User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Ubuntu/11.04 Chromium/11.0.696.68 Chrome/11.0.696.68 Safari/534.24
Build Identifier: Mozilla/5.0 (X11; Linux armv7l; rv:7.0a1) Gecko/20110624 Firefox/7.0a1

When building firefox (4, 5 and latest daily) for ARM (armv7) with thumb2 enabled libvpx crashes when decoding webm videos.

Reproducible: Always

Steps to Reproduce:
1. Build firefox for ARM (armv7) enabling thumb2 support
2. Go to youtube.com/html5 and enable trial
3. Try to play a webm video

Actual Results:  
Segfault at vp8dx_receive_compressed_data.

Expected Results:  
Video should play without crashing the browser.

Build platform:
target arm-unknown-linux-gnueabi
Build tools:
Compiler 	Version 	Compiler flags
gcc 	gcc version 4.5.2 (Ubuntu/Linaro 4.5.2-8ubuntu4) 	-Wall -W -Wno-unused -Wpointer-arith -Wdeclaration-after-statement -W -pedantic -Wno-long-long -g -fno-strict-aliasing -pthread -mthumb -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -finline-limit=50 -fomit-frame-pointer
c++ 	gcc version 4.5.2 (Ubuntu/Linaro 4.5.2-8ubuntu4) 	-fno-rtti -fno-exceptions -Wall -Wpointer-arith -Woverloaded-virtual -Wsynth -Wno-ctor-dtor-privacy -Wno-non-virtual-dtor -Wno-invalid-offsetof -Wno-variadic-macros -Werror=return-type -pedantic -Wno-long-long -g -fno-strict-aliasing -std=gnu++0x -pthread -mthumb -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -finline-limit=50 -fomit-frame-pointer
Configure arguments

--host=arm-linux-gnueabi --prefix=/usr --localstatedir=/var --libexecdir=/usr/lib/firefox-trunk-7.0a1 '--with-l10n-base=/build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/l10n' --disable-maintainer-mode --disable-dependency-tracking --disable-silent-rules '--srcdir=/build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla' --disable-elf-dynstr-gc --disable-install-strip --disable-strip --disable-updater --enable-application=browser --enable-default-toolkit=cairo-gtk2 --enable-startup-notification --enable-pango --enable-svg --enable-mathml --enable-safe-browsing --with-distribution-id=com.ubuntu --enable-thumb2 --without-system-jpeg --without-system-png --without-system-zlib --enable-optimize --enable-tests --enable-mochitest --enable-ipdl-tests --disable-system-cairo --without-system-nspr --without-system-nss --disable-system-sqlite --disable-system-hunspell --enable-crashreporter --with-branding=browser/branding/nightly --disable-gnomevfs --enable-gio --enable-update-channel=nightly --disable-debug --disable-elf-hack --enable-extensions=default,globalmenu --with-app-name=firefox-trunk

Crash report: http://crash-stats.mozilla.com/report/index/bp-9bd983ab-2bd2-45d2-a466-d7a832110624

GDB stack trace:

Breakpoint 1, vp8dx_receive_compressed_data (ptr=0x533dd020, size=637, source=0x531ae400 "pE", time_stamp=0)
    at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/media/libvpx/vp8/decoder/onyxd_if.c:318
warning: Source file is more recent than executable.
318	{
(gdb) n
330	    if (ptr == 0)
(gdb) 
335	    pbi->common.error.error_code = VPX_CODEC_OK;
(gdb) 
322	    VP8D_COMP *pbi = (VP8D_COMP *) ptr;
(gdb) 
335	    pbi->common.error.error_code = VPX_CODEC_OK;
(gdb) 
339	    if (cm->rtcd.flags & HAS_NEON)
(gdb) 
342	        vp8_push_neon(dx_store_reg);
(gdb) bt full
#0  vp8dx_receive_compressed_data (ptr=0x533dd020, size=637, source=0x531ae400 "pE", time_stamp=0) at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/media/libvpx/vp8/decoder/onyxd_if.c:342
        dx_store_reg = {139152645440798, 96048353650484, 46291157527873, 32920924327760, 4667030352823325135, 1396564432, 2032, 5998198907190763984}
        pbi = 0x533dd020
        cm = 0x533de1d0
        retcode = 0
        timer = {begin = {tv_sec = 0, tv_usec = 1086636637}, end = {tv_sec = 1396559904, tv_usec = 1377364708}}
#1  0x40c4e2aa in vp8_decode (ctx=0x47dd4500, data=0x531ae400 "pE", data_sz=637, user_priv=<value optimized out>, deadline=0)
    at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/media/libvpx/vp8/vp8_dx_iface.c:424
        ppflag = 0
        ppdeblocking = 0
        sd = {y_width = 640, y_height = 360, y_stride = 9, uv_width = 0, uv_height = 0, uv_stride = 0, y_buffer = 0x0, u_buffer = 0xfa00 <Address 0xfa00 out of bounds>, 
          v_buffer = 0x400d49e3 "\373\005\372H\352\001H\302E\006\331\001=\030\353\a\b\002\322\302E\210\277\001=E\352\tJ", buffer_alloc = 0x53165000 "\030\361SA", border = 1086594491, frame_size = 0, clrtype = 1393971200}
        time_stamp = 0
        time_end_stamp = 0
        ppnoise = 0
        res = <value optimized out>
#2  0x40c4e6c4 in vpx_codec_decode (ctx=0x531650c0, data=<value optimized out>, data_sz=<value optimized out>, user_priv=<value optimized out>, deadline=0)
    at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/media/libvpx/vpx/src/vpx_decoder.c:127
        res = <value optimized out>
#3  0x40c41f9a in nsWebMReader::DecodeVideoFrame (this=0x53165000, aKeyframeSkip=@0x5218ec44, aTimeThreshold=0)
    at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/content/media/webm/nsWebMReader.cpp:692
        data = 0x531ae400 "pE"
        length = 637
        si = {sz = 16, w = 640, h = 360, is_kf = 1}
        iter = 0x2
        img = <value optimized out>
        i = 0
        packet = 0x4cc7cc20
        next_tstamp = 42000000
        parsed = 0
        decoded = 0
        track = 0
        r = <value optimized out>
        count = 0
        tstamp_usecs = 0
        autoNotify = {mDecoder = 0x52f5ac80, mParsed = @0x5218ec14, mDecoded = @0x5218ec10}
        holder = {<nsAutoRefBase<NesteggPacketHolder>> = {<nsSimpleRef<NesteggPacketHolder>> = {<nsAutoRefTraits<NesteggPacketHolder>> = {<nsPointerRefTraits<NesteggPacketHolder>> = {<No data fields>}, <No data fields>}, 
              mRawRef = 0x47f756a0}, <No data fields>}, <No data fields>}
        tstamp = 0
#4  0x40c33a2e in nsBuiltinDecoderReader::DecodeVideoFrame (this=<value optimized out>) at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/content/media/nsBuiltinDecoderReader.h:496
        f = 0
#5  0x40c33b08 in nsBuiltinDecoderReader::DecodeToFirstData<VideoData> (this=0x53165000, aDecodeFn=(PRBool (nsBuiltinDecoderReader::*)(nsBuiltinDecoderReader *)) 0x40c33a1b <nsBuiltinDecoderReader::DecodeVideoFrame()>, aQueue=...)
    at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/content/media/nsBuiltinDecoderReader.cpp:277
        eof = <value optimized out>
#6  0x40c3357a in nsBuiltinDecoderReader::FindStartTime (this=0x53165000, aOutStartTime=@0x5218eca0)
    at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/content/media/nsBuiltinDecoderReader.cpp:244
        videoStartTime = 9223372036854775807
        audioStartTime = 9223372036854775807
        videoData = 0x0
        startTime = 30064771072
#7  0x40c31494 in nsBuiltinDecoderStateMachine::FindStartTime (this=<value optimized out>) at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/content/media/nsBuiltinDecoderStateMachine.cpp:1574
