Closed
Bug 1200272
Opened 9 years ago
Closed 9 years ago
Cross-thread access without locking on AudioParam event timeline
Categories
(Core :: Web Audio, defect)
Core
Web Audio
Tracking
()
RESOLVED
INVALID
People
(Reporter: padenot, Assigned: padenot)
References
Details
Working on bug 1184057, I discovered that we don't lock around mEvents in AudioEventTimeline [0], or message pass, or anything like that. It's being (at least) mutated on the main thread and audio thread (examples: [1], [2]), and read on the audio thread [3]. Either I'm missing something, or I don't know why this works without blowing up at all. This can be pretty high traffic for certain applications. I'm opening this as a sec bug because I'm pretty sure we can do crazy things. [0]: https://dxr.mozilla.org/mozilla-central/source/dom/media/webaudio/AudioEventTimeline.h?offset=0#615 [1]: written on the main thread: https://dxr.mozilla.org/mozilla-central/source/dom/media/webaudio/AudioEventTimeline.h?offset=0#594 [2]: written on the audio thread: https://dxr.mozilla.org/mozilla-central/source/dom/media/webaudio/AudioEventTimeline.h?offset=0#615 [3]: read on the audio thread: https://dxr.mozilla.org/mozilla-central/source/dom/media/webaudio/AudioEventTimeline.h?offset=500#292
|
||
Comment 1•9 years ago
|
||
AudioParamTimeline is intended for single thread usage. The entire object is copied and passed to the processing thread in AudioNodeStream::SetTimelineParameter(). https://dxr.mozilla.org/mozilla-central/rev/f2518b8a7b97b5bb477e94bc9131584007aac887/dom/media/webaudio/AudioNodeStream.cpp#214
|
Assignee | |
Comment 2•9 years ago
|
||
Glad I missed that. Copying potentially massive nsTArrays full of events is not ideal, though.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•