RESOLVED FIXED
18847
[GTK] crash when closing video that is streaming
https://bugs.webkit.org/show_bug.cgi?id=18847
Benjamin Otte
Reported
2008-05-02 10:09:32 PDT
1) install swfdec-mozilla's plugin from git (I guess Adobe has the same problem, but didn't test)
2) configure webkit with soup backend (no idea if it'd break with curl, too)
3) go to Youtube
4) watch any video
5) leave site while video is still loading

result:

Program received signal SIGSEGV, Segmentation fault.
0x00000007 in ?? ()
(gdb) where
#0 0x00000007 in ?? ()
#1 0xb7ba9e20 in WebCore::NetscapePlugInStreamLoader::didFinishLoading (this=0xb598a1c0) at WebCore/loader/NetscapePlugInStreamLoader.cpp:97
#2 0xb7baca38 in WebCore::ResourceLoader::didFinishLoading (this=0xb598a1c0) at WebCore/loader/ResourceLoader.cpp:389
#3 0xb7d1eda5 in WebCore::ResourceHandle::cancel (this=0xb2a07818) at WebCore/platform/network/soup/ResourceHandleSoup.cpp:345
#4 0xb7bad7d5 in WebCore::ResourceLoader::didCancel (this=0xb598a1c0, error=@0xbf8e63a0) at WebCore/loader/ResourceLoader.cpp:328
#5 0xb7ba9aa1 in WebCore::NetscapePlugInStreamLoader::didCancel (this=0xb598a1c0, error=@0xbf8e63a0) at WebCore/loader/NetscapePlugInStreamLoader.cpp:116
#6 0xb7bad173 in WebCore::ResourceLoader::cancel (this=0xb598a1c0, error=@0xbf8e63e0) at WebCore/loader/ResourceLoader.cpp:349
#7 0xb7bacae7 in WebCore::ResourceLoader::cancel (this=0xb598a1c0) at WebCore/loader/ResourceLoader.cpp:339
#8 0xb7b7e995 in cancelAll (loaders=@0xb22ec03c) at WebCore/loader/DocumentLoader.cpp:126
#9 0xb7b7e9f0 in WebCore::DocumentLoader::stopLoadingPlugIns (this=0xb22ec000) at WebCore/loader/DocumentLoader.cpp:724
#10 0xb7b7fab1 in WebCore::DocumentLoader::stopLoading (this=0xb22ec000) at WebCore/loader/DocumentLoader.cpp:310
#11 0xb7b8ccac in WebCore::FrameLoader::stopAllLoaders (this=0xb591ba24) at WebCore/loader/FrameLoader.cpp:2493
#12 0xb7b95a18 in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0xb591ba24, request=@0xbf8e65dc, formState=@0xbf8e656c, shouldContinue=true) at WebCore/loader/FrameLoader.cpp:3734
#13 0xb7b95b82 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0xb591ba24, request=@0xbf8e65dc, formState=@0xbf8e65ac, shouldContinue=true) at WebCore/loader/FrameLoader.cpp:3694
#14 0xb7b8c763 in WebCore::PolicyCheck::call (this=0xbf8e65dc, shouldContinue=true) at WebCore/loader/FrameLoader.cpp:4689
#15 0xb7b8c990 in WebCore::FrameLoader::continueAfterNavigationPolicy (this=0xb591ba24, policy=WebCore::PolicyUse) at WebCore/loader/FrameLoader.cpp:3687
#16 0xb794d488 in WebKit::FrameLoaderClient::dispatchDecidePolicyForNavigationAction (this=0xb5918f00, policyFunction=0xb7b8c804 <WebCore::FrameLoader::continueAfterNavigationPolicy(WebCore::PolicyAction)>, action=@0xbf8e67d8, resourceRequest=@0xb22f01d8) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:283
#17 0xb7b8c671 in WebCore::FrameLoader::checkNavigationPolicy (this=0xb591ba24, request=@0xb22f01d8, loader=0xb22f0000, formState=@0xbf8e686c, function=0xb7b95b3c <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0xb591ba24) at WebCore/loader/FrameLoader.cpp:3656
#18 0xb7b8d7f7 in WebCore::FrameLoader::load (this=0xb591ba24, loader=0xb22f0000, type=WebCore::FrameLoadTypeStandard, formState=@0xbf8e6918) at WebCore/loader/FrameLoader.cpp:2241
#19 0xb7b8e37a in WebCore::FrameLoader::load (this=0xb591ba24, request=@0xbf8e695c, action=@0xbf8e69e8, type=WebCore::FrameLoadTypeStandard, formState=@0xbf8e6a3c) at WebCore/loader/FrameLoader.cpp:2194
#20 0xb7b8e9c2 in WebCore::FrameLoader::load (this=0xb591ba24, newURL=@0xbf8e6bb4, referrer=@0xbf8e6b2c, newLoadType=WebCore::FrameLoadTypeStandard, frameName=@0xbf8e6c40, event=0xb17ff310, formState=@0xbf8e6b04) at WebCore/loader/FrameLoader.cpp:2142
#21 0xb7b8fa53 in WebCore::FrameLoader::load (this=0xb591ba24, request=@0xbf8e6bb4, lockHistory=false, userGesture=true, event=0xb17ff310, submitForm=0xb5948ea0, formValues=@0xb591bb9c) at WebCore/loader/FrameLoader.cpp:2078
#22 0xb7b8fdf7 in WebCore::FrameLoader::submitForm (this=0xb591ba24, request=@0xbf8e6bb4, event=0xb17ff310) at WebCore/loader/FrameLoader.cpp:3253
#23 0xb7b903cc in WebCore::FrameLoader::submitForm (this=0xb591ba24, action=0xb7edd6ea "GET", url=@0xb5948f0c, formData=@0xbf8e6d38, target=@0xb5948f10, contentType=@0xbf8e6d34, boundary=@0xbf8e6d30, event=0xb17ff310) at WebCore/loader/FrameLoader.cpp:567
#24 0xb7b26a58 in WebCore::HTMLFormElement::submit (this=0xb5948ea0, event=0xb17ff310, activateSubmitButton=true) at WebCore/html/HTMLFormElement.cpp:494
#25 0xb7b26c17 in WebCore::HTMLFormElement::prepareSubmit (this=0xb5948ea0, event=0xb17ff310) at WebCore/html/HTMLFormElement.cpp:365
#26 0xb7b38705 in WebCore::HTMLInputElement::defaultEventHandler (this=0xb5918280, evt=0xb17ff310) at WebCore/html/HTMLInputElement.cpp:1160
#27 0xb7a72910 in WebCore::EventTarget::dispatchGenericEvent (this=0xb59182a8, referenceNode=0xb5918280, e=@0xbf8e701c, tempEvent=true) at WebCore/dom/EventTarget.cpp:262
#28 0xb7a7397f in WebCore::EventTargetNode::dispatchEvent (this=0xb5918280, e=@0xbf8e7074, ec=@0xbf8e7084, tempEvent=true) at WebCore/dom/EventTargetNode.cpp:121
...
Alp Toker
Comment 1
2008-05-02 18:50:50 PDT
This seems to be a bug in the soup backend, caused by didFinishLoading() calls in cancel().
Alp Toker
Comment 2
2008-05-02 18:52:43 PDT
This fixes the issue in ResourceHandleSoup.cpp, but I'm not too sure what the correct fix will be:

void ResourceHandle::cancel()
{
    d->m_cancelled = true;
    if (d->m_msg) {
        soup_session_cancel_message(session, d->m_msg, SOUP_STATUS_CANCELLED);
        // For re-entrancy troubles we call didFinishLoading when the message hasn't been handled yet.
        // FIXME: Temporarily disabled to work around plugin crash
        // http://bugs.webkit.org/show_bug.cgi?id=18847
        //d->client()->didFinishLoading(this);
    } else if (d->m_cancellable) {
        g_cancellable_cancel(d->m_cancellable);
        // FIXME: Temporarily disabled to work around plugin crash
        // http://bugs.webkit.org/show_bug.cgi?id=18847
        //d->client()->didFinishLoading(this);
    }
}
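An added example, not part of the bug report or of WebKit's code: a reduced model of the call chain in the backtrace (loader cancel, then handle cancel, then didFinishLoading back into the same loader). The Loader and Handle types and the notifyOnCancel switch are hypothetical, and the model assumes the loader releases its stream state before it cancels the handle; it records the late callback in a flag instead of dereferencing anything.

```cpp
#include <cstdio>
#include <memory>

struct Loader;

// Hypothetical stand-in for the network handle (ResourceHandle in the trace).
struct Handle {
    Loader* client = nullptr;
    bool notifyOnCancel = false;  // true models didFinishLoading() being called from cancel()
    bool cancelled = false;
    void cancel();
};

// Hypothetical stand-in for the loader that owns the plugin stream.
struct Loader {
    std::unique_ptr<int> stream = std::make_unique<int>(0);  // plugin stream state
    Handle* handle = nullptr;
    bool finishAfterTeardown = false;

    void didFinishLoading() {
        // A real loader would call into the stream here; once the stream is
        // gone that call goes through a stale pointer. The model only flags it.
        if (!stream) { finishAfterTeardown = true; return; }
        stream.reset();
    }
    void cancel() {
        stream.reset();    // assumption: stream is torn down first
        handle->cancel();  // then the network handle is cancelled
    }
};

void Handle::cancel() {
    cancelled = true;
    if (notifyOnCancel)
        client->didFinishLoading();  // re-enters the client in the middle of its own cancel
}

// Returns true when the loader received didFinishLoading after teardown.
bool lateFinishOnCancel(bool notifyOnCancel) {
    Loader loader;
    Handle handle;
    handle.client = &loader;
    handle.notifyOnCancel = notifyOnCancel;
    loader.handle = &handle;
    loader.cancel();
    return loader.finishAfterTeardown;
}

int main() {
    std::printf("notify from cancel(): late finish = %d\n", lateFinishOnCancel(true));
    std::printf("no notify in cancel(): late finish = %d\n", lateFinishOnCancel(false));
}
```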
Hiroyuki Ikezoe
Comment 3
2009-01-05 20:46:11 PST
I confirmed this bug is fixed by the patch bug #23116.
Gustavo Noronha (kov)
Comment 4
2009-03-19 07:02:34 PDT
I hadn't seen that bug before =/. Yeah, that was exactly the fix that was actually landed: http://trac.webkit.org/changeset/41453.