasBackend	cairo
AzureSkiaAccelerated	0
Crash Signature: [@ mozilla::layers::ImageContainer::CreateImage(mozilla::ImageFormat const*, unsigned int) ]
Component: General → Graphics: Layers
Product: Firefox → Core
Version: 25 Branch → unspecified
I tried that crash link above on three different computers, and all of them led to a crash.
Here is the last one (Windows 2008 x64):
https://crash-stats.mozilla.com/report/index/7bc36ef1-b0ea-48f2-b70d-dc9f92131203
Flags: needinfo?(xslade)
The MediaDecoder doesn't have an image container for the video frame because it's being loaded inside an <audio> element. D'oh!
Attached patch: Patch (Splinter Review)
Don't initialize video decoding if the image container is null during WMFReader::ReadMetadata(). It is only non-null if we have somewhere to play the video anyway.

This means we don't null-deref the image container later, which prevents the crash.
Assignee: nobody → cpearce
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8342065 - Flags: review?
Group: core-security
Flags: sec-bounty-
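The failure mode and guard described in the comment above, as an added illustration that is not part of the bug thread and is not Gecko code. It is a simplified C++ model in which every name (Reader, ContainerTracks, DecodeVideoFrame, the guardEnabled switch) is hypothetical, and the unguarded path reports where the null dereference would occur instead of faulting.

```cpp
#include <cstdio>
// Simplified model of the bug; hypothetical names, not Gecko source.
struct ImageContainer {              // frame sink; exists only for <video>
    int frames = 0;
    int CreateImage() { return ++frames; }
};
struct ContainerTracks { bool audio; bool video; };  // tracks found in the file
struct MediaInfo { bool hasAudio; bool hasVideo; };
enum class Decode { Frame, NoVideo, WouldNullDeref };

class Reader {
public:
    // container is nullptr when the media is loaded by an <audio> element.
    Reader(ImageContainer* container, bool guardEnabled)
        : mContainer(container), mGuard(guardEnabled) {}

    MediaInfo ReadMetadata(const ContainerTracks& file) {
        // Guarded: skip video setup when there is nowhere to put decoded
        // frames. Unguarded (mGuard == false): trust the file's track list.
        bool initVideo = file.video && (!mGuard || mContainer != nullptr);
        mVideoReady = initVideo;
        return MediaInfo{file.audio, initVideo};
    }

    Decode DecodeVideoFrame() {
        if (!mVideoReady) return Decode::NoVideo;
        // Unguarded with a null container, this is where the dereference
        // would fault; the model reports the condition instead of crashing.
        if (mContainer == nullptr) return Decode::WouldNullDeref;
        mContainer->CreateImage();
        return Decode::Frame;
    }
private:
    ImageContainer* mContainer;
    bool mGuard;
    bool mVideoReady = false;
};

// One load: read metadata, then attempt one video decode.
Decode LoadAndDecode(ImageContainer* sink, bool guardEnabled) {
    Reader r(sink, guardEnabled);
    r.ReadMetadata(ContainerTracks{true, true});  // constructed input: audio + video
    return r.DecodeVideoFrame();
}

int main() {
    ImageContainer sink;
    Decode runs[] = {LoadAndDecode(nullptr, false), LoadAndDecode(nullptr, true),
                     LoadAndDecode(&sink, true)};
    for (Decode d : runs) std::printf("%d\n", static_cast<int>(d));
}
```

With the guard on, the audio-element case still reports its audio track and simply never enters the video path, which is why the approval requests later in the thread describe the change as low risk.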
Comment on attachment 8342065 [details] [diff] [review]
Patch

Review of attachment 8342065 [details] [diff] [review]:
-----------------------------------------------------------------

D'oh! Forgot to set requestee on review... Paul?
Attachment #8342065 - Flags: review? → review?(paul)
Attachment #8342065 - Flags: review?(paul) → review+
https://hg.mozilla.org/mozilla-central/rev/b276b4e0bbcf
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
For the record, regression range:
good=2013-05-04
bad=2013-05-05
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=69008b1fd6eb&tochange=c8e47b184aba

Suspected bug: bug 847267.
Blocks: 847267
Keywords: regression
Version: unspecified → 23 Branch
Comment on attachment 8342065 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 847267, hardware accelerated H.264 decoding on Windows. Regressed in Firefox 23.

User impact if declined: non-exploitable crash when user loads an MP4 video inside an HTML <audio> element on Windows Vista and later.

Testing completed (on m-c, etc.): This has been on m-c since 2014-01-07.

Risk to taking this patch (and alternatives if risky): Patch is very low risk. It disables video decoding if we're decoding for an <audio> element.

String or IDL/UUID changes made by this patch: None.
Attachment #8342065 - Flags: approval-mozilla-beta?
Attachment #8342065 - Flags: approval-mozilla-aurora?
Attachment #8342065 - Flags: approval-mozilla-beta?
Attachment #8342065 - Flags: approval-mozilla-beta+
Attachment #8342065 - Flags: approval-mozilla-aurora?
Attachment #8342065 - Flags: approval-mozilla-aurora+
Checkin needed on aurora and beta.
Keywords: checkin-needed
Reproduced the crash on nightly 2013-12-19 using the test URL http://sladex.org/xbugzilla/ff.html
Verified fixed 29.0a1 2014-01-09, Win 7 x64.
Status: RESOLVED → VERIFIED
Yes! We need this on ESR24.
Flags: needinfo?(cpearce)
Comment on attachment 8342065 [details] [diff] [review]
Patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:

This patch fixes a non-exploitable crash when user loads an MP4 video inside an HTML <audio> element on Windows Vista and later.

User impact if declined: Crashes when user loads an MP4 video inside an HTML <audio> element on Windows Vista and later.

Fix Landed on Version: 27

Risk to taking this patch (and alternatives if risky): Low.

String or UUID changes made by this patch: None.
Attachment #8342065 - Flags: approval-mozilla-esr24?
Verified as fixed on Firefox 27 beta 5 and the 01/09 Nightly. The bug still reproduces on the 01/09 Aurora. The fix might not have gotten into this Aurora build, so I'll retest this next week.
Tested again on Aurora with the following results:
- 01/12 Windows 7 64bit build - bug fixed
- 01/13 Mac OS X 10.8.5 build - bug fixed
- 01/13 Ubuntu 13.04 32bit build - crash: https://crash-stats.mozilla.com/report/index/5a952bdb-378b-4063-b67b-f27d72140113

The Linux crash looks like another bug to me, but I'm not sure of it. Chris, can you please take a look and let me know if I should file a separate bug for it?
Flags: needinfo?(cpearce)
About the crash on Linux: this is probably Bug 959007.
Ioana: this bug is Windows only. The crash you're seeing is a different bug, possibly bug 959007 as Alice suggests.
Flags: needinfo?(cpearce)
Thanks guys! Updating aurora status per the above comments...
Comment on attachment 8342065 [details] [diff] [review]
Patch

This sounds like an edge case and there's no crash volume on ESR 24 to support making an exception to the landing criteria for that branch.  See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Attachment #8342065 - Flags: approval-mozilla-esr24? → approval-mozilla-esr24-