
Issue 133096

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Jul 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Regression

Restricted
  • Only users with EditIssue permission may comment.




[chrome] - content/renderer/media/video_capture_impl.cc:258] VideoCaptureImpl::DoFeedBuffer

Project Member Reported by rohi...@chromium.org, Jun 15 2012

Issue description

Google Chrome	21.0.1174.1 (Official Build 142156) dev
Platform	2442.0.0 (Official Build) dev-channel x86-alex
WebKit	537.1 (@120277)
JavaScript	V8 3.11.9
Flash	11.3.31.203

What steps will reproduce the problem?
1. Go to http://www.funfacecam.com .
2. Take a photo using any theme.

Result:
- Renderer crashes. 

Note:
- this crash is not reproducible all the time.
- we are seeing this crash on the crash server for many photo capture sites and starting from the Chrome build 21.0.1172.0 .
http://crash.corp.google.com/search?query=product%3A%22Chrome_ChromeOS%22++crashed_thread_function_name%3A%22VideoCaptureImpl%3A%3ADoFeedBuffer%22

Crash report : http://crash.corp.google.com/reportdetail?reportid=bbf1ea0c8a2bfa4e


0x75693f79	 [chrome]	 - content/renderer/media/video_capture_impl.cc:258]	VideoCaptureImpl::DoFeedBuffer
0x75694cc6	 [chrome]	 - ./base/bind_internal.h:188]	base::internal::Invoker<2, base::internal::BindState<base::internal::RunnableAdapter<void (VideoCaptureImpl::*)(scoped_refptr<media::VideoCapture::VideoFrameBuffer>)>, void(VideoCaptureImpl*, scoped_refptr<media::VideoCapture::VideoFrameBuffer>), void(base::internal::UnretainedWrapper<VideoCaptureImpl>, scoped_refptr<media::VideoCapture::VideoFrameBuffer>)>, void(VideoCaptureImpl*, scoped_refptr<media::VideoCapture::VideoFrameBuffer>)>::Run
0x75db3a2b	 [chrome]	 - ./base/callback.h:272]	MessageLoop::RunTask
0x75db392b	 [chrome]	 - base/message_loop.cc:477]	MessageLoop::DeferOrRunPendingTask
0x75db1297	 [chrome]	 - base/message_loop.cc:654]	MessageLoop::DoWork
0x75e11d67	 [chrome]	 - base/message_pump_default.cc:28]	base::MessagePumpDefault::Run
0x75db0bd3	 [chrome]	 - base/message_loop.cc:424]	MessageLoop::RunInternal
0x75db0b69	 [chrome]	 - base/message_loop.cc:397]	MessageLoop::Run
0x75db0b0d	 [chrome]	 - base/threading/thread.cc:133]	base::Thread::Run
0x75daf022	 [chrome]	 - base/threading/thread.cc:169]	base::Thread::ThreadMain
0x75daed3c	 [chrome]	 - base/threading/platform_thread_posix.cc:65]	base::::ThreadFunc
0x72e2ead1	 [libpthread-2.11.1.so]	 - pthread_create.c:297]	start_thread
0x727ed5cd	 [libc-2.11.1.so]	 + 0x000ce5cd]
 

Comment 1 by ihf@chromium.org, Jun 15 2012

Cc: wjia@chromium.org
Status: Available
Adding wjia. This is not necessarily a regression in 21.0.1174.1 as funfacecam.com was previously blocked with flash.
Labels: -Pri-2 Pri-1 ReleaseBlock-Beta
Google Chrome	21.0.1180.11 (Official Build 143993) dev
Platform	2465.25.0 (Official Build) dev-channel lumpy
WebKit	537.1 (@121177)
JavaScript	V8 3.11.10.12
Flash	11.3.31.210

This is now 100% reproducible with youtube.com/my_webcam (which is a regression).

- Go to youtube.com/my_webcam .
- Start recording a video.
- Click on 'Stop Recording'.

Result:
- Renderer crashes.

Crash report id : 681d020d8a57284d
This affects video recording on Facebook and Youtube.

http://crash.corp.google.com/reportdetail?reportid=b72e15eab365074b

Comment 4 by ihf@chromium.org, Jul 10 2012

Issue 136411 has been merged into this issue.

Comment 5 by ihf@chromium.org, Jul 10 2012

Owner: wjia@chromium.org
Status: Started
http://codereview.chromium.org/10748018/

Comment 6 by ihf@chromium.org, Jul 10 2012

We checked on my alex and Wei's patch avoids the crashes.

Comment 7 by bugdroid1@chromium.org, Jul 11 2012

The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=146044

------------------------------------------------------------------------
r146044 | wjia@chromium.org | Tue Jul 10 20:26:06 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/content/renderer/media/video_capture_impl.cc?r1=146044&r2=146043&pathrev=146044

fix use after free case in VideoCaptureImpl.
It's possible client returns buffer after cached_dibs_ are freed.
Also fix a copy&paste error.

BUG=133096
TEST=the pages in bug 133096 do not crash.
Review URL: https://chromiumcodereview.appspot.com/10748018
------------------------------------------------------------------------
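
The commit message above describes the ordering behind the crash: the client can hand a buffer back after cached_dibs_ has already been released, and the return handler then works on freed memory. The following is an added example, not Chromium code and not the r146044 change itself; it models that ordering in plain C++ so the failure mode and the checked-return pattern can be run side by side. Every name in it (CaptureModel, Dib, Lend, PostReturn, WouldUseFreedBuffer, and the DoFeedBuffer signature) is this example's own assumption, not the project's API.

```cpp
// Added example, not Chromium code and not the r146044 change. It models the
// ordering the commit message describes: a capture object owns a cache of DIB
// buffers (cached_dibs_), lends them to a client, and receives the client's
// "buffer returned" notification as a task posted back to the capture thread.
// If the cache is freed first (stop / device change), an unchecked return path
// touches freed memory. All names below are this example's assumptions.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <queue>
#include <set>
#include <vector>

struct Dib { std::vector<uint8_t> pixels; };

class CaptureModel {
 public:
  using Task = std::function<void()>;
  explicit CaptureModel(std::queue<Task>* thread) : thread_(thread) {}

  // Device announces buffer `id`: allocate it in the cache.
  void AddBuffer(int id, size_t bytes) {
    auto dib = std::make_unique<Dib>();
    dib->pixels.assign(bytes, 0);
    live_.insert(dib.get());
    cached_dibs_[id] = std::move(dib);
  }

  // Lend buffer `id` to the client; the raw pointer is what an unchecked
  // return path would dereference later.
  Dib* Lend(int id) {
    auto it = cached_dibs_.find(id);
    return it == cached_dibs_.end() ? nullptr : it->second.get();
  }

  // Stop capture / device change: every cached buffer is released.
  void FreeCachedDibs() {
    for (auto& kv : cached_dibs_) live_.erase(kv.second.get());
    cached_dibs_.clear();
  }

  // The client's return is posted to the capture thread, so it may run after
  // FreeCachedDibs() has already executed.
  void PostReturn(int id, Dib* handle) {
    thread_->push([this, id, handle] { DoFeedBuffer(id, handle); });
  }

  // Unchecked ordering, modelled by pointer identity only (never dereferenced)
  // so the example runs cleanly: true means real code would be using a freed
  // buffer at this point.
  bool WouldUseFreedBuffer(Dib* handle) const { return live_.count(handle) == 0; }

  // Checked ordering (the pattern the fix describes, not its literal code):
  // re-resolve the id and drop returns for buffers that no longer exist.
  void DoFeedBuffer(int id, Dib* handle) {
    auto it = cached_dibs_.find(id);
    if (it == cached_dibs_.end() || it->second.get() != handle) {
      stale_returns_++;
      return;
    }
    fed_++;
  }

  int stale_returns() const { return stale_returns_; }
  int fed() const { return fed_; }

 private:
  std::queue<Task>* thread_;
  std::map<int, std::unique_ptr<Dib>> cached_dibs_;
  std::set<const Dib*> live_;
  int stale_returns_ = 0;
  int fed_ = 0;
};

// Drains the simulated capture-thread message loop.
static void RunLoop(std::queue<CaptureModel::Task>* q) {
  while (!q->empty()) { q->front()(); q->pop(); }
}

struct Outcome { int stale; int fed; bool unchecked_would_uaf; };

// The bug's ordering: buffer lent, cache freed, then the return task runs.
Outcome LateReturnScenario() {
  std::queue<CaptureModel::Task> thread;
  CaptureModel cap(&thread);
  cap.AddBuffer(1, 640 * 480 * 4);
  Dib* handle = cap.Lend(1);
  cap.PostReturn(1, handle);   // client hands it back asynchronously ...
  cap.FreeCachedDibs();        // ... but the cache is gone before that runs
  bool uaf = cap.WouldUseFreedBuffer(handle);
  RunLoop(&thread);
  return {cap.stale_returns(), cap.fed(), uaf};
}

// Normal ordering: the return is processed while the cache is still alive.
Outcome NormalScenario() {
  std::queue<CaptureModel::Task> thread;
  CaptureModel cap(&thread);
  cap.AddBuffer(1, 64);
  Dib* handle = cap.Lend(1);
  cap.PostReturn(1, handle);
  RunLoop(&thread);
  bool uaf = cap.WouldUseFreedBuffer(handle);
  cap.FreeCachedDibs();
  return {cap.stale_returns(), cap.fed(), uaf};
}
```

The point of the model is the re-lookup in DoFeedBuffer: a handle captured when the buffer was lent is not proof the buffer still exists once the posted task runs, so the receiver has to resolve the id against the current cache and discard anything it no longer owns. The same shape applies to any callback bound with an unretained pointer into state that a stop or reconfigure path can free.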

Comment 8 by wjia@chromium.org, Jul 11 2012

Labels: Merge-Requested

Comment 9 by kareng@google.com, Jul 11 2012

Can you confirm this is working in canary and not causing new crashes?
Owner: rohi...@chromium.org
Cc: -wjia@chromium.org rohi...@chromium.org
Owner: wjia@chromium.org
Rohitb to confirm the crash is not seen in the latest ToT.
Assigning back to wjia@ to merge it after validation.
Google Chrome	22.0.1203.0 (Official Build 146062) canary
Platform	2587.0.0 (Official Build) canary-channel x86-alex_he and lumpy
WebKit	537.1 (@122287)
JavaScript	V8 3.12.10
Flash	11.3.31.217

This issue is not reproducible with youtube.com/my_webcam recording. Please note that the mic is not working on R22 ToT builds, so this was tested using video recording only.

Comment 13 by ddrew@chromium.org, Jul 11 2012

Labels: Iteration-60
Adding all blocking issues to current Iteration-60

Comment 14 by kareng@google.com, Jul 12 2012

Labels: -Merge-Requested Merge-Approved

Comment 15 by bugdroid1@chromium.org, Jul 12 2012

Labels: -Merge-Approved merge-merged-1180
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=146245

------------------------------------------------------------------------
r146245 | wjia@chromium.org | Wed Jul 11 17:04:40 PDT 2012

Changed paths:
 M http://src.chromium.org/viewvc/chrome/branches/1180/src/content/renderer/media/video_capture_impl.cc?r1=146245&r2=146244&pathrev=146245

Merge 146044 - fix use after free case in VideoCaptureImpl.
It's possible client returns buffer after cached_dibs_ are freed.
Also fix a copy&paste error.

BUG=133096
TEST=the pages in bug 133096 do not crash.
Review URL: https://chromiumcodereview.appspot.com/10748018

TBR=wjia@chromium.org
Review URL: https://chromiumcodereview.appspot.com/10702160
------------------------------------------------------------------------

Comment 16 by wjia@chromium.org, Jul 12 2012

Status: Fixed
Status: Verified
Google Chrome	21.0.1180.39 (Official Build 146268) dev
Platform	2465.61.0 (Official Build) dev-channel x86-alex
WebKit	537.1 (@122379)
JavaScript	V8 3.11.10.14
Flash	11.3.31.217

Comment 18 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 19 by bugdroid1@chromium.org, Mar 9 2013

Labels: -Type-Regression -Area-Internals -Feature-Flash -Mstone-21 Type-Bug-Regression M-21 Cr-Content-Plugins-Flash Cr-Internals

Comment 20 by bugdroid1@chromium.org, Mar 14 2013

Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue

Comment 21 by bugdroid1@chromium.org, Apr 6 2013

Labels: Cr-Blink

Comment 22 by bugdroid1@chromium.org, Apr 6 2013

Labels: -Cr-Content-Plugins-Flash Cr-Internals-Plugins-Flash
