121537 2013-09-17 23:24:08 -0700 Crashed while visit http://html5video.org/wiki/HTML5_Demos 2013-09-23 02:45:04 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) PC Windows 7 RESOLVED DUPLICATE 120297 P2 Normal --- 0 xqhuang.webkit webkit-unassigned darin gyuyoung.kim zan oldest_to_newest 930526 0 xqhuang.webkit 2013-09-17 23:24:08 -0700 OS: Windows 7 WebKit r155740 Steps To Reproduce: 1. Uninstall QuickTime(wasn't QuickTime SDK). 2. Open WinLauncher.exe; 3. Input "http://html5video.org/wiki/HTML5_Demos". Expected Result: Should load http://html5video.org/wiki/HTML5_Demos normally. Actual Result: Crash. How frequently does this problem reproduce? 100% 930558 1 211979 xqhuang.webkit 2013-09-18 00:42:57 -0700 Created attachment 211979 patch for reviewing 930568 2 xqhuang.webkit 2013-09-18 01:13:55 -0700 If QuickTime(wasn't QuickTime SDK) didn't installed, |MediaPlayer::isAvailable()| in |audioConstructor| return false then HTMLUnknownElement was created to insteated of HTMLAudioElement. |isHTMLAudioElement(node)| in |isReachableFromDOM| just check whether element has "audio" tag name, |toHTMLAudioElement(node)| cast HTMLUnknownElement to HTMLAudioElement illegally then call |paused()|. 930809 3 xqhuang.webkit 2013-09-18 18:31:16 -0700 Darin, could you take a look please? 930811 4 211979 darin 2013-09-18 18:39:24 -0700 Comment on attachment 211979 patch for reviewing View in context: https://bugs.webkit.org/attachment.cgi?id=211979&action=review > Source/WebCore/bindings/js/JSNodeCustom.cpp:115 > + // If QuickTime didn't installed, |MediaPlayer::isAvailable()| return false in > + // |audioConstructor| then HTMLUnknowElement was created to instead HTMLAudioElement. Why does paused return false for HTMLUnknownElement? 930822 5 xqhuang.webkit 2013-09-18 19:23:07 -0700 (In reply to comment #4) > (From update of attachment 211979 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=211979&action=review > > > Source/WebCore/bindings/js/JSNodeCustom.cpp:115 > > + // If QuickTime didn't installed, |MediaPlayer::isAvailable()| return false in > > + // |audioConstructor| then HTMLUnknowElement was created to instead HTMLAudioElement. > > Why does paused return false for HTMLUnknownElement? The problem was HTMLUnknownElement has not paused() member function, We convert HTMLUnknownElement to HTMLAudioElement illegally then call paused() will crash. 930823 6 211979 kling 2013-09-18 19:24:48 -0700 Comment on attachment 211979 patch for reviewing View in context: https://bugs.webkit.org/attachment.cgi?id=211979&action=review >>> Source/WebCore/bindings/js/JSNodeCustom.cpp:115 >>> + // |audioConstructor| then HTMLUnknowElement was created to instead HTMLAudioElement. >> >> Why does paused return false for HTMLUnknownElement? > > The problem was HTMLUnknownElement has not paused() member function, We convert HTMLUnknownElement to HTMLAudioElement illegally then call paused() will crash. How does that happen if the isHTMLAudioElement(node) check succeeded on the line just before? 930824 7 xqhuang.webkit 2013-09-18 19:29:30 -0700 (In reply to comment #6) > (From update of attachment 211979 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=211979&action=review > > >>> Source/WebCore/bindings/js/JSNodeCustom.cpp:115 > >>> + // |audioConstructor| then HTMLUnknowElement was created to instead HTMLAudioElement. > >> > >> Why does paused return false for HTMLUnknownElement? > > > > The problem was HTMLUnknownElement has not paused() member function, We convert HTMLUnknownElement to HTMLAudioElement illegally then call paused() will crash. > > How does that happen if the isHTMLAudioElement(node) check succeeded on the line just before? isHTMLAudioElement(node) only check whether element has a tag name "audio", see HTMLElementTypeHelpers.h. But |audioConstructor| in HTMLElementFactory.cpp create HTMLAudioElement failed since MediaPlayer::isAvailable() return false because QuickTime did not installed. HTMLUnknownELement was created as fallback, see HTMLElementFactory::createHTMLElement. 