Closed
Bug 920987
Opened 11 years ago
Closed 11 years ago
WebAudio crash [@void mozilla::PodCopy<float>]
Categories
(Core :: Web Audio, defect)
VERIFIED
FIXED
mozilla27
| | Tracking | Status |
|---|---|---|
| firefox26 | --- | unaffected |
| firefox27 | + | verified |
| firefox-esr17 | --- | unaffected |
| firefox-esr24 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: posidron, Assigned: karlt)
References
Details
(Keywords: crash, sec-critical, testcase)
Attachments
(3 files)
Most likely introduced through: https://bugzilla.mozilla.org/show_bug.cgi?id=915524

mfbt/PodOperations.h:101

```
PodCopy(T* dst, const T* src, size_t nelem)
{
  MOZ_ASSERT(dst != src);
  MOZ_ASSERT_IF(src < dst, PointerRangeSize(src, static_cast<const T*>(dst)) >= nelem);
  MOZ_ASSERT_IF(dst < src, PointerRangeSize(static_cast<const T*>(dst), src) >= nelem);

  if (nelem < 128) {
    /*
     * Avoid using operator= in this loop, as it may have been
     * intentionally deleted by the POD type.
     */
    for (const T* srcend = src + nelem; src < srcend; src++, dst++)
      PodAssign(dst, src);
  } else {
*   memcpy(dst, src, nelem * sizeof(T));
  }
[...]
```

Tested with https://hg.mozilla.org/integration/mozilla-inbound/rev/e56e8fbacb7c
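The range checks in the excerpt above are `MOZ_ASSERT`s, which are compiled out of non-debug builds, so in a release build nothing in `PodCopy` itself bounds the `memcpy`. The following is an added example, not Mozilla's code and not the fix that landed for this bug: a hypothetical `CheckedPodCopy` that enforces the same non-overlap condition at runtime and adds a destination-capacity check (`CopyResult` and `dstCapacity` are assumptions made for illustration).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Hypothetical result type and helper, for illustration only (not mfbt API).
enum class CopyResult { Ok, NullPointer, TooLarge, Overlap };

template <typename T>
CopyResult CheckedPodCopy(T* dst, size_t dstCapacity, const T* src, size_t nelem) {
  if (nelem == 0) {
    return CopyResult::Ok;  // nothing to copy, pointers are never touched
  }
  if (!dst || !src) {
    return CopyResult::NullPointer;
  }
  // The count must fit the destination, and nelem * sizeof(T) must not wrap.
  if (nelem > dstCapacity || nelem > SIZE_MAX / sizeof(T)) {
    return CopyResult::TooLarge;
  }
  const size_t bytes = nelem * sizeof(T);
  // Same condition the excerpt asserts (dst != src, ranges at least nelem
  // elements apart), but checked in every build type. Integer comparison
  // avoids relational operators on unrelated pointers.
  const uintptr_t d = reinterpret_cast<uintptr_t>(dst);
  const uintptr_t s = reinterpret_cast<uintptr_t>(src);
  const uintptr_t gap = d > s ? d - s : s - d;
  if (gap < bytes) {
    return CopyResult::Overlap;
  }
  std::memcpy(dst, src, bytes);
  return CopyResult::Ok;
}

int main() {
  float src[256] = {1.0f};  // constructed sample data
  float dst[128] = {0.0f};
  // 256 elements into a 128-element buffer: refused instead of overrunning.
  CopyResult r = CheckedPodCopy(dst, 128, src, 256);
  std::printf("oversized copy refused: %d\n", r == CopyResult::TooLarge);
  r = CheckedPodCopy(dst, 128, src, 128);
  std::printf("in-bounds copy ok: %d\n", r == CopyResult::Ok);
  return 0;
}
```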
Reporter
Comment 1•11 years ago
Reporter
Comment 2•11 years ago
Setting this to sec-critical because we are crashing in memcpy() - unaware of what kind of data and size we are using.
Keywords: sec-critical
Updated•11 years ago
status-firefox-esr17: --- → unaffected
Comment 3•11 years ago
So, is this caused by bug 915524?
Updated•11 years ago
Flags: needinfo?(mreavy)
Comment 5•11 years ago
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #4)
> Well, the stack says yes!
>
> Maire, who should own this?

I'm not sure yet, but I'll find an owner quickly.
Flags: needinfo?(mreavy)
Updated•11 years ago
Assignee: nobody → karlt
Assignee
Comment 6•11 years ago
Attachment #810958 - Flags: review?(ehsan)
Updated•11 years ago
Attachment #810958 - Flags: review?(ehsan) → review+
Assignee
Comment 7•11 years ago
Landed just the fix. I'll land the reduced testcase in attachment 810958 in a few days.
https://hg.mozilla.org/integration/mozilla-inbound/rev/d976524b8774
Flags: in-testsuite?
Comment 8•11 years ago
fixed in https://hg.mozilla.org/mozilla-central/rev/d976524b8774
Assignee
Comment 9•11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ae5ae74b4a5
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox26:
--- → unaffected
Flags: in-testsuite? → in-testsuite+
OS: Mac OS X → All
Hardware: x86_64 → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Comment 11•11 years ago
Confirmed crash in FF27 2013-09-25. Verified fixed in FF27 2013-10-07.
Status: RESOLVED → VERIFIED
Updated•11 years ago
status-b2g18: --- → unaffected
status-firefox-esr24: --- → unaffected
Updated•9 years ago
Group: core-security