Closed
Bug 821737
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in nsThread::PutEvent
Categories
(Core :: Audio/Video, defect)
Tracking
()
RESOLVED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox19 | --- | unaffected |
| firefox20 | --- | fixed |
| firefox21 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: inferno, Assigned: padenot)
References
Details
(5 keywords, Whiteboard: [asan][adv-main20-])
Attachments
(4 files, 1 obsolete file)
|
(deleted),
application/java-archive
|
Details | |
|
(deleted),
application/java-archive
|
Details | |
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
kinetik
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Sorry, not a reliable testcase, but this stack is hitting a lot now. This unminimized testcase however is reliably hitting an assert in debug build which seems related.
void MediaDecoderStateMachine::AdvanceFrame()
{
..............
NS_ASSERTION(clock_time >= mStartTime, "Should have positive clock time.");
==21956== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f3ba6f38c38 at pc 0x7f3bbde57ed3 bp 0x7f3bac3f8700 sp 0x7f3bac3f86f8
READ of size 8 at 0x7f3ba6f38c38 thread T8
#0 0x7f3bbde57ed2 in nsThread::PutEvent(nsIRunnable*) ../../dist/include/mozilla/Mutex.h:74
0x7f3ba6f38c38 is located 24 bytes inside of 152-byte region [0x7f3ba6f38c20,0x7f3ba6f38cb8)
freed by thread T0 here:
#0 0x426100 in __interceptor_free
#1 0x7f3bbde56139 in nsThread::Release() ../../dist/include/mozilla/mozalloc.h:224
previously allocated by thread T0 here:
#0 0x4261c0 in malloc
Thread T8 created by T0 here:
#0 0x4223c4 in __interceptor_pthread_create
#1 0x7f3bc3a7277f in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:393
#2 0x7f3bc3a721e7 in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:476
Shadow byte and word:
0x1fe774de7187: fd
0x1fe774de7180: fa fa fa fa fd fd fd fd
More shadow bytes:
0x1fe774de7160: fa fa fa fa fd fd fd fd
0x1fe774de7168: fd fd fd fd fd fd fd fd
0x1fe774de7170: fd fd fd fd fd fd fd fd
0x1fe774de7178: fd fd fd fd fd fd fd fd
=>0x1fe774de7180: fa fa fa fa fd fd fd fd
0x1fe774de7188: fd fd fd fd fd fd fd fd
0x1fe774de7190: fd fd fd fd fd fd fd fd
0x1fe774de7198: fa fa fa fa fa fa fa fa
0x1fe774de71a0: fa fa fa fa fd fd fd fd
Stats: 379M malloced (340M for red zones) by 565542 calls
Stats: 39M realloced by 27183 calls
Stats: 349M freed by 410529 calls
Stats: 315M really freed by 361763 calls
Stats: 285M (73138 full pages) mmaped in 547 calls
mmaps by size class: 6:98292; 7:94185; 8:36846; 9:16368; 10:9198; 11:6630; 12:2432; 13:2688; 14:2464; 15:224; 16:784; 17:460; 18:30; 19:33; 20:21;
mallocs by size class: 6:208039; 7:186369; 8:84944; 9:30757; 10:14175; 11:16347; 12:4134; 13:8752; 14:7741; 15:512; 16:2108; 17:1552; 18:48; 19:40; 20:24;
frees by size class: 6:155481; 7:121055; 8:62848; 9:23201; 10:10552; 11:14243; 12:3103; 13:8525; 14:7497; 15:392; 16:2004; 17:1528; 18:39; 19:39; 20:22;
rfrees by size class: 6:140406; 7:102931; 8:55273; 9:21797; 10:9463; 11:13167; 12:2818; 13:6496; 14:5584; 15:377; 16:1830; 17:1521; 18:39; 19:39; 20:22;
Stats: malloc large: 4284 small slow: 11087
==21956== ABORTING
|
||
Updated•12 years ago
|
Component: General → Video/Audio
Product: Firefox → Core
|
||
Comment 1•12 years ago
|
||
Hrm, not sure if I'm missing something. Does this test case use web audio in any way?
|
Reporter | |
Comment 2•12 years ago
|
||
(In reply to Ehsan Akhgari [:ehsan] from comment #1)
> Hrm, not sure if I'm missing something. Does this test case use web audio
> in any way?
It uses a wav file (enclosed in testcase attachment) and tries to seek to different times and also with volume levels.
|
Assignee | |
Comment 3•12 years ago
|
||
I'll valgrind this over the weekend, or maybe it's obvious for someone. Or maybe we don't care.
Ehsan, this does not use web audio, not sure why you are cc-ed.
|
|
Reporter | |
Comment 4•12 years ago
|
||
I had another crash hit which i tried in the debug build. It hits the assert
NS_ASSERTION(!audio || (audio->mTime <= seekTime &&
seekTime <= audio->mTime + audio->mDuration),
"Seek target should lie inside the first audio block after seek");
and eventually ending in
NS_ASSERTION(clock_time >= mStartTime, "Should have positive clock time.");
So, this bug definitely looks like integer underflow in time :)
|
||
Comment 5•12 years ago
|
||
(In reply to Abhishek Arya from comment #4)
> I had another crash hit which i tried in the debug build. It hits the assert
>
> NS_ASSERTION(!audio || (audio->mTime <= seekTime &&
> seekTime <= audio->mTime + audio->mDuration),
> "Seek target should lie inside the first audio block
> after seek");
We've been hitting this assertion for years, no one's had the time to dig into it.
>
> and eventually ending in
>
> NS_ASSERTION(clock_time >= mStartTime, "Should have positive clock time.");
>
> So, this bug definitely looks like integer underflow in time :)
I thought we'd fixed this in bug 815017. That merged to m-c on 2012-12-11 PST, does your build contain the fix from bug 815017?
|
|
Reporter | |
Comment 6•12 years ago
|
||
The stack from my fuzzing uses release build (since that goes in production). When this stack was hit yesterday (again), it was using latest build
20121215234951
http://hg.mozilla.org/mozilla-central/rev/5ea1c76e4bb3
So, the use-after-free should be on trunk.
Now regarding the assert, I was using a few days old debug build on my windows machine. I updated it now. NS_ASSERTION(clock_time >= mStartTime, "Should have positive clock time."); is now gone. but NS_ASSERTION(!audio || (audio->mTime <= seekTime &&
> seekTime <= audio->mTime + audio->mDuration) still hits.
I am enclosing this second testcase. I don't know if the assert and release build crash are related. release build crash does not reproduce easily, looks like a race condition since free and crash are on different threads.
|
|
Reporter | |
Comment 7•12 years ago
|
||
|
||
Comment 8•12 years ago
|
||
Can we not get longer stacks from the ASAN report (at least 8 frames)? It looks like we're trying to post an event to a thread which has already been deleted, but because we only have 3 frames we don't actually know what event is being posted nor what thread it would be going to.
I presume this is not happening during shutdown, but just while running the testcase?
|
||
Updated•12 years ago
|
Flags: sec-bounty?
|
|
||
Updated•12 years ago
|
Attachment #692322 -
Attachment mime type: application/x-zip-compressed → application/java-archive
|
|
||
Updated•12 years ago
|
Attachment #692778 -
Attachment mime type: application/x-zip-compressed → application/java-archive
|
||
Comment 9•12 years ago
|
||
(In reply to Chris Pearce (:cpearce, away 20 Dec until 10 Jan) from comment #5)
> (In reply to Abhishek Arya from comment #4)
> >
> > and eventually ending in
> >
> > NS_ASSERTION(clock_time >= mStartTime, "Should have positive clock time.");
> >
> > So, this bug definitely looks like integer underflow in time :)
>
> I thought we'd fixed this in bug 815017. That merged to m-c on 2012-12-11
> PST, does your build contain the fix from bug 815017?
Chris are you sure you meant 815017? (I don't see any landings as of now).
|
|
||
Comment 10•12 years ago
|
||
Adding needinfo so this shows up when you're back :)
Flags: needinfo?(cpearce)
|
|
Assignee | |
Comment 11•12 years ago
|
||
David, I believe Chris Pearce meant bug 815107 (it makes sense considering the context and the bug number is quite similar).
Flags: needinfo?(cpearce)
|
||
Comment 12•12 years ago
|
||
Can we get this bug assigned to someone as a sec-critical?
Whiteboard: [asan]
|
|
Reporter | |
Comment 13•12 years ago
|
||
Another testcase, which looks like just running test content/media/test/crashtests/481136-1.html. Also, just a fyi, this was not during shutdown as the crash timeout was way before my shutdown timeout.
|
|
||
Comment 14•12 years ago
|
||
decoder, is it possible you could get better ASAN reports with full stacks? That will help identify the best owner for this bug.
Assignee: nobody → choller
|
|
||
Updated•12 years ago
|
Flags: needinfo?(choller)
|
||
Comment 15•12 years ago
|
||
I wasn't able to reproduce in a debug build, but I got this with the second testcase:
==32634== ERROR: AddressSanitizer heap-use-after-free on address 0x7fabe9884584 at pc 0x7fac1eac7a57 bp 0x7fabde9f9ab0 sp 0x7fabde9f9aa8
READ of size 4 at 0x7fabe9884584 thread T28
#0 0x7fac1eac7a56 in soundtouch::FIRFilter::evaluateFilterMono(float*, float const*, unsigned int) const /builds/slave/try-lnx64/build/media/libsoundtouch/src/FIRFilter.cpp:151
0x7fabe9884584 is located 4 bytes inside of 128-byte region [0x7fabe9884580,0x7fabe9884600)
freed by thread T9476 here:
#0 0x435a70 in free ??:0
#1 0x7fac1ead0744 in ~FIRFilterSSE /builds/slave/try-lnx64/build/media/libsoundtouch/src/sse_optimized.cpp:205
#2 0x7fac1c83fea6 in nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /builds/slave/try-lnx64/build/../../dist/include/nsThreadUtils.h:367
#3 0x7fac1e1a6283 in NS_ProcessNextEvent_P(nsIThread*, bool) /builds/slave/try-lnx64/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
#4 0x7fac1e26b62c in nsThread::ThreadFunc(void*) /builds/slave/try-lnx64/build/xpcom/threads/nsThread.cpp:265
#5 0x7fac245154d5 in _pt_root /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:156
#6 0x43870a in __asan::AsanThread::ThreadStart() ??:0
previously allocated by thread T28 here:
#0 0x435b30 in __interceptor_malloc ??:0
#1 0x7fac22607288 in moz_xmalloc /builds/slave/try-lnx64/build/memory/mozalloc/mozalloc.cpp:54
Thread T28 created by T27 here:
#0 0x431d64 in pthread_create ??:0
#1 0x7fac1ead124f in cubeb_init /builds/slave/try-lnx64/build/media/libcubeb/src/cubeb_alsa.c:685
#2 0x7fac1c85ee48 in mozilla::GetCubebContext() /builds/slave/try-lnx64/build/content/media/AudioStream.cpp:142
#3 0x7fac1c83361d in mozilla::MediaDecoderStateMachine::AudioLoop() /builds/slave/try-lnx64/build/content/media/MediaDecoderStateMachine.cpp:982
#4 0x7fac1c83fea6 in nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /builds/slave/try-lnx64/build/../../dist/include/nsThreadUtils.h:367
#5 0x7fac1e1a6283 in NS_ProcessNextEvent_P(nsIThread*, bool) /builds/slave/try-lnx64/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
#6 0x7fac1e26b62c in nsThread::ThreadFunc(void*) /builds/slave/try-lnx64/build/xpcom/threads/nsThread.cpp:265
#7 0x7fac245154d5 in _pt_root /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:156
#8 0x43870a in __asan::AsanThread::ThreadStart() ??:0
Thread T27 created by T26 here:
#0 0x431d64 in pthread_create ??:0
#1 0x7fac2451164c in _PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:393
#2 0x7fac245110c7 in PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:476
Thread T26 created by T25 here:
#0 0x431d64 in pthread_create ??:0
#1 0x7fac2451164c in _PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:393
#2 0x7fac245110c7 in PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:476
Thread T25 created by T0 here:
#0 0x431d64 in pthread_create ??:0
#1 0x7fac2451164c in _PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:393
#2 0x7fac245110c7 in PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:476
Thread T9476 created by T9149 here:
#0 0x431d64 in pthread_create ??:0
#1 0x7fac2451164c in _PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:393
#2 0x7fac245110c7 in PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:476
Thread T9149 created by T0 here:
#0 0x431d64 in pthread_create ??:0
#1 0x7fac2451164c in _PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:393
#2 0x7fac245110c7 in PR_CreateThread /builds/slave/try-lnx64/build/nsprpub/pr/src/pthreads/ptthread.c:476
Shadow byte and word:
0x1ff57d3108b0: fd
0x1ff57d3108b0: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1ff57d310890: 00 00 00 00 00 00 00 00
0x1ff57d310898: 00 00 00 00 00 00 00 00
0x1ff57d3108a0: fa fa fa fa fa fa fa fa
0x1ff57d3108a8: fa fa fa fa fa fa fa fa
=>0x1ff57d3108b0: fd fd fd fd fd fd fd fd
0x1ff57d3108b8: fd fd fd fd fd fd fd fd
0x1ff57d3108c0: fa fa fa fa fa fa fa fa
0x1ff57d3108c8: fa fa fa fa fa fa fa fa
0x1ff57d3108d0: 00 00 00 00 00 fb fb fb
Flags: needinfo?(choller)
|
|
Reporter | |
Comment 16•12 years ago
|
||
More stack frames with a fully symbolized builds. This is for 2nd testcase, it crashes with two different stacks.
