crashtest for bug 1274083 r?jesup draft
authorKarl Tomlinson <karlt+@karlt.net>
Tue, 04 Apr 2017 16:18:19 +1200
changeset 555393 3367d1643736c6e9bb203480650e7e4ea80af870
parent 555310 b5d8b27a753725c1de41ffae2e338798f3b5cacd
child 555394 e4bf2476b94ad9e2526029863387949ea47fc2ed
push id52233
push userktomlinson@mozilla.com
push dateTue, 04 Apr 2017 07:27:33 +0000
reviewersjesup
bugs1274083
milestone55.0a1
crashtest for bug 1274083 r?jesup This needed some fine tuning to produce the crash, and so is a very specific test. It is still of value because this specific situation is not otherwise tested, and it provides input to fuzzers for potential similar situations. MozReview-Commit-ID: K1zMPZ4kuYO
dom/media/test/crashtests/buffer-source-slow-resampling-1.html
dom/media/test/crashtests/crashtests.list
new file mode 100644
--- /dev/null
+++ b/dom/media/test/crashtests/buffer-source-slow-resampling-1.html
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html class="reftest-wait">
+<script>
+const blockSize = 128;
+// The sample rate is a prime number so that the resampler is not expected to
+// simplify in/out fractions.
+const rate = 44101;
+var context = new window.OfflineAudioContext(1, 3 * blockSize, rate);
+// Non-zero buffer, so it can't be optimized away.
+var buffer = context.createBuffer(1, 128, rate);
+buffer.getChannelData(0)[0] = 1.0;
+var source = context.createBufferSource();
+source.buffer = buffer;
+source.loop = true;
+// Initialize the resampler with a slow input rate. 
+// With the current (Mar 2017) implementation, very slow rates give the
+// resampler a very large denominator.
+source.playbackRate.setValueAtTime(rate / 0x7fffffff, 0.0);
+// Change to a moderate input rate.
+// With the current implementation, skip_frac_num increases by den_rate for
+// each output sample and so one block before the change in playback rate is
+// enough for high skip_frac_num at the time of the change.
+const changeBlock = 1;
+const changeBlockSeconds = changeBlock * blockSize / rate;
+// With the current speex_resampler_set_rate_frac() implementation, the
+// moderate resampler denominator is still large enough to trigger overflow of
+// 32-bit unsigned integer arithmetic.
+source.playbackRate.setValueAtTime(rate / (rate + 1), changeBlockSeconds);
+source.start(0);
+context.startRendering().
+  then(function() {
+    document.documentElement.removeAttribute("class");
+  });
+</script>
--- a/dom/media/test/crashtests/crashtests.list
+++ b/dom/media/test/crashtests/crashtests.list
@@ -87,16 +87,17 @@ load 1304948.html
 load 1319486.html
 load 1291702.html
 load disconnect-wrong-destination.html
 load analyser-channels-1.html
 load audiocontext-double-suspend.html
 load buffer-source-duration-1.html
 load buffer-source-ended-1.html
 load buffer-source-resampling-start-1.html
+load buffer-source-slow-resampling-1.html
 load doppler-1.html
 HTTP load media-element-source-seek-1.html
 load offline-buffer-source-ended-1.html
 load oscillator-ended-1.html
 load oscillator-ended-2.html
 skip-if(Android) load video-replay-after-audio-end.html # bug 1339449
 # This needs to run at the end to avoid leaking busted state into other tests.
 load 691096-1.html