        startTime = 4666596270165248304
        v = 0x0
#8  0x40c3289e in nsBuiltinDecoderStateMachine::Run (this=0x4cb06a70) at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/content/media/nsBuiltinDecoderStateMachine.cpp:1078
        videoData = <value optimized out>
        metadataLoadedEvent = {<nsCOMPtr_base> = {mRawPtr = 0x417fa65f}, <No data fields>}
        stream = 0x533d4000
#9  0x40f8b426 in nsThread::ProcessNextEvent (this=0x4c72bd30, mayWait=<value optimized out>, result=0x5218eda4) at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/xpcom/threads/nsThread.cpp:618
        event = {<nsCOMPtr_base> = {mRawPtr = 0x4cb06a70}, <No data fields>}
        notifyGlobalObserver = 1
        obs = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
        canary = {static sOutputFD = 0}
        rv = 0
#10 0x40f6b1da in NS_ProcessNextEvent_P (thread=<value optimized out>, mayWait=1) at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/obj-arm-linux-gnueabi/xpcom/build/nsThreadUtils.cpp:245
        val = <value optimized out>
#11 0x40f8b174 in nsThread::ThreadFunc (arg=0x4c72bd30) at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/xpcom/threads/nsThread.cpp:273
        self = 0x4c72bd30
        event = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
#12 0x417fdbec in _pt_root (arg=0x47e995e0) at /build/firefox/daily/firefox-trunk-7.0~a1~hg20110622r71547+nobinonly/build-tree/mozilla/nsprpub/pr/src/pthreads/ptthread.c:187
        thred = 0x47e995e0
        detached = 0
#13 0x401933be in start_thread () from /lib/arm-linux-gnueabi/libpthread.so.0
No symbol table info available.
#14 0x402dd538 in clone () from /lib/arm-linux-gnueabi/libc.so.6
No symbol table info available.
#15 0x402dd538 in clone () from /lib/arm-linux-gnueabi/libc.so.6
No symbol table info available.
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) p cm->rtcd
$1 = {idct = {idct1 = 0x40c5597e <vp8_short_idct4x4llm_1_neon>, idct16 = 0x40c559ce <vp8_short_idct4x4llm_neon>, idct1_scalar_add = 0x40c451b9 <vp8_dc_only_idct_add_c>, iwalsh1 = 0x40c54c7e <vp8_short_inv_walsh4x4_1_neon>, 
    iwalsh16 = 0x40c54bfa <vp8_short_inv_walsh4x4_neon>}, recon = {copy16x16 = 0x40c54b32 <vp8_copy_mem16x16_neon>, copy8x8 = 0x40c54aee <vp8_copy_mem8x8_neon>, copy8x4 = 0x40c54aca <vp8_copy_mem8x4_neon>, 
    recon = 0x40c5590e <vp8_recon_b_neon>, recon2 = 0x40c55822 <vp8_recon2b_neon>, recon4 = 0x40c5587a <vp8_recon4b_neon>, recon_mb = 0x40c51b5b <vp8_recon_mb_neon>, recon_mby = 0x40c4789f <vp8_recon_mby_c>, 
    build_intra_predictors_mby_s = 0x40c5145f <vp8_build_intra_predictors_mby_s_neon>, build_intra_predictors_mby = 0x40c51439 <vp8_build_intra_predictors_mby_neon>}, subpix = {sixtap16x16 = 0x40c56d16 <vp8_sixtap_predict16x16_neon>, 
    sixtap8x8 = 0x40c56662 <vp8_sixtap_predict8x8_neon>, sixtap8x4 = 0x40c5601e <vp8_sixtap_predict8x4_neon>, sixtap4x4 = 0x40c55aaa <vp8_sixtap_predict_neon>, bilinear16x16 = 0x40c546c6 <vp8_bilinear_predict16x16_neon>, 
    bilinear8x8 = 0x40c544ba <vp8_bilinear_predict8x8_neon>, bilinear8x4 = 0x40c5435a <vp8_bilinear_predict8x4_neon>, bilinear4x4 = 0x40c5421a <vp8_bilinear_predict4x4_neon>}, loopfilter = {
    normal_mb_v = 0x40c51225 <vp8_loop_filter_mbv_neon>, normal_b_v = 0x40c51369 <vp8_loop_filter_bv_neon>, normal_mb_h = 0x40c511c3 <vp8_loop_filter_mbh_neon>, normal_b_h = 0x40c51287 <vp8_loop_filter_bh_neon>, 
    simple_mb_v = 0x40c51269 <vp8_loop_filter_mbvs_neon>, simple_b_v = 0x40c513eb <vp8_loop_filter_bvs_neon>, simple_mb_h = 0x40c51207 <vp8_loop_filter_mbhs_neon>, simple_b_h = 0x40c51317 <vp8_loop_filter_bhs_neon>}, postproc = {
    down = 0, across = 0, downacross = 0, addnoise = 0, blend_mb = 0}, flags = 7}
(gdb) n

Program received signal SIGILL, Illegal instruction.
0x5218ea74 in ?? ()
(gdb) bt full
#0  0x5218ea74 in ?? ()
No symbol table info available.
Cannot access memory at address 0x0
#1  0x515bea48 in ?? ()
No symbol table info available.
Cannot access memory at address 0x0
#2  0x515bea48 in ?? ()
No symbol table info available.
Cannot access memory at address 0x0
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

If I just disable THUMB2 support it works fine.