Bug 130971 (CVE-2016-4586)

Summary: media/track/track-remove-track.html is flaky, crashing and failing
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: MediaAssignee: Eric Carlson <eric.carlson>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, clopez, commit-queue, eric.carlson, ggaren, jer.noble
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=142484
Attachments:
Description Flags
Proposed patch.
none
Proposed patch.
ap: review+
Patch for landing. none

Alexey Proskuryakov
Reported 2014-03-31 09:39:18 PDT
media/track/track-remove-track.html is flaky. It was this way since the test was added last week. http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=media%2Ftrack%2Ftrack-remove-track.html Crash: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000001126cf84c WebCore::createWrapperInline(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) + 156 (JSNodeCustom.cpp:202) 1 com.apple.WebCore 0x00000001126cf795 WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) + 37 (JSNodeCustom.cpp:253) 2 com.apple.WebCore 0x0000000111bc0b55 WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) + 133 (JSNodeCustom.h:47) 3 com.apple.WebCore 0x0000000111fcdeef WebCore::HTMLMediaElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot*) + 447 (HTMLMediaElement.cpp:5963) Fail: @@ -1,4 +1,2 @@ -PASS Tests that the 'removetrack' event is fired when an out-of-band TextTrack is removed. -PASS Tests that the 'removetrack' event is NOT fired for inband TextTrack on a failed load. - +Harness Error. harness_status.status = 2 , harness_status.message = null
Attachments
Proposed patch. (3.86 KB, patch)
2016-03-23 14:30 PDT, Eric Carlson 		no flags
DetailsFormatted DiffDiff
Proposed patch. (11.41 KB, patch)
2016-03-28 14:15 PDT, Eric Carlson 		ap: review+
DetailsFormatted DiffDiff
Patch for landing. (11.92 KB, patch)
2016-03-29 07:40 PDT, Eric Carlson 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2014-03-31 09:41:36 PDT
Marked as flaky in <http://trac.webkit.org/r166508>.
Carlos Alberto Lopez Perez
Comment 2 2014-04-11 11:50:56 PDT
On GTK this test times out, but if you run it with a high enough timeout it gives this very same failure. I'll update the GTK test expectations for this test to point here also.
Eric Carlson
Comment 3 2016-03-23 14:30:31 PDT
Created attachment 274777 [details] Proposed patch.
Alexey Proskuryakov
Comment 4 2016-03-23 14:36:39 PDT
Comment on attachment 274777 [details] Proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=274777&action=review > Source/WebCore/html/HTMLMediaElement.cpp:3890 > + Ref<HTMLMediaElement> protect(*this); // Loading and running script can trigger GC. > + ensureUserAgentShadowRoot(); This is not our usual idiom for protect. It's better to add a Ref[Ptr] to a function that needs to use a pointer after an operation that could destroy it. ensureMediaControlsShadowRoot is clearly not such a function, because it doesn't do anything after calling ensureUserAgentShadowRoot().
Alexey Proskuryakov
Comment 5 2016-03-23 14:37:11 PDT
Comment on attachment 274777 [details] Proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=274777&action=review > Source/WebCore/ChangeLog:9 > + No new tests, this fixes an existing test. Is the test still marked as flaky or failing in TestExpectations?
Eric Carlson
Comment 6 2016-03-28 14:15:50 PDT
Created attachment 275050 [details] Proposed patch.
WebKit Commit Bot
Comment 7 2016-03-28 14:18:06 PDT
Attachment 275050 [details] did not pass style-queue: ERROR: Source/WebCore/html/HTMLMediaElement.cpp:192: preprocessor directives (e.g., #ifdef, #define, #import) should never be indented. [whitespace/indent] [4] ERROR: Source/WebCore/html/HTMLMediaElement.cpp:193: Multi line control clauses should use braces. [whitespace/braces] [4] Total errors found: 2 in 4 files If any of these errors are false positives, please file a bug against check-webkit-style.
Alexey Proskuryakov
Comment 8 2016-03-28 14:33:13 PDT
Comment on attachment 275050 [details] Proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=275050&action=review > Source/WebCore/html/HTMLMediaElement.cpp:192 > + #define CASE(actionType) \ Please #undef this at the end. > Source/WebCore/html/HTMLMediaElement.cpp:199 > + CASE(HTMLMediaElementEnums::LoadMediaResource); It's probably better to log without the prefix. > Source/WebCore/html/HTMLMediaElement.cpp:409 > + , m_haveSetupCaptionContainer(false) I think that WebKit style for this is m_haveSetUpCaptionContainer. > Source/WebCore/html/HTMLMediaElement.cpp:3911 > + m_creatingControls = true; Should we ASSERT(!m_creatingControls) here?
Eric Carlson
Comment 9 2016-03-29 07:40:27 PDT
Created attachment 275091 [details] Patch for landing.
WebKit Commit Bot
Comment 10 2016-03-29 08:40:33 PDT
Comment on attachment 275091 [details] Patch for landing. Clearing flags on attachment: 275091 Committed r198780: <http://trac.webkit.org/changeset/198780>
WebKit Commit Bot
Comment 11 2016-03-29 08:40:38 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.