Bug 161323

Summary: [ios-simulator] media/track/media-element-enqueue-event-crash.html crashes in Frame::script under HTMLMediaElement::updateMediaControlsAfterPresentationModeChange
Product: WebKit
Reporter: Ryan Haddad <ryanhaddad>
Component: Media
Assignee: Nobody <webkit-unassigned>
Status: REOPENED
Severity: Normal
CC: ap, dbates, eric.carlson, jer.noble, jiewen_tan, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=160367
Attachments: crash log (flags: none)

Description Ryan Haddad 2016-08-29 12:58:00 PDT
[ios-simulator] LayoutTest media/track/text-track-cue-is-reachable.html is a flaky crash

Full crashlog:
https://build.webkit.org/results/Apple%20iOS%209%20Simulator%20Debug%20WK2%20(Tests)/r205131%20(4801)/results.html

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000378
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0x378:
--> 
    __TEXT                 0000000102d4f000-0000000102d51000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.Development.xpc/com.apple.WebKit.WebContent.Development

Application Specific Information:
CoreSimulator 209.19 - Device: iPhone 5s WebKit Tester6 - Runtime: iOS 9.3 (13E230) - DeviceType: iPhone 5s
CRASHING TEST: media/track/media-element-enqueue-event-crash.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010ceb580b WebCore::Frame::script() + 43 (Frame.h:349)
1   com.apple.WebCore             	0x000000010d8b5696 WebCore::HTMLMediaElement::updateMediaControlsAfterPresentationModeChange() + 182 (HTMLMediaElement.cpp:6688)
2   com.apple.WebCore             	0x000000010d89fd61 WebCore::HTMLMediaElement::exitFullscreen() + 145 (HTMLMediaElement.cpp:5464)
3   com.apple.WebCore             	0x000000010d8b3f8f WebCore::HTMLMediaElement::stopWithoutDestroyingMediaPlayer() + 79 (HTMLMediaElement.cpp:5089)
4   com.apple.WebCore             	0x000000010d8b41e6 WebCore::HTMLMediaElement::stop() + 70 (HTMLMediaElement.cpp:5131)
5   com.apple.WebCore             	0x000000010d8b428c non-virtual thunk to WebCore::HTMLMediaElement::stop() + 28 (HTMLMediaElement.cpp:5124)
6   com.apple.WebCore             	0x000000010eaf7902 WebCore::ScriptExecutionContext::stopActiveDOMObjects() + 290 (ScriptExecutionContext.cpp:298)
7   com.apple.WebCore             	0x000000010d345c55 WebCore::Document::stopActiveDOMObjects() + 37 (Document.cpp:2499)
8   com.apple.WebCore             	0x000000010d33af4e WebCore::Document::prepareForDestruction() + 286 (Document.cpp:2388)
9   com.apple.WebCore             	0x000000010d696cdd WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView>&&) + 189 (Frame.cpp:251)
10  com.apple.WebCore             	0x000000010d699f58 WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) + 264 (Frame.cpp:864)
11  com.apple.WebKit              	0x000000010371bff2 WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() + 658 (WebFrameLoaderClient.cpp:1324)
12  com.apple.WebCore             	0x000000010d6b58ae WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 1278 (FrameLoader.cpp:1982)
Comment 1 Ryan Haddad 2016-08-29 12:59:41 PDT
<rdar://problem/27927820>
Comment 2 Radar WebKit Bug Importer 2016-08-29 13:00:04 PDT
<rdar://problem/28061044>
Comment 3 Jiewen Tan 2016-08-29 13:20:15 PDT
Committed r205140: <http://trac.webkit.org/changeset/205140>
Comment 4 Ryan Haddad 2016-08-29 13:24:21 PDT
Reverted r205140 for reason:

The changelog entry for this commit is incorrect and misattributed.

Committed r205141: <http://trac.webkit.org/changeset/205141>
Comment 5 Alexey Proskuryakov 2016-08-31 16:32:02 PDT
Are we still hitting this crash?
Comment 7 Alexey Proskuryakov 2016-09-15 10:32:07 PDT
Created attachment 288968 [details]
crash log
Comment 8 Alexey Proskuryakov 2016-09-15 10:48:33 PDT
This is still happening. Crash logs seem to always have media/track/media-element-enqueue-event-crash.html as the crashing test.

This actually looks like a debug build variant of bug 160367.

First crash on bots: 2016-07-29 11:19:36.
Comment 9 Alexey Proskuryakov 2016-09-15 11:07:24 PDT
*** Bug 160367 has been marked as a duplicate of this bug. ***
Comment 10 Alexey Proskuryakov 2016-09-15 11:10:09 PDT
This may be because of one of the tests unskipped in <http://trac.webkit.org/r203906>. Since it's making unrelated tests crash flakily, we should track it down and skip it again. I'll try to do that today.
Comment 11 Alexey Proskuryakov 2016-09-15 11:27:13 PDT
I can easily reproduce with media/track/media-element-enqueue-event-crash.html.
Comment 12 Ryan Haddad 2016-09-15 13:11:15 PDT
Skipped media/track/media-element-enqueue-event-crash.html and media/track/track-remove-crash.html, removed flaky expectation for media/track/text-track-cue-is-reachable.html in http://trac.webkit.org/projects/webkit/changeset/205993