Bug 301674
| Summary: | WebCore::MediaSource::~MediaSource; WebCore::MediaSource::~MediaSource; mpark::detail::destructor::~destructor | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Jean-Yves Avenard [:jya] <jean-yves.avenard> |
| Component: | Media | Assignee: | Jean-Yves Avenard [:jya] <jean-yves.avenard> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Jean-Yves Avenard [:jya]
```
Reproduction Command:
DYLD_FRAMEWORK_PATH=$PWD DYLD_LIBRARY_PATH=$PWD __XPC_DYLD_FRAMEWORK_PATH=$PWD __XPC_DYLD_LIBRARY_PATH=$PWD ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 __XPC_ASAN_OPTIONS=handle_segv=2,handle_sigbus=2,handle_sigill=2,handle_abort=2,handle_sigtrap=2,allocator_may_return_null=1 ./WebKitTestRunner --no-enable-all-experimental-feature --no-timeout fuzz-7.html fuzz-7.html
Crash Log:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==55279==ERROR: AddressSanitizer: TRAP on unknown address 0x00012beeb308 (pc 0x00012beeb308 bp 0x00016bbdac30 sp 0x00016bbdac30 T0)
#0 0x00012beeb308 in WTFCrashWithSecurityImplication+0x10 (JavaScriptCore:arm64e+0x61b7308)
#1 0x00012beeb944 in WTF::RefCountedBase::printRefDuringDestructionLogAndCrash(void const*)+0x9c (JavaScriptCore:arm64e+0x61b7944)
#2 0x0003061a74d8 in WebCore::MediaSource::~MediaSource()+0x11bc (WebCore:arm64e+0x61a74d8)
#3 0x0003061af7ac in WebCore::MediaSource::~MediaSource()+0x1c (WebCore:arm64e+0x61af7ac)
#4 0x00030039102c in WebCore::HTMLMediaElement::~HTMLMediaElement()+0x3370 (WebCore:arm64e+0x39102c)
#5 0x00030038dc14 in WebCore::HTMLVideoElement::~HTMLVideoElement()+0x30 (WebCore:arm64e+0x38dc14)
#6 0x000129fd1dc8 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const+0x1160 (JavaScriptCore:arm64e+0x429ddc8)
#7 0x000129fa36a0 in void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)+0x380 (JavaScriptCore:arm64e+0x426f6a0)
#8 0x000129fa32ec in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) const+0x94 (JavaScriptCore:arm64e+0x426f2ec)
#9 0x000128ebc978 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*)+0x92c (JavaScriptCore:arm64e+0x3188978)
#10 0x000128ea6d0c in JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)+0x210 (JavaScriptCore:arm64e+0x3172d0c)
#11 0x000302bf5274 in WebCore::JSHTMLVideoElement::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLVideoElement, WTF::RawPtrTraits<WebCore::HTMLVideoElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLVideoElement>>&&)+0x1b4 (WebCore:arm64e+0x2bf5274)
#12 0x000302bf4ee8 in WebCore::JSDOMWrapperConverterTraits<WebCore::HTMLVideoElement>::WrapperClass* WebCore::createWrapper<WebCore::HTMLVideoElement, WebCore::HTMLElement>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLElement, WTF::RawPtrTraits<WebCore::HTMLElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLElement>>&&)+0x16c (WebCore:arm64e+0x2bf4ee8)
#13 0x000302a9b930 in WebCore::createJSHTMLWrapper(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::HTMLElement, WTF::RawPtrTraits<WebCore::HTMLElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLElement>>&&)+0x5d70 (WebCore:arm64e+0x2a9b930)
#14 0x00030721dfb0 in WebCore::toJSNewlyCreated(JSC::JSGlobalObject*, WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>&&)+0x178 (WebCore:arm64e+0x721dfb0)
#15 0x00030232b888 in JSC::JSValue WebCore::toJSNewlyCreated<WebCore::IDLInterface<WebCore::Element>, WebCore::ExceptionOr<WTF::Ref<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>>>(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::ExceptionOr<WTF::Ref<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element>>>&&)+0x144 (WebCore:arm64e+0x232b888)
#16 0x00030232ad24 in WebCore::jsDocumentPrototypeFunction_createElementBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x708 (WebCore:arm64e+0x232ad24)
#17 0x00030231fa90 in WebCore::jsDocumentPrototypeFunction_createElement(JSC::JSGlobalObject*, JSC::CallFrame*)+0x1c4 (WebCore:arm64e+0x231fa90)
#18 0x00012e82c03c (<unknown module>)
```
Jean-Yves Avenard [:jya]
rdar://163479310
Jean-Yves Avenard [:jya]
Pull request: https://github.com/apple/WebKit/pull/3933