Crash in [@ soundtouch::TDStretch::seekBestOverlapPositionFull]
Categories
(Core :: Audio/Video: Playback, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox109 | --- | unaffected |
| firefox110 | + | fixed |
| firefox111 | + | fixed |
People
(Reporter: cpeterson, Assigned: padenot)
References
(Regression)
Details
(5 keywords, Whiteboard: [adv-main110.0.1+])
Crash Data
Attachments
(1 file)
|
213 bytes,
text/plain
|
Details |
Crash report: https://crash-stats.mozilla.org/report/index/6aea554a-9766-4292-ba38-07b6d0230208
This Android crash looks like a regression in Nightly 110.
I tentatively marked this as a sec bug because all the crash addresses are variations of jemalloc's UAF poison like 0xe5e5e5e5e5e5e5f5.
Reason: SIGSEGV / SEGV_MAPERR
Top 10 frames of crashing thread:
0 liblgpllibs.so soundtouch::TDStretch::seekBestOverlapPositionFull media/libsoundtouch/src/TDStretch.cpp:350
1 liblgpllibs.so soundtouch::TDStretch::processSamples media/libsoundtouch/src/TDStretch.cpp:661
2 liblgpllibs.so soundtouch::SoundTouch::putSamples media/libsoundtouch/src/SoundTouch.cpp
3 libxul.so mozilla::AudioStream::GetTimeStretched dom/media/AudioStream.cpp:546
3 libxul.so mozilla::AudioStream::DataCallback dom/media/AudioStream.cpp:623
3 libxul.so mozilla::AudioStream::DataCallback_S dom/media/AudioStream.h:319
4 libxul.so passthrough_resampler<short>::fill media/libcubeb/src/cubeb_resampler.cpp:111
5 libxul.so aaudio_output_data_cb media/libcubeb/src/cubeb_aaudio.cpp:719
6 libaaudio_internal.so libaaudio_internal.so@0x22364
7 libaaudio_internal.so libaaudio_internal.so@0x2432c
|
Reporter | |
Comment 1•2 years ago
|
||
I found some other soundtouch crash signatures that have different stack traces, but they too look like UAF regressions starting in 110. Maybe they are all related?
[@ soundtouch::SoundTouch::setTempo]
[@ soundtouch::FIRFilter::evaluateFilterStereo]
[@ soundtouch::FIFOSampleBuffer::ensureCapacity]
|
||
Updated•2 years ago
|
|
|
||
Comment 2•2 years ago
|
||
[Tracking Requested - why for this release]: use-after free regression on Android
|
||
Updated•2 years ago
|
|
||
Comment 3•2 years ago
|
||
The bug is linked to a topcrash signature, which matches the following criterion:
- Top 10 AArch64 and ARM crashes on release
:jimm, could you consider increasing the severity of this top-crash bug?
For more information, please visit auto_nag documentation.
|
|
||
Comment 4•2 years ago
|
||
The bug is marked as tracked for firefox110 (release) and tracked for firefox111 (beta). We have limited time to fix this, the soft freeze is in 14 days. However, the bug still isn't assigned.
:jimm, could you please find an assignee for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.
For more information, please visit auto_nag documentation.
|
|
||
Comment 5•2 years ago
|
||
Paul, any ideas? It looked like you touched this TDStretch file last. Thanks.
|
Assignee | |
Comment 6•2 years ago
|
||
https://bugzilla.mozilla.org/show_bug.cgi?id=1812120#c12 wasn't handled, it seems like.
|
||
Comment 7•2 years ago
|
||
(In reply to Paul Adenot (:padenot) from comment #6)
https://bugzilla.mozilla.org/show_bug.cgi?id=1812120#c12 wasn't handled, it seems like.
My comment mentioned it was too late for 110 and that I would evaluate for the planned dot release.
|
|
||
Comment 8•2 years ago
|
||
I guess that explains why it hasn't shown up on 111 beta.
|
|
||
Updated•2 years ago
|
|
|
||
Comment 9•2 years ago
|
||
:cpeterson, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
|
|
||
Updated•2 years ago
|
|
|
Reporter | |
Updated•2 years ago
|
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Comment 10•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Updated•1 year ago
|
Description
•