Bug 204248

Summary: CRASH in SourceBuffer::removeCodedFrames()
Product: WebKit
Reporter: Jer Noble <jer.noble>
Component: New Bugs
Assignee: Jer Noble <jer.noble>
Status: RESOLVED FIXED
Severity: Normal
CC: calvaris, commit-queue, darin, ddkilzer, eric.carlson, ews-watchlist, glenn, philipj, sergio, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description Jer Noble 2019-11-15 14:11:59 PST
CRASH in SourceBuffer::removeCodedFrames()
Comment 1 Jer Noble 2019-11-15 14:12:35 PST
rdar://problem/57168384
Comment 2 Jer Noble 2019-11-15 14:28:14 PST
Created attachment 383651 [details]
Patch
Comment 3 WebKit Commit Bot 2019-11-15 16:05:08 PST
Comment on attachment 383651 [details]
Patch

Clearing flags on attachment: 383651

Committed r252511: <https://trac.webkit.org/changeset/252511>
Comment 4 WebKit Commit Bot 2019-11-15 16:05:10 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 David Kilzer (:ddkilzer) 2019-11-15 16:28:06 PST
Comment on attachment 383651 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=383651&action=review

r=me

> Source/WebCore/Modules/mediasource/SourceBuffer.cpp:805
> +    if (start >= end)

Wasn’t there a second place where this check could be added that was missing it?
Comment 6 David Kilzer (:ddkilzer) 2019-11-15 16:30:43 PST
(In reply to David Kilzer (:ddkilzer) from comment #5)
> Comment on attachment 383651 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=383651&action=review
> 
> r=me

Oops, didn’t see this landed already.
Comment 7 Jer Noble 2019-11-15 19:55:49 PST
(In reply to David Kilzer (:ddkilzer) from comment #5)
> Comment on attachment 383651 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=383651&action=review
> 
> r=me
> 
> > Source/WebCore/Modules/mediasource/SourceBuffer.cpp:805
> > +    if (start >= end)
> 
> Wasn’t there a second place where this check could be added that was missing
> it?

All those places are upstream of here. IOW, a check here checks every call site.
Comment 8 Darin Adler 2019-11-18 09:25:46 PST
Comment on attachment 383651 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=383651&action=review

> Source/WebCore/ChangeLog:10
> +        Speculative fix for rare crash. It's possible that the startTime and endTime inputs to
> +        removeCodedFrames() are out-of-order, which could lead to iterating off the end of the
> +        SampleMap. Verify that startTime < endTime and bail out early if not true.

If it’s possible, then why are we asserting it’s not true?
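The failure mode the ChangeLog describes in comment 8 (an inverted start/end range walking an iterator off the end of the SampleMap) and the "one check here covers every call site" point from comment 7 can be shown with a small model. The code below is an added example, not WebKit's SourceBuffer code: `SampleMap` is a stand-in `std::map` keyed by timestamp, `makeSampleMap()` builds constructed data, and `removeCodedFrames()` is a simplified stand-in that keeps only the early bail-out from the patch.

```cpp
#include <cstddef>
#include <map>

// Hypothetical stand-in for WebCore's SampleMap (constructed for this example):
// presentation timestamp in seconds -> sample id.
using SampleMap = std::map<double, int>;

// Builds constructed data: one sample per second at t = 0, 1, 2, 3, 4.
SampleMap makeSampleMap()
{
    SampleMap samples;
    for (int i = 0; i < 5; ++i)
        samples.emplace(static_cast<double>(i), i);
    return samples;
}

// Removes every sample whose timestamp lies in [start, end) and returns how
// many were erased. Models the guarded removeCodedFrames(): an empty or
// inverted range bails out before the iterator walk, so it does not matter
// which upstream caller produced the bad range.
std::size_t removeCodedFrames(SampleMap& samples, double start, double end)
{
    // Without this check, start >= end places `first` at or after `last`,
    // and the loop below erases past the end of the map: a crash in a debug
    // build, undefined behaviour in release.
    if (start >= end)
        return 0;

    auto first = samples.lower_bound(start);
    auto last = samples.lower_bound(end);
    std::size_t removed = 0;
    while (first != last) {
        first = samples.erase(first); // erase returns the next iterator
        ++removed;
    }
    return removed;
}
```

The guard is a plain early return rather than an assertion, which is the distinction Darin's question turns on: if callers can legitimately hand in an inverted range, the function has to tolerate it in release builds, not merely assert on it in debug builds.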