Skip to site navigation (Press enter)

[webkit-changes] [149749] trunk

eric . carlson Wed, 08 May 2013 10:14:40 -0700

Title: [149749] trunk

Revision: 149749
Author: [email protected]
Date: 2013-05-08 10:16:21 -0700 (Wed, 08 May 2013)

Log Message

Prevent crash when track is deleted during video element deletion.
https://bugs.webkit.org/show_bug.cgi?id=106183


Reviewed by Dean Jackson.

Source/WebCore:

Test: media/track/track-remove-crash.html

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::removedFrom): Set m_inActiveDocument to false so we
    do not process text track cues or dispatch related events.

LayoutTests:

* media/track/track-remove-crash-expected.txt: Added.
* media/track/track-remove-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/html/HTMLMediaElement.cpp

Added Paths

trunk/LayoutTests/media/track/track-remove-crash-expected.txt
trunk/LayoutTests/media/track/track-remove-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (149748 => 149749)


--- trunk/LayoutTests/ChangeLog	2013-05-08 17:03:25 UTC (rev 149748)
+++ trunk/LayoutTests/ChangeLog	2013-05-08 17:16:21 UTC (rev 149749)
@@ -1,3 +1,13 @@
+2013-05-08  Eric Carlson  <[email protected]>
+
+        Prevent crash when track is deleted during video element deletion.
+        https://bugs.webkit.org/show_bug.cgi?id=106183
+
+        Reviewed by Dean Jackson.
+
+        * media/track/track-remove-crash-expected.txt: Added.
+        * media/track/track-remove-crash.html: Added.
+
 2013-05-08  David Kilzer  <[email protected]>
 
         Remove chromium test results added in r149743

Added: trunk/LayoutTests/media/track/track-remove-crash-expected.txt (0 => 149749)


--- trunk/LayoutTests/media/track/track-remove-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/media/track/track-remove-crash-expected.txt	2013-05-08 17:16:21 UTC (rev 149749)
@@ -0,0 +1,7 @@
+Tests that removing a track while its parent is being deleted does not crash.
+
+
+No crash. PASS.
+
+END OF TEST
+

Added: trunk/LayoutTests/media/track/track-remove-crash.html (0 => 149749)


--- trunk/LayoutTests/media/track/track-remove-crash.html	                        (rev 0)
+++ trunk/LayoutTests/media/track/track-remove-crash.html	2013-05-08 17:16:21 UTC (rev 149749)
@@ -0,0 +1,60 @@
+<!DOCTYPE  html>
+<html>
+    <head>
+        <script src=""
+
+        <script>
+            function logEvent(evt)
+            {
+                consoleWrite("EVENT(" + evt.type + ")");
+            }
+
+            function startTest()
+            {
+                track1 = document.getElementsByTagName('track')[0]
+                track1.track.mode  =  'showing';
+                track1.addEventListener('removetrack', logEvent);
+
+                track2 = document.getElementsByTagName('track')[1]
+                track2.track.mode  =  'showing';
+                track2.addEventListener('removetrack', logEvent);
+
+                video = document.getElementsByTagName('video')[0];
+
+                setTimeout("attemptCrash()", 0);
+            }
+            document.addEventListener("DOMContentLoaded", startTest, false);
+
+            function ForceGC()
+            {
+                try { gc(); } catch(e) {}
+
+                consoleWrite("");
+                consoleWrite("No crash. PASS.");
+                consoleWrite("");
+
+                endTest();
+            }
+
+            function attemptCrash()
+            {
+                newDocument  =  document.implementation.createDocument("",  null);
+                newDocument.appendChild(video);
+                delete newDocument;
+
+                setTimeout(ForceGC, 0);
+            }
+        </script>
+    </head>
+
+    <body>
+        <p>Tests that removing a track while its parent is being deleted does not crash.</p>
+        <video autoplay controls >
+            <source src="" type="video/ogg" >
+            <source src="" type="video/mp4" >
+            <track src=""
+            <track src=""
+        </video>
+        </label>
+    </body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (149748 => 149749)


--- trunk/Source/WebCore/ChangeLog	2013-05-08 17:03:25 UTC (rev 149748)
+++ trunk/Source/WebCore/ChangeLog	2013-05-08 17:16:21 UTC (rev 149749)
@@ -1,5 +1,18 @@
 2013-05-08  Eric Carlson  <[email protected]>
 
+        Prevent crash when track is deleted during video element deletion.
+        https://bugs.webkit.org/show_bug.cgi?id=106183
+
+        Reviewed by Dean Jackson.
+
+        Test: media/track/track-remove-crash.html
+
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::removedFrom): Set m_inActiveDocument to false so we
+            do not process text track cues or dispatch related events.
+
+2013-05-08  Eric Carlson  <[email protected]>
+
         [Mac] Unreviewed buildfix after r149741.
 
         * platform/graphics/avfoundation/objc/MediaPlayerPrivateAVFoundationObjC.mm:

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (149748 => 149749)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2013-05-08 17:03:25 UTC (rev 149748)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2013-05-08 17:16:21 UTC (rev 149749)
@@ -587,8 +587,10 @@
 
 void HTMLMediaElement::removedFrom(ContainerNode* insertionPoint)
 {
+    m_inActiveDocument = false;
+
     if (insertionPoint->inDocument()) {
-        LOG(Media, "HTMLMediaElement::removedFromDocument");
+        LOG(Media, "HTMLMediaElement::removedFrom");
         configureMediaControls();
         if (m_networkState > NETWORK_EMPTY)
             pause();

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes