CRASHING TEST: media/video-controls-captions-trackmenu.html

Process: DumpRenderTree [47704]
Path: /Volumes/VOLUME/*/DumpRenderTree
Identifier: DumpRenderTree
Version: 0
Code Type: X86-64 (Native)
Parent Process: Python [46425]
User ID: 501

Date/Time: 2012-12-18 17:18:36.095 -0800
OS Version: Mac OS X 10.8.2 (12C54)
Report Version: 10

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> __TEXT 0000000104bee000-0000000104c8a000 [ 624K] r-x/rwx SM=COW /Volumes/VOLUME/*

Application Specific Information:
CRASHING TEST: media/video-controls-captions-trackmenu.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000107