Closed Bug 866570 Opened 12 years ago Closed 12 years ago

AudioContext expando asserts: "Cycle collection participant didn't traverse to preserved wrapper"

Categories

(Core :: Web Audio, defect)

Product:
Core
Component:
Web Audio
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23
Tracking Flags:
Tracking Status
firefox21 --- unaffected
firefox22 --- unaffected
firefox23 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: jruderman, Assigned: mccr8)

References

Details

(5 keywords, Whiteboard: [adv-main23-])

Attachments

(4 files, 1 obsolete file)

testcase (asserts fatally when loaded)
(deleted), text/html
Details
stack (gdb)
(deleted), text/plain
Details
traverse thy father and thy mother
(deleted), patch
smaug
: review+
Details | Diff | Splinter Review
test, for checkin later
(deleted), patch
smaug
: review+
ehsan.akhgari
: checkin+
Details | Diff | Splinter Review
Assertion failure: callback.mFound (Cycle collection participant didn't traverse to preserved wrapper! This will probably crash.), at content/base/src/nsContentUtils.cpp:6195
Attached file stack (gdb) (deleted) —
Assignee: nobody → continuation
Regression from bug 859600. Need to use the Traverse/Unlink of the parent class.
Blocks: 859600
Group: core-security
Keywords: csec-uaf, sec-critical
Attached patch traverse thy father and thy mother (obsolete) (deleted) — Splinter Review
Man, modifying CCed classes is so treacherous. :(
Comment on attachment 742913 [details] [diff] [review] traverse thy father and thy mother I still need to verify that this compiles and fixes the test case, but I'm pretty confident. I'll put up a test for checkin separately after the patch has been in few a few days.
Attachment #742913 - Flags: review?(ehsan)
Comment on attachment 742913 [details] [diff] [review] traverse thy father and thy mother Pretty sweet, I messed up a one line patch. That's what I get for not compiling it first.
Attachment #742913 - Flags: review?(ehsan)
I confirmed that this fixes the test case.
Attachment #742913 - Attachment is obsolete: true
Attachment #742922 - Flags: review?(ehsan)
Attached patch test, for checkin later (deleted) — Splinter Review
Attachment #742924 - Flags: review?(ehsan)
Comment on attachment 742922 [details] [diff] [review] traverse thy father and thy mother Uh, sorry.
Attachment #742922 - Flags: review?(ehsan) → review+
Attachment #742924 - Flags: review?(ehsan) → review+
Blocks: webaudio
FWIW I think we should land the testcase here, since this bug only affects Nightly.
Yeah, I was just going to wait a week, then land it and open the bug. I'll needinfo myself to remind myself.
Flags: needinfo?(continuation)
(In reply to Andrew McCreight [:mccr8] from comment #12) > Yeah, I was just going to wait a week, then land it and open the bug. I'll > needinfo myself to remind myself. What's the point of waiting for a week? Checking this testcase in won't help anybody attack our users.
(And it gives us much needed test coverage in this area!)
https://hg.mozilla.org/mozilla-central/rev/97ab20a0b6d8
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
(In reply to :Ehsan Akhgari (needinfo? me!) from comment #13) > What's the point of waiting for a week? Checking this testcase in won't > help anybody attack our users. Well, a slight variant of this test case will show up as a UAF in ASAN. On the other hand, this is a fairly simple test case. Feel free to check in the test case if you want.
tracking-firefox23: ? → ---
Flags: needinfo?(continuation)
Flags: in-testsuite? → in-testsuite+
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Whiteboard: [adv-main23-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: