Bug 64157

Summary: AudioDevice::Stop can close NULL handle.
Product: WebKit Reporter: Berend-Jan Wever <skylined>
Component: DOMAssignee: Chris Rogers <crogers>
Status: RESOLVED FIXED    
Severity: Normal CC: kbr
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Windows Vista   
Attachments:
Description Flags
Repro (press F5 to crash)
none
Patch
none
Patch kbr: review+

Berend-Jan Wever
Reported 2011-07-08 03:35:10 PDT
Created attachment 100102 [details] Repro (press F5 to crash) Chromium: https://code.google.com/p/chromium/issues/detail?id=88740 Repro: <script> setInterval(function () { var oAudioContext = new webkitAudioContext(); oGainNode = oAudioContext.createGainNode(); }, 1); </script> Load the above file, then press F5 to reload and cause the crash. The code tries to join a thread whose id is 0, which leads to closing an invalid handle (0) on Windows. I don't know how linux/mac handle this. Possible solutions: - AudioDevice::Stop should check if the thread exists before joining it http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/content/renderer/media/audio_device.cc&q=&exact_package=chromium&l=114 - SimpleThread::Join() should return immediately if the thread id is 0. http://codesearch.google.com/codesearch#OAMlx_jo-ck/src/base/threading/simple_thread.cc&q=&exact_package=chromium&l=39
Attachments
Repro (press F5 to crash) (153 bytes, text/html)
2011-07-08 03:35 PDT, Berend-Jan Wever 		no flags
Details
Patch (4.41 KB, patch)
2011-07-11 16:36 PDT, Chris Rogers 		no flags
DetailsFormatted DiffDiff
Patch (4.76 KB, patch)
2011-07-12 14:37 PDT, Chris Rogers 		kbr: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Chris Rogers
Comment 1 2011-07-11 16:36:46 PDT
Created attachment 100382 [details] Patch
Kenneth Russell
Comment 2 2011-07-11 17:20:10 PDT
Comment on attachment 100382 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=100382&action=review Basically looks good except for a small issue in the bindings. > Source/WebCore/bindings/js/JSAudioContextCustom.cpp:72 > + return throwVMError(exec, createReferenceError(exec, "audio resources unavailable for AudioContext construction")); The JS bindings are throwing a ReferenceError, while the V8 bindings are throwing a SyntaxError. These should be aligned.
Chris Rogers
Comment 3 2011-07-12 14:37:17 PDT
Created attachment 100565 [details] Patch
Chris Rogers
Comment 4 2011-07-12 14:39:08 PDT
Sorry, this was already R+, but after some extensive testing I found that it's necessary to decrement s_hardwareContextCount in the uninitialize() method instead of destructor since garbage collection can take a long time and hold up new contexts being created.
Kenneth Russell
Comment 5 2011-07-12 14:42:05 PDT
Comment on attachment 100565 [details] Patch OK.
Chris Rogers
Comment 6 2011-07-12 14:46:49 PDT
Committed r90853: <http://trac.webkit.org/changeset/90853>
Note You need to log in before you can comment on or make changes to this bug.