931166 8 darin 2013-09-19 20:37:48 -0700 (In reply to comment #7) > isHTMLAudioElement(node) only check whether element has a tag name "audio" That is the bug we have to fix. 931167 9 211979 darin 2013-09-19 20:38:18 -0700 Comment on attachment 211979 patch for reviewing View in context: https://bugs.webkit.org/attachment.cgi?id=211979&action=review >>>>> Source/WebCore/bindings/js/JSNodeCustom.cpp:115 >>>>> + // |audioConstructor| then HTMLUnknowElement was created to instead HTMLAudioElement. >>>> >>>> Why does paused return false for HTMLUnknownElement? >>> >>> The problem was HTMLUnknownElement has not paused() member function, We convert HTMLUnknownElement to HTMLAudioElement illegally then call paused() will crash. >> >> How does that happen if the isHTMLAudioElement(node) check succeeded on the line just before? > > isHTMLAudioElement(node) only check whether element has a tag name "audio", see HTMLElementTypeHelpers.h. > But |audioConstructor| in HTMLElementFactory.cpp create HTMLAudioElement failed since MediaPlayer::isAvailable() return false because QuickTime did not installed. HTMLUnknownELement was created as fallback, see HTMLElementFactory::createHTMLElement. That is the bug we have to fix. We need to make isHTMLAudioElement return false in such cases. 931168 10 xqhuang.webkit 2013-09-19 20:39:51 -0700 (In reply to comment #9) > (From update of attachment 211979 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=211979&action=review > > >>>>> Source/WebCore/bindings/js/JSNodeCustom.cpp:115 > >>>>> + // |audioConstructor| then HTMLUnknowElement was created to instead HTMLAudioElement. > >>>> > >>>> Why does paused return false for HTMLUnknownElement? > >>> > >>> The problem was HTMLUnknownElement has not paused() member function, We convert HTMLUnknownElement to HTMLAudioElement illegally then call paused() will crash. > >> > >> How does that happen if the isHTMLAudioElement(node) check succeeded on the line just before? > > > > isHTMLAudioElement(node) only check whether element has a tag name "audio", see HTMLElementTypeHelpers.h. > > But |audioConstructor| in HTMLElementFactory.cpp create HTMLAudioElement failed since MediaPlayer::isAvailable() return false because QuickTime did not installed. HTMLUnknownELement was created as fallback, see HTMLElementFactory::createHTMLElement. > > That is the bug we have to fix. We need to make isHTMLAudioElement return false in such cases. All right. Thanks for clarification. 931210 11 zan 2013-09-20 00:36:24 -0700 Bug #120297 is trying to solve the same problem. 932090 12 xqhuang.webkit 2013-09-23 02:45:04 -0700 *** This bug has been marked as a duplicate of bug 120297 *** 211979 2013-09-18 00:42:57 -0700 2013-09-19 20:38:17 -0700 patch for reviewing fix_crash.patch text/plain 1526 xqhuang.webkit SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE1NjAyNSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBACisyMDEzLTA5LTE3ICBYdWVxaW5n IEh1YW5nICA8aHVhbmd4cS53ZWJraXRAZ21haWwuY29tPgorCisgICAgICAgIHRvSFRNTEF1ZGlv RUxlbWVudCgpIG1heWJlIGdldCBIVE1MVW5rbm93bkVsZW1lbnQgaW4gd2hpY2ggY2FzZSB3ZSBz aG91bGQgbm90IGNhbGwgcGF1c2VkKCkuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3Jn L3Nob3dfYnVnLmNnaT9pZD0xMjE1MzcKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBUaGlzIGNhc2UgcmVwcm9kdWNlIHdoaWxlIEphdmFTY3JpcHRDb3Jl IGNvbGxlY3QgR0MgdGh1cyBJIGhhdmUgbm8gaWRlYSBob3cgdG8gdGVzdCBpdC4gCisKKyAgICAg ICAgKiBiaW5kaW5ncy9qcy9KU05vZGVDdXN0b20uY3BwOgorICAgICAgICAoV2ViQ29yZTo6aXNS ZWFjaGFibGVGcm9tRE9NKToKKwogMjAxMy0wOS0xNyAgQW50dGkgS29pdmlzdG8gIDxhbnR0aUBh cHBsZS5jb20+CiAKICAgICAgICAgUmVuYW1lIElubGluZUJveDo6aXNUZXh0KCkKSW5kZXg6IFNv dXJjZS9XZWJDb3JlL2JpbmRpbmdzL2pzL0pTTm9kZUN1c3RvbS5jcHAKPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0g U291cmNlL1dlYkNvcmUvYmluZGluZ3MvanMvSlNOb2RlQ3VzdG9tLmNwcAkocmV2aXNpb24gMTU1 NzQwKQorKysgU291cmNlL1dlYkNvcmUvYmluZGluZ3MvanMvSlNOb2RlQ3VzdG9tLmNwcAkod29y a2luZyBjb3B5KQpAQCAtMTExLDcgKzExMSw5IEBAIHN0YXRpYyBpbmxpbmUgYm9vbCBpc1JlYWNo YWJsZUZyb21ET00oSlMKICAgICAgICAgfQogICAgICNpZiBFTkFCTEUoVklERU8pCiAgICAgICAg IGVsc2UgaWYgKGlzSFRNTEF1ZGlvRWxlbWVudChub2RlKSkgewotICAgICAgICAgICAgaWYgKCF0 b0hUTUxBdWRpb0VsZW1lbnQobm9kZSktPnBhdXNlZCgpKQorICAgICAgICAgICAgLy8gSWYgUXVp Y2tUaW1lIGRpZG4ndCBpbnN0YWxsZWQsIHxNZWRpYVBsYXllcjo6aXNBdmFpbGFibGUoKXwgcmV0 dXJuIGZhbHNlIGluCisgICAgICAgICAgICAvLyB8YXVkaW9Db25zdHJ1Y3RvcnwgdGhlbiBIVE1M VW5rbm93RWxlbWVudCB3YXMgY3JlYXRlZCB0byBpbnN0ZWFkIEhUTUxBdWRpb0VsZW1lbnQuCisg ICAgICAgICAgICBpZiAoIXRvSFRNTEF1ZGlvRWxlbWVudChub2RlKS0+aXNIVE1MVW5rbm93bkVs ZW1lbnQoKSAmJiAhdG9IVE1MQXVkaW9FbGVtZW50KG5vZGUpLT5wYXVzZWQoKSkKICAgICAgICAg ICAgICAgICByZXR1cm4gdHJ1ZTsKICAgICAgICAgfQogICAgICNlbmRpZgo=