Stack1::
>==10001== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fa8de315d88 at pc 0x7fa90b67e164 bp 0x7fa8e0b9b110 sp 0x7fa8e0b9b108
>READ of size 4 at 0x7fa8de315d88 thread T20
> #0 0x7fa90b67e163 in soundtouch::FIRFilter::evaluateFilterMono(float*, float const*, unsigned int) const src/media/libsoundtouch/src/FIRFilter.cpp:151
> #1 0x7fa90b67fdb9 in soundtouch::FIRFilter::evaluate(float*, float const*, unsigned int, unsigned int) const /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/FIRFilter.cpp:213
> #2 0x7fa90b675a98 in soundtouch::AAFilter::evaluate(float*, float const*, unsigned int, unsigned int) const /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/AAFilter.cpp:177
> #3 0x7fa90b683bd0 in soundtouch::RateTransposer::downsample(float const*, unsigned int) /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/RateTransposer.cpp:261
> #4 0x7fa90b68256b in soundtouch::RateTransposer::processSamples(float const*, unsigned int) /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/RateTransposer.cpp:304
> #5 0x7fa90b681d34 in soundtouch::RateTransposer::putSamples(float const*, unsigned int) /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/RateTransposer.cpp:207
> #6 0x7fa90b691854 in soundtouch::SoundTouch::putSamples(float const*, unsigned int) /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/SoundTouch.cpp:324
> #7 0x7fa8ffa3ba2e in mozilla::BufferedAudioStream::GetTimeStretched(void*, long) /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:983
> #8 0x7fa8ffa3c9d5 in mozilla::BufferedAudioStream::DataCallback(void*, long) /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:1008
> #9 0x7fa8ffa330a2 in mozilla::BufferedAudioStream::DataCallback_S(cubeb_stream*, void*, void*, long) /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:610
> #10 0x7fa90b6b70a2 in cubeb_refill_stream /usr/local/google/home/aarya/firefox/src/media/libcubeb/src/cubeb_alsa.c:301
> #11 0x7fa90b6b38c2 in cubeb_run /usr/local/google/home/aarya/firefox/src/media/libcubeb/src/cubeb_alsa.c:383
> #12 0x7fa90b6a9c60 in cubeb_run_thread /usr/local/google/home/aarya/firefox/src/media/libcubeb/src/cubeb_alsa.c:415
> #13 0x414a5a in __asan::AsanThread::ThreadStart()
>0x7fa8de315d88 is located 8 bytes inside of 128-byte region [0x7fa8de315d80,0x7fa8de315e00)
>freed by thread T143 (Media Audio) here:
> #0 0x40fb32 in __interceptor_free
> #1 0x7fa91a36a4b9 in moz_free /usr/local/google/home/aarya/firefox/src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7fa90b67b60d in operator delete[](void*) /usr/local/google/home/aarya/firefox/src/../../../dist/include/mozilla/mozalloc.h:236
> #3 0x7fa90b67b60d in soundtouch::FIRFilter::~FIRFilter() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/FIRFilter.cpp:69
> #4 0x7fa90b6a3d2e in soundtouch::FIRFilterSSE::~FIRFilterSSE() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/sse_optimized.cpp:205
> #5 0x7fa90b6a39ef in soundtouch::FIRFilterSSE::~FIRFilterSSE() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/sse_optimized.cpp:201
> #6 0x7fa90b673a80 in soundtouch::AAFilter::~AAFilter() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/AAFilter.cpp:72
> #7 0x7fa90b680f06 in soundtouch::RateTransposer::~RateTransposer() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/RateTransposer.cpp:140
> #8 0x7fa90b688d1f in RateTransposerFloat::~RateTransposerFloat() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/RateTransposer.cpp:521
> #9 0x7fa90b68ed60 in soundtouch::SoundTouch::~SoundTouch() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/SoundTouch.cpp:121
> #10 0x7fa90b68eabf in soundtouch::SoundTouch::~SoundTouch() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/SoundTouch.cpp:120
> #11 0x7fa8ffa40cdc in nsAutoPtr<soundtouch::SoundTouch>::assign(soundtouch::SoundTouch*) /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:40
> #12 0x7fa8ffa26862 in nsAutoPtr<soundtouch::SoundTouch>::operator=(soundtouch::SoundTouch*) /usr/local/google/home/aarya/firefox/src/../../dist/include/nsAutoPtr.h:103
> #13 0x7fa8ffa26460 in mozilla::AudioStream::EnsureTimeStretcherInitialized() /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:226
> #14 0x7fa8ffa26d87 in mozilla::AudioStream::SetPlaybackRate(double) /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:244
> #15 0x7fa8ff97cd00 in mozilla::MediaDecoderStateMachine::AudioLoop() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:1049
> #16 0x7fa8ff99c7d2 in nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:367
> #17 0x7fa9073c220f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
> #18 0x7fa9070369a5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #19 0x7fa9073b9d89 in nsThread::ThreadFunc(void*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:265
> #20 0x7fa9186caf19 in _pt_root /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:156
> #21 0x414a5a in __asan::AsanThread::ThreadStart()
>previously allocated by thread T20 here:
> #0 0x40fc12 in __interceptor_malloc
> #1 0x7fa91a36a604 in moz_xmalloc /usr/local/google/home/aarya/firefox/src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7fa90b67f097 in operator new[](unsigned long) /usr/local/google/home/aarya/firefox/src/../../../dist/include/mozilla/mozalloc.h:212
> #3 0x7fa90b67f097 in soundtouch::FIRFilter::setCoefficients(float const*, unsigned int, unsigned int) /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/FIRFilter.cpp:186
> #4 0x7fa90b6a41fd in soundtouch::FIRFilterSSE::setCoefficients(float const*, unsigned int, unsigned int) /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/sse_optimized.cpp:214
> #5 0x7fa90b6753af in soundtouch::AAFilter::calculateCoeffs() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/AAFilter.cpp:165
> #6 0x7fa90b673c73 in soundtouch::AAFilter::setCutoffFreq(double) /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/AAFilter.cpp:83
> #7 0x7fa90b681a8c in soundtouch::RateTransposer::setRate(float) /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/RateTransposer.cpp:183
> #8 0x7fa90b68e11e in soundtouch::SoundTouch::calcEffectiveRateAndTempo() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/SoundTouch.cpp:242
> #9 0x7fa90b68d3b4 in soundtouch::SoundTouch::SoundTouch() /usr/local/google/home/aarya/firefox/src/media/libsoundtouch/src/SoundTouch.cpp:111
> #10 0x7fa8ffa26451 in mozilla::AudioStream::EnsureTimeStretcherInitialized() /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:226
> #11 0x7fa8ffa3af3c in mozilla::BufferedAudioStream::GetTimeStretched(void*, long) /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:964
> #12 0x7fa8ffa3c9d5 in mozilla::BufferedAudioStream::DataCallback(void*, long) /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:1008
> #13 0x7fa8ffa330a2 in mozilla::BufferedAudioStream::DataCallback_S(cubeb_stream*, void*, void*, long) /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:610
> #14 0x7fa90b6b70a2 in cubeb_refill_stream /usr/local/google/home/aarya/firefox/src/media/libcubeb/src/cubeb_alsa.c:301
> #15 0x7fa90b6b38c2 in cubeb_run /usr/local/google/home/aarya/firefox/src/media/libcubeb/src/cubeb_alsa.c:383
> #16 0x7fa90b6a9c60 in cubeb_run_thread /usr/local/google/home/aarya/firefox/src/media/libcubeb/src/cubeb_alsa.c:415
> #17 0x414a5a in __asan::AsanThread::ThreadStart()
>Thread T20 created by T19 (Media Audio) here:
> #0 0x40d3e4 in __interceptor_pthread_create
> #1 0x7fa90b6a8e3c in cubeb_init /usr/local/google/home/aarya/firefox/src/media/libcubeb/src/cubeb_alsa.c:685
> #2 0x7fa8ffa32b0e in mozilla::GetCubebContext() /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:142
> #3 0x7fa8ffa31a08 in mozilla::BufferedAudioStream::Init(int, int, mozilla::dom::AudioChannelType) /usr/local/google/home/aarya/firefox/src/content/media/AudioStream.cpp:708
