Closed
Bug 866737
Opened 12 years ago
Closed 12 years ago
crash in mozilla::dom::PannerNode::FindConnectedSources
Categories
(Core :: Web Audio, defect)
Tracking
()
RESOLVED
FIXED
mozilla23
Tracking | Status | |
---|---|---|
firefox22 | --- | unaffected |
firefox23 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: scoobidiver, Assigned: ehsan.akhgari)
References
Details
(4 keywords, Whiteboard: [adv-main23-])
Crash Data
Attachments
(1 file)
(deleted),
patch
|
padenot
:
review+
|
Details | Diff | Splinter Review |
It first showed up in 23.0a1/20130416. The regression range might be:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=261d6997d1d1&tochange=1d9c510b3742
Signature mozilla::dom::PannerNode::FindConnectedSources(mozilla::dom::AudioNode*, nsTArray<mozilla::dom::AudioBufferSourceNode*>&, std::set<mozilla::dom::AudioNode*, std::less<mozilla::dom::AudioNode*>, std::allocator<mozilla::dom::AudioNode*> >&) More Reports Search
UUID d6842db5-383d-4fc6-8132-231df2130429
Date Processed 2013-04-29 13:03:37
Uptime 23
Last Crash 35 seconds before submission
Install Age 7.2 hours since version was first installed.
Install Time 2013-04-29 05:51:30
Product Firefox
Version 23.0a1
Build ID 20130428031010
Release Channel nightly
OS Windows NT
OS Version 5.1.2600 Service Pack 3
Build Architecture x86
Build Architecture Info GenuineIntel family 15 model 2 stepping 9
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x0
App Notes
AdapterVendorID: 0x0000, AdapterDeviceID: 0x0000, AdapterSubsysID: 00000000, AdapterDriverVersion:
D3D10 Layers? D3D10 Layers- D3D9 Layers? D3D9 Layers-
Processor Notes sp-processor05.phx1.mozilla.com_19953:2012
EMCheckCompatibility True
Adapter Vendor ID 0x0000
Adapter Device ID 0x0000
Total Virtual Memory 2147352576
Available Virtual Memory 1906249728
System Memory Use Percentage 47
Available Page File 912732160
Available Physical Memory 277131264
Accessibility Active
Frame Module Signature Source
0 xul.dll mozilla::dom::PannerNode::FindConnectedSources content/media/webaudio/PannerNode.cpp:493
1 xul.dll mozilla::dom::PannerNode::FindConnectedSources content/media/webaudio/PannerNode.cpp:466
2 xul.dll mozilla::dom::FindConnectedSourcesOn content/media/webaudio/AudioContext.cpp:270
3 xul.dll nsTHashtable<nsPtrHashKey<mozilla::dom::PannerNode> >::s_EnumStub obj-firefox/dist/include/nsTHashtable.h:486
4 xul.dll PL_DHashTableEnumerate obj-firefox/xpcom/build/pldhash.cpp:714
5 xul.dll nsTHashtable<nsPtrHashKey<mozilla::dom::PannerNode> >::EnumerateEntries obj-firefox/dist/include/nsTHashtable.h:237
6 xul.dll mozilla::dom::AudioContext::UpdatePannerSource content/media/webaudio/AudioContext.cpp:278
7 xul.dll mozilla::dom::AudioNode::Disconnect content/media/webaudio/AudioNode.cpp:213
8 xul.dll mozilla::dom::AudioNodeBinding::disconnect obj-firefox/dom/bindings/AudioNodeBinding.cpp:102
9 mozjs.dll mozjs.dll@0xe3fa0
10 @0x11ea01
More reports at:
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3APannerNode%3A%3AFindConnectedSources%28mozilla%3A%3Adom%3A%3AAudioNode*%2C+nsTArray%3Cmozilla%3A%3Adom%3A%3AAudioBufferSourceNode*%3E%26%2C+std%3A%3Aset%3Cmozilla%3A%3Adom%3A%3AAudioNode*%2C+std%3A%3Aless%3Cmozilla%3A%3Adom%3A%3AAudioNode*%3E%2C+std%3A%3Aallocator%3Cmozilla%3A%3Adom%3A%3AAudioNode*%3E+%3E%26%29
https://crash-stats.mozilla.com/report/list?signature=mozilla%3A%3Adom%3A%3APannerNode%3A%3AFindConnectedSources%28%29
https://crash-stats.mozilla.com/query/query?product=Firefox&version=Firefox%3A23.0a1&query_search=signature&query_type=contains&query=%3A%3AClear%28%29&do_query=1
Assignee | ||
Comment 1•12 years ago
|
||
PannerNode needs to unregister itself when getting deleted by the CC.
Assignee | ||
Comment 2•12 years ago
|
||
Hmm, this is use after free, basically.
Comment 3•12 years ago
|
||
Use-after-unlink isn't so bad. The CC doesn't actually delete things. :)
Comment 4•12 years ago
|
||
Well, sounds like this isn't actually a use-after-unlink, but something having a weak reference.
Assignee | ||
Comment 5•12 years ago
|
||
Yes, the issue here is that CC nulls out mContext, which means that code in ~PannerNode to unregister the node before it going away will not run, which means that when you do something that causes the mPannerNodes hashtable to be accessed again, you'll end up accessing the freed PannerNode object.
Assignee | ||
Comment 6•12 years ago
|
||
Attachment #743171 -
Flags: review?(paul)
Updated•12 years ago
|
Attachment #743171 -
Flags: review?(paul) → review+
Assignee | ||
Comment 7•12 years ago
|
||
Comment 8•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Updated•12 years ago
|
Assignee | ||
Comment 9•11 years ago
|
||
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Updated•11 years ago
|
Whiteboard: [adv-main23-]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•