Title: [210473] trunk/Source/WebCore
- Revision: 210473
- Author: [email protected]
- Date: 2017-01-06 23:12:00 -0800 (Fri, 06 Jan 2017)
Log Message
Crash in WebCore::MediaPlayerPrivateMediaSourceAVFObjC::sizeWillChangeAtTime(const MediaTime&, const FloatSize&)::block_invoke
https://bugs.webkit.org/show_bug.cgi?id=166738
Reviewed by Eric Carlson.
AVFoundation can potentially call the same boundary time observer multiple times, and
in that case, it's possible that the observer queue will be empty when we attempt
to remove the first item from the queue. There's an ASSERT() in Deque for this case,
but we need to explicitly protect against this case.
Drive-by fix: Explicitly unregister the observer before releasing it.
* platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm:
(WebCore::MediaPlayerPrivateMediaSourceAVFObjC::sizeWillChangeAtTime):
Diff
Modified: trunk/Source/WebCore/ChangeLog (210472 => 210473)
--- trunk/Source/WebCore/ChangeLog 2017-01-07 06:53:54 UTC (rev 210472)
+++ trunk/Source/WebCore/ChangeLog 2017-01-07 07:12:00 UTC (rev 210473)
@@ -1,3 +1,20 @@
+2017-01-06 Jer Noble <[email protected]>
+
+ Crash in WebCore::MediaPlayerPrivateMediaSourceAVFObjC::sizeWillChangeAtTime(const MediaTime&, const FloatSize&)::block_invoke
+ https://bugs.webkit.org/show_bug.cgi?id=166738
+
+ Reviewed by Eric Carlson.
+
+ AVFoundation can potentially call the same boundary time observer multiple times, and
+ in that case, it's possible that the observer queue will be empty when we attempt
+ to remove the first item from the queue. There's an ASSERT() in Deque for this case,
+ but we need to explicitly protect against this case.
+
+ Drive-by fix: Explicitly unregister the observer before releasing it.
+
+ * platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm:
+ (WebCore::MediaPlayerPrivateMediaSourceAVFObjC::sizeWillChangeAtTime):
+
2017-01-06 Joseph Pecoraro <[email protected]>
REGRESSION(r208886) Web Inspector: Toggling CSS Properties in Styles Sidebar (comment / uncomment)
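Review bot: The new ChangeLog entry does not say how the fix is tested. It should either name a test that exercises the repeated boundary-observer callback or state why none can be written. The entry also describes the empty-queue guard and the explicit unregister, but not that the block now captures `this` in addition to `weakThis`, which is a lifetime-relevant change worth recording under the `sizeWillChangeAtTime` line.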
Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm (210472 => 210473)
--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm 2017-01-07 06:53:54 UTC (rev 210472)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm 2017-01-07 07:12:00 UTC (rev 210473)
@@ -712,11 +712,16 @@
{
auto weakThis = m_sizeChangeObserverWeakPtrFactory.createWeakPtr();
NSArray* times = @[[NSValue valueWithCMTime:toCMTime(time)]];
- RetainPtr<id> observer = [m_synchronizer addBoundaryTimeObserverForTimes:times queue:dispatch_get_main_queue() usingBlock:[weakThis, size] {
+ RetainPtr<id> observer = [m_synchronizer addBoundaryTimeObserverForTimes:times queue:dispatch_get_main_queue() usingBlock:[this, weakThis, size] {
if (!weakThis)
return;
- weakThis->m_sizeChangeObservers.removeFirst();
- weakThis->setNaturalSize(size);
+
+ ASSERT(!m_sizeChangeObservers.isEmpty());
+ if (!m_sizeChangeObservers.isEmpty()) {
+ RetainPtr<id> observer = m_sizeChangeObservers.takeFirst();
+ [m_synchronizer removeTimeObserver:observer.get()];
+ }
+ setNaturalSize(size);
}];
m_sizeChangeObservers.append(WTFMove(observer));
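Review bot: In the block body, `m_sizeChangeObservers.takeFirst()` removes whatever observer is at the head of the queue, not necessarily the one whose callback is running, so a repeated callback for an already-handled observer (the case the log message describes) would unregister the next pending observer whenever the queue is non-empty. Consider identifying the firing observer before removing it, and returning early when nothing is removed rather than falling through to `setNaturalSize(size)`, which currently runs again on every duplicate call. The `ASSERT(!m_sizeChangeObservers.isEmpty())` fires in debug builds on exactly the condition the following `if` is meant to tolerate; if the empty case is expected, drop the assertion or replace it with a log. The capture list now holds both `this` and `weakThis`, and member access through the raw `this` is only valid after the `if (!weakThis)` check, so a short comment saying so would keep a later edit from reordering it. The inner `RetainPtr<id> observer` also shadows the outer `observer`; a distinct name would read more clearly.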