Closed
Bug 1399760
Opened 7 years ago
Closed 7 years ago
MediaCacheStream::NotifyDataReceived() might write data to the wrong position when it runs off the main thread
Categories
(Core :: Audio/Video: Playback, defect, P3)
Core
Audio/Video: Playback
Tracking
()
RESOLVED
FIXED
mozilla57
| Tracking | Status | |
|---|---|---|
| firefox57 | --- | fixed |
People
(Reporter: jwwang, Assigned: jwwang)
References
Details
Attachments
(3 files, 4 obsolete files)
http://searchfox.org/mozilla-central/rev/6326724982c66aaeaf70bb7c7ee170f7a38ca226/dom/media/MediaCache.cpp#1385,1437 mChannelOffset is updated to a new position before calling CacheClientSeek() at #1437. Since CacheClientSeek() is called outside the lock, it is possible for NotifyDataReceived() to run at the same time and write data to mChannelOffset which is a wrong position for the old channel data.
|
Assignee | |
Updated•7 years ago
|
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8908535 -
Flags: review?(cpearce)
Attachment #8908536 -
Flags: review?(cpearce)
Attachment #8908537 -
Flags: review?(cpearce)
Attachment #8908538 -
Flags: review?(cpearce)
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8908535 -
Flags: review?(cpearce)
Attachment #8908536 -
Flags: review?(cpearce)
Attachment #8908537 -
Flags: review?(cpearce)
Attachment #8908538 -
Flags: review?(cpearce)
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8908538 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8908535 -
Flags: review?(gsquelart)
Attachment #8908536 -
Flags: review?(gsquelart)
Attachment #8908537 -
Flags: review?(gsquelart)
|
||
Comment 8•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8908535 [details] Bug 1399760. P1 - remove the CopySegmentToCache() member function. https://reviewboard.mozilla.org/r/180198/#review186326
Attachment #8908535 -
Flags: review?(gsquelart) → review+
|
|
||
Comment 9•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8908536 [details] Bug 1399760. P2 - ensure mCacheStream.NotifyDataStarted() is always called in OnStartRequest(). https://reviewboard.mozilla.org/r/180200/#review186330
Attachment #8908536 -
Flags: review?(gsquelart) → review+
|
|
||
Comment 10•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8908537 [details] Bug 1399760. P3 - keep ID of the loading channel so we check whether the data callback is from an old channel. https://reviewboard.mozilla.org/r/180202/#review186378 ::: dom/media/MediaResource.cpp:485 (Diff revision 2) > - nsresult rv = aStream->ReadSegments(CopySegmentToCache, this, count, &read); > + nsresult rv = aStream->ReadSegments( > + (nsWriteSegmentFun)CopySegmentToCache, &closure, count, &read); You've added a C-style cast in front of CopySegmentToCache -- Is it necessary? And would it be possible to use a C++ cast instead?
Attachment #8908537 -
Flags: review?(gsquelart) → review+
|
|
Assignee | |
Comment 11•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8908537 [details] Bug 1399760. P3 - keep ID of the loading channel so we check whether the data callback is from an old channel. https://reviewboard.mozilla.org/r/180202/#review186880 ::: dom/media/MediaResource.cpp:485 (Diff revision 2) > - nsresult rv = aStream->ReadSegments(CopySegmentToCache, this, count, &read); > + nsresult rv = aStream->ReadSegments( > + (nsWriteSegmentFun)CopySegmentToCache, &closure, count, &read); The signature of nsWriteSegmentFun is nsresult(*)(nsIInputStream*, void*, const char*, uint32_t, uint32_t, uint32_t*) while CopySegmentToCache has the signature of nsresult(*)(nsIInputStream*, Closure*, const char*, uint32_t, uint32_t, uint32_t*). Explicit casting is needed to pass CopySegmentToCache to aStream->ReadSegments(). However, https://stackoverflow.com/questions/559581/casting-a-function-pointer-to-another-type says such casting is undefined for void* is not compatible with Closure*. I think I should change the signature of CopySegmentToCache to be the same as nsWriteSegmentFun.
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 13•7 years ago
|
||
Thanks for the review!
|
||
Comment 14•7 years ago
|
||
We're sorry, Autoland could not rebase your commits for you automatically. Please manually rebase your commits and try again. hg error in cmd: hg rebase -s 1b4a443bc32d -d 6b2618acffea: rebasing 421462:1b4a443bc32d "Bug 1399760. P1 - remove the CopySegmentToCache() member function. r=gerald" merging dom/media/MediaResource.cpp merging dom/media/MediaResource.h warning: conflicts while merging dom/media/MediaResource.cpp! (edit, then use 'hg resolve --mark') warning: conflicts while merging dom/media/MediaResource.h! (edit, then use 'hg resolve --mark') unresolved conflicts (see hg resolve, then hg rebase --continue)
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8908535 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8908536 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8908537 -
Attachment is obsolete: true
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 21•7 years ago
|
||
It looks like the review history is lost after rebase. Hi Gerald, Would you mind r+ing the patches again? Thanks!
|
|
Assignee | |
Updated•7 years ago
|
Attachment #8910112 -
Flags: review?(gsquelart)
Attachment #8910113 -
Flags: review?(gsquelart)
Attachment #8910114 -
Flags: review?(gsquelart)
|
|
||
Comment 22•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8910112 [details] Bug 1399760. P1 - remove the CopySegmentToCache() member function. https://reviewboard.mozilla.org/r/181594/#review186918
Attachment #8910112 -
Flags: review?(gsquelart) → review+
|
|
||
Comment 23•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8910113 [details] Bug 1399760. P2 - ensure mCacheStream.NotifyDataStarted() is always called in OnStartRequest(). https://reviewboard.mozilla.org/r/181596/#review186920
Attachment #8910113 -
Flags: review?(gsquelart) → review+
|
|
||
Comment 24•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8910114 [details] Bug 1399760. P3 - keep ID of the loading channel so we check whether the data callback is from an old channel. https://reviewboard.mozilla.org/r/181598/#review186922
Attachment #8910114 -
Flags: review?(gsquelart) → review+
|
||
Comment 25•7 years ago
|
||
Pushed by jwwang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/083932453cfc P1 - remove the CopySegmentToCache() member function. r=gerald https://hg.mozilla.org/integration/autoland/rev/723726a9d8c3 P2 - ensure mCacheStream.NotifyDataStarted() is always called in OnStartRequest(). r=gerald https://hg.mozilla.org/integration/autoland/rev/58c5b9d3eab3 P3 - keep ID of the loading channel so we check whether the data callback is from an old channel. r=gerald
|
||
Comment 27•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/083932453cfc https://hg.mozilla.org/mozilla-central/rev/723726a9d8c3 https://hg.mozilla.org/mozilla-central/rev/58c5b9d3eab3
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
You need to log in
before you can comment on or make changes to this bug.
Description
•