Changing the src attribute of an <audio> element can pause JavaScript execution in a strange way. This can lead to all kinds of bad assertions and crashes. I suspect that it's wrong to spin an event loop under nsHTMLMediaElement::SetAttr. * Closing the window with the testcase can trigger nonsensical JavaScript errors such as "i is not defined", and can cause the music to restart. * Reloading the testcase a few times can crash Firefox. * More complicated testcases can cause scarier crashes.

Eep, yes, you have to be really really careful about where you spin the event loop. You basically never want to do it.

Firefox was showing "FAIL" while I took this sample.

I think this needs to be fixed well before 1.9.1. * It will interfere with sites that use <audio> in interesting ways, which is bad on its own but also means the security hole is likely to be discovered. * It interferes with me being able to test <audio> for other bugs.

Related to bug 449481?

Also bug 456648. The event loop spinning issues are being worked on in bug 449159 since they same issue was happening during destruction via the cycle collector (spinning the event loop).

Ok, tried the testcase using the latest iteration of the fix for bug 449159 and it shows PASS?, audio plays fine, no assertions, and refreshing the page multiple times works fine.

This seems to have been fixed by bug 449159.

Verified with builds on OS X and Windows (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090204 Shiretoko/3.1b3pre ID:20090204020327) Can we get the crashtest into the test suite?

Can this bug be opened up now?

Yes, making this bug public. I'll add a crashtest soon.

Crashtest: http://hg.mozilla.org/mozilla-central/rev/7dcc98765d59