> #4 0x7fa8ff97b564 in mozilla::MediaDecoderStateMachine::AudioLoop() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:982
> #5 0x7fa8ff99c7d2 in nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:367
> #6 0x7fa9073c220f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
> #7 0x7fa9070369a5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #8 0x7fa9073b9d89 in nsThread::ThreadFunc(void*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:265
> #9 0x7fa9186caf19 in _pt_root /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:156
> #10 0x414a5a in __asan::AsanThread::ThreadStart()
>Thread T19 (Media Audio) created by T16 (Media State) here:
> #0 0x40d3e4 in __interceptor_pthread_create
> #1 0x7fa9186bc215 in _PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fa9186ba006 in PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fa9073bce66 in nsThread::Init() /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:331
> #4 0x7fa9073d4cd9 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fa9070340f2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fa8fe78b120 in tag_nsresult NS_NewNamedThread_P<12ul>(char const (&) [12ul], nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fa8ff983c5b in mozilla::MediaDecoderStateMachine::StartAudioThread() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:1675
> #8 0x7fa8ff9836be in mozilla::MediaDecoderStateMachine::StartPlayback() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:1264
> #9 0x7fa8ff9930c6 in mozilla::MediaDecoderStateMachine::AdvanceFrame() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:2371
> #10 0x7fa8ff99009b in mozilla::MediaDecoderStateMachine::RunStateMachine() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:2084
> #11 0x7fa8ff998246 in mozilla::MediaDecoderStateMachine::CallRunStateMachine() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:2590
> #12 0x7fa8ff997bb2 in mozilla::MediaDecoderStateMachine::Run() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:2567
> #13 0x7fa9073c220f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
> #14 0x7fa9070369a5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #15 0x7fa9073b9d89 in nsThread::ThreadFunc(void*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:265
> #16 0x7fa9186caf19 in _pt_root /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:156
> #17 0x414a5a in __asan::AsanThread::ThreadStart()
>Thread T16 (Media State) created by T0 here:
> #0 0x40d3e4 in __interceptor_pthread_create
> #1 0x7fa9186bc215 in _PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fa9186ba006 in PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fa9073bce66 in nsThread::Init() /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:331
> #4 0x7fa9073d4cd9 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fa9070340f2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fa8fe78b120 in tag_nsresult NS_NewNamedThread_P<12ul>(char const (&) [12ul], nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fa8ff95eea4 in mozilla::StateMachineTracker::EnsureGlobalStateMachine() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:243
> #8 0x7fa8ff962d45 in mozilla::MediaDecoderStateMachine::MediaDecoderStateMachine(mozilla::MediaDecoder*, mozilla::MediaDecoderReader*, bool) /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:395
> #9 0x7fa8ffacdb2e in mozilla::OggDecoder::CreateStateMachine() /usr/local/google/home/aarya/firefox/src/content/media/ogg/OggDecoder.cpp:15
> #10 0x7fa8ff932a01 in mozilla::MediaDecoder::Load(mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoder.cpp:425
> #11 0x7fa8fd31953d in nsHTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) /usr/local/google/home/aarya/firefox/src/content/html/content/src/nsHTMLMediaElement.cpp:2335
> #12 0x7fa8fd2d68e0 in nsHTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) /usr/local/google/home/aarya/firefox/src/content/html/content/src/nsHTMLMediaElement.cpp:2308
> #13 0x7fa8fd2d4f35 in nsHTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) /usr/local/google/home/aarya/firefox/src/content/html/content/src/nsHTMLMediaElement.cpp:365
> #14 0x7fa8f7740453 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsBaseChannel.cpp:720
> #15 0x7fa8f77417df in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsBaseChannel.cpp:722
> #16 0x7fa8f77f148e in nsInputStreamPump::OnStateStart() /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:417
> #17 0x7fa8f77f0626 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:368
> #18 0x7fa8f77f3d29 in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:397
> #19 0x7fa9072a2c99 in nsInputStreamReadyEvent::Run() /usr/local/google/home/aarya/firefox/src/xpcom/io/nsStreamUtils.cpp:82
> #20 0x7fa9073c220f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
> #21 0x7fa9070369a5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #22 0x7fa9044eec3c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /usr/local/google/home/aarya/firefox/src/ipc/glue/MessagePump.cpp:82
> #23 0x7fa9076b3c92 in MessageLoop::RunInternal() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:215
> #24 0x7fa9076b3ac9 in MessageLoop::RunHandler() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:208
> #25 0x7fa9076b399e in MessageLoop::Run() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:182
> #26 0x7fa9038d6b77 in nsBaseAppShell::Run() /usr/local/google/home/aarya/firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #27 0x7fa9023e1815 in nsAppStartup::Run() /usr/local/google/home/aarya/firefox/src/toolkit/components/startup/nsAppStartup.cpp:288
> #28 0x7fa8f75d5d44 in XREMain::XRE_mainRun() /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:3823
> #29 0x7fa8f75db92a in XREMain::XRE_main(int, char**, nsXREAppData const*) /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:3890
> #30 0x7fa8f75de700 in XRE_main /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:4093
> #31 0x41db83 in do_main(int, char**, nsIFile*) /usr/local/google/home/aarya/firefox/src/browser/app/nsBrowserApp.cpp:195
> #32 0x41ae86 in main /usr/local/google/home/aarya/firefox/src/browser/app/nsBrowserApp.cpp:388
> #33 0x7fa91934d76c in
>Thread T143 (Media Audio) created by T142 (Media Decode) here:
> #0 0x40d3e4 in __interceptor_pthread_create
> #1 0x7fa9186bc215 in _PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fa9186ba006 in PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fa9073bce66 in nsThread::Init() /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:331
> #4 0x7fa9073d4cd9 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fa9070340f2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fa8fe78b120 in tag_nsresult NS_NewNamedThread_P<12ul>(char const (&) [12ul], nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fa8ff983c5b in mozilla::MediaDecoderStateMachine::StartAudioThread() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:1675
> #8 0x7fa8ff9836be in mozilla::MediaDecoderStateMachine::StartPlayback() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:1264
> #9 0x7fa8ff967d77 in mozilla::MediaDecoderStateMachine::DecodeMetadata() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:1850
> #10 0x7fa8ff966147 in mozilla::MediaDecoderStateMachine::DecodeThreadRun() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:477
> #11 0x7fa8ff99c7d2 in nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), true>::Run() /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:367
> #12 0x7fa9073c220f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
> #13 0x7fa9070369a5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #14 0x7fa9073b9d89 in nsThread::ThreadFunc(void*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:265
> #15 0x7fa9186caf19 in _pt_root /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:156
