Title: [138966] trunk
Revision: 138966
Author: [email protected]
Date: 2013-01-07 11:21:07 -0800 (Mon, 07 Jan 2013)
Log Message
[Track] Rendering crash
https://bugs.webkit.org/show_bug.cgi?id=106199
Reviewed by Eric Carlson.
Source/WebCore:
The browser is crashing if a text track is added through JavaScript,
due to the fact that the containing block is not marked as inline at
the time RenderTextTrackCue::layout() is called. The fix consists
of ensuring that the pseudo id is set, even if the track isn't
yet visible.
Test: media/track/track-cue-inline-assertion-crash.html
* html/track/TextTrackCue.cpp:
(WebCore::TextTrackCue::updateDisplayTree): The pseudo-id should
be set when the display tree is generated.
(WebCore::TextTrackCue::getDisplayTree): Added extra check to not
do unnecessary logic if the track will never be displayed.
LayoutTests:
* media/track/track-cue-inline-assertion-crash-expected.txt: Added.
* media/track/track-cue-inline-assertion-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (138965 => 138966)
--- trunk/LayoutTests/ChangeLog 2013-01-07 19:04:56 UTC (rev 138965)
+++ trunk/LayoutTests/ChangeLog 2013-01-07 19:21:07 UTC (rev 138966)
@@ -1,3 +1,13 @@
+2013-01-07 Victor Carbune <[email protected]>
+
+ [Track] Rendering crash
+ https://bugs.webkit.org/show_bug.cgi?id=106199
+
+ Reviewed by Eric Carlson.
+
+ * media/track/track-cue-inline-assertion-crash-expected.txt: Added.
+ * media/track/track-cue-inline-assertion-crash.html: Added.
+
2013-01-07 Michael Pruett <[email protected]>
[JSC] Copy non-index properties of arrays in SerializedScriptValue
Added: trunk/LayoutTests/media/track/track-cue-inline-assertion-crash-expected.txt (0 => 138966)
--- trunk/LayoutTests/media/track/track-cue-inline-assertion-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/media/track/track-cue-inline-assertion-crash-expected.txt 2013-01-07 19:21:07 UTC (rev 138966)
@@ -0,0 +1,10 @@
+Tests that adding a track and changing its mode through JS doesn't crash the browser.
+
+** Add a text track through JS to the video element **
+** Add cue to the text track **
+** Set the track mode to showing **
+
+No crash. PASS.
+
+END OF TEST
+
Added: trunk/LayoutTests/media/track/track-cue-inline-assertion-crash.html (0 => 138966)
--- trunk/LayoutTests/media/track/track-cue-inline-assertion-crash.html (rev 0)
+++ trunk/LayoutTests/media/track/track-cue-inline-assertion-crash.html 2013-01-07 19:21:07 UTC (rev 138966)
@@ -0,0 +1,40 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <script src=""
+ <script src=""
+
+ <script>
+ function startTest()
+ {
+ findMediaElement();
+
+ consoleWrite("** Add a text track through JS to the video element **");
+ var t = video.addTextTrack('captions', 'English', 'en');
+
+ consoleWrite("** Add cue to the text track **");
+ t.addCue(new TextTrackCue(0.0, 10.0, 'wow wow'));
+
+ consoleWrite("** Set the track mode to showing **");
+ t.mode = "showing";
+
+ consoleWrite("");
+ consoleWrite("No crash. PASS.");
+ consoleWrite("");
+
+ endTest();
+ }
+ </script>
+ </head>
+
+ <body _onload_="startTest()">
+ <p>Tests that adding a track and changing its mode through JS doesn't crash the browser.</p>
+ <video controls>
+ <!-- If the src is specified through JS after the body load, the test doesn't crash anymore. -->
+ <source src="" type="video/mp4">
+ <source src="" type="video/ogg">
+ </video>
+ </body>
+</html>
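Review bot: startTest() calls endTest() synchronously right after `t.mode = "showing"`, so nothing in the test waits for the cue to be laid out, yet the log message places the crash in RenderTextTrackCue::layout(). If the harness does not guarantee a layout before the result is dumped, the test can pass without exercising the crashing path; consider ending the test from a media or cue event, or after forcing a layout. The comment above the source elements would also read better if it said that the markup-specified src is what reproduces the crash.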
Modified: trunk/Source/WebCore/ChangeLog (138965 => 138966)
--- trunk/Source/WebCore/ChangeLog 2013-01-07 19:04:56 UTC (rev 138965)
+++ trunk/Source/WebCore/ChangeLog 2013-01-07 19:21:07 UTC (rev 138966)
@@ -1,3 +1,24 @@
+2013-01-07 Victor Carbune <[email protected]>
+
+ [Track] Rendering crash
+ https://bugs.webkit.org/show_bug.cgi?id=106199
+
+ Reviewed by Eric Carlson.
+
+ The browser is crashing if a text track is added through _javascript_,
+ due to the fact that the containing block is not marked as inline at
+ the time RenderTextTrackCue::layout() is called. The fix consists
+ of ensuring that the pseudo id is set, even if the track isn't
+ yet visible.
+
+ Test: media/track/track-cue-inline-assertion-crash.html
+
+ * html/track/TextTrackCue.cpp:
+ (WebCore::TextTrackCue::updateDisplayTree): The pseudo-id should
+ be set when the display tree is generated.
+ (WebCore::TextTrackCue::getDisplayTree): Added extra check to not
+ do unneccessary logic if the track will never be displayed.
+
2013-01-07 Michael Pruett <[email protected]>
[JSC] Copy non-index properties of arrays in SerializedScriptValue
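Review bot: The updateDisplayTree entry reads as if the pseudo id were set in that function, but in TextTrackCue.cpp the setPseudo() call is removed from the block that follows the isRendered() early return and added next to the appendChild() call further down. Suggest wording the entry as a removal and describing the move under the function that now makes the call. In the getDisplayTree entry, 'unneccessary' should be 'unnecessary'.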
Modified: trunk/Source/WebCore/html/track/TextTrackCue.cpp (138965 => 138966)
--- trunk/Source/WebCore/html/track/TextTrackCue.cpp 2013-01-07 19:04:56 UTC (rev 138965)
+++ trunk/Source/WebCore/html/track/TextTrackCue.cpp 2013-01-07 19:21:07 UTC (rev 138966)
@@ -695,10 +695,8 @@
if (!track()->isRendered())
return;
-
// Clear the contents of the set.
m_allDocumentNodes->removeChildren();
- m_allDocumentNodes->setPseudo(allNodesShadowPseudoId());
// Update the two sets containing past and future WebVTT objects.
RefPtr<DocumentFragment> referenceTree = getCueAsHTML();
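Review bot: With setPseudo() removed from this block, nothing here tells the reader that m_allDocumentNodes gets its pseudo id elsewhere, and the deleted blank line runs the `return;` straight into the 'Clear the contents of the set' comment. Suggest keeping the blank line after the early return and adding a short comment that the pseudo id is now applied when the display tree is built.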
@@ -709,7 +707,7 @@
PassRefPtr<TextTrackCueBox> TextTrackCue::getDisplayTree()
{
- if (!m_displayTreeShouldChange)
+ if (!m_displayTreeShouldChange || !track()->isRendered())
return m_displayTree;
// 10.1 - 10.10
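Review bot: The new `!track()->isRendered()` term dereferences track() with no null check, and on that path the function returns the cached m_displayTree without touching m_displayTreeShouldChange. The isRendered() check in the previous hunk dereferences track() the same way, so please confirm that a cue with no owning track cannot reach getDisplayTree(), or guard the condition with `!track() ||`. A comment noting that callers get the existing tree unchanged for a non-rendered track would also help.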
@@ -727,6 +725,7 @@
// background box.
// Note: This is contained by default in m_allDocumentNodes.
+ m_allDocumentNodes->setPseudo(allNodesShadowPseudoId());
m_displayTree->appendChild(m_allDocumentNodes, ASSERT_NO_EXCEPTION, true);
// FIXME(BUG 79916): Runs of children of WebVTT Ruby Objects that are not
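Review bot: The added setPseudo() call appears below the early return changed in the previous hunk, so it still runs only when track()->isRendered() is true, while the log message says the pseudo id is set 'even if the track isn't yet visible'. Either reword the log message to say the id is applied each time the display tree is rebuilt, or add a one-line comment above the call explaining why it belongs next to appendChild() rather than behind the isRendered() check where it used to be.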