alloc: ./obj-ff64-asan-opt/dom/bindings/AudioContextBinding.cpp:319 static bool createBufferSource(JSContext* cx, JSHandleObject obj, mozilla::dom::AudioContext* self, unsigned argc, JS::Value* vp) { nsRefPtr<mozilla::dom::AudioBufferSourceNode > result; * result = self->CreateBufferSource(); free: content/media/webaudio/AudioNode.cpp:37 NS_IMETHODIMP_(nsrefcnt) AudioNode::Release() { if (mRefCnt.get() == 1) { // We are about to be deleted, disconnect the object from the graph before // the derived type is destroyed. DisconnectFromGraph(); } * nsrefcnt r = nsDOMEventTargetHelper::Release(); re-use: content/media/webaudio/AudioBufferSourceNode.cpp:518 void AudioBufferSourceNode::Stop(double aWhen, ErrorResult& aRv) { * if (!mStartCalled) { Tested with m-i changeset: 129815:0f87eee6f792

I landed 3-4 patches today which should help with this, and there's also my patch in bug 865532 which has not landed yet (but that probably won't help with this.) Do you mind testing this on the tip of inbound, please?

I did :-)

Sigh! OK, can you please tell me what exact revision you're using so that I can be sure I'm looking at the right lines of source files?

I wrote in my initial post: 0f87eee6f792 http://hg.mozilla.org/integration/mozilla-inbound/rev/0f87eee6f792

What's happening here is that the UnlinkImpl method for AudioBufferSourceNode first calls the UnlinkImpl method for the base class, which clobbers mContext, and therefore the UnregisterAudioBufferSourceNode function never gets called, leaving the AudioContext with dangling pointers to AudioBufferSourceNode's. This is a footgun in general, filed bug 865847 for the broader issue.

Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.

Pushed by eakhgari@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d0527839b83f Add a crashtest based on the test case for the bug