Title: [207294] trunk
- Revision: 207294
- Author: jer.no...@apple.com
- Date: 2016-10-13 11:13:19 -0700 (Thu, 13 Oct 2016)
Log Message
CRASH at WebCore::SourceBuffer::removeCodedFrames + 37
https://bugs.webkit.org/show_bug.cgi?id=163336
Reviewed by Alex Christensen.
Source/WebCore:
Test: media/media-source/media-source-remove-crash.html
A null-deref crash can occur if a SourceBuffer is removed from a MediaSource after
SourceBuffer.remove() is called, but before the removeTimer is fired.
* Modules/mediasource/SourceBuffer.cpp:
(WebCore::SourceBuffer::removeTimerFired):
LayoutTests:
* media/media-source/media-source-remove-crash-expected.txt: Added.
* media/media-source/media-source-remove-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (207293 => 207294)
--- trunk/LayoutTests/ChangeLog 2016-10-13 18:11:29 UTC (rev 207293)
+++ trunk/LayoutTests/ChangeLog 2016-10-13 18:13:19 UTC (rev 207294)
@@ -1,3 +1,13 @@
+2016-10-13 Jer Noble <jer.no...@apple.com>
+
+ CRASH at WebCore::SourceBuffer::removeCodedFrames + 37
+ https://bugs.webkit.org/show_bug.cgi?id=163336
+
+ Reviewed by Alex Christensen.
+
+ * media/media-source/media-source-remove-crash-expected.txt: Added.
+ * media/media-source/media-source-remove-crash.html: Added.
+
2016-10-13 Sergio Villar Senin <svil...@igalia.com>
[css-grid] Use min-size instead of min-content contribution for intrinsic maximums resolution
Added: trunk/LayoutTests/media/media-source/media-source-remove-crash-expected.txt (0 => 207294)
--- trunk/LayoutTests/media/media-source/media-source-remove-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/media/media-source/media-source-remove-crash-expected.txt 2016-10-13 18:13:19 UTC (rev 207294)
@@ -0,0 +1,15 @@
+
+RUN(video.src = ""
+EVENT(sourceopen)
+RUN(source.duration = loader.duration())
+RUN(sourceBuffer = source.addSourceBuffer(loader.type()))
+RUN(sourceBuffer.appendBuffer(loader.initSegment()))
+EVENT(update)
+Append a media segment.
+RUN(sourceBuffer.appendBuffer(loader.mediaSegment(0)))
+EVENT(update)
+Remove a range, then remove SourceBuffer from its MediaSource. Should not crash.
+RUN(sourceBuffer.remove(0, source.duration))
+RUN(source.removeSourceBuffer(sourceBuffer))
+END OF TEST
+
Added: trunk/LayoutTests/media/media-source/media-source-remove-crash.html (0 => 207294)
--- trunk/LayoutTests/media/media-source/media-source-remove-crash.html (rev 0)
+++ trunk/LayoutTests/media/media-source/media-source-remove-crash.html 2016-10-13 18:13:19 UTC (rev 207294)
@@ -0,0 +1,55 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>media-source-abort-resets-parser</title>
+ <script src=""
+ <script src=""
+ <script>
+ var loader;
+ var source;
+ var sourceBuffer;
+
+ function runTest() {
+ findMediaElement();
+
+ loader = new MediaSourceLoader('content/test-fragmented-manifest.json');
+ loader._onload_ = mediaDataLoaded;
+ loader._onerror_ = mediaDataLoadingFailed;
+ }
+
+ function mediaDataLoadingFailed() {
+ failTest('Media data loading failed');
+ }
+
+ function mediaDataLoaded() {
+ source = new MediaSource();
+ waitForEvent('sourceopen', sourceOpen, false, false, source);
+ waitForEventAndFail('error');
+ run('video.src = ""
+ }
+
+ function sourceOpen() {
+ run('source.duration = loader.duration()');
+ run('sourceBuffer = source.addSourceBuffer(loader.type())');
+ waitForEventOn(sourceBuffer, 'update', sourceInitialized, false, true);
+ run('sourceBuffer.appendBuffer(loader.initSegment())');
+ }
+
+ function sourceInitialized() {
+ consoleWrite('Append a media segment.')
+ waitForEventOn(sourceBuffer, 'update', mediaSegmentAppended, false, true);
+ run('sourceBuffer.appendBuffer(loader.mediaSegment(0))');
+ }
+
+ function mediaSegmentAppended() {
+ consoleWrite('Remove a range, then remove SourceBuffer from its MediaSource. Should not crash.')
+ run('sourceBuffer.remove(0, source.duration)');
+ run('source.removeSourceBuffer(sourceBuffer)');
+ setTimeout(endTest, 100);
+ }
+ </script>
+</head>
+<body _onload_="runTest()">
+ <video controls></video>
+</body>
+</html>
\ No newline at end of file
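Review bot: the <title> still reads media-source-abort-resets-parser, which looks copied from another test file; rename it to media-source-remove-crash so the page title matches the test. Separately, the `setTimeout(endTest, 100);` in mediaSegmentAppended is the only thing keeping the test alive long enough for the remove timer to fire on the already-removed SourceBuffer, so a short comment stating that intent would stop a later cleanup from replacing it with an immediate endTest() and silently losing the regression coverage. The file also lacks a trailing newline.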
Modified: trunk/Source/WebCore/ChangeLog (207293 => 207294)
--- trunk/Source/WebCore/ChangeLog 2016-10-13 18:11:29 UTC (rev 207293)
+++ trunk/Source/WebCore/ChangeLog 2016-10-13 18:13:19 UTC (rev 207294)
@@ -1,3 +1,18 @@
+2016-10-13 Jer Noble <jer.no...@apple.com>
+
+ CRASH at WebCore::SourceBuffer::removeCodedFrames + 37
+ https://bugs.webkit.org/show_bug.cgi?id=163336
+
+ Reviewed by Alex Christensen.
+
+ Test: media/media-source/media-source-remove-crash.html
+
+ A null-deref crash can occur if a SourceBuffer is removed from a MediaSource after
+ SourceBuffer.remove() is called, but before the removeTimer is fired.
+
+ * Modules/mediasource/SourceBuffer.cpp:
+ (WebCore::SourceBuffer::removeTimerFired):
+
2016-10-13 Michael Catanzaro <mcatanz...@igalia.com>
[SOUP] SHOULD NEVER BE REACHED ../../Source/WebCore/platform/URL.cpp(1291) : void WebCore::URL::parse(const WTF::String&)
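Review bot: the entry describes the race but not what the change does; WebKit ChangeLog entries normally carry a one-line note under each listed function, so something like `(WebCore::SourceBuffer::removeTimerFired): Bail out early if the SourceBuffer has already been removed from its MediaSource.` would make the entry self-explanatory without opening the diff.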
Modified: trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp (207293 => 207294)
--- trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp 2016-10-13 18:11:29 UTC (rev 207293)
+++ trunk/Source/WebCore/Modules/mediasource/SourceBuffer.cpp 2016-10-13 18:13:19 UTC (rev 207294)
@@ -829,6 +829,9 @@
void SourceBuffer::removeTimerFired()
{
+ if (isRemoved())
+ return;
+
ASSERT(m_updating);
ASSERT(m_pendingRemoveStart.isValid());
ASSERT(m_pendingRemoveStart < m_pendingRemoveEnd);
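Review bot: the early return in removeTimerFired skips everything below it, including whatever later resets m_updating and m_pendingRemoveStart/m_pendingRemoveEnd, so it is only correct if the path that makes isRemoved() true already cleans up that state or nothing reads it afterwards; a one-line comment stating which is the case would help the next reader, and an ASSERT on that expectation would catch a future regression. It is also worth considering stopping the remove timer at the point where the SourceBuffer is detached, so the callback never runs on a removed buffer and this guard becomes a defensive check rather than the fix itself.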
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes