200542 – Fix thread safety bug in AudioSourceProviderAVFObjC::prepare()

Bug 200542 - Fix thread safety bug in AudioSourceProviderAVFObjC::prepare()

Summary: Fix thread safety bug in AudioSourceProviderAVFObjC::prepare()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Media (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:
Blocks:	200507
	Show dependency tree / graph

Reported:	2019-08-08 10:36 PDT by Chris Dumez
Modified:	2019-08-08 11:43 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
Patch (2.05 KB, patch) 2019-08-08 10:37 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (2.05 KB, patch) 2019-08-08 10:51 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2019-08-08 10:36:27 PDT

Fix thread safety bug in AudioSourceProviderAVFObjC::prepare(). It calls callOnMainThread() from a background and captures makeRef(*this) in the lambda, even though |this| is a AudioSourceProviderAVFObjC, which subclasses RefCounted, not ThreadSafeRefCounted.

Comment 1 Chris Dumez 2019-08-08 10:36:59 PDT

Exception Type:        EXC_BREAKPOINT (SIGTRAP)
Exception Codes:       0x0000000000000002, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Trace/BPT trap: 5
Termination Reason:    Namespace SIGNAL, Code 0x5
Terminating Process:   exc handler [0]

Application Specific Information:
CRASHING TEST: webaudio/silence-after-playback.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010737dfb3 0x10737c000 + 8115
1   com.apple.WebCore             	0x000000010738e7f3 WTF::Detail::CallableWrapper<WebCore::AudioSourceProviderAVFObjC::prepare(long, AudioStreamBasicDescription const*)::$_0, void>::~CallableWrapper() + 163
2   com.apple.JavaScriptCore      	0x0000000102b2aa9c WTF::dispatchFunctionsFromMainThread() + 332 (MainThread.cpp:123)
3   com.apple.Foundation          	0x00007fff4ebad0b5 __NSThreadPerformPerform + 334
4   com.apple.CoreFoundation      	0x00007fff4ca6b581 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
5   com.apple.CoreFoundation      	0x00007fff4cb238ac __CFRunLoopDoSource0 + 108
6   com.apple.CoreFoundation      	0x00007fff4ca4e530 __CFRunLoopDoSources0 + 208
7   com.apple.CoreFoundation      	0x00007fff4ca4d9ad __CFRunLoopRun + 1293
8   com.apple.CoreFoundation      	0x00007fff4ca4d207 CFRunLoopRunSpecific + 487
9   DumpRenderTree                	0x000000010285482f runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 3601 (DumpRenderTree.mm:2087)
10  DumpRenderTree                	0x000000010285365a dumpRenderTree(int, char const**) + 3439 (DumpRenderTree.mm:1210)
11  DumpRenderTree                	0x00000001028550dd DumpRenderTreeMain(int, char const**) + 1456 (DumpRenderTree.mm:1442)
12  libdyld.dylib                 	0x00007fff74a0d015 start + 1

Comment 2 Chris Dumez 2019-08-08 10:37:54 PDT

Created attachment 375815 [details]
Patch

Comment 3 Chris Dumez 2019-08-08 10:51:20 PDT

Created attachment 375820 [details]
Patch

Comment 4 Chris Dumez 2019-08-08 11:42:21 PDT

Comment on attachment 375820 [details]
Patch

Clearing flags on attachment: 375820

Committed r248432: <https://trac.webkit.org/changeset/248432>

Comment 5 Chris Dumez 2019-08-08 11:42:22 PDT

All reviewed patches have been landed.  Closing bug.

Comment 6 Radar WebKit Bug Importer 2019-08-08 11:43:50 PDT

<rdar://problem/54089364>