Skip to site navigation (Press enter)

[webkit-changes] [178426] trunk

jer . noble Wed, 14 Jan 2015 10:43:59 -0800

Title: [178426] trunk

Revision: 178426
Author: [email protected]
Date: 2015-01-14 10:43:05 -0800 (Wed, 14 Jan 2015)

Log Message

Null-deref crash when seeking immediately before looping.
https://bugs.webkit.org/show_bug.cgi?id=140394


Reviewed by Eric Carlson.

Source/WebCore:

It is possible for finishSeek() to be called when a seek() has caused a pending seek task
to be scheduled, but before that pending seek task is run. In this case, if a seek request
is issued, the existing pending seek task will not be cancelled, which will cause a crash
when the pending seek task is run.

When checking whether an existing seek task needs to be cancelled, check the actual timer,
rather than the m_seeking boolean, so that this case is covered.

Test: media/video-ended-seek-crash.html

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::seekWithTolerance):

LayoutTests:

* media/video-ended-seek-crash-expected.txt: Added.
* media/video-ended-seek-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/html/HTMLMediaElement.cpp

Added Paths

trunk/LayoutTests/media/video-ended-seek-crash-expected.txt
trunk/LayoutTests/media/video-ended-seek-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (178425 => 178426)


--- trunk/LayoutTests/ChangeLog	2015-01-14 18:39:03 UTC (rev 178425)
+++ trunk/LayoutTests/ChangeLog	2015-01-14 18:43:05 UTC (rev 178426)
@@ -1,3 +1,13 @@
+2015-01-14  Jer Noble  <[email protected]>
+
+        Null-deref crash when seeking immediately before looping.
+        https://bugs.webkit.org/show_bug.cgi?id=140394
+
+        Reviewed by Eric Carlson.
+
+        * media/video-ended-seek-crash-expected.txt: Added.
+        * media/video-ended-seek-crash.html: Added.
+
 2015-01-14  Brent Fulgham  <[email protected]>
 
         [Win] Unreviewed gardening.

Added: trunk/LayoutTests/media/video-ended-seek-crash-expected.txt (0 => 178426)


--- trunk/LayoutTests/media/video-ended-seek-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/media/video-ended-seek-crash-expected.txt	2015-01-14 18:43:05 UTC (rev 178426)
@@ -0,0 +1,11 @@
+
+EVENT(canplaythrough)
+RUN(video.currentTime = video.duration - 0.1)
+RUN(video.play())
+EVENT(ended)
+RUN(video.setAttribute("loop", "loop"))
+RUN(video.currentTime = 0)
+RUN(video.play())
+EVENT(seeked)
+END OF TEST
+

Added: trunk/LayoutTests/media/video-ended-seek-crash.html (0 => 178426)


--- trunk/LayoutTests/media/video-ended-seek-crash.html	                        (rev 0)
+++ trunk/LayoutTests/media/video-ended-seek-crash.html	2015-01-14 18:43:05 UTC (rev 178426)
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>video-ended-seek-crash</title>
+    <script src=""
+    <script src=""
+    <script>
+        function startTest()
+        {
+            findMediaElement();
+            waitForEventOnce('canplaythrough', canPlayThrough);
+            video.src = "" 'content/test');
+        }
+
+        function canPlayThrough()
+        {
+            waitForEventOnce('ended', ended);
+            run('video.currentTime = video.duration - 0.1');
+            run('video.play()');
+        }
+
+        function ended()
+        {
+            waitForEventOnce('seeked', seekedToBeginning);
+            run('video.setAttribute("loop", "loop")');
+            run('video.currentTime = 0');
+            run('video.play()');
+        }
+
+        function seekedToBeginning()
+        {
+            endTest();
+        }
+    </script>
+</head>
+<body _onload_="startTest()">
+    <video controls></video>
+</body>
+</html>
\ No newline at end of file

Modified: trunk/Source/WebCore/ChangeLog (178425 => 178426)


--- trunk/Source/WebCore/ChangeLog	2015-01-14 18:39:03 UTC (rev 178425)
+++ trunk/Source/WebCore/ChangeLog	2015-01-14 18:43:05 UTC (rev 178426)
@@ -1,3 +1,23 @@
+2015-01-14  Jer Noble  <[email protected]>
+
+        Null-deref crash when seeking immediately before looping.
+        https://bugs.webkit.org/show_bug.cgi?id=140394
+
+        Reviewed by Eric Carlson.
+
+        It is possible for finishSeek() to be called when a seek() has caused a pending seek task
+        to be scheduled, but before that pending seek task is run. In this case, if a seek request
+        is issued, the existing pending seek task will not be cancelled, which will cause a crash
+        when the pending seek task is run.
+
+        When checking whether an existing seek task needs to be cancelled, check the actual timer,
+        rather than the m_seeking boolean, so that this case is covered.
+
+        Test: media/video-ended-seek-crash.html
+
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::seekWithTolerance):
+
 2015-01-14  Brent Fulgham  <[email protected]>
 
         [Win] Layout Test fast/css/crash-on-custom-cursor-when-loading.html is failing

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (178425 => 178426)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2015-01-14 18:39:03 UTC (rev 178425)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2015-01-14 18:43:05 UTC (rev 178426)
@@ -2349,7 +2349,7 @@
     // 3 - If the element's seeking IDL attribute is true, then another instance of this algorithm is
     // already running. Abort that other instance of the algorithm without waiting for the step that
     // it is running to complete.
-    if (m_seeking) {
+    if (m_seekTimer.isActive()) {
         m_seekTimer.stop();
         m_pendingSeek = nullptr;
     }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes