Title: [255170] trunk/Source/WebCore
Revision
255170
Author
ryanhad...@apple.com
Date
2020-01-27 13:41:43 -0800 (Mon, 27 Jan 2020)

Log Message

Crash in WebCore::HTMLMediaElement::detachMediaSource()
https://bugs.webkit.org/show_bug.cgi?id=206766

Patch by Peng Liu <peng.l...@apple.com> on 2020-01-27
Reviewed by Jer Noble.

Use WeakPtr<HTMLMediaElement> in MediaSource instead of a raw pointer.
In addition, we need to detach a MediaSource from an HTMLMediaElement before the HTMLMediaElement forgets the reference to the MediaSource.

* Modules/mediasource/MediaSource.cpp:
(WebCore::MediaSource::attachToElement):
* Modules/mediasource/MediaSource.h:
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::loadResource):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (255169 => 255170)


--- trunk/Source/WebCore/ChangeLog	2020-01-27 21:37:19 UTC (rev 255169)
+++ trunk/Source/WebCore/ChangeLog	2020-01-27 21:41:43 UTC (rev 255170)
@@ -1,3 +1,19 @@
+2020-01-27  Peng Liu  <peng.l...@apple.com>
+
+        Crash in WebCore::HTMLMediaElement::detachMediaSource()
+        https://bugs.webkit.org/show_bug.cgi?id=206766
+
+        Reviewed by Jer Noble.
+
+        Use WeakPtr<HTMLMediaElement> in MediaSource instead of a raw pointer.
+        In addition, we need to detach a MediaSource from an HTMLMediaElement before the HTMLMediaElement forgets the reference to the MediaSource.
+
+        * Modules/mediasource/MediaSource.cpp:
+        (WebCore::MediaSource::attachToElement):
+        * Modules/mediasource/MediaSource.h:
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::loadResource):
+
 2020-01-27  Andres Gonzalez  <andresg...@apple.com>
 
         Crash in AXIsolatedObject destruction.

Modified: trunk/Source/WebCore/Modules/mediasource/MediaSource.cpp (255169 => 255170)


--- trunk/Source/WebCore/Modules/mediasource/MediaSource.cpp	2020-01-27 21:37:19 UTC (rev 255169)
+++ trunk/Source/WebCore/Modules/mediasource/MediaSource.cpp	2020-01-27 21:41:43 UTC (rev 255170)
@@ -956,7 +956,7 @@
 
     ASSERT(isClosed());
 
-    m_mediaElement = &element;
+    m_mediaElement = makeWeakPtr(&element);
     return true;
 }
 

Modified: trunk/Source/WebCore/Modules/mediasource/MediaSource.h (255169 => 255170)


--- trunk/Source/WebCore/Modules/mediasource/MediaSource.h	2020-01-27 21:37:19 UTC (rev 255169)
+++ trunk/Source/WebCore/Modules/mediasource/MediaSource.h	2020-01-27 21:41:43 UTC (rev 255170)
@@ -36,14 +36,15 @@
 #include "EventTarget.h"
 #include "ExceptionOr.h"
 #include "GenericEventQueue.h"
+#include "HTMLMediaElement.h"
 #include "MediaSourcePrivateClient.h"
 #include "URLRegistry.h"
 #include <wtf/LoggerHelper.h>
+#include <wtf/WeakPtr.h>
 
 namespace WebCore {
 
 class ContentType;
-class HTMLMediaElement;
 class SourceBuffer;
 class SourceBufferList;
 class SourceBufferPrivate;
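Review bot: Replacing the `class HTMLMediaElement;` forward declaration with `#include "HTMLMediaElement.h"` pulls a large header into every file that includes MediaSource.h. If the complete type is needed only because the inline `mediaElement()` accessor calls `m_mediaElement.get()`, defining that accessor in MediaSource.cpp would probably let the forward declaration stay. Whether that works depends on what WeakPtr requires of its type, which is not visible in this diff.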
@@ -97,7 +98,7 @@
     ReadyState readyState() const { return m_readyState; }
     ExceptionOr<void> endOfStream(Optional<EndOfStreamError>);
 
-    HTMLMediaElement* mediaElement() const { return m_mediaElement; }
+    HTMLMediaElement* mediaElement() const { return m_mediaElement.get(); }
 
     SourceBufferList* sourceBuffers() { return m_sourceBuffers.get(); }
     SourceBufferList* activeSourceBuffers() { return m_activeSourceBuffers.get(); }
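Review bot: `mediaElement()` still hands callers a raw `HTMLMediaElement*`, so the lifetime protection of the new WeakPtr ends at this accessor. A caller that stores the result, or uses it after a call that can destroy the element, is in the same position as before the change. The return value can also now be null once the element has been destroyed without a detach, so callers outside this diff that dereference it unchecked are worth auditing. I would add a comment on the accessor such as `// May return null once the element is destroyed; do not cache the result.` The same applies to direct uses of `m_mediaElement` in MediaSource.cpp, which this diff does not show.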
@@ -161,7 +162,7 @@
     RefPtr<SourceBufferList> m_activeSourceBuffers;
     mutable std::unique_ptr<PlatformTimeRanges> m_buffered;
     std::unique_ptr<PlatformTimeRanges> m_liveSeekable;
-    HTMLMediaElement* m_mediaElement { nullptr };
+    WeakPtr<HTMLMediaElement> m_mediaElement;
     MediaTime m_duration;
     MediaTime m_pendingSeekTime;
     ReadyState m_readyState { ReadyState::Closed };

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (255169 => 255170)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2020-01-27 21:37:19 UTC (rev 255169)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2020-01-27 21:41:43 UTC (rev 255170)
@@ -1535,11 +1535,16 @@
         loadAttempted = true;
 
         ALWAYS_LOG(LOGIDENTIFIER, "loading MSE blob");
-        if (!m_mediaSource->attachToElement(*this) || !m_player->load(url, contentType, m_mediaSource.get())) {
+        if (!m_mediaSource->attachToElement(*this)) {
             // Forget our reference to the MediaSource, so we leave it alone
             // while processing remainder of load failure.
             m_mediaSource = nullptr;
             mediaLoadingFailed(MediaPlayer::NetworkState::FormatError);
+        } else if (!m_player->load(url, contentType, m_mediaSource.get())) {
+            // We have to detach the MediaSource before we forget the reference to it.
+            m_mediaSource->detachFromElement(*this);
+            m_mediaSource = nullptr;
+            mediaLoadingFailed(MediaPlayer::NetworkState::FormatError);
         }
     }
 #endif
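Review bot: In the new `else if` branch, `m_mediaSource->detachFromElement(*this)` runs after `m_player->load(...)` without re-checking `m_mediaSource`. If load() can synchronously re-enter the element and clear that member (not visible in this hunk), this dereferences null. The detach-then-clear pair is also written out by hand, although the commit title names an existing `HTMLMediaElement::detachMediaSource()`; if that helper does a null-checked detach and clear, calling it here would keep the ordering in one place. Otherwise `if (m_mediaSource) m_mediaSource->detachFromElement(*this);` is enough. loadResource's body starts and ends outside the hunk.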