[webkit-changes] [231833] branches/safari-605-branch/Source/WebCore

Tue, 15 May 2018 18:43:02 -0700

Title: [231833] branches/safari-605-branch/Source/WebCore
Revision
231833
Author
[email protected]
Date
2018-05-15 18:42:05 -0700 (Tue, 15 May 2018)

Log Message

Cherry-pick r231392. rdar://problem/40230018

    Release assert in ScriptController::canExecuteScripts via HTMLMediaElement::~HTMLMediaElement()
    https://bugs.webkit.org/show_bug.cgi?id=185288

    Reviewed by Jer Noble.

    The crash is caused by HTMLMediaElement::~HTMLMediaElement canceling the resource load via CachedResource
    which ends up calling FrameLoader::checkCompleted() and fire load event on the document synchronously.
    Speculatively fix the crash by scheduling the check instead.

    In long term, ResourceLoader::cancel should never fire load event synchronously: webkit.org/b/185284.

    Unfortunately, no new tests since I can't get MediaResource to get destructed at the right time.

    * html/HTMLMediaElement.cpp:
    (WebCore::HTMLMediaElement::isRunningDestructor): Added to detect this specific case.
    (WebCore::HTMLMediaElementDestructorScope): Added.
    (WebCore::HTMLMediaElementDestructorScope::HTMLMediaElementDestructorScope): Added.
    (WebCore::HTMLMediaElementDestructorScope::~HTMLMediaElementDestructorScope): Added.
    (WebCore::HTMLMediaElement::~HTMLMediaElement): Instantiate HTMLMediaElement.
    * html/HTMLMediaElement.h:
    * loader/FrameLoader.cpp:
    (WebCore::FrameLoader::checkCompleted): Call scheduleCheckCompleted instead of synchronously calling
    checkCompleted if we're in the middle of destructing a HTMLMediaElement.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231392 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (231832 => 231833)


--- branches/safari-605-branch/Source/WebCore/ChangeLog	2018-05-16 01:42:02 UTC (rev 231832)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog	2018-05-16 01:42:05 UTC (rev 231833)
@@ -1,5 +1,61 @@
 2018-05-15  Kocsen Chung  <[email protected]>
 
+        Cherry-pick r231392. rdar://problem/40230018
+
+    Release assert in ScriptController::canExecuteScripts via HTMLMediaElement::~HTMLMediaElement()
+    https://bugs.webkit.org/show_bug.cgi?id=185288
+    
+    Reviewed by Jer Noble.
+    
+    The crash is caused by HTMLMediaElement::~HTMLMediaElement canceling the resource load via CachedResource
+    which ends up calling FrameLoader::checkCompleted() and fire load event on the document synchronously.
+    Speculatively fix the crash by scheduling the check instead.
+    
+    In long term, ResourceLoader::cancel should never fire load event synchronously: webkit.org/b/185284.
+    
+    Unfortunately, no new tests since I can't get MediaResource to get destructed at the right time.
+    
+    * html/HTMLMediaElement.cpp:
+    (WebCore::HTMLMediaElement::isRunningDestructor): Added to detect this specific case.
+    (WebCore::HTMLMediaElementDestructorScope): Added.
+    (WebCore::HTMLMediaElementDestructorScope::HTMLMediaElementDestructorScope): Added.
+    (WebCore::HTMLMediaElementDestructorScope::~HTMLMediaElementDestructorScope): Added.
+    (WebCore::HTMLMediaElement::~HTMLMediaElement): Instantiate HTMLMediaElement.
+    * html/HTMLMediaElement.h:
+    * loader/FrameLoader.cpp:
+    (WebCore::FrameLoader::checkCompleted): Call scheduleCheckCompleted instead of synchronously calling
+    checkCompleted if we're in the middle of destructing a HTMLMediaElement.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231392 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-05-03  Ryosuke Niwa  <[email protected]>
+
+            Release assert in ScriptController::canExecuteScripts via HTMLMediaElement::~HTMLMediaElement()
+            https://bugs.webkit.org/show_bug.cgi?id=185288
+
+            Reviewed by Jer Noble.
+
+            The crash is caused by HTMLMediaElement::~HTMLMediaElement canceling the resource load via CachedResource
+            which ends up calling FrameLoader::checkCompleted() and fire load event on the document synchronously.
+            Speculatively fix the crash by scheduling the check instead.
+
+            In long term, ResourceLoader::cancel should never fire load event synchronously: webkit.org/b/185284.
+
+            Unfortunately, no new tests since I can't get MediaResource to get destructed at the right time.
+
+            * html/HTMLMediaElement.cpp:
+            (WebCore::HTMLMediaElement::isRunningDestructor): Added to detect this specific case.
+            (WebCore::HTMLMediaElementDestructorScope): Added.
+            (WebCore::HTMLMediaElementDestructorScope::HTMLMediaElementDestructorScope): Added.
+            (WebCore::HTMLMediaElementDestructorScope::~HTMLMediaElementDestructorScope): Added.
+            (WebCore::HTMLMediaElement::~HTMLMediaElement): Instantiate HTMLMediaElement.
+            * html/HTMLMediaElement.h:
+            * loader/FrameLoader.cpp:
+            (WebCore::FrameLoader::checkCompleted): Call scheduleCheckCompleted instead of synchronously calling
+            checkCompleted if we're in the middle of destructing a HTMLMediaElement.
+
+2018-05-15  Kocsen Chung  <[email protected]>
+
         Cherry-pick r231713. rdar://problem/40172913
 