> #16 0x414a5a in __asan::AsanThread::ThreadStart()
>Thread T142 (Media Decode) created by T141 (Media State) here:
> #0 0x40d3e4 in __interceptor_pthread_create
> #1 0x7fa9186bc215 in _PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fa9186ba006 in PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fa9073bce66 in nsThread::Init() /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:331
> #4 0x7fa9073d4cd9 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fa9070340f2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fa8f9085010 in tag_nsresult NS_NewNamedThread_P<13ul>(char const (&) [13ul], nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fa8ff960229 in mozilla::MediaDecoderStateMachine::StartDecodeThread() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:1642
> #8 0x7fa8ff961612 in mozilla::StateMachineTracker::RequestCreateDecodeThread(mozilla::MediaDecoderStateMachine*) /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:341
> #9 0x7fa8ff98bbd0 in mozilla::MediaDecoderStateMachine::ScheduleDecodeThread() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:1620
> #10 0x7fa8ff98fe7e in mozilla::MediaDecoderStateMachine::RunStateMachine() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:2055
> #11 0x7fa8ff998246 in mozilla::MediaDecoderStateMachine::CallRunStateMachine() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:2590
> #12 0x7fa8ff997bb2 in mozilla::MediaDecoderStateMachine::Run() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:2567
> #13 0x7fa9073c220f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
> #14 0x7fa9070369a5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #15 0x7fa9073b9d89 in nsThread::ThreadFunc(void*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:265
> #16 0x7fa9186caf19 in _pt_root /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:156
> #17 0x414a5a in __asan::AsanThread::ThreadStart()
>Thread T141 (Media State) created by T0 here:
> #0 0x40d3e4 in __interceptor_pthread_create
> #1 0x7fa9186bc215 in _PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fa9186ba006 in PR_CreateThread /usr/local/google/home/aarya/firefox/src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fa9073bce66 in nsThread::Init() /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:331
> #4 0x7fa9073d4cd9 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fa9070340f2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fa8fe78b120 in tag_nsresult NS_NewNamedThread_P<12ul>(char const (&) [12ul], nsIThread**, nsIRunnable*, unsigned int) /usr/local/google/home/aarya/firefox/src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fa8ff95eea4 in mozilla::StateMachineTracker::EnsureGlobalStateMachine() /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:243
> #8 0x7fa8ff962d45 in mozilla::MediaDecoderStateMachine::MediaDecoderStateMachine(mozilla::MediaDecoder*, mozilla::MediaDecoderReader*, bool) /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoderStateMachine.cpp:395
> #9 0x7fa8ffacdb2e in mozilla::OggDecoder::CreateStateMachine() /usr/local/google/home/aarya/firefox/src/content/media/ogg/OggDecoder.cpp:15
> #10 0x7fa8ff932a01 in mozilla::MediaDecoder::Load(mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) /usr/local/google/home/aarya/firefox/src/content/media/MediaDecoder.cpp:425
> #11 0x7fa8fd31953d in nsHTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) /usr/local/google/home/aarya/firefox/src/content/html/content/src/nsHTMLMediaElement.cpp:2335
> #12 0x7fa8fd2d68e0 in nsHTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) /usr/local/google/home/aarya/firefox/src/content/html/content/src/nsHTMLMediaElement.cpp:2308
> #13 0x7fa8fd2d4f35 in nsHTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) /usr/local/google/home/aarya/firefox/src/content/html/content/src/nsHTMLMediaElement.cpp:365
> #14 0x7fa8f7740453 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsBaseChannel.cpp:720
> #15 0x7fa8f77417df in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsBaseChannel.cpp:722
> #16 0x7fa8f77f148e in nsInputStreamPump::OnStateStart() /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:417
> #17 0x7fa8f77f0626 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:368
> #18 0x7fa8f77f3d29 in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /usr/local/google/home/aarya/firefox/src/netwerk/base/src/nsInputStreamPump.cpp:397
> #19 0x7fa9072a2c99 in nsInputStreamReadyEvent::Run() /usr/local/google/home/aarya/firefox/src/xpcom/io/nsStreamUtils.cpp:82
> #20 0x7fa9073c220f in nsThread::ProcessNextEvent(bool, bool*) /usr/local/google/home/aarya/firefox/src/xpcom/threads/nsThread.cpp:627
> #21 0x7fa9070369a5 in NS_ProcessNextEvent_P(nsIThread*, bool) /usr/local/google/home/aarya/firefox/src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #22 0x7fa9044eec3c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /usr/local/google/home/aarya/firefox/src/ipc/glue/MessagePump.cpp:82
> #23 0x7fa9076b3c92 in MessageLoop::RunInternal() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:215
> #24 0x7fa9076b3ac9 in MessageLoop::RunHandler() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:208
> #25 0x7fa9076b399e in MessageLoop::Run() /usr/local/google/home/aarya/firefox/src/ipc/chromium/src/base/message_loop.cc:182
> #26 0x7fa9038d6b77 in nsBaseAppShell::Run() /usr/local/google/home/aarya/firefox/src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #27 0x7fa9023e1815 in nsAppStartup::Run() /usr/local/google/home/aarya/firefox/src/toolkit/components/startup/nsAppStartup.cpp:288
> #28 0x7fa8f75d5d44 in XREMain::XRE_mainRun() /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:3823
> #29 0x7fa8f75db92a in XREMain::XRE_main(int, char**, nsXREAppData const*) /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:3890
> #30 0x7fa8f75de700 in XRE_main /usr/local/google/home/aarya/firefox/src/toolkit/xre/nsAppRunner.cpp:4093
> #31 0x41db83 in do_main(int, char**, nsIFile*) /usr/local/google/home/aarya/firefox/src/browser/app/nsBrowserApp.cpp:195
> #32 0x41ae86 in main /usr/local/google/home/aarya/firefox/src/browser/app/nsBrowserApp.cpp:388
> #33 0x7fa91934d76c in
>Shadow bytes around the buggy address:
> 0x1ff51bc62b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ff51bc62b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1ff51bc62b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ff51bc62b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1ff51bc62ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1ff51bc62bb0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> 0x1ff51bc62bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ff51bc62bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ff51bc62be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ff51bc62bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x1ff51bc62c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap righ redzone: fb
> Freed Heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> ASan internal: fe
>Stats: 358M malloced (383M for red zones) by 575565 calls
>Stats: 51M realloced by 31590 calls
>Stats: 328M freed by 433733 calls
>Stats: 198M really freed by 249861 calls
>Stats: 564M (564M-0M) mmaped; 141 maps, 0 unmaps
> mmaps by size class: 8:294894; 9:40955; 10:12285; 11:14329; 12:3072; 13:7168; 14:1280; 15:896; 16:1280; 17:1280; 18:96; 19:48; 20:28;
> mallocs by size class: 8:472566; 9:47044; 10:14477; 11:22424; 12:3975; 13:7974; 14:2176; 15:1069; 16:2209; 17:1453; 18:124; 19:48; 20:26;
> frees by size class: 8:348624; 9:36943; 10:10831; 11:20251; 12:2970; 13:7512; 14:1983; 15:940; 16:2064; 17:1435; 18:111; 19:46; 20:23;
> rfrees by size class: 8:208333; 9:16813; 10:4501; 11:13343; 12:1426; 13:1292; 14:1344; 15:236; 16:1163; 17:1316; 18:52; 19:37; 20:5;
>Stats: malloc large: 1651 small slow: 4471
