Ticket #267 (closed defect: invalid)

Opened 6 months ago

Last modified 6 months ago

firefox + Flash 9.0 r115 crashes on pa_mutex_lock

Reported by: tiagosh Assigned to: lennart
Priority: normal Milestone:
Component: core Severity: normal
Keywords: Cc:

Description

It seems like a race condition. In frame 3, before the poll(), m is not null. After the poll, m becomes null. Then it tries to dereference a null pointer in frame 2 and segfaults.

#0 0xffffe410 in kernel_vsyscall ()
#1 0xb7d05525 in pthread_mutex_lock () from /lib/i686/libpthread.so.0
#2 0xae65927f in pa_mutex_lock (m=0x0) at pulsecore/mutex-posix.c:92
#3 0xae6409c0 in poll_func (ufds=0x90866a8, nfds=2, timeout=99, userdata=0x942cdc0) at pulse/thread-mainloop.c:73
#4 0xae6368af in pa_mainloop_poll (m=0x8b74790) at pulse/mainloop.c:853
#5 0xae637945 in pa_mainloop_iterate (m=0x8b74790, block=1, retval=0x0) at pulse/mainloop.c:919
#6 0xae6379f4 in pa_mainloop_run (m=0x8b74790, retval=0x0) at pulse/mainloop.c:937
#7 0xae6408ae in thread (userdata=0x92bd748) at pulse/thread-mainloop.c:91
#8 0xae659a5a in internal_thread_func (userdata=0x8a94e48) at pulsecore/thread-posix.c:73

Change History

04/02/08 20:57:40 changed by tiagosh

  • status changed from new to closed.
  • resolution set to invalid.

Actually, this bug seems to be in flashplayer when using libflashsupport. As far as I can see, there is a condition where two pthread_mutex_lock() calls are made. It really looks like a deadlock. The main Firefox thread asks to close the stream and calls pthread_mutex_lock(); pa_thread() in libflashsupport calls FPI_SoundOutput_FillBuffer, where there is another pthread_mutex_lock(), probably on the same mutex.