     LinkLoader fails to remove CachedResourceClient in some cases

Modified: branches/safari-605-branch/Source/WebCore/html/HTMLMediaElement.cpp (231832 => 231833)


--- branches/safari-605-branch/Source/WebCore/html/HTMLMediaElement.cpp	2018-05-16 01:42:02 UTC (rev 231832)
+++ branches/safari-605-branch/Source/WebCore/html/HTMLMediaElement.cpp	2018-05-16 01:42:05 UTC (rev 231833)
@@ -578,8 +578,23 @@
     mediaSession().clientWillBeginAutoplaying();
 }
 
+// FIXME: Remove this code once https://webkit.org/b/185284 is fixed.
+static unsigned s_destructorCount = 0;
+
+bool HTMLMediaElement::isRunningDestructor()
+{
+    return !!s_destructorCount;
+}
+
+class HTMLMediaElementDestructorScope {
+public:
+    HTMLMediaElementDestructorScope() { ++s_destructorCount; }
+    ~HTMLMediaElementDestructorScope() { --s_destructorCount; }
+};
+
 HTMLMediaElement::~HTMLMediaElement()
 {
+    HTMLMediaElementDestructorScope destructorScope;
     ALWAYS_LOG(LOGIDENTIFIER);
 
     beginIgnoringTrackDisplayUpdateRequests();

Modified: branches/safari-605-branch/Source/WebCore/html/HTMLMediaElement.h (231832 => 231833)


--- branches/safari-605-branch/Source/WebCore/html/HTMLMediaElement.h	2018-05-16 01:42:02 UTC (rev 231832)
+++ branches/safari-605-branch/Source/WebCore/html/HTMLMediaElement.h	2018-05-16 01:42:05 UTC (rev 231833)
@@ -158,6 +158,8 @@
     static HTMLMediaElement* bestMediaElementForShowingPlaybackControlsManager(MediaElementSession::PlaybackControlsPurpose);
 
     void rewind(double timeDelta);
+    static bool isRunningDestructor();
+
     WEBCORE_EXPORT void returnToRealtime() override;
 
     // Eventually overloaded in HTMLVideoElement

Modified: branches/safari-605-branch/Source/WebCore/loader/FrameLoader.cpp (231832 => 231833)


--- branches/safari-605-branch/Source/WebCore/loader/FrameLoader.cpp	2018-05-16 01:42:02 UTC (rev 231832)
+++ branches/safari-605-branch/Source/WebCore/loader/FrameLoader.cpp	2018-05-16 01:42:05 UTC (rev 231833)
@@ -803,6 +803,13 @@
     // Have we completed before?
     if (m_isComplete)
         return;
+    
+    // FIXME: Remove this code once https://webkit.org/b/185284 is fixed.
+    if (HTMLMediaElement::isRunningDestructor()) {
+        ASSERT_NOT_REACHED();
+        scheduleCheckCompleted();
+        return;
+    }
 
     // FIXME: It would be better if resource loads were kicked off after render tree update (or didn't complete synchronously).
     //        https://bugs.webkit.org/show_bug.cgi?id=171729

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to