>Stats: StackDepot: 0 ids; 0M mapped
>==10001== ABORTING
>
>
>
Stack 2::
>==3282== ERROR: AddressSanitizer: attempting double-free on 0x7fd3376dd080:
> #0 0x40f992 in __interceptor_free
> #1 0x7fd393cdb409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7fd387e32477 in operator delete[](void*) src/../../../dist/include/mozilla/mozalloc.h:236
> #3 0x7fd387e32477 in soundtouch::TDStretch::acceptNewOverlapLength(int) src/media/libsoundtouch/src/TDStretch.cpp:589
> #4 0x7fd387e2bcb2 in soundtouch::TDStretch::calculateOverlapLength(int) src/media/libsoundtouch/src/TDStretch.cpp:775
> #5 0x7fd387e29d94 in soundtouch::TDStretch::setParameters(int, int, int, int) src/media/libsoundtouch/src/TDStretch.cpp:158
> #6 0x7fd387e25068 in soundtouch::SoundTouch::setSampleRate(unsigned int) src/media/libsoundtouch/src/SoundTouch.cpp:287
> #7 0x7fd37c3d848c in mozilla::AudioStream::EnsureTimeStretcherInitialized() src/content/media/AudioStream.cpp:227
> #8 0x7fd37c3d8d27 in mozilla::AudioStream::SetPlaybackRate(double) src/content/media/AudioStream.cpp:244
> #9 0x7fd37c32eca0 in mozilla::MediaDecoderStateMachine::AudioLoop() src/content/media/MediaDecoderStateMachine.cpp:1049
> #10 0x7fd37c34e772 in nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), true>::Run() src/../../dist/include/nsThreadUtils.h:367
> #11 0x7fd383b567df in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #12 0x7fd3837cb165 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #13 0x7fd383b4e359 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:265
> #14 0x7fd3961daa59 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:156
> #15 0x4148aa in __asan::AsanThread::ThreadStart()
>0x7fd3376dd080 is located 0 bytes inside of 2832-byte region [0x7fd3376dd080,0x7fd3376ddb90)
>freed by thread T18 here:
> #0 0x40f992 in __interceptor_free
> #1 0x7fd393cdb409 in moz_free src/memory/mozalloc/mozalloc.cpp:48
> #2 0x7fd387e32477 in operator delete[](void*) src/../../../dist/include/mozilla/mozalloc.h:236
> #3 0x7fd387e32477 in soundtouch::TDStretch::acceptNewOverlapLength(int) src/media/libsoundtouch/src/TDStretch.cpp:589
> #4 0x7fd387e2bcb2 in soundtouch::TDStretch::calculateOverlapLength(int) src/media/libsoundtouch/src/TDStretch.cpp:775
> #5 0x7fd387e29d94 in soundtouch::TDStretch::setParameters(int, int, int, int) src/media/libsoundtouch/src/TDStretch.cpp:158
> #6 0x7fd387e25068 in soundtouch::SoundTouch::setSampleRate(unsigned int) src/media/libsoundtouch/src/SoundTouch.cpp:287
> #7 0x7fd37c3d848c in mozilla::AudioStream::EnsureTimeStretcherInitialized() src/content/media/AudioStream.cpp:227
> #8 0x7fd37c3ecedc in mozilla::BufferedAudioStream::GetTimeStretched(void*, long) src/content/media/AudioStream.cpp:964
> #9 0x7fd37c3ee975 in mozilla::BufferedAudioStream::DataCallback(void*, long) src/content/media/AudioStream.cpp:1008
> #10 0x7fd37c3e5042 in mozilla::BufferedAudioStream::DataCallback_S(cubeb_stream*, void*, void*, long) src/content/media/AudioStream.cpp:610
> #11 0x7fd387e4ae42 in cubeb_refill_stream src/media/libcubeb/src/cubeb_alsa.c:301
> #12 0x7fd387e47662 in cubeb_run src/media/libcubeb/src/cubeb_alsa.c:383
> #13 0x7fd387e3da00 in cubeb_run_thread src/media/libcubeb/src/cubeb_alsa.c:415
> #14 0x4148aa in __asan::AsanThread::ThreadStart()
>previously allocated by thread T18 here:
> #0 0x40fa72 in malloc
> #1 0x7fd393cdb554 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
> #2 0x7fd387e32588 in operator new[](unsigned long) src/../../../dist/include/mozilla/mozalloc.h:212
> #3 0x7fd387e32588 in soundtouch::TDStretch::acceptNewOverlapLength(int) src/media/libsoundtouch/src/TDStretch.cpp:591
> #4 0x7fd387e2bcb2 in soundtouch::TDStretch::calculateOverlapLength(int) src/media/libsoundtouch/src/TDStretch.cpp:775
> #5 0x7fd387e29d94 in soundtouch::TDStretch::setParameters(int, int, int, int) src/media/libsoundtouch/src/TDStretch.cpp:158
> #6 0x7fd387e290d5 in soundtouch::TDStretch::TDStretch() src/media/libsoundtouch/src/TDStretch.cpp:103
> #7 0x7fd387e34c15 in soundtouch::TDStretchSSE::TDStretchSSE() src/media/libsoundtouch/src/TDStretch.h:259
> #8 0x7fd387e32bd9 in soundtouch::TDStretchSSE::TDStretchSSE() src/media/libsoundtouch/src/TDStretch.h:259
> #9 0x7fd387e3297f in soundtouch::TDStretch::newInstance() src/media/libsoundtouch/src/TDStretch.cpp:632
> #10 0x7fd387e20e34 in soundtouch::SoundTouch::SoundTouch() src/media/libsoundtouch/src/SoundTouch.cpp:101
> #11 0x7fd37c3d83f1 in mozilla::AudioStream::EnsureTimeStretcherInitialized() src/content/media/AudioStream.cpp:226
> #12 0x7fd37c3ecedc in mozilla::BufferedAudioStream::GetTimeStretched(void*, long) src/content/media/AudioStream.cpp:964
> #13 0x7fd37c3ee975 in mozilla::BufferedAudioStream::DataCallback(void*, long) src/content/media/AudioStream.cpp:1008
> #14 0x7fd37c3e5042 in mozilla::BufferedAudioStream::DataCallback_S(cubeb_stream*, void*, void*, long) src/content/media/AudioStream.cpp:610
> #15 0x7fd387e4ae42 in cubeb_refill_stream src/media/libcubeb/src/cubeb_alsa.c:301
> #16 0x7fd387e47662 in cubeb_run src/media/libcubeb/src/cubeb_alsa.c:383
> #17 0x7fd387e3da00 in cubeb_run_thread src/media/libcubeb/src/cubeb_alsa.c:415
> #18 0x4148aa in __asan::AsanThread::ThreadStart()
>Thread T66 (Media Audio) created by T50 (Media State) here:
> #0 0x40d244 in __interceptor_pthread_create
> #1 0x7fd3961cbd55 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fd3961c9b46 in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fd383b51436 in nsThread::Init() src/xpcom/threads/nsThread.cpp:331
> #4 0x7fd383b69259 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fd3837c88b2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fd37b16afb0 in tag_nsresult NS_NewNamedThread_P<12ul>(char const (&) [12ul], nsIThread**, nsIRunnable*, unsigned int) src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fd37c335bfb in mozilla::MediaDecoderStateMachine::StartAudioThread() src/content/media/MediaDecoderStateMachine.cpp:1675
> #8 0x7fd37c33565e in mozilla::MediaDecoderStateMachine::StartPlayback() src/content/media/MediaDecoderStateMachine.cpp:1264
> #9 0x7fd37c345066 in mozilla::MediaDecoderStateMachine::AdvanceFrame() src/content/media/MediaDecoderStateMachine.cpp:2371
> #10 0x7fd37c34203b in mozilla::MediaDecoderStateMachine::RunStateMachine() src/content/media/MediaDecoderStateMachine.cpp:2084
> #11 0x7fd37c34a1e6 in mozilla::MediaDecoderStateMachine::CallRunStateMachine() src/content/media/MediaDecoderStateMachine.cpp:2590
> #12 0x7fd37c349b52 in mozilla::MediaDecoderStateMachine::Run() src/content/media/MediaDecoderStateMachine.cpp:2567
> #13 0x7fd383b567df in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #14 0x7fd3837cb165 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #15 0x7fd383b546f3 in nsThread::Shutdown() src/xpcom/threads/nsThread.cpp:474
> #16 0x7fd37c33d295 in mozilla::MediaDecoderStateMachine::StopAudioThread() src/content/media/MediaDecoderStateMachine.cpp:1585
> #17 0x7fd37c341ca9 in mozilla::MediaDecoderStateMachine::RunStateMachine() src/content/media/MediaDecoderStateMachine.cpp:2029
> #18 0x7fd37c34a1e6 in mozilla::MediaDecoderStateMachine::CallRunStateMachine() src/content/media/MediaDecoderStateMachine.cpp:2590
> #19 0x7fd37c349b52 in mozilla::MediaDecoderStateMachine::Run() src/content/media/MediaDecoderStateMachine.cpp:2567
> #20 0x7fd383b567df in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #21 0x7fd3837cb165 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #22 0x7fd383b4e359 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:265
> #23 0x7fd3961daa59 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:156
> #24 0x4148aa in __asan::AsanThread::ThreadStart()
>Thread T50 (Media State) created by T0 here:
> #0 0x40d244 in __interceptor_pthread_create
