Closed Bug 1865722 Opened 7 months ago Closed 7 months ago

Assertion failure: Timestamp::Millis(aFrame.render_time_ms()) > mNextFrameMinimumTime, at /dom/media/systemservices/video_engine/desktop_capture_impl.cc:715

Categories

(Core :: WebRTC: Audio/Video, defect)

Product:
Core
Component:
WebRTC: Audio/Video
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:confirm])

Attachments

(1 file)

Testcase
235 bytes, text/plain
Details

Testcase found while fuzzing mozilla-central rev c3021f5ece18 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build c3021f5ece18 --debug --fuzzing  -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

Assertion failure: Timestamp::Millis(aFrame.render_time_ms()) > mNextFrameMinimumTime, at /dom/media/systemservices/video_engine/desktop_capture_impl.cc:715

    ==419476==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fae55dc0d4e bp 0x7fad802ed3c0 sp 0x7fad802ed370 T419945)
    ==419476==The signal is caused by a WRITE memory access.
    ==419476==Hint: address points to the zero page.
        #0 0x7fae55dc0d4e in webrtc::DesktopCaptureImpl::NotifyOnFrame(webrtc::VideoFrame const&) /dom/media/systemservices/video_engine/desktop_capture_impl.cc:714:3
        #1 0x7fae55dc08c6 in webrtc::DesktopCaptureImpl::OnCaptureResult(webrtc::DesktopCapturer::Result, std::unique_ptr<webrtc::DesktopFrame, std::default_delete<webrtc::DesktopFrame>>) /dom/media/systemservices/video_engine/desktop_capture_impl.cc:697:3
        #2 0x7fae58943c41 in webrtc::DesktopAndCursorComposer::OnCaptureResult(webrtc::DesktopCapturer::Result, std::unique_ptr<webrtc::DesktopFrame, std::default_delete<webrtc::DesktopFrame>>) /third_party/libwebrtc/modules/desktop_capture/desktop_and_cursor_composer.cc:273:14
        #3 0x7fae58951a33 in webrtc::ScreenCapturerX11::CaptureFrame() /third_party/libwebrtc/modules/desktop_capture/linux/x11/screen_capturer_x11.cc:286:14
        #4 0x7fae55dc1068 in webrtc::DesktopCaptureImpl::CaptureFrameOnThread() /dom/media/systemservices/video_engine/desktop_capture_impl.cc:760:14
        #5 0x7fae51a39e6d in operator() /xpcom/threads/nsTimerImpl.cpp:681:36
        #6 0x7fae51a39e6d in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:309:16
        #7 0x7fae51a39e6d in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #8 0x7fae51a39e6d in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #9 0x7fae51a39e6d in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:318:14
        #10 0x7fae51a39e6d in matchN<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> &, (lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:902:12
        #11 0x7fae51a39e6d in match<(lambda at /xpcom/threads/nsTimerImpl.cpp:676:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:677:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:678:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:681:7), (lambda at /xpcom/threads/nsTimerImpl.cpp:682:7)> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:857:12
        #12 0x7fae51a39e6d in nsTimerImpl::Fire(int) /xpcom/threads/nsTimerImpl.cpp:675:22
        #13 0x7fae51a38fd3 in nsTimerEvent::Run() /xpcom/threads/TimerThread.cpp:515:11
        #14 0x7fae51a472ad in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1192:16
        #15 0x7fae51a4e23d in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:480:10
        #16 0x7fae5270a5a5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:330:5
        #17 0x7fae52623281 in RunHandler /ipc/chromium/src/base/message_loop.cc:363:3
        #18 0x7fae52623281 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:345:3
        #19 0x7fae51a42593 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:370:10
        #20 0x7fae655f5d0f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #21 0x7fae65e96ac2 in start_thread nptl/pthread_create.c:442:8
        #22 0x7fae65f28a3f  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    UndefinedBehaviorSanitizer can not provide additional info.
    SUMMARY: UndefinedBehaviorSanitizer: SEGV /dom/media/systemservices/video_engine/desktop_capture_impl.cc:714:3 in webrtc::DesktopCaptureImpl::NotifyOnFrame(webrtc::VideoFrame const&)
    ==419476==ABORTING
Attached file Testcase 



Unable to reproduce bug 1865722 using build mozilla-central 20231119091854-c3021f5ece18. Without a baseline, bugmon is unable to analyze this bug.

Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.


Keywords: bugmon



Component: Audio/Video → WebRTC: Audio/Video



A fix is coming in bug 1843163. We were not able to repro in CI as it is perf-dependent (we can only capture two frames on the same millisecond-timestamp if capturing one frame takes <0.5ms). We'll land without the testcase.


Depends on: 1843163
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED

You need to log in
before you can comment on or make changes to this bug.

















Attachment


















General



Creator: 






Created: 


Updated: 


Size: