Closed Bug 1111114 Opened 10 years ago Closed 10 years ago

[EME] Crash shutting down EMEDecryptor

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Platform:
x86_64
Windows 8.1
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37
Tracking Flags:
Tracking Status
firefox37 --- fixed
firefox38 --- fixed
firefox39 --- fixed

People

(Reporter: cpearce, Assigned: cpearce)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Patch
1.80 KB, patch
kinetik
: review+
Details | Diff | Splinter Review
While trying to catch bug 1101308 in a debugger, I found another crash: xul!mozilla::EMEDecryptor::DeliverDecrypted::Decrypted+0x80 [c:\users\bob\src\mozilla\purple\dom\media\fmp4\eme\emedecodermodule.cpp @ 71] C/C++/ASM xul!mozilla::CDMProxy::gmp_Decrypt+0x130 [c:\users\bob\src\mozilla\purple\dom\media\eme\cdmproxy.cpp @ 526] C/C++/ASM xul!nsRunnableMethodImpl<void (__thiscall mozilla::CDMProxy::*)(nsAutoPtr<mozilla::CDMProxy::DecryptJob>),nsAutoPtr<mozilla::CDMProxy::DecryptJob>,1>::Run+0x2b [c:\users\bob\src\mozilla\purple\objdir\dist\include\nsthreadutils.h @ 365] C/C++/ASM xul!nsThread::ProcessNextEvent+0x592 [c:\users\bob\src\mozilla\purple\xpcom\threads\nsthread.cpp @ 830] C/C++/ASM xul!NS_ProcessNextEvent+0x62 [c:\users\bob\src\mozilla\purple\xpcom\glue\nsthreadutils.cpp @ 265] C/C++/ASM What's happening is we're in DeliverDecrypted::Decrypted(), dereferenceing mDecryptor->mCallback, and mCallback is invalid. mDecryptor is a strong ref, but mCallback is not, and we've run EMEDecryptor::Shutdown(), which doesn't clear mCallback. We should clear mCallback in EMEDecryptor::Shutdown(), and null check it here.
Attached patch PatchSplinter Review
Null mCallback on shutdown, and null-check it before derefing.
Attachment #8535938 - Flags: review?(kinetik)
Attachment #8535938 - Flags: review?(kinetik) → review+
Comment on attachment 8535938 [details] [diff] [review] Patch Review of attachment 8535938 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/media/fmp4/eme/EMEDecoderModule.cpp @@ +151,5 @@ > mTaskQueue->BeginShutdown(); > mTaskQueue->AwaitShutdownAndIdle(); > mTaskQueue = nullptr; > mProxy = nullptr; > + mCallback = nullptr; Do we need a memory barrier so that the change to mCallback is visible to DeliverDecrypted::Decrypted?
https://hg.mozilla.org/mozilla-central/rev/87aaa1d526e5
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Flags: needinfo?(cpearce)
Mass update firefox-status to track EME uplift.
status-firefox37: --- → fixed
status-firefox38: --- → fixed
status-firefox39: --- → fixed
(In reply to JW Wang [:jwwang] from comment #3) > Comment on attachment 8535938 [details] [diff] [review] > Patch > > Review of attachment 8535938 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: dom/media/fmp4/eme/EMEDecoderModule.cpp > @@ +151,5 @@ > > mTaskQueue->BeginShutdown(); > > mTaskQueue->AwaitShutdownAndIdle(); > > mTaskQueue = nullptr; > > mProxy = nullptr; > > + mCallback = nullptr; > > Do we need a memory barrier so that the change to mCallback is visible to > DeliverDecrypted::Decrypted? We now use MozPromises here, mCallbackk is only ever used on the one task queue now.
Flags: needinfo?(cpearce)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: