Closed
Bug 877695
Opened 11 years ago
Closed 11 years ago
Heap-use-after-free in nsCOMPtr<nsIThread>::assign_assuming_AddRef
Categories
(Core :: Web Audio, defect)
RESOLVED
DUPLICATE
of bug 876273
People
(Reporter: attekett, Unassigned)
Details
(Whiteboard: [blocking-webaudio-])
Attachments
(1 file)
(deleted), text/plain
Tested on:
OS: Ubuntu 12.04
Firefox: ASAN debug-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-dbg-asan/1369914031/
It may take some time for the browser to crash with the repro-file. With the debug-build I normally got 30-50 "++DOMWINDOW" before the crash. You might need to try a few times.
Sometimes the repro-file causes a crash with a different stack.
ASAN-report:
++DOMWINDOW == 31 (0x7f75702104f0) [serial = 34] [outer = 0x7f756f7be8f0]
++DOMWINDOW == 32 (0x7f756fe9b4f0) [serial = 35] [outer = 0x7f756f7be8f0]
=================================================================
==6567== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f757b52d350 at pc 0x7f7590eb6f20 bp 0x7fff765ac6f0 sp 0x7fff765ac6e8
READ of size 8 at 0x7f757b52d350 thread T0
#0 0x7f7590eb6f1f in nsCOMPtr<nsIThread>::assign_assuming_AddRef(nsIThread*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/obj-firefox/toolkit/xre/../../dist/include/nsCOMPtr.h:514
#1 0x7f7590ee3eed in nsCOMPtr<nsIThread>::operator=(nsIThread*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/obj-firefox/toolkit/xre/../../dist/include/nsCOMPtr.h:676
#2 0x7f7592316c31 in mozilla::(anonymous namespace)::MediaStreamGraphShutDownRunnable::Run() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1199
#3 0x7f75940bb2fb in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/xpcom/threads/nsThread.cpp:627
#4 0x7f7594007891 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238
#5 0x7f75936d1d7b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/ipc/glue/MessagePump.cpp:82
.
.
.
freed by thread T0 here:
#0 0x43afe0 in free ??:0
#1 0x7f759230a0d2 in operator delete(void*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/../../dist/include/mozilla/mozalloc.h:225
#2 0x7f759230afcc in mozilla::MediaStream::Destroy() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/MediaStreamGraph.cpp:1525
#3 0x7f759233a989 in mozilla::dom::AudioNode::DestroyMediaStream() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/webaudio/AudioNode.cpp:319
#4 0x7f7592338cbe in mozilla::dom::AudioNode::DisconnectFromGraph() /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/webaudio/AudioNode.cpp:134
#5 0x7f7592338901 in mozilla::dom::AudioNode::cycleCollection::UnlinkImpl(void*) /builds/slave/m-cen-l64-dbg-asan-00000000000/build/content/media/webaudio/AudioNode.cpp:19
.
.
.
Comment 1•11 years ago
This is a duplicate of: https://bugzilla.mozilla.org/show_bug.cgi?id=876273
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Comment 2•11 years ago
Mass moving Web Audio bugs to the Web Audio component. Filter on duckityduck.
Component: Video/Audio → Web Audio
Updated•11 years ago
Whiteboard: [blocking-webaudio-]
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release