Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Description • 15 years ago

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090519 Shiretoko/3.5b5pre ID:20090519035556

Using attachment 346615 [details] and seeking over the end of the ogg video crashes the browser. The stack is similar to what has been reported on bug 464007 but which has been marked verified on trunk and 1.9.1.

This crash only happens on branch (OS X and Linux). Running the same steps on trunk doesn't crash the browser.

Crash report: bp-9ac31a94-022d-4e75-ab26-460882090520

0  	XUL  	oggplay_buffer_set_last_data  	media/liboggplay/src/liboggplay/oggplay_buffer.c:150
1 	XUL 	oggplay_step_decoding 	media/liboggplay/src/liboggplay/oggplay.c:686
2 	XUL 	nsOggDecodeStateMachine::Run 	content/media/video/src/nsOggDecoder.cpp:1087
3 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
4 	XUL 	NS_ProcessNextEvent_P 	nsThreadUtils.cpp:227
5 	XUL 	nsThread::ThreadFunc 	xpcom/threads/nsThread.cpp:254
6 	libnspr4.dylib 	_pt_root 	nsprpub/pr/src/pthreads/ptthread.c:228
7 	libSystem.B.dylib 	_pthread_start 	
8 	libSystem.B.dylib 	thread_start

	Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Comment 1 • 15 years ago

Right before the crash happens the following exceptions are thrown:

JavaScript error: , line 0: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLVideoElement.currentTime]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: https://bug449307.bugzilla.mozilla.org/attachment.cgi?id=346615 :: onclick :: line 1"  data: no]
JavaScript error: , line 0: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLVideoElement.currentTime]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: https://bug449307.bugzilla.mozilla.org/attachment.cgi?id=346615 :: onclick :: line 1"  data: no]

Stack from gdb:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000000c
[Switching to process 93207 thread 0x6e37]
0x12e4615a in oggplay_buffer_set_last_data (me=0x180a61f0, buffer=0x1f2e6ad0) at /data/build/shiretoko/media/liboggplay/src/liboggplay/oggplay_buffer.c:150
150	    p->stream_info = OGGPLAY_STREAM_LAST_DATA;
(gdb) bt
#0  0x12e4615a in oggplay_buffer_set_last_data (me=0x180a61f0, buffer=0x1f2e6ad0) at /data/build/shiretoko/media/liboggplay/src/liboggplay/oggplay_buffer.c:150
#1  0x12e434ae in oggplay_step_decoding (me=0x180a61f0) at /data/build/shiretoko/media/liboggplay/src/liboggplay/oggplay.c:686
#2  0x12e31d7e in nsOggDecodeStateMachine::DecodeFrame (this=0x180a4e00) at /data/build/shiretoko/content/media/video/src/nsOggDecoder.cpp:662
#3  0x12e36c97 in nsOggDecodeStateMachine::Run (this=0x180a4e00) at /data/build/shiretoko/content/media/video/src/nsOggDecoder.cpp:1323
#4  0x00568552 in nsThread::ProcessNextEvent (this=0x1f00d910, mayWait=1, result=0xb0452ecc) at /data/build/shiretoko/xpcom/threads/nsThread.cpp:510
#5  0x004f1c60 in NS_ProcessNextEvent_P (thread=0x1f00d910, mayWait=1) at nsThreadUtils.cpp:227
#6  0x00568761 in nsThread::ThreadFunc (arg=0x1f00d910) at /data/build/shiretoko/xpcom/threads/nsThread.cpp:254
#7  0x00736397 in _pt_root (arg=0x180a4be0) at /data/build/shiretoko/nsprpub/pr/src/pthreads/ptthread.c:228
#8  0x90ad3155 in _pthread_start ()
#9  0x90ad3012 in thread_start ()

Seems like we are missing a null pointer check while accessing p->stream_info:
http://mxr.mozilla.org/mozilla1.9.1/source/media/liboggplay/src/liboggplay/oggplay_buffer.c#150

gdb) print p
$3 = (OggPlayCallbackInfo *) 0x0

Steps:
1. Open the given attachment
2 [review]. Wait until the video has been loaded
3. Click on play
4. Click several times on +5s until you reach the end of the video
5. Click several times on -5 and +5

	cajbir (:cajbir)
	Comment 2 • 15 years ago

The attachement linked in comment 1 seems to be invalid. Is there a correct link?

	cajbir (:cajbir)
	Comment 3 • 15 years ago

I got the crash to happen seeking to the end and around that area on a local file. As you say it doesn't happen on trunk - this area of the code was re-written for the keyframe seeking which is on trunk.

It may be due to the fact that the new seek code (oggplay_seek_to_keyframe) in oggplay actually checks if the seek worked before doing the cleaning up of the oggplay buffers, whereas the old code didn't, possibly breaking things.

	Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Comment 4 • 15 years ago

Which bug is that? Can we add it to the dependency list?

	cajbir (:cajbir)
	Comment 5 • 15 years ago

Bug 463358

	Mike Beltzner [:beltzner, not reading bugmail]
	Comment 6 • 15 years ago

Is this a simple matter of getting bug 463358 landed on 191?

	cajbir (:cajbir)
	Comment 7 • 15 years ago

Bug 463358 has other issues - a couple of bugs have been raised about it at the moment. Affecting a/v sync and stopping playback.

	Mike Beltzner [:beltzner, not reading bugmail]
	Comment 8 • 15 years ago

This blocks, though might end up being a duplicate of bug 463358 or be fixed by that bug once it's fixed in ways that don't cause other problems.

	Chris Pearce [:cpearce (Not reading bugmail)]
	Comment 9 • 15 years ago

(In reply to comment #7)
> Bug 463358 has other issues - a couple of bugs have been raised about it at the
> moment. Affecting a/v sync and stopping playback.

I see the a/v sync bug, but I don't see bugs filed for stopping playback. Can you mark them as blocking bug 463358 please?

	Robert O'Callahan (:roc) (email my personal email if necessary)
	Comment 10 • 15 years ago

Fixed by checkin for bug 463358.

	Henrik Skupin [:whimboo][⌚️UTC+2] Reporter
	Comment 11 • 15 years ago

Since this did only happen on 1.9.1 marking as verified with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1pre) Gecko/20090521 Shiretoko/3.5pre ID:20090521135222. I cannot get it to crash anymore.