Title: [148636] trunk/Source/WebCore
- Revision: 148636
- Author: [email protected]
- Date: 2013-04-17 14:15:03 -0700 (Wed, 17 Apr 2013)
Log Message
Crash in WebCore::HTMLMediaElement::~HTMLMediaElement.
https://bugs.webkit.org/show_bug.cgi?id=113531
Reviewed by Eric Carlson.
No new tests, though this is intermittently reproducible with
http/tests/misc/delete-frame-during-readystatechange.html under ASAN.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement): Clear the media player manually
before the destructor exits. Clearing the media player may cancel a resource load,
which can trigger a readystatechange event. It's possible for the HTMLMediaElement
to attempt to fire an abort event within the readystatechange event, even though it is
now in an inconsistent state. Clearing the media player before finishing the destructor
ensures that the HTMLMediaElement will at least still be alive if this case is triggered.
Set m_completelyLoaded to true to ensure that if userCancelledLoad() is called, it doesn't
attempt to fire events while destructing.
Diff
Modified: trunk/Source/WebCore/ChangeLog (148635 => 148636)
--- trunk/Source/WebCore/ChangeLog 2013-04-17 21:14:08 UTC (rev 148635)
+++ trunk/Source/WebCore/ChangeLog 2013-04-17 21:15:03 UTC (rev 148636)
@@ -1,3 +1,23 @@
+2013-04-16 Jer Noble <[email protected]>
+
+ Crash in WebCore::HTMLMediaElement::~HTMLMediaElement.
+ https://bugs.webkit.org/show_bug.cgi?id=113531
+
+ Reviewed by Eric Carlson.
+
+ No new tests, though this is intermittently reproducible with
+ http/tests/misc/delete-frame-during-readystatechange.html under ASAN.
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::~HTMLMediaElement): Clear the media player manually
+ before the destructor exits. Clearing the media player may cancel a resource load,
+ which can trigger a readystatechange event. It's possible for the HTMLMediaElement
+ to attempt to fire an abort event within the readystatechange event, even though it is
+ now in an inconsistent state. Clearling the media player before finishing the destructor
+ ensures that the HTMLMediaElement will at least still be alive if this case is triggered.
+ Set m_completelyLoaded to true to ensure that if userCancelledLoad() is called, it doesn't
+ attempt to fire events while destructing.
+
2013-04-17 Sergio Correia <[email protected]>
Web Inspector: make generate-inspector-protocol-version work with python3
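Review bot: "Clearling the media player" in the added ChangeLog entry should read "Clearing the media player". The entry also describes the fix as clearing the media player manually, while the call it is paired with in this change is clearMediaPlayerClient(), which only resets the client pointer; wording such as "detach the media player's client before the destructor exits" would match the code. Since the entry states there are no new tests and the crash is only intermittently reproducible with the existing test under ASAN, it would help to say whether that test was run repeatedly under ASAN with the fix applied.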
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (148635 => 148636)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2013-04-17 21:14:08 UTC (rev 148635)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2013-04-17 21:15:03 UTC (rev 148636)
@@ -350,6 +350,10 @@
#endif
removeElementFromDocumentMap(this, document());
+
+ m_completelyLoaded = true;
+ if (m_player)
+ m_player->clearMediaPlayerClient();
}
void HTMLMediaElement::didMoveToNewDocument(Document* oldDocument)
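Review bot: The m_completelyLoaded = true; assignment at the end of ~HTMLMediaElement needs a comment, because nothing in the flag's name explains why a destructor would set it. The ChangeLog gives the reason (it keeps userCancelledLoad() from firing events while the element is destructing); a one-line comment saying so above the assignment, and another above the m_player->clearMediaPlayerClient() call stating that the player must not call back into the element once the destructor body has finished, would stop a later cleanup from removing either line as dead code.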
Modified: trunk/Source/WebCore/platform/graphics/MediaPlayer.h (148635 => 148636)
--- trunk/Source/WebCore/platform/graphics/MediaPlayer.h 2013-04-17 21:14:08 UTC (rev 148635)
+++ trunk/Source/WebCore/platform/graphics/MediaPlayer.h 2013-04-17 21:15:03 UTC (rev 148636)
@@ -378,6 +378,7 @@
void repaint();
MediaPlayerClient* mediaPlayerClient() const { return m_mediaPlayerClient; }
+ void clearMediaPlayerClient() { m_mediaPlayerClient = 0; }
bool hasAvailableVideoFrame() const;
void prepareForRendering();
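Review bot: clearMediaPlayerClient() sets m_mediaPlayerClient to 0, so mediaPlayerClient() on the line above it can now return null, and nothing in this hunk documents that. Suggest a comment on the accessor saying the client may be null once it has been cleared, and a check that every use of m_mediaPlayerClient inside MediaPlayer tolerates a null client, since the player is still alive after this call and can keep running until it is destroyed.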