Closed
Bug 867174
Opened 12 years ago
Closed 12 years ago
WebAudio divide-by-zero crash [@mozilla::dom::AudioBufferSourceNodeEngine::UpdateSampleRateIfNeeded]
Categories
(Core :: Web Audio, defect)
Core
Web Audio
Tracking
()
RESOLVED
FIXED
mozilla23
People
(Reporter: posidron, Assigned: ehsan.akhgari)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(4 files, 1 obsolete file)
The stack of this crash looks identical as the one in bug 867089. Though, frame #9 shows a different call. The testcase in bug 867089 is not reproducible anymore.
if (ShouldResample()) {
SpeexResamplerState* resampler = Resampler(mChannels);
Tested with m-i changeset: 130337:5447d49a2c6f
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
||
Comment 2•12 years ago
|
||
On Windows: bp-0c0dcd4d-2d0a-4702-a11d-d6fdc2130430.
Crash Signature: [@ mozalloc_abort(char const*) | NS_DebugBreak | mozilla::dom::AudioBufferSourceNodeEngine::Resampler(unsigned int)]
[@ update_filter ]
OS: Mac OS X → All
Hardware: x86_64 → All
|
|
||
Comment 3•12 years ago
|
||
(In reply to Christoph Diehl [:cdiehl] from comment #0)
> Though, frame #9 shows a different call.
It seems the same call, mozilla::dom::AudioBufferSourceNodeEngine::UpdateSampleRateIfNeeded.
For me, it's a duplicate of bug 867089.
|
|
Reporter | |
Comment 4•12 years ago
|
||
Different line number
|
|
Reporter | |
Comment 5•12 years ago
|
||
The following two frames are different:
#9 0x104cbae87 in mozilla::dom::AudioBufferSourceNodeEngine::UpdateSampleRateIfNeeded AudioBufferSourceNode.cpp:322
#10 0x104cba73c in mozilla::dom::AudioBufferSourceNodeEngine::ProduceAudioBlock AudioBufferSourceNode.cpp:348
|
Assignee | |
Comment 6•12 years ago
|
||
No this is not a dupe.
|
|
Assignee | |
Comment 7•12 years ago
|
||
Here we're failing to set the proper channel count because playbackRate is set to something other than 1 before we have seen the buffer.
|
|
Assignee | |
Comment 8•12 years ago
|
||
Hrm, the protection added in bug 867089 is not enough. I have a better patch.
|
|
Assignee | |
Comment 9•12 years ago
|
||
|
|
Assignee | |
Comment 10•12 years ago
|
||
Attachment #743836 -
Flags: review?(paul)
|
||
Updated•12 years ago
|
Attachment #743835 -
Flags: review?(paul) → review+
|
|
||
Updated•12 years ago
|
Attachment #743836 -
Flags: review?(paul) → review+
|
|
Assignee | |
Comment 11•12 years ago
|
||
|
||
Comment 12•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ad407adf94f2
https://hg.mozilla.org/mozilla-central/rev/9351bfd9d8c5
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
|
|
||
Comment 13•12 years ago
|
||
This and a bunch of others have been backed out for causing permaorange Android mochitest-2, which resulted in the closure of multiple trees, since it had been merged all over the place :-( Had to back out more than the likely cause (bug 867174) due to conflicts & incorrect disabling of Android tests.
Backout:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1bbbd51c40d0
https://hg.mozilla.org/integration/mozilla-inbound/rev/f1c00d9d273c
Example failures:
https://tbpl.mozilla.org/?tree=Mozilla-Inbound&rev=6402e13dc9ba&jobname=android.*mochitest-2
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [leave open]
|
|
Assignee | |
Comment 14•12 years ago
|
||
|
|
Assignee | |
Comment 15•12 years ago
|
||
With only part 1: https://tbpl.mozilla.org/?tree=Try&rev=fd8fb54cbc12
|
|
Assignee | |
Comment 16•12 years ago
|
||
OK, I know what's happening here. On x86 and x86-64, the result of conversion of +INF and -INF to an integer type is different than on ARM, which makes ComputeFinalOutSampleRate() return a different value on these architectures. What we need here is a sane way that can cast floating point values to integer values with predictable results on all architectures.
|
|
Assignee | |
Comment 17•12 years ago
|
||
Comment on attachment 743835 [details] [diff] [review]
Part 1: Deliver the correct channel
https://hg.mozilla.org/integration/mozilla-inbound/rev/ba4cdf4a1b51
Attachment #743835 -
Flags: checkin+
|
|
Assignee | |
Comment 18•12 years ago
|
||
This should fix it.
Mobile: https://tbpl.mozilla.org/?tree=Try&rev=962bab5eadab
Desktop: https://tbpl.mozilla.org/?tree=Try&rev=b8481293f3e3
Attachment #743836 -
Attachment is obsolete: true
Attachment #745332 -
Flags: review?(paul)
|
||
Comment 19•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
Whiteboard: [leave open]
|
|
||
Comment 20•12 years ago
|
||
Comment on attachment 745332 [details] [diff] [review]
Part 2: Protect against invalid sample rates a bit harder
Review of attachment 745332 [details] [diff] [review]:
-----------------------------------------------------------------
r+ with comments addressed.
::: content/media/webaudio/AudioBufferSourceNode.cpp
@@ +301,2 @@
> {
> + if (mPlaybackRate < 0 || mPlaybackRate != mPlaybackRate) {
You meant <=, right? We don't protect against divide-by-zero error, here.
@@ +301,5 @@
> {
> + if (mPlaybackRate < 0 || mPlaybackRate != mPlaybackRate) {
> + mPlaybackRate = 1.0f;
> + }
> + if (mDopplerShift < 0 || mDopplerShift != mDopplerShift) {
Same here.
@@ +325,5 @@
> }
>
> + // Make sure the playback rate and the doppler shift are something
> + // our resampler can work with.
> + if (ComputeFinalOutSampleRate() == 0) {
I remember I thought at some point we should cap the playbackRate to a value, but I can't remember why. This is probably okay.
Attachment #745332 -
Flags: review?(paul) → review+
|
|
Assignee | |
Comment 21•12 years ago
|
||
Yes, I meant <=. Sorry!
|
|
Assignee | |
Comment 22•12 years ago
|
||
|
|
||
Comment 23•12 years ago
|
||
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 24•12 years ago
|
||
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
You need to log in
before you can comment on or make changes to this bug.
Description
•