[Fission] Crash in [@ mozilla::dom::AutoplayPolicy::IsAllowedToPlay]
Categories
(Core :: Audio/Video: Playback, defect, P3)
| Version | Tracking | Status |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox76 | --- | unaffected |
| firefox77 | --- | unaffected |
| firefox78 | --- | fixed |
People
(Reporter: jan, Assigned: alwu)
Details
(Keywords: crash, nightly-community, regression)
Attachments
(1 file: (deleted), text/x-phabricator-request)
Clicked to play a GIF on Twitter. I have Fission enabled.
This bug is for crash report bp-3102fc98-3d9a-4189-bc00-4e4390200516.
Top 10 frames of crashing thread:
0 libxul.so mozilla::dom::AutoplayPolicy::IsAllowedToPlay dom/media/AutoplayPolicy.cpp:258
1 libxul.so mozilla::dom::HTMLMediaElement::UpdatePreloadAction dom/html/HTMLMediaElement.cpp:2858
2 libxul.so mozilla::dom::HTMLMediaElement::AfterSetAttr dom/html/HTMLMediaElement.cpp:4638
3 libxul.so <name omitted> dom/base/Element.cpp:2363
4 libxul.so mozilla::dom::Element::SetAttr dom/base/Element.cpp:2220
5 libxul.so mozilla::dom::Element::SetAttribute dom/base/Element.cpp:1290
6 libxul.so mozilla::dom::Element_Binding::setAttribute dom/bindings/ElementBinding.cpp:1345
7 libxul.so bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions> dom/bindings/BindingUtils.cpp:3203
8 libxul.so js::InternalCallOrConstruct js/src/vm/Interpreter.cpp:585
9 libxul.so Interpret js/src/vm/Interpreter.cpp:648
Comment 1 • 4 years ago (Reporter)
bug 1597450, bug 1509933, bug 1627999 and bug 1627999 changed AutoplayPolicy.cpp and HTMLMediaElement.cpp yesterday and today.
Comment 2 • 4 years ago (Assignee)
Hmm, this crash looks a little weird: it crashes on the reference of the media element, but the element should still be alive at the time the function is being called.
Comment 3 • 4 years ago (Assignee)
Considering this crash didn't happen a lot, set it as P3.
Comment 4 • 4 years ago (Reporter)
All recent crashes have Fission enabled.
Comment 5 • 4 years ago (Assignee)
I still can't understand why this happens, but seeing those recent crashes, which all started occurring after the build on 5/16, it seems possibly related to bug 1597450.
The only possibility I can imagine is that we crash when we have a null window context [1], that shouldn't be null though. Anyway, I will submit a patch for that to see if it helps.
Comment 6 • 4 years ago (Assignee)
I suspect that when enabling Fission, in some situations, we might get a null window context, which results in a crash. Therefore, returning a deny action if we are not able to get a window context.
(In reply to Alastor Wu [:alwu] from comment #5)
> The only possibility I can imagine is that we crash when we have a null window context [1], that shouldn't be null though. Anyway, I will submit a patch for that to see if it helps.

I looked at the code that's generated for nightly and I'm fairly certain that's what's happening.
`mov edi, dword ptr [rax+68h]` looks to be the code generated to fetch the autoplay permission. Seems like it takes the result of `GetTopWindowContext()` (in rax) then adds 0x68 to get the address of the autoplay permission and moves that. 0x0 + 0x68 would give us our crashing address.
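The reasoning in the comment above, together with the fail-closed fix described in comment 6, as an added example that is not part of the original thread and is not Gecko's code. `FakeWindowContext`, its padding, `kPermAllow` and the helper names are assumptions made for illustration; only the 0x68 displacement comes from the thread.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for the window context, NOT Gecko's real layout.
// The padding is chosen so the permission field sits at the 0x68
// displacement seen in `mov edi, dword ptr [rax+68h]`.
struct FakeWindowContext {
  unsigned char mOpaque[0x68];
  uint32_t mAutoplayPermission;
};

enum class Decision { Allowed, Denied };
constexpr uint32_t kPermAllow = 1;  // constructed value, not Gecko's constant

constexpr uintptr_t kFieldOffset =
    offsetof(FakeWindowContext, mAutoplayPermission);

// Address the load touches for a given base pointer held in rax.
constexpr uintptr_t FaultAddress(uintptr_t base) { return base + kFieldOffset; }

// Triage check: a crash address equal to the field displacement means the
// base pointer was null, so the context lookup returned nullptr.
constexpr bool LooksLikeNullBase(uintptr_t crashAddr) {
  return crashAddr == kFieldOffset;
}

// Fail closed: with no window context there is no permission to read,
// so deny instead of dereferencing.
Decision IsAllowedToPlay(const FakeWindowContext* ctx) {
  if (!ctx) {
    return Decision::Denied;
  }
  return ctx->mAutoplayPermission == kPermAllow ? Decision::Allowed
                                                : Decision::Denied;
}

int main() {
  std::printf("null base faults at 0x%zx\n",
              static_cast<size_t>(FaultAddress(0)));
  std::printf("null context denied: %d\n",
              IsAllowedToPlay(nullptr) == Decision::Denied);
  return 0;
}
```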
Comment 9 • 4 years ago (bugherder)