Closed Bug 1384247 Opened 7 years ago Closed 7 years ago

Assertion failure: CanBeCaptured(aCaptureAudio), at /home/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3434

Categories

(Core :: Audio/Video: Playback, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: jkratzer, Assigned: padenot)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 20170722-c22502562670.

Assertion failure: CanBeCaptured(aCaptureAudio), at /home/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3434

ASAN:DEADLYSIGNAL
=================================================================
==23867==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8d061134f0 bp 0x7ffc3a085090 sp 0x7ffc3a084780 T0)
==23867==The signal is caused by a WRITE memory access.
==23867==Hint: address points to the zero page.
    #0 0x7f8d061134ef in mozilla::dom::HTMLMediaElement::CaptureStreamInternal(bool, bool, mozilla::MediaStreamGraph*) /home/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3433:3
    #1 0x7f8d06113a03 in mozilla::dom::HTMLMediaElement::CaptureAudio(mozilla::ErrorResult&, mozilla::MediaStreamGraph*) /home/worker/workspace/build/src/dom/html/HTMLMediaElement.cpp:3539:5
    #2 0x7f8d0687fd4c in mozilla::dom::MediaElementAudioSourceNode::Create(mozilla::dom::AudioContext&, mozilla::dom::MediaElementAudioSourceOptions const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/media/webaudio/MediaElementAudioSourceNode.cpp:36:29
    #3 0x7f8d0683f7e4 in mozilla::dom::AudioContext::CreateMediaElementSource(mozilla::dom::HTMLMediaElement&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/media/webaudio/AudioContext.cpp:371:10
    #4 0x7f8d04669db1 in mozilla::dom::AudioContextBinding::createMediaElementSource(JSContext*, JS::Handle<JSObject*>, mozilla::dom::AudioContext*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/AudioContextBinding.cpp:149:79
Assignee: nobody → padenot
Rank: 15
Priority: -- → P1
Depends on: 1371719
Comment on attachment 8890854 [details]
Bug 1384247 - Check if an HTMLMediaElement can be capture before doing it.

https://reviewboard.mozilla.org/r/162078/#review167348

::: dom/media/test/crashtests/1384248.html:11
(Diff revision 1)
> +      try { o3 = new AudioContext('alarm') } catch(e) { }
> +      try { o3.createMediaElementSource(o1) } catch(e) { }
> +    </script>
> +  </head>
> +</html>
> +

nit: please remove trailing whitespace
Attachment #8890854 - Flags: review?(dminor) → review+
Comment on attachment 8890854 [details]
Bug 1384247 - Check if an HTMLMediaElement can be capture before doing it.

https://reviewboard.mozilla.org/r/162078/#review167364
Attachment #8890854 - Flags: review+
Attached file updated_trigger.html
hg error in cmd: hg pull gecko -r 295f5e27e4fc983cbef1e40d65775abbb99012a6: pulling from https://reviewboard-hg.mozilla.org/gecko
abort: HTTP Error 500: Internal Server Error
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/bda427f9dbeb
Check if an HTMLMediaElement can be capture before doing it. r=dminor
Component: Audio/Video → Audio/Video: Playback
As it turns out, in a method called "CaptureAudio", passing true for the parameter called "aCaptureAudio" is necessary.
Flags: needinfo?(padenot)
Pushed by paul@paul.cx:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b5d83e1d3a96
Check if an HTMLMediaElement can be capture before doing it. r=dminor
(In reply to Paul Adenot (:padenot) from comment #9)
> As it turns out, in a method called "CaptureAudio", passing true for the
> parameter called "aCaptureAudio" is necessary.

D'oh, I looked at the definition of CanBeCaptured, thought the code would be easier to read if it didn't take a bool, and still didn't notice the parameter passed was false.
https://hg.mozilla.org/mozilla-central/rev/b5d83e1d3a96
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Blocks: 1371719
No longer depends on: 1371719
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.