Closed
Bug 867203
Opened 12 years ago
Closed 12 years ago
WebAudio use-after-free [@mozilla::dom::AudioNode::SendDoubleParameterToStream]
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | disabled |
| firefox22 | --- | disabled |
| firefox23 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: ehsan.akhgari)
References
Details
(4 keywords, Whiteboard: [adv-main23-])
Attachments
(4 files)
|
64.92 KB,
text/html
|
Details | |
|
8.99 KB,
text/plain
|
Details | |
|
4.46 KB,
patch
|
padenot
:
review+
|
Details | Diff | Splinter Review |
|
4.12 KB,
patch
|
ehsan.akhgari
:
review+
|
Details | Diff | Splinter Review |
alloc: ./obj-ff64-asan-opt/dom/bindings/AudioContextBinding.cpp:320
static bool
createBufferSource(JSContext* cx, JSHandleObject obj, mozilla::dom::AudioContext* self, unsigned argc, JS::Value* vp)
{
nsRefPtr<mozilla::dom::AudioBufferSourceNode > result;
result = self->CreateBufferSource();
free: ./content/media/webaudio/AudioNode.cpp:36
AudioNode::Release()
{
if (mRefCnt.get() == 1) {
// We are about to be deleted, disconnect the object from the graph before
// the derived type is destroyed.
DisconnectFromGraph();
}
* nsrefcnt r = nsDOMEventTargetHelper::Release();
re-use: ./content/media/webaudio/AudioNode.cpp:159
void
AudioNode::SendDoubleParameterToStream(uint32_t aIndex, double aValue)
{
* AudioNodeStream* ns = static_cast<AudioNodeStream*>(mStream.get());
The attached testcase is not reliable, sometime we get the following after some reloads:
Assertion failure: op == PL_DHASH_LOOKUP || (*(uint32_t*)(table->entryStore + ((uint32_t)1 << (32 - (table)->hashShift)) * table->entrySize)) == 0, at /Users/cdiehl/dev/repos/mozilla/mozilla-inbound/obj-ff64-asan-opt/xpcom/build/pldhash.cpp:573
Tested with m-i changeset: 130337:5447d49a2c6f
|
Reporter | |
Comment 1•12 years ago
|
||
|
|
Reporter | |
Comment 2•12 years ago
|
||
|
Assignee | |
Comment 3•12 years ago
|
||
If I'm reading the code write, we never delete a buffer source node from mSources, which is, pretty broken!
|
|
Assignee | |
Comment 4•12 years ago
|
||
|
|
Assignee | |
Comment 5•12 years ago
|
||
Comment on attachment 743925 [details] [diff] [review]
Patch (v1)
I'd like to land this soonish...
Attachment #743925 -
Flags: review?(roc)
Comment on attachment 743925 [details] [diff] [review]
Patch (v1)
Review of attachment 743925 [details] [diff] [review]:
-----------------------------------------------------------------
I'd like to see some documentation for mPannerNode!
|
|
Assignee | |
Comment 7•12 years ago
|
||
(In reply to Robert O'Callahan (:roc) (Mozilla Corporation) from comment #6)
> Comment on attachment 743925 [details] [diff] [review]
> Patch (v1)
>
> Review of attachment 743925 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> I'd like to see some documentation for mPannerNode!
In addition to what we have in AudioContext.h?
|
||
Comment 8•12 years ago
|
||
In lieu of providing explanation on why we have an |mPannerNode| member, here is
a patch that removes it, because it is actually useless. Not sure why I even
added it in the first place.
Attachment #744634 -
Flags: review?(ehsan)
|
|
||
Updated•12 years ago
|
Assignee: ehsan → paul
|
|
||
Updated•12 years ago
|
Attachment #743925 -
Flags: review?(paul) → review+
|
|
||
Updated•12 years ago
|
Assignee: paul → ehsan
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox21:
--- → disabled
status-firefox22:
--- → disabled
status-firefox23:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-firefox23:
--- → ?
Keywords: regression
|
|
Assignee | |
Comment 9•12 years ago
|
||
Comment on attachment 744634 [details] [diff] [review]
Remove useless mPannerNode member in AudioBufferSourceNode. r=
Review of attachment 744634 [details] [diff] [review]:
-----------------------------------------------------------------
Ah, mPannerNode, not mPannerNodes!
Attachment #744634 -
Flags: review?(ehsan) → review+
|
|
Assignee | |
Comment 10•12 years ago
|
||
|
||
Comment 11•12 years ago
|
||
This and a bunch of others have been backed out for causing permaorange Android mochitest-2, which resulted in the closure of multiple trees, since it had been merged all over the place :-( Had to back out more than the likely cause (bug 867174) due to conflicts & incorrect disabling of Android tests.
Backout:
https://hg.mozilla.org/integration/mozilla-inbound/rev/698f6059ef47
https://hg.mozilla.org/integration/mozilla-inbound/rev/396f66db6b55
|
|
Assignee | |
Comment 12•12 years ago
|
||
|
|
Assignee | |
Comment 13•12 years ago
|
||
|
||
Comment 14•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
|
|
Assignee | |
Comment 15•11 years ago
|
||
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
|
||
Updated•11 years ago
|
Whiteboard: [adv-main23-]
|
||
Updated•10 years ago
|
Group: core-security
Attachment #743925 -
Flags: review?(roc)
You need to log in
before you can comment on or make changes to this bug.
Description
•