Closed Bug 1339930 Opened 8 years ago Closed 8 years ago

Crash in mozilla::dom::AudioChannelService::GetOrCreateWindowData

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
Unspecified
Windows 8
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox52 --- unaffected
firefox53 + fixed
firefox54 + fixed

People

(Reporter: marcia, Assigned: ehsan.akhgari)

References

Details

(4 keywords)

Crash Data

Attachments

(3 files)

Don't crash in nsPIDOMWindowInner::IsPlayingAudio() if we've been unlinked
943 bytes, patch
baku
: review+
Details | Diff | Splinter Review
Testcase
303 bytes, text/html
Details
Don't crash in AudioChannelService when dealing with Windows without a parent
5.23 KB, patch
baku
: review+
lizzard
: approval-mozilla-aurora+
Details | Diff | Splinter Review
This bug was filed from the Socorro interface and is report bp-fa77d7ba-bc84-4da8-9273-16e0a2170212. ============================================================= Seen while looking at nightly crash stats - crashes started with 20170211030205: http://bit.ly/2lMefM4 Possible regression range: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=25a94c1047e793ef096d8556fa3c26dd72bd37d7&tochange=855e6b2f6199189f37cea093cbdd1735e297e8aa Bug 1336484 I think touched code in this area. ni on ehsan.
Flags: needinfo?(ehsan)
Yeah certainly my fault. [Tracking Requested - why for this release]: crash
Assignee: nobody → ehsan
Blocks: 1336484
tracking-firefox54: --- → ?
Flags: needinfo?(ehsan)
Keywords: regression
0xc8 is almost the offset of mWindowID in nsPIDOMWindowOuter, so our window pointer is somehow null here.
Tracking 54+ for this new crash.
tracking-firefox54: ?+
Attachment #8837822 - Flags: review?(amarchesini) → review+
Pushed by eakhgari@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/30a1b3847bf4 Don't crash in nsPIDOMWindowInner::IsPlayingAudio() if we've been unlinked; r=baku
Attached file Testcase
Testcase found by fuzzing.
Flags: in-testsuite?
Keywords: testcase
Thanks, the test case was really helpful. Unfortunately the patch doesn't fix the crash. What's happening is that our mOuterWindow is non-null in this case, but GetScriptableTop() returns null because the iframe has been removed from the tree.
(I still think the patch that I landed is necessary since it's hard to know for sure that we'll always have an outer window here.
It seems that AudioChannelService has this bug all over the place.
Keywords: leave-open
Crash Signature: [@ mozilla::dom::AudioChannelService::GetOrCreateWindowData] → [@ mozilla::dom::AudioChannelService::GetOrCreateWindowData] [@ mozilla::dom::AudioChannelService::IsWindowActive]
Comment on attachment 8838100 [details] [diff] [review] Don't crash in AudioChannelService when dealing with Windows without a parent Review of attachment 8838100 [details] [diff] [review]: ----------------------------------------------------------------- ::: dom/audiochannel/AudioChannelService.cpp @@ +827,5 @@ > { > MOZ_ASSERT(NS_IsMainThread()); > > auto* window = nsPIDOMWindowOuter::From(aWindow)->GetScriptableTop(); > + if (!window) { *aVolume = 0; @@ +887,5 @@ > { > MOZ_ASSERT(NS_IsMainThread()); > > auto* window = nsPIDOMWindowOuter::From(aWindow)->GetScriptableTop(); > + if (!window) { *aMuted = 0;
Attachment #8838100 - Flags: review?(amarchesini) → review+
Keywords: leave-open
Pushed by eakhgari@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1b03953d2cca Don't crash in AudioChannelService when dealing with Windows without a parent; r=baku
https://hg.mozilla.org/mozilla-central/rev/30a1b3847bf4 https://hg.mozilla.org/mozilla-central/rev/1b03953d2cca
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox54: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Please request Aurora approval on this when you get a chance.
status-firefox52: --- → unaffected
status-firefox53: --- → affected
tracking-firefox53: --- → ?
Flags: needinfo?(ehsan)
Comment on attachment 8838100 [details] [diff] [review] Don't crash in AudioChannelService when dealing with Windows without a parent Approval Request Comment [Feature/Bug causing the regression]: Bug 1336484. [User impact if declined]: Crash. [Is this code covered by automated tests?]: Yes. [Has the fix been verified in Nightly?]: Yes. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: No. [Why is the change risky/not risky?]: Because it's adding some null checks. [String changes made/needed]: None.
Flags: needinfo?(ehsan)
Attachment #8838100 - Flags: approval-mozilla-aurora?
Comment on attachment 8838100 [details] [diff] [review] Don't crash in AudioChannelService when dealing with Windows without a parent Add some null checks to prevent crashes. Regression from 53.
Attachment #8838100 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
tracking-firefox53: ?+
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: