Closed
Bug 459439
Opened 16 years ago
Closed 16 years ago
Changing <audio> src can cause crashes
Categories
(Core :: Audio/Video, defect, P2)
Core
Audio/Video
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b2
People
(Reporter: jruderman, Assigned: cajbir)
References
Details
(4 keywords, Whiteboard: [sg:critical?][fixed by bug 449159])
Attachments
(2 files)
Changing the src attribute of an <audio> element can pause JavaScript execution in a strange way. This can lead to all kinds of bad assertions and crashes. I suspect that it's wrong to spin an event loop under nsHTMLMediaElement::SetAttr. * Closing the window with the testcase can trigger nonsensical JavaScript errors such as "i is not defined", and can cause the music to restart. * Reloading the testcase a few times can crash Firefox. * More complicated testcases can cause scarier crashes.
Flags: blocking1.9.1?
Eep, yes, you have to be really really careful about where you spin the event loop. You basically never want to do it.
|
Reporter | |
Comment 2•16 years ago
|
||
Firefox was showing "FAIL" while I took this sample.
|
|
Reporter | |
Comment 3•16 years ago
|
||
I think this needs to be fixed well before 1.9.1. * It will interfere with sites that use <audio> in interesting ways, which is bad on its own but also means the security hole is likely to be discovered. * It interferes with me being able to test <audio> for other bugs.
|
|
Reporter | |
Updated•16 years ago
|
Whiteboard: [sg:critical?]
Assignee: nobody → chris.double
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P2
|
||
Comment 4•16 years ago
|
||
Related to bug 449481?
|
Assignee | |
Comment 5•16 years ago
|
||
Also bug 456648. The event loop spinning issues are being worked on in bug 449159 since they same issue was happening during destruction via the cycle collector (spinning the event loop).
Depends on: 449159
|
|
Assignee | |
Comment 6•16 years ago
|
||
Ok, tried the testcase using the latest iteration of the fix for bug 449159 and it shows PASS?, audio plays fine, no assertions, and refreshing the page multiple times works fine.
|
|
Reporter | |
Comment 7•16 years ago
|
||
This seems to have been fixed by bug 449159.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Updated•16 years ago
|
Keywords: fixed1.9.1
|
||
Comment 8•16 years ago
|
||
Verified with builds on OS X and Windows (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090204 Shiretoko/3.1b3pre ID:20090204020327) Can we get the crashtest into the test suite?
Status: RESOLVED → VERIFIED
Flags: in-testsuite?
Keywords: fixed1.9.1 → verified1.9.1
OS: Mac OS X → All
Hardware: x86 → All
Whiteboard: [sg:critical?] → [sg:critical?][fixed by bug 449159]
Target Milestone: --- → mozilla1.9.1b2
|
||
Updated•15 years ago
|
Flags: wanted1.9.0.x-
Flags: wanted1.8.1.x-
|
||
Comment 9•15 years ago
|
||
Can this bug be opened up now?
|
|
Reporter | |
Comment 10•15 years ago
|
||
Yes, making this bug public. I'll add a crashtest soon.
Group: core-security
|
|
Reporter | |
Comment 11•15 years ago
|
||
Crashtest: http://hg.mozilla.org/mozilla-central/rev/7dcc98765d59
Flags: in-testsuite? → in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•