Tested on:
OS: Ubuntu 12.04
Firefox:
ASAN dbg-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1369232390/
ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1369217427/

ASAN-report:(opt-build)
==3461== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f63fc68da08 at pc 0x7f64274fc436 bp 0x7f63fc4a13f0 sp 0x7f63fc4a13e8
READ of size 8 at 0x7f63fc68da08 thread T22
    #0 0x7f64274fc435 in nsRefPtr<mozilla::ThreadSharedObject>::get() const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/../../dist/include/nsAutoPtr.h:1009
    #1 0x7f64274fcfe5 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/AudioNodeStream.cpp:407
    #2 0x7f642756ac83 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:937
    #3 0x7f642757ce05 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/content/media/MediaStreamGraph.cpp:1163
    #4 0x7f6429c0e212 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
    #5 0x7f6429cd619c in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/xpcom/threads/nsThread.cpp:265
. . .

ASAN-report:(debug-build)
Assertion failure: i < Length() (invalid array index), at ../../dist/include/nsTArray.h:725
ASAN:SIGSEGV
=================================================================
==3301== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02f14583bd sp 0x7f02c63f2ef0 bp 0x7f02c63f2f10 T24)
AddressSanitizer can not provide additional info.
    #0 0x7f02f14583bc in nsTArray_Impl<mozilla::AudioChunk, nsTArrayInfallibleAllocator>::ElementAt(unsigned int) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../dist/include/nsTArray.h:725
    #1 0x7f02f1454ea1 in mozilla::AudioNodeStream::ObtainInputBlock(mozilla::AudioChunk&, unsigned int) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:279
    #2 0x7f02f14560b6 in mozilla::AudioNodeStream::ProduceOutput(long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/AudioNodeStream.cpp:407
    #3 0x7f02f14bcc52 in mozilla::MediaStreamGraphImpl::ProduceDataForStreamsBlockByBlock(unsigned int, long, long) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:937
    #4 0x7f02f14bd5b2 in mozilla::MediaStreamGraphImpl::RunThread() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1017
    #5 0x7f02f14cbdd8 in mozilla::(anonymous namespace)::MediaStreamGraphThreadRunnable::Run() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1163
. . .
Attachment #752819 - Attachment mime type: text/plain → text/html
Assignee: nobody → ehsan
Status: NEW → ASSIGNED
Attachment #752950 - Flags: review?(roc)
Comment on attachment 752950 Patch (v1)
Review of attachment 752950:
-----------------------------------------------------------------
::: content/media/test/crashtests/874952.html @@ +1,1 @@ > +874952.html \ No newline at end of file
Er, what???
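Review bot: the only line added to content/media/test/crashtests/874952.html is the file's own name, "874952.html", with no newline at end of file, so the crashtest contains no markup or script and cannot exercise the reported crash. Replace it with the actual test page and end the file with a newline.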
Sorry, copy/paste fail.
Triaging with Ehsan. Affects 23+
I think the needinfo for me concerned whether it repros on 21/22, which David has marked unaffected. If there is still something for me to do, just let me know.
Attachment #753312 - Flags: review?(roc) → review+
We need to know how/if this affects 22 and 23. I assume 21 is unaffected. The flags say that 23 *is* affected. In general, security bugs should get approval when they affect anything other than trunk before they go in. https://wiki.mozilla.org/Security/Bug_Approval_Process
(In reply to Al Billings [:abillings] from comment #9)
> In general, security bugs should get approval when they affect anything
> other than trunk before they go in.
>
> https://wiki.mozilla.org/Security/Bug_Approval_Process

I thought that only applies to bugs which affect Release?
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #10)
> > > https://wiki.mozilla.org/Security/Bug_Approval_Process
> > I thought that only applies to bugs which affect Release?

No, only if the bug *only* affects trunk (quoting the above doc): 'This means that the developer can mark the status flags for ESR, Beta, and Aurora as "unaffected." It also means that we haven't shipped anywhere public in an official release yet.'

The exception is if the bug is sec-low, sec-moderate, sec-other, or sec-want rating. All sec-high or sec-critical bugs otherwise need approval if they aren't trunk only.
I *believe* it is disabled in 22 and currently enabled in 23 but scheduled to be disabled in 23 as well.
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
(In reply to Al Billings [:abillings] from comment #13)
> I *believe* it is disabled in 22 and currently enabled in 23 but scheduled
> to be disabled in 23 as well.

That is correct.
Confirmed crash in FF24 ASan build from 2013-05-22. Verified no crash in FF24 ASan build from 2013-09-16.