> #1 0x7fd3961cbd55 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fd3961c9b46 in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fd383b51436 in nsThread::Init() src/xpcom/threads/nsThread.cpp:331
> #4 0x7fd383b69259 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fd3837c88b2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fd37b16afb0 in tag_nsresult NS_NewNamedThread_P<12ul>(char const (&) [12ul], nsIThread**, nsIRunnable*, unsigned int) src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fd37c310e44 in mozilla::StateMachineTracker::EnsureGlobalStateMachine() src/content/media/MediaDecoderStateMachine.cpp:243
> #8 0x7fd37c314ce5 in mozilla::MediaDecoderStateMachine::MediaDecoderStateMachine(mozilla::MediaDecoder*, mozilla::MediaDecoderReader*, bool) src/content/media/MediaDecoderStateMachine.cpp:395
> #9 0x7fd37c47face in mozilla::OggDecoder::CreateStateMachine() src/content/media/ogg/OggDecoder.cpp:15
> #10 0x7fd37c2e49a1 in mozilla::MediaDecoder::Load(mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) src/content/media/MediaDecoder.cpp:425
> #11 0x7fd379d02bad in nsHTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) src/content/html/content/src/nsHTMLMediaElement.cpp:2335
> #12 0x7fd379cbff50 in nsHTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) src/content/html/content/src/nsHTMLMediaElement.cpp:2308
> #13 0x7fd379cbe5a5 in nsHTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) src/content/html/content/src/nsHTMLMediaElement.cpp:365
> #14 0x7fd37412b933 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) src/netwerk/base/src/nsBaseChannel.cpp:720
> #15 0x7fd37412ccbf in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) src/netwerk/base/src/nsBaseChannel.cpp:722
> #16 0x7fd3741dc96e in nsInputStreamPump::OnStateStart() src/netwerk/base/src/nsInputStreamPump.cpp:417
> #17 0x7fd3741dbb06 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/src/nsInputStreamPump.cpp:368
> #18 0x7fd3741df209 in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/src/nsInputStreamPump.cpp:397
> #19 0x7fd383a372c9 in nsInputStreamReadyEvent::Run() src/xpcom/io/nsStreamUtils.cpp:82
> #20 0x7fd383b567df in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #21 0x7fd3837cb165 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #22 0x7fd380e47bbc in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #23 0x7fd383e48152 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #24 0x7fd383e47f89 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #25 0x7fd383e47e5e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #26 0x7fd3802302d7 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #27 0x7fd37ed3b165 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #28 0x7fd373fc1224 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #29 0x7fd373fc6e0a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #30 0x7fd373fc9be0 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #31 0x41d993 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #32 0x41ac96 in main src/browser/app/nsBrowserApp.cpp:388
> #33 0x7fd39705b76c in
>Thread T18 created by T17 (Media Audio) here:
> #0 0x40d244 in __interceptor_pthread_create
> #1 0x7fd387e3cbdc in cubeb_init src/media/libcubeb/src/cubeb_alsa.c:685
> #2 0x7fd37c3e4aae in mozilla::GetCubebContext() src/content/media/AudioStream.cpp:142
> #3 0x7fd37c3e39a8 in mozilla::BufferedAudioStream::Init(int, int, mozilla::dom::AudioChannelType) src/content/media/AudioStream.cpp:708
> #4 0x7fd37c32d504 in mozilla::MediaDecoderStateMachine::AudioLoop() src/content/media/MediaDecoderStateMachine.cpp:982
> #5 0x7fd37c34e772 in nsRunnableMethodImpl<void (mozilla::MediaDecoderStateMachine::*)(), true>::Run() src/../../dist/include/nsThreadUtils.h:367
> #6 0x7fd383b567df in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #7 0x7fd3837cb165 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #8 0x7fd383b4e359 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:265
> #9 0x7fd3961daa59 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:156
> #10 0x4148aa in __asan::AsanThread::ThreadStart()
>Thread T17 (Media Audio) created by T14 (Media State) here:
> #0 0x40d244 in __interceptor_pthread_create
> #1 0x7fd3961cbd55 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fd3961c9b46 in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fd383b51436 in nsThread::Init() src/xpcom/threads/nsThread.cpp:331
> #4 0x7fd383b69259 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fd3837c88b2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fd37b16afb0 in tag_nsresult NS_NewNamedThread_P<12ul>(char const (&) [12ul], nsIThread**, nsIRunnable*, unsigned int) src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fd37c335bfb in mozilla::MediaDecoderStateMachine::StartAudioThread() src/content/media/MediaDecoderStateMachine.cpp:1675
> #8 0x7fd37c33565e in mozilla::MediaDecoderStateMachine::StartPlayback() src/content/media/MediaDecoderStateMachine.cpp:1264
> #9 0x7fd37c345066 in mozilla::MediaDecoderStateMachine::AdvanceFrame() src/content/media/MediaDecoderStateMachine.cpp:2371
> #10 0x7fd37c34203b in mozilla::MediaDecoderStateMachine::RunStateMachine() src/content/media/MediaDecoderStateMachine.cpp:2084
> #11 0x7fd37c34a1e6 in mozilla::MediaDecoderStateMachine::CallRunStateMachine() src/content/media/MediaDecoderStateMachine.cpp:2590
> #12 0x7fd37c349b52 in mozilla::MediaDecoderStateMachine::Run() src/content/media/MediaDecoderStateMachine.cpp:2567
> #13 0x7fd383b567df in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #14 0x7fd3837cb165 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #15 0x7fd383b4e359 in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:265
> #16 0x7fd3961daa59 in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:156
> #17 0x4148aa in __asan::AsanThread::ThreadStart()
>Thread T14 (Media State) created by T0 here:
> #0 0x40d244 in __interceptor_pthread_create
> #1 0x7fd3961cbd55 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:393
> #2 0x7fd3961c9b46 in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:476
> #3 0x7fd383b51436 in nsThread::Init() src/xpcom/threads/nsThread.cpp:331
> #4 0x7fd383b69259 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:215
> #5 0x7fd3837c88b2 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:67
> #6 0x7fd37b16afb0 in tag_nsresult NS_NewNamedThread_P<12ul>(char const (&) [12ul], nsIThread**, nsIRunnable*, unsigned int) src/../../dist/include/nsThreadUtils.h:90
> #7 0x7fd37c310e44 in mozilla::StateMachineTracker::EnsureGlobalStateMachine() src/content/media/MediaDecoderStateMachine.cpp:243
> #8 0x7fd37c314ce5 in mozilla::MediaDecoderStateMachine::MediaDecoderStateMachine(mozilla::MediaDecoder*, mozilla::MediaDecoderReader*, bool) src/content/media/MediaDecoderStateMachine.cpp:395
> #9 0x7fd37c47face in mozilla::OggDecoder::CreateStateMachine() src/content/media/ogg/OggDecoder.cpp:15
> #10 0x7fd37c2e49a1 in mozilla::MediaDecoder::Load(mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) src/content/media/MediaDecoder.cpp:425
> #11 0x7fd379d02bad in nsHTMLMediaElement::FinishDecoderSetup(mozilla::MediaDecoder*, mozilla::MediaResource*, nsIStreamListener**, mozilla::MediaDecoder*) src/content/html/content/src/nsHTMLMediaElement.cpp:2335
> #12 0x7fd379cbff50 in nsHTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) src/content/html/content/src/nsHTMLMediaElement.cpp:2308
> #13 0x7fd379cbe5a5 in nsHTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*, nsISupports*) src/content/html/content/src/nsHTMLMediaElement.cpp:365
> #14 0x7fd37412b933 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) src/netwerk/base/src/nsBaseChannel.cpp:720
> #15 0x7fd37412ccbf in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) src/netwerk/base/src/nsBaseChannel.cpp:722
