Browser crashes when streaming video


Martin Johnson

Nov 27, 2019, 7:58:30 PM
to Chromium-dev
This seems to only affect Android 9+. Devices running Android 8 are fine.

The args.gn configuration is:
proprietary_codecs = true
ffmpeg_branding = "Chrome"

Streaming video from youku.com causes an error like this every time:

11-27 20:24:35.338 16340 16369 I app_process64: frameworks/av/media/ndk/NdkImageReader.cpp:238:13: runtime error: control flow integrity check for type 'void (void *, AImageReader *)' failed during indirect function call
11-27 20:24:35.338 16340 16369 I app_process64:
11-27 20:24:35.343 16340 16358 D NdkImageReader: acquireImageLocked: Overriding buffer format YUV_420_888 to 0x7fa30c06.
11-27 20:24:35.363 16340 16369 I app_process64: (/data/app/org.chromium.chrome-Ir_-k9CgOLBt0hdmQaVlLg==/base.apk+0x373ae48): note: (unknown) defined here
11-27 20:24:35.363 16340 16369 I app_process64:
11-27 20:24:35.400 16011 16032 I cent.mm:sandbo: Waiting for a blocking GC ProfileSaver
11-27 20:24:35.427  1237  1763 E LightsService: Light requested not available on this device. 2
11-27 20:24:35.447 16011 16032 I cent.mm:sandbo: Waiting for a blocking GC ProfileSaver
11-27 20:24:35.447 16011 16032 I cent.mm:sandbo: WaitForGcToComplete blocked ProfileSaver on HeapTrim for 47.175ms
11-27 20:24:35.455 16011 16025 I cent.mm:sandbo: WaitForGcToComplete blocked HeapTrim on ProfileSaver for 7.669ms
11-27 20:24:35.471 16340 16369 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 16369 (ImageReader-1x1), pid 16340 (ileged_process1)
11-27 20:24:35.591 16394 16394 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
11-27 20:24:35.591 16394 16394 F DEBUG   : LineageOS Version: '16.0-20191008-NIGHTLY-taton'
11-27 20:24:35.591 16394 16394 F DEBUG   : Build fingerprint: 'Xiaomi/taton/taton:8.1.0/OPM1.171019.011/V9.5.5.0.OEAMIFA:user/release-keys'
11-27 20:24:35.591 16394 16394 F DEBUG   : Revision: '0'
11-27 20:24:35.591 16394 16394 F DEBUG   : ABI: 'arm64'
11-27 20:24:35.591 16394 16394 F DEBUG   : pid: 16340, tid: 16369, name: ImageReader-1x1  >>> org.chromium.chrome:privileged_process1 <<<
11-27 20:24:35.591 16394 16394 F DEBUG   : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
11-27 20:24:35.591 16394 16394 F DEBUG   :     x0  0000000000000000  x1  0000000000003ff1  x2  0000000000000006  x3  0000000000000008
11-27 20:24:35.591 16394 16394 F DEBUG   :     x4  622d66716e2e6f6f  x5  622d66716e2e6f6f  x6  622d66716e2e6f6f  x7  7f7f7f7f7f7f7f7f
11-27 20:24:35.591 16394 16394 F DEBUG   :     x8  0000000000000083  x9  5ab11182ab410ffd  x10 0000000000000000  x11 fffffffc7ffffbdf
11-27 20:24:35.591 16394 16394 F DEBUG   :     x12 0000000000000001  x13 00000cd7fd28ecb1  x14 001576aee8668b05  x15 0000000009004958
11-27 20:24:35.591 16394 16394 F DEBUG   :     x16 00000077a9ff32a8  x17 00000077a9f313e4  x18 0000000000000001  x19 0000000000003fd4
11-27 20:24:35.591 16394 16394 F DEBUG   :     x20 0000000000003ff1  x21 649aaa0af867eead  x22 00000077addab8d0  x23 00000077aa2ae960
11-27 20:24:35.591 16394 16394 F DEBUG   :     x24 00000077aa2af410  x25 000000770cc04000  x26 000000770f1b3588  x27 0000000000000000
11-27 20:24:35.591 16394 16394 F DEBUG   :     x28 0000007724ae9350  x29 000000770cd01140
11-27 20:24:35.591 16394 16394 F DEBUG   :     sp  000000770cd01100  lr  00000077a9f25f10  pc  00000077a9f25f38
11-27 20:24:35.599 16394 16394 F DEBUG   :
11-27 20:24:35.599 16394 16394 F DEBUG   : backtrace:
11-27 20:24:35.599 16394 16394 F DEBUG   :     #00 pc 0000000000021f38  /system/lib64/libc.so (abort+116)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #01 pc 000000000001dac8  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (__sanitizer::Abort()+56)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #02 pc 000000000001b688  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (__sanitizer::Die()+164)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #03 pc 0000000000026b6c  /system/lib64/libclang_rt.ubsan_standalone-aarch64-android.so (__ubsan_handle_cfi_check_fail_abort+68)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #04 pc 0000000000014084  /system/lib64/libmediandk.so (__cfi_check_fail+108)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #05 pc 000000000001ac14  /system/lib64/libmediandk.so (__cfi_check+7188)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #06 pc 0000000000022410  /system/bin/linker64 (__dl__ZN15CFIShadowWriter7CfiFailEmPvS0_S0_+128)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #07 pc 0000000000001140  /system/lib64/libdl.so (__cfi_slowpath_diag+64)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #08 pc 0000000000026fd8  /system/lib64/libmediandk.so (AImageReader::CallbackHandler::onMessageReceived(android::sp<android::AMessage> const&)+520)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #09 pc 0000000000019904  /system/lib64/libstagefright_foundation.so (android::AHandler::deliverMessage(android::sp<android::AMessage> const&)+92)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #10 pc 0000000000020f70  /system/lib64/libstagefright_foundation.so (android::AMessage::deliver()+180)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #11 pc 000000000001c490  /system/lib64/libstagefright_foundation.so (android::ALooper::loop()+556)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #12 pc 000000000000f9d4  /system/lib64/libutils.so (android::Thread::_threadLoop(void*)+280)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #13 pc 00000000000b4d50  /system/lib64/libandroid_runtime.so (android::AndroidRuntime::javaThreadShell(void*)+140)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #14 pc 0000000000082d14  /system/lib64/libc.so (__pthread_start(void*)+36)
11-27 20:24:35.599 16394 16394 F DEBUG   :     #15 pc 000000000002378c  /system/lib64/libc.so (__start_thread+68)

Daniel Bratell

Nov 28, 2019, 1:51:23 PM
to mar...@greatfire.org, Chromium-dev

Looks like CFI ( https://www.chromium.org/developers/testing/control-flow-integrity ) crashes in AImageReader::CallbackHandler::onMessageReceived which I cannot find. If nobody else says this is known, you should file a bug in https://crbug.com/

CFI intentionally crashing the program would indicate that the videos trigger some kind of dangerous code failure. You could turn off cfi but I would be a bit scared running code that might have a dangerous bug (as indicated by cfi aborting the program).

/Daniel
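Added example (not part of the thread, and not Chromium or Android code): a small user-space model of what the failing check in the log above is doing. Clang's `-fsanitize=cfi-icall` records the static type of every address-taken function at link time and, at each indirect call, verifies that the target was declared with the type the call site expects; the `__cfi_slowpath_diag` / `__cfi_check` frames in the backtrace are that check, and the log line names the expected type, `void (void *, AImageReader *)`. The model below replaces the compiler's type-id tables with a string tag captured by `_Generic` when the callback is registered, so a callback stored through a cast still carries its real signature and the guarded call refuses it instead of dispatching. `Reader`, `Listener`, `REGISTER_LISTENER`, `cfi_guarded_call` and the two callbacks are constructed for this example; they are not the NDK's types or functions.

```c
/* Simplified model of an indirect-call CFI check (example code, not Clang's
 * implementation). The real scheme uses LTO-generated type-id jump tables;
 * here the type id is a string tag captured from the callee's declared type. */
#include <stdio.h>
#include <string.h>

typedef struct Reader { int frames_delivered; } Reader;

/* Mirrors the shape of the callback type named in the log:
 * void (void *context, Reader *reader). */
typedef void (*image_cb)(void *context, Reader *reader);

typedef struct Listener {
    void *context;
    image_cb on_image;
    const char *type_id;   /* signature the callee was actually declared with */
} Listener;

static const char IMAGE_CB_TYPE[] = "void (void *, Reader *)";

/* Models the compiler recording the callee's static type: the tag is derived
 * from the declared type of fn, not from the cast applied when storing it. */
#define REGISTER_LISTENER(l, ctx, fn) do {                                   \
    (l)->context  = (ctx);                                                   \
    (l)->on_image = (image_cb)(void (*)(void))(fn);                          \
    (l)->type_id  = _Generic(&(fn), image_cb: IMAGE_CB_TYPE,                 \
                                    default: "<other signature>");           \
} while (0)

/* A callback with the expected signature. */
static void good_cb(void *context, Reader *reader) {
    int *count = context;
    (*count)++;
    reader->frames_delivered++;
}

/* A callback with a different signature: registering it through the cast
 * above is the kind of type confusion the CFI check exists to stop. */
static void wrong_cb(void *context) { (void)context; }

/* The guarded indirect call. Returns 0 if the callback was dispatched and
 * -1 if the check failed; the real check aborts the process at this point. */
int cfi_guarded_call(const Listener *l, Reader *r) {
    if (l->on_image == NULL || l->type_id == NULL ||
        strcmp(l->type_id, IMAGE_CB_TYPE) != 0) {
        fprintf(stderr,
                "cfi: control flow integrity check for type '%s' failed "
                "during indirect function call\n", IMAGE_CB_TYPE);
        return -1;
    }
    l->on_image(l->context, r);
    return 0;
}

/* Scenario: correctly typed callback. Returns 2 (one context increment plus
 * one frame delivered) when the call went through. */
int demo_matching_listener(void) {
    int count = 0;
    Reader r = { 0 };
    Listener l;
    REGISTER_LISTENER(&l, &count, good_cb);
    if (cfi_guarded_call(&l, &r) != 0) return -1;
    return count + r.frames_delivered;
}

/* Scenario: mismatched callback. Returns -1 and wrong_cb never runs. */
int demo_mismatched_listener(void) {
    int count = 0;
    Reader r = { 0 };
    Listener l;
    REGISTER_LISTENER(&l, &count, wrong_cb);
    return cfi_guarded_call(&l, &r);
}

int main(void) {
    printf("matching listener:   %d\n", demo_matching_listener());
    printf("mismatched listener: %d\n", demo_mismatched_listener());
    return 0;
}
```

Build with any C11 compiler (`cc -std=c11 cfi_model.c`). The point of the model is the second scenario: the callback pointer is well-formed and non-null, so a plain null check would let the call proceed; only the recorded signature reveals that the target is the wrong kind of function. That is why disabling CFI does not remove the defect the log reports, it only removes the detector that turns a type-confused indirect call into an abort at the call site rather than a silent jump into code expecting different arguments.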

Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/acba36d0-d580-4e88-8ab2-e98309d30193%40chromium.org.