| Summary: | Crash at MediaPlayer::duration() | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Hin-Chung Lam <hclam> | ||||||||
| Component: | DOM | Assignee: | Nobody <webkit-unassigned> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | Normal | CC: | commit-queue, eric.carlson, hclam | ||||||||
| Priority: | P2 | ||||||||||
| Version: | 528+ (Nightly build) | ||||||||||
| Hardware: | PC | ||||||||||
| OS: | Windows Vista | ||||||||||
| URL: | http://stewdio.org/pong/ | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Hin-Chung Lam
2010-03-10 15:30:35 PST
So the cause of this is as follows: 1. Page A opens a video and open a new window with Page B 2. Page B holds a reference to the video element in Page A 3. Page A closes, media engine is destroyed but HTMLMediaElement still alive 4. Page B tries to call that video element, which calls the internal m_player 5. Bang! Created attachment 50463 [details]
Patch
Comment on attachment 50463 [details] Patch > float HTMLMediaElement::duration() const > { > - if (m_readyState >= HAVE_METADATA) > + if (m_player && m_readyState >= HAVE_METADATA) > return m_player->duration(); While this is a sensible change, it shouldn't be necessary to prevent this crash because m_readyState should be HAVE_NOTHING if m_player is NULL. I haven't looked, but I suspect there are more problems waiting to be discovered when the the player has been destroyed and the state hasn't been reset.Can you please reset m_readyState and m_networkState to their default values when the player is destroyed? > Index: LayoutTests/http/tests/media/video-cancel-load.html I would *really* like to see this test reformatted to have some structure (text in the <body>, <script> in <head> etc). I know that many layout tests do not do this, but I find that it is often much easier to understand what a test is supposed to do if has some structure. (In reply to comment #3) > (From update of attachment 50463 [details]) > > float HTMLMediaElement::duration() const > > { > > - if (m_readyState >= HAVE_METADATA) > > + if (m_player && m_readyState >= HAVE_METADATA) > > return m_player->duration(); > > While this is a sensible change, it shouldn't be necessary to prevent this > crash because m_readyState should be HAVE_NOTHING if m_player is NULL. I > haven't looked, but I suspect there are more problems waiting to be discovered > when the the player has been destroyed and the state hasn't been reset.Can you > please reset m_readyState and m_networkState to their default values when the > player is destroyed? The spec actually doesn't say that we should reset m_readyState to default value, like HAVE_NOTHING. It specifies how m_networkState should be assigned though. Though I think setting m_readyState to HAVE_NOTHING is sensible, but i wasn't sure. Any thoughts? > > > > Index: LayoutTests/http/tests/media/video-cancel-load.html > > I would *really* like to see this test reformatted to have some structure (text > in the <body>, <script> in <head> etc). I know that many layout tests do not do > this, but I find that it is often much easier to understand what a test is > supposed to do if has some structure. Will do. Created attachment 50529 [details]
Patch
Modified the patch and test according to Eric's comments. I'm not very sure about setting m_readyState to HAVE_NOTHING since it isn't in the spec. But testing it with existing tests doesn't seem to reveal a problem. (In reply to comment #4) > (In reply to comment #3) > > (From update of attachment 50463 [details] [details]) > > > float HTMLMediaElement::duration() const > > > { > > > - if (m_readyState >= HAVE_METADATA) > > > + if (m_player && m_readyState >= HAVE_METADATA) > > > return m_player->duration(); > > > > While this is a sensible change, it shouldn't be necessary to prevent this > > crash because m_readyState should be HAVE_NOTHING if m_player is NULL. I > > haven't looked, but I suspect there are more problems waiting to be discovered > > when the the player has been destroyed and the state hasn't been reset.Can you > > please reset m_readyState and m_networkState to their default values when the > > player is destroyed? > > The spec actually doesn't say that we should reset m_readyState to default > value, like HAVE_NOTHING. It specifies how m_networkState should be assigned > though. Though I think setting m_readyState to HAVE_NOTHING is sensible, but i > wasn't sure. Any thoughts? > It does though, HAVE_NOTHING is defined as: No information regarding the media resource is available. No data for the current playback position is available. and we have not data at all if the media engine has been destroyed. Comment on attachment 50529 [details]
Patch
22 function duration()
23 {
24 var d = video.duration;
25 if (count++ >= 10 && window.layoutTestController)
26 layoutTestController.notifyDone();
27 }
I should have noticed this the first time around, but what is magic about 10, what makes you certain that this will work on both fast and slow machines? Can you trigger the crash by getting the duration from an onload handler in the child document (or from a function called via settimout() called from an onload handler)?
The setInterval trick is to simulate the failure, but onload can work better, will change that. Created attachment 50536 [details]
Patch
Changed setInterval to setTimeout, onload doesn't work since it runs too quickly and the parent document hasn't changed, so allow 50ms for parent to switch to a different document.
Comment on attachment 50536 [details]
Patch
Thanks!
Thanks for the review! Comment on attachment 50536 [details] Patch Clearing flags on attachment: 50536 Committed r55917: <http://trac.webkit.org/changeset/55917> All reviewed patches have been landed. Closing bug. |