> #16 0x7fd3741dc96e in nsInputStreamPump::OnStateStart() src/netwerk/base/src/nsInputStreamPump.cpp:417
> #17 0x7fd3741dbb06 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/src/nsInputStreamPump.cpp:368
> #18 0x7fd3741df209 in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/src/nsInputStreamPump.cpp:397
> #19 0x7fd383a372c9 in nsInputStreamReadyEvent::Run() src/xpcom/io/nsStreamUtils.cpp:82
> #20 0x7fd383b567df in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
> #21 0x7fd3837cb165 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
> #22 0x7fd380e47bbc in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
> #23 0x7fd383e48152 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
> #24 0x7fd383e47f89 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
> #25 0x7fd383e47e5e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
> #26 0x7fd3802302d7 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
> #27 0x7fd37ed3b165 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
> #28 0x7fd373fc1224 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
> #29 0x7fd373fc6e0a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
> #30 0x7fd373fc9be0 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
> #31 0x41d993 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
> #32 0x41ac96 in main src/browser/app/nsBrowserApp.cpp:388
> #33 0x7fd39705b76c in
>Stats: 292M malloced (297M for red zones) by 396508 calls
>Stats: 48M realloced by 21075 calls
>Stats: 263M freed by 278060 calls
>Stats: 126M really freed by 160660 calls
>Stats: 480M (480M-0M) mmaped; 120 maps, 0 unmaps
> mmaps by size class: 8:229362; 9:32764; 10:12285; 11:14329; 12:3072; 13:3072; 14:1280; 15:512; 16:1088; 17:1312; 18:80; 19:40; 20:24;
> mallocs by size class: 8:316439; 9:37729; 10:10431; 11:19616; 12:2851; 13:3660; 14:1794; 15:645; 16:1738; 17:1443; 18:97; 19:42; 20:23;
> frees by size class: 8:214440; 9:28075; 10:7047; 11:17747; 12:2011; 13:3443; 14:1601; 15:521; 16:1611; 17:1422; 18:83; 19:39; 20:20;
> rfrees by size class: 8:130601; 9:11629; 10:2904; 11:10919; 12:959; 13:804; 14:911; 15:197; 16:872; 17:831; 18:28; 19:4; 20:1;
>Stats: malloc large: 1605 small slow: 3032
>Stats: StackDepot: 0 ids; 0M mapped
>==3282== ABORTING
>
>
>
|
|
||
Updated•12 years ago
|
Assignee: choller → nobody
Assignee: nobody → paul
|
|
Assignee | |
Comment 17•12 years ago
|
||
This is a race in |EnsureTimeStretcherInitialized()|. I believe I've got a fix. I'm currently running the testcase with this patch, and it has not crashed so far (more than one hour I believe). I'll attach the patch later today if it is still working fine.
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 18•12 years ago
|
||
So, what happens here:
- Thread A tries to set the playback rate (|AudioStream::SetPlaybackRate|), goes in
|EnsureTimeStretcherInitialized|, the pointer is null, goes and tries to
initialize it.
- Thread B is in BufferedAudioStream, on the cubeb thread, tries to get
timestretched frames (|BufferedAudioStream::GetTimeStretched|), also goes in
|EnsureTimeStretcherInitialized|, the pointer is null because the construction
has not happened yet on thread A.
- Thread B |soundtouch::SoundTouch| construction finishes, the |mTimeStretcher|
is not null.
- Thread A tries to create a |soundtouch::SoundTouch|, the RefPtr destroys the
old one during the assignment, that destroys all the internal objects SoundTouch
uses. The new objects are not created yet.
- Thread B goes and try to use the just freed |mTimeStretcher| instance. The
segfault happens only when the first buffer is touched (a different depth in the
library, depending on thread interleaving and time stretcher setup).
I believe this is also the root cause for a couple of "Pure Virtual Call" errors
on Windows.
The fix is pretty straightforward, and I could not reproduce the issue with
this patch applied.
Attachment #702282 -
Flags: review?(kinetik)
|
||
Comment 19•12 years ago
|
||
Comment on attachment 702282 [details] [diff] [review]
r=
The fix makes sense, but can you reuse the existing BufferedAudioStream monitor? That's already held in DataCallback, so you'd just need to arrange for it to be held when calling EnsureTimeStretcherInitialized elsewhere (maybe with a locked and unlocked variant of Ensure like we have for GetPositionInFrames).
|
|
Assignee | |
Comment 20•12 years ago
|
||
Nope, this will deadlock:
- Thread A is in "BufferedAudioStream::Write|, on the Wait call because the |BufferedAudioStream| buffer is full ;
- Thread B is in |BufferedAudioStream::GetTimeStretched|, calls the locked variant of |EnsureTimeStretcherInitialized|, and does not go past the lock, because it is locked by the |Wait| of thread A.
|
|
||
Comment 21•12 years ago
|
||
Monitor::Wait drops the lock during the wait and reacquires it upon waking, so that situation should be impossible.
|
|
Assignee | |
Comment 22•12 years ago
|
||
Yeah, I got confused.
Attachment #702812 -
Flags: review?(kinetik)
|
|
Assignee | |
Updated•12 years ago
|
Attachment #702282 -
Attachment is obsolete: true
Attachment #702282 -
Flags: review?(kinetik)
|
|
||
Updated•12 years ago
|
Attachment #702812 -
Flags: review?(kinetik) → review+
|
|
Assignee | |
Comment 23•12 years ago
|
||
|
|
Assignee | |
Comment 24•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Comment 25•12 years ago
|
||
What's the regressing bug here? What branches are affected? Is B2G18 affected?
In the future, please follow the process in https://wiki.mozilla.org/Security/Bug_Approval_Process prior to landing a sec-critical on mozilla-central. For now, please fill out the form after the fact.
|
|
||
Updated•12 years ago
|
status-firefox21:
--- → fixed
Target Milestone: --- → mozilla21
|
|
Assignee | |
Updated•12 years ago
|
status-firefox20:
--- → affected
|
|
Assignee | |
Comment 26•12 years ago
|
||
Comment on attachment 702812 [details] [diff] [review]
r=
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 495040
User impact if declined: Rare crash when using the playbackRate property
Testing completed (on m-c, etc.): m-c (crash disappeared), locally
Risk to taking this patch (and alternatives if risky): low
String or UUID changes made by this patch: none
Attachment #702812 -
Flags: approval-mozilla-aurora?
|
||
Comment 27•12 years ago
|
||
Waiting on comprehensive reply to comment 25 before approving for Aurora.
Flags: needinfo?(paul)
|
|
Assignee | |
Comment 28•12 years ago
|
||
> What's the regressing bug here?
Bug 495040 has introduced the regression
> What branches are affected?
Aurora, Central
> Is B2G18 affected?
No, patches for bug 495040 are not in B2G18, so the crash does not occur.
Flags: needinfo?(paul)
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Comment 29•12 years ago
|
||
Comment on attachment 702812 [details] [diff] [review]
r=
Thank you Paul, approving for Aurora uplift.
Attachment #702812 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Comment 30•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/516611986f90
Please post cset links when you land on branches...
|
||
Updated•12 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Comment 31•12 years ago
|
||
Based on regressing bug 495040, I'm marking this as 19 unaffected.
status-firefox19:
--- → unaffected
|
|
||
Updated•12 years ago
|
Whiteboard: [asan] → [asan][adv-main20+]
|
|
||
Updated•12 years ago
|
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
|
||
Updated•11 years ago
|
Attachment #707309 -
Attachment description: Bounty Awarded $3000 → Bounty Awarded $3000 [paid] 1/30/13
|
|
||
Updated•11 years ago
|
Group: core-security
|
|
||
Updated•10 years ago
|
Blocks: 495040
Keywords: regression
|
|
||
Updated•8 years ago
|
Keywords: csectype-uaf
You need to log in
before you can comment on or make changes to this bug.
Description
•