Title: [237067] trunk/Source/WebCore
- Revision
- 237067
- Author
- [email protected]
- Date
- 2018-10-12 08:28:40 -0700 (Fri, 12 Oct 2018)
Log Message
CRASH in WebCore::MediaPlayerPrivateAVFoundation::setPreload
https://bugs.webkit.org/show_bug.cgi?id=190485
<rdar://problem/34613350>
Reviewed by Eric Carlson.
Crash analytics show that a pure-virtual function is called by MediaPlayerPrivateAVFoundation::setPreload(), and
the likely cause of that pure-virtual function call is that the MediaPlayerPrivateAVFoundation object itself has
been destroyed, likely as a side effect of calling MediaPlayerPrivateAVFoundationObjC::createAVAssetForURL().
The usual suspect for this kind of crash is due to calling into JS (e.g., from a callback passed up to
HTMLMediaElement). Code inspection hasn't yielded any good hints about why this might be occurring, so we will
add a ScriptDisallowedScope assertion inside HTMLMediaElement::prepareToPlay(), to generate a good crashlog
showing exactly what callback is resulting in a JS call. But just in case the deallocation is not due to JS,
also add an explicit strong-ref inside MediaPlayer::prepareToPlay.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::prepareToPlay):
* platform/graphics/MediaPlayer.cpp:
(WebCore::MediaPlayer::prepareToPlay):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (237066 => 237067)
--- trunk/Source/WebCore/ChangeLog 2018-10-12 15:28:14 UTC (rev 237066)
+++ trunk/Source/WebCore/ChangeLog 2018-10-12 15:28:40 UTC (rev 237067)
@@ -1,5 +1,27 @@
2018-10-12 Jer Noble <[email protected]>
+ CRASH in WebCore::MediaPlayerPrivateAVFoundation::setPreload
+ https://bugs.webkit.org/show_bug.cgi?id=190485
+ <rdar://problem/34613350>
+
+ Reviewed by Eric Carlson.
+
+ Crash analytics show that a pure-virtual function is called by MediaPlayerPrivateAVFoundation::setPreload(), and
+ the likely cause of that pure-virtual function call is that the MediaPlayerPrivateAVFoundation object itself has
+ been destroyed, likely as a side effect of calling MediaPlayerPrivateAVFoundationObjC::createAVAssetForURL().
+ The usual suspect for this kind of crash is due to calling into JS (e.g., from a callback passed up to
+ HTMLMediaElement). Code inspection hasn't yielded any good hints about why this might be occurring, so we will
+ add a ScriptDisallowedScope assertion inside HTMLMediaElement::prepareToPlay(), to generate a good crashlog
+ showing exactly what callback is resulting in a JS call. But just in case the deallocation is not due to JS,
+ also add an explicit strong-ref inside MediaPlayer::prepareToPlay.
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::prepareToPlay):
+ * platform/graphics/MediaPlayer.cpp:
+ (WebCore::MediaPlayer::prepareToPlay):
+
+2018-10-12 Jer Noble <[email protected]>
+
Null-dereference in SourceBufferPrivateAVFObjC::outputObscuredDueToInsufficientExternalProtectionChanged
https://bugs.webkit.org/show_bug.cgi?id=190490
<rdar://problem/42213807>
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (237066 => 237067)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2018-10-12 15:28:14 UTC (rev 237066)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2018-10-12 15:28:40 UTC (rev 237067)
@@ -2972,6 +2972,8 @@
void HTMLMediaElement::prepareToPlay()
{
+ ScriptDisallowedScope::InMainThread scriptDisallowedScope;
+
INFO_LOG(LOGIDENTIFIER);
if (m_havePreparedToPlay || !document().hasBrowsingContext())
return;
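Review bot: The added `ScriptDisallowedScope::InMainThread scriptDisallowedScope;` at the top of HTMLMediaElement::prepareToPlay() has no comment explaining why script is being forbidden here, and the log message says it is a diagnostic meant to surface which callback re-enters JS rather than a permanent invariant. A one-line comment such as `// Diagnostic for webkit.org/b/190485: prepareToPlay() must not run script; the assertion pinpoints the callback that does.` would stop a later reader from treating the scope as an established contract (or from removing it as noise). Note also that the scope is declared before the early `return` on `m_havePreparedToPlay`, so it covers the whole function including the path that does nothing; that is harmless but worth being deliberate about, since the interesting window is the call into the media engine below.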
Modified: trunk/Source/WebCore/platform/graphics/MediaPlayer.cpp (237066 => 237067)
--- trunk/Source/WebCore/platform/graphics/MediaPlayer.cpp 2018-10-12 15:28:14 UTC (rev 237066)
+++ trunk/Source/WebCore/platform/graphics/MediaPlayer.cpp 2018-10-12 15:28:40 UTC (rev 237067)
@@ -540,6 +540,8 @@
void MediaPlayer::prepareToPlay()
{
+ Ref<MediaPlayer> protectedThis(*this);
+
m_private->prepareToPlay();
}
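Review bot: `Ref<MediaPlayer> protectedThis(*this);` only keeps the MediaPlayer itself alive across `m_private->prepareToPlay()`, yet the object the log describes as destroyed is the private engine behind `m_private`. If the re-entrant path that triggers the crash resets or replaces `m_private` while this call is on the stack (for example a load or engine switch driven from a callback), the strong ref does not prevent the engine from being deallocated, so this guard only helps when the MediaPlayer as a whole is the thing being released. Worth stating that limitation in a short comment next to `protectedThis`, or confirming in the bug that `m_private` cannot be reassigned re-entrantly, so the fix is not mistaken for a complete lifetime guarantee.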
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes