Audio Tap Processor Uses Released Memory

Originator: imesart
Number: rdar://34977000
Date Originated: 13 Oct 2017
Status: Open
Resolved:
Product: iOS + SDK
Product Version: iOS 11.0
Classification: Bug
Reproducible: Sometimes
 
Summary:
When releasing an AVPlayerItem that is playing and that has an AVAudioMix with an audio tap processor, the processing callback can get called after the finalize callback. This can cause the processing callback and AVFoundation to access memory that has been freed.

Steps to Reproduce:
Run the attached project on a real device. Press the button multiple times. Try to time it so that you press it just after audio starts playing. At some point the Address Sanitizer will stop the execution for "Use of deallocated memory".

Expected Results:
The finalize callback should be the last call to any of the MTAudioProcessingTapCallbacks and, because it is called on a different thread from the AudioTapCallbackProcess thread, should run only after all calls to the processing callback have returned.

Actual Results:
App can crash.

Version/Build:
iOS 11.0
Did not appear on prior versions of iOS (probably because they did not correctly call the finalize callback unless the audioTapProcessor fields were manually nilled).

Configuration:
iOS 11.0 on a real device
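
The ordering described under Expected Results, modeled in portable C as an added example (not code from this report, its attached project, or Apple's frameworks): a hypothetical `TapGuard` lets a late processing callback return without touching app-owned storage and makes finalize wait for running callbacks. It covers only storage the app owns, not AVFoundation's own accesses, and assumes the guard struct outlives the tap.

```c
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tap storage guard; none of these names are AVFoundation
 * or MediaToolbox API. The guard must outlive the tap itself. */
typedef struct {
    atomic_int  in_flight;  /* process callbacks currently running */
    atomic_bool finalized;  /* set once teardown has begun */
    float      *scratch;    /* app-owned buffer released by finalize */
    size_t      capacity;   /* scratch size in frames */
} TapGuard;

TapGuard *tap_guard_create(size_t capacity) {
    TapGuard *g = calloc(1, sizeof *g);
    if (!g) return NULL;
    g->scratch = calloc(capacity, sizeof *g->scratch);
    if (!g->scratch) { free(g); return NULL; }
    g->capacity = capacity;
    atomic_init(&g->in_flight, 0);
    atomic_init(&g->finalized, false);
    return g;
}

/* Process path: announce entry first, then check for teardown.
 * Returns frames copied, or -1 when called after finalize. */
int tap_guard_process(TapGuard *g, const float *in, size_t frames) {
    atomic_fetch_add(&g->in_flight, 1);
    if (atomic_load(&g->finalized)) {
        atomic_fetch_sub(&g->in_flight, 1);
        return -1;                       /* late callback: touch nothing */
    }
    if (frames > g->capacity) frames = g->capacity;
    memcpy(g->scratch, in, frames * sizeof *in);
    atomic_fetch_sub(&g->in_flight, 1);
    return (int)frames;
}

/* Finalize path: refuse new callbacks, drain running ones, then free. */
void tap_guard_finalize(TapGuard *g) {
    atomic_store(&g->finalized, true);
    while (atomic_load(&g->in_flight) > 0)
        sched_yield();
    free(g->scratch);
    g->scratch = NULL;
}
```

The increment-then-check order in the process path is what closes the window: with sequentially consistent atomics, either the callback sees `finalized` and backs out, or finalize sees the non-zero counter and waits.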
