Bug 160366

Summary: Crash under HTMLMediaElement::{resolve, reject}PendingPlayPromises() when playback is interrupted
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: Media
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: eric.carlson, jer.noble, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: iPhone / iPad
OS: Unspecified
Attachments: Patch and Layout Tests (flags: none)

Daniel Bates
Reported 2016-07-29 16:58:10 PDT
Depending on timing, if media.play() is called when a system interruption occurs, then we may try to settle the returned Promise twice. This causes the assertion ASSERT(m_deferred) to fail in DeferredWrapper::{resolve, rejectWithValue}() in a debug build and causes a crash in a release build (since m_globalObject is null). Once a Promise is settled we clear out its reference to the global object of the page and its JSPromiseDeferred object so as to ensure that a Promise is only settled once.
Attachments
Patch and Layout Tests (9.01 KB, patch)
2016-07-29 17:02 PDT, Daniel Bates
no flags
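The double settle described in the report, reduced to a self-contained C++ sketch (an added example, not code from the WebKit patch or from the reporter). PromiseSketch, PlayerSketch and the drain-before-settle guard are assumptions made for illustration; the page does not show how the bug was fixed.

```cpp
// Added illustration: PromiseSketch and PlayerSketch are hypothetical, not WebKit classes.
#include <cstddef>
#include <memory>
#include <vector>

// Settle-once handle: settling clears the state a later settle would need.
struct PromiseSketch {
    std::shared_ptr<int> state = std::make_shared<int>(0);
    // Returns false if already settled (per the report, the real code asserts or crashes here).
    bool settle(int value) {
        if (!state)
            return false;
        *state = value;
        state.reset();
        return true;
    }
};
using PendingList = std::vector<std::shared_ptr<PromiseSketch>>;
// Settles every promise in the list; returns how many were already settled.
static std::size_t settleAll(PendingList& list, int value) {
    std::size_t repeats = 0;
    for (auto& promise : list)
        repeats += promise->settle(value) ? 0 : 1;
    return repeats;
}

struct PlayerSketch {
    PendingList pending;
    void play() { pending.push_back(std::make_shared<PromiseSketch>()); }
    // Unsafe shape: the list survives, so a second settling path revisits it.
    std::size_t settleKeepingList(int value) { return settleAll(pending, value); }
    // Safer shape: move the promises out first, so only one path sees each.
    std::size_t settleDraining(int value) {
        PendingList batch;
        batch.swap(pending);
        return settleAll(batch, value);
    }
};

// Two play() calls, then a resolve path (1) followed by a reject path (-1).
std::size_t repeatedSettles(bool drain) {
    PlayerSketch player;
    player.play();
    player.play();
    std::size_t repeats = 0;
    for (int value : {1, -1})
        repeats += drain ? player.settleDraining(value) : player.settleKeepingList(value);
    return repeats;
}
```

Each repeat counted by `repeatedSettles(false)` corresponds to one settle call on an already-settled promise, the condition the report says trips ASSERT(m_deferred) in a debug build.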
Daniel Bates
Comment 1 2016-07-29 16:58:47 PDT
Daniel Bates
Comment 2 2016-07-29 17:02:56 PDT
Created attachment 284919: Patch and Layout Tests
Daniel Bates
Comment 3 2016-07-29 17:31:29 PDT
Comment on attachment 284919: Patch and Layout Tests
Clearing flags on attachment: 284919
Committed r203931: <http://trac.webkit.org/changeset/203931>
Daniel Bates
Comment 4 2016-07-29 17:31:32 PDT
All reviewed patches have been landed. Closing bug.