Shutting down the AudioContext can result in the hashtables to be manipulated recursively

RESOLVED FIXED in mozilla23

Status

()

Core
Web Audio
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: Away for a while, Assigned: Away for a while)

Tracking

Trunk
mozilla23
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
Assertion failure: op == PL_DHASH_LOOKUP || (*(uint32_t*)(table->entryStore + ((uint32_t)1 << (32 - (table)->hashShift)) * table->entrySize)) == 0, at /Users/ehsanakhgari/moz/mozilla-central/obj-ff-dbg/xpcom/build/pldhash.cpp:573

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
PL_DHashTableOperate (table=0x1172fc0c8, key=0x1172bfb30, op=PL_DHASH_REMOVE) at pldhash.cpp:573
573	    MOZ_ASSERT(op == PL_DHASH_LOOKUP || RECURSION_LEVEL(table) == 0);
(gdb) bt
#0  PL_DHashTableOperate (table=0x1172fc0c8, key=0x1172bfb30, op=PL_DHASH_REMOVE) at pldhash.cpp:573
#1  0x000000010264545d in nsTHashtable<nsPtrHashKey<mozilla::dom::ScriptProcessorNode> >::RemoveEntry (this=0x1172fc0c8, aKey=0x1172bfb30) at nsTHashtable.h:196
#2  0x0000000102643dff in mozilla::dom::AudioContext::UnregisterScriptProcessorNode (this=0x1172fc000, aNode=0x1172bfb30) at /Users/ehsanakhgari/moz/mozilla-central/content/media/webaudio/AudioContext.cpp:258
#3  0x000000010265e9b1 in mozilla::dom::ScriptProcessorNode::~ScriptProcessorNode (this=0x1172bfb30) at /Users/ehsanakhgari/moz/mozilla-central/content/media/webaudio/ScriptProcessorNode.cpp:385
#4  0x000000010265e945 in mozilla::dom::ScriptProcessorNode::~ScriptProcessorNode (this=0x1172bfb30) at /Users/ehsanakhgari/moz/mozilla-central/content/media/webaudio/ScriptProcessorNode.cpp:383
#5  0x000000010265e919 in mozilla::dom::ScriptProcessorNode::~ScriptProcessorNode (this=0x1172bfb30) at /Users/ehsanakhgari/moz/mozilla-central/content/media/webaudio/ScriptProcessorNode.cpp:383
#6  0x000000010235fdff in nsDOMEventTargetHelper::Release (this=0x1172bfb30) at /Users/ehsanakhgari/moz/mozilla-central/content/events/src/nsDOMEventTargetHelper.cpp:73
#7  0x0000000102649ef5 in mozilla::dom::AudioNode::Release (this=0x1172bfb30) at /Users/ehsanakhgari/moz/mozilla-central/content/media/webaudio/AudioNode.cpp:36
#8  0x000000010265e60f in mozilla::dom::ScriptProcessorNode::Release (this=0x1172bfb30) at /Users/ehsanakhgari/moz/mozilla-central/content/media/webaudio/ScriptProcessorNode.cpp:35
#9  0x0000000102648525 in mozilla::dom::SelfReference<mozilla::dom::ScriptProcessorNode>::Drop (this=0x1172bfbb8, t=0x1172bfb30) at AudioNode.h:51
#10 0x00000001026484e9 in mozilla::dom::ScriptProcessorNode::Stop (this=0x1172bfb30) at ScriptProcessorNode.h:81
#11 0x00000001026440b1 in mozilla::dom::StopScriptProcessorNode (aEntry=0x124bf3950, aData=0x0) at /Users/ehsanakhgari/moz/mozilla-central/content/media/webaudio/AudioContext.cpp:311
#12 0x0000000102645677 in nsTHashtable<nsPtrHashKey<mozilla::dom::ScriptProcessorNode> >::s_EnumStub (table=0x1172fc0c8, entry=0x124bf3950, number=0, arg=0x7fff5fbfa668) at nsTHashtable.h:484
#13 0x00000001040cb85a in PL_DHashTableEnumerate (table=0x1172fc0c8, etor=0x102645640 <nsTHashtable<nsPtrHashKey<mozilla::dom::ScriptProcessorNode> >::s_EnumStub(PLDHashTable*, PLDHashEntryHdr*, unsigned int, void*)>, arg=0x7fff5fbfa668) at pldhash.cpp:714
#14 0x000000010264560e in nsTHashtable<nsPtrHashKey<mozilla::dom::ScriptProcessorNode> >::EnumerateEntries (this=0x1172fc0c8, enumFunc=0x102644090 <mozilla::dom::StopScriptProcessorNode(nsPtrHashKey<mozilla::dom::ScriptProcessorNode>*, void*)>, userArg=0x0) at nsTHashtable.h:237
#15 0x0000000102643fee in mozilla::dom::AudioContext::Shutdown (this=0x1172fc000) at /Users/ehsanakhgari/moz/mozilla-central/content/media/webaudio/AudioContext.cpp:326
#16 0x00000001027ff44a in nsGlobalWindow::FreeInnerObjects (this=0x123f90c00) at /Users/ehsanakhgari/moz/mozilla-central/dom/base/nsGlobalWindow.cpp:1491
#17 0x0000000102803f7a in nsGlobalWindow::SetNewDocument (this=0x11e9ccc00, aDocument=0x1154e8800, aState=0x0, aForceReuseInnerWindow=false) at /Users/ehsanakhgari/moz/mozilla-central/dom/base/nsGlobalWindow.cpp:2334
#18 0x00000001028064e6 in non-virtual thunk to nsGlobalWindow::SetNewDocument(nsIDocument*, nsISupports*, bool) (this=0x11e9ccc18, aDocument=0x1154e8800, aState=0x0, aForceReuseInnerWindow=false) at /Users/ehsanakhgari/moz/mozilla-central/dom/base/nsGlobalWindow.cpp:2523
#19 0x0000000101beb5d6 in nsDocumentViewer::InitInternal (this=0x10052e1d0, aParentWidget=0x0, aState=0x0, aBounds=@0x7fff5fbfb228, aDoCreation=true, aNeedMakeCX=true, aForceSetNewDocument=true) at /Users/ehsanakhgari/moz/mozilla-central/layout/base/nsDocumentViewer.cpp:938
#20 0x0000000101beab24 in nsDocumentViewer::Init (this=0x10052e1d0, aParentWidget=0x0, aBounds=@0x7fff5fbfb228) at /Users/ehsanakhgari/moz/mozilla-central/layout/base/nsDocumentViewer.cpp:683
#21 0x000000010312e254 in nsDocShell::SetupNewViewer (this=0x11e9cc400, aNewViewer=0x10052e1d0) at /Users/ehsanakhgari/moz/mozilla-central/docshell/base/nsDocShell.cpp:8185
#22 0x0000000103122279 in nsDocShell::Embed (this=0x11e9cc400, aContentViewer=0x10052e1d0, aCommand=0x1059a67be "", aExtraInfo=0x0) at /Users/ehsanakhgari/moz/mozilla-central/docshell/base/nsDocShell.cpp:6224
#23 0x000000010312b93e in nsDocShell::CreateContentViewer (this=0x11e9cc400, aContentType=0x11033d708 "text/html", request=0x111966858, aContentHandler=0x10fff1df0) at /Users/ehsanakhgari/moz/mozilla-central/docshell/base/nsDocShell.cpp:7972
(Assignee)

Comment 1

5 years ago
Created attachment 743812 [details] [diff] [review]
Patch (v1)
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #743812 - Flags: review?(roc)
Attachment #743812 - Flags: review?(roc) → review+
(Assignee)

Comment 2

5 years ago
Landed with the wrong bug number: https://hg.mozilla.org/integration/mozilla-inbound/rev/cace8e8e8556

so, backed out <https://hg.mozilla.org/integration/mozilla-inbound/rev/0ad4e00d7945> and relanded with the correct bug number: <https://hg.mozilla.org/integration/mozilla-inbound/rev/c00516696e8c>.  Sorry for screwing this up!
FYI, to make your life easier if this happens again, you can just backout and re-land with DONTBUILD so you don't to worry about canceling all the pending builds.
https://hg.mozilla.org/mozilla-central/rev/c00516696e8c
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
(Assignee)

Comment 5

4 years ago
Mass moving Web Audio bugs to the Web Audio component.  Filter on duckityduck.
Component: Video/Audio → Web Audio
You need to log in before you can comment on or make changes to this bug.