Closed Bug 1833896 Opened 1 year ago Closed 1 year ago

Assertion failure: mBase > 0, at /builds/worker/workspace/obj-build/dist/include/TimeUnits.h:84

Categories

(Core :: Audio/Video: Playback, defect)

Product:
Core
Component:
Audio/Video: Playback
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
115 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox113 --- unaffected
firefox114 --- unaffected
firefox115 --- verified

People

(Reporter: tsmith, Assigned: padenot)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

testcase.mp4
(deleted), video/mp4
Details
Bug 1833896 - Consistently use uint32_t to store timescale until it reaches the TimeUnit constructor, which uses int64_t. r?alwu
(deleted), text/x-phabricator-request
Details
Attached video testcase.mp4 (deleted) —

Found while fuzzing m-c 20230518-016166a0aefa (--enable-debug --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -d --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.mp4

Assertion failure: mBase > 0, at /builds/worker/workspace/obj-build/dist/include/TimeUnits.h:84

#0 0x7fcd97510548 in TimeUnit /builds/worker/workspace/obj-build/dist/include/TimeUnits.h:84:5
#1 0x7fcd97510548 in mozilla::MP4SampleIndex::MP4SampleIndex(mozilla::IndiceWrapper const&, mozilla::ByteStream*, unsigned int, bool, int) /builds/worker/checkouts/gecko/dom/media/mp4/SampleIterator.cpp:454:11
#2 0x7fcd974f673f in mozilla::MP4TrackDemuxer::MP4TrackDemuxer(mozilla::MediaResource*, mozilla::UniquePtr<mozilla::TrackInfo, mozilla::DefaultDelete<mozilla::TrackInfo>>&&, mozilla::IndiceWrapper const&, int) /builds/worker/checkouts/gecko/dom/media/mp4/MP4Demuxer.cpp:320:18
#3 0x7fcd974f2ecd in mozilla::MP4Demuxer::Init() /builds/worker/checkouts/gecko/dom/media/mp4/MP4Demuxer.cpp:231:15
#4 0x7fcd96cbd261 in operator() /builds/worker/checkouts/gecko/dom/media/MediaFormatReader.cpp:784:47
#5 0x7fcd96cbd261 in mozilla::detail::ProxyFunctionRunnable<mozilla::MediaFormatReader::DemuxerProxy::Init()::$_2, mozilla::MozPromise<mozilla::MediaResult, mozilla::MediaResult, false>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1696:29
#6 0x7fcd92ef23ec in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:259:20
#7 0x7fcd92f0f0c5 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:343:14
#8 0x7fcd92f05f2a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
#9 0x7fcd92f0c3fd in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:479:10
#10 0x7fcd93b5059e in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
#11 0x7fcd93a70d21 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
#12 0x7fcd93a70d21 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
#13 0x7fcd92f01346 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
#14 0x7fcda8bf8a0f in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
#15 0x7fcda8894b42 in start_thread nptl/pthread_create.c:442:8
#16 0x7fcda89269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Flags: in-testsuite?

Got a crash from the testcase on Nightly: https://crash-stats.mozilla.org/report/index/331ae385-42b9-4a19-a096-173680230519

Crash Signature: [@ mozilla::media::TimeUnit::TimeUnit ]

Verified bug as reproducible on mozilla-central 20230518213154-3a125a6b7c3a.
The bug appears to have been introduced in the following build range:

Start: b73c33aa86e6f1f38549530aecd999c7827d380e (20230517144015)
End: 488a1a8b33a0c427f85d10224a2f8db913e22b16 (20230517175836)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b73c33aa86e6f1f38549530aecd999c7827d380e&tochange=488a1a8b33a0c427f85d10224a2f8db913e22b16

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]
Regressed by: 1817997

Set release status flags based on info from the regressing bug 1817997

:padenot, since you are the author of the regressor, bug 1817997, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox113: --- → unaffected
status-firefox114: --- → unaffected
status-firefox-esr102: --- → unaffected
Flags: needinfo?(padenot)

Setting firefox115 to Fixed, the regressor Bug 1817997 was backed out of central.

status-firefox115: affectedfixed

Testcase crashes using the initial build (mozilla-central 20230518092544-016166a0aefa) but not with tip (mozilla-central 20230519115028-225c5ab0d999.)

The bug appears to have been fixed in the following build range:

Start: d976369464663a9147b82c82436afcaab1f61aec (20230519041011)
End: 225c5ab0d999e743db5298d125893ae0702884af (20230519115028)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d976369464663a9147b82c82436afcaab1f61aec&tochange=225c5ab0d999e743db5298d125893ae0702884af

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(padenot) → needinfo?(twsmith)
Keywords: bugmon
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Flags: needinfo?(twsmith)
Status: RESOLVED → REOPENED
status-firefox115: fixedaffected
Resolution: FIXED → ---
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirm]
Keywords: bugmon

Looks like this got marked as a dupe of the timing work, but may not have been the result of that. Maybe you can point this ni to whoever might be best to look at it.

Flags: needinfo?(padenot)

Verified bug as reproducible on mozilla-central 20230525234553-763f7f02601b.
The bug appears to have been introduced in the following build range:

Start: b73c33aa86e6f1f38549530aecd999c7827d380e (20230517144015)
End: 488a1a8b33a0c427f85d10224a2f8db913e22b16 (20230517175836)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=b73c33aa86e6f1f38549530aecd999c7827d380e&tochange=488a1a8b33a0c427f85d10224a2f8db913e22b16

Whiteboard: [bugmon:bisected,confirm] → [bugmon:bisected,confirmed]

(In reply to Takanori MATSUURA from comment #8)

Regressed by bug 1817997 or bug 1703812?

Ah, I missed the "Regressed-By" by tsmith.

Assignee: nobody → padenot
Flags: needinfo?(padenot)
Pushed by padenot@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/93cf96e033d0 Consistently use uint32_t to store timescale until it reaches the TimeUnit constructor, which uses int64_t. r=media-playback-reviewers,karlt

https://hg.mozilla.org/mozilla-central/rev/93cf96e033d0

Status: REOPENED → RESOLVED
Closed: 1 year ago1 year ago
status-firefox115: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 115 Branch

Verified bug as fixed on rev mozilla-central 20230531214354-860d4ed91dff.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
status-firefox115: fixedverified
Keywords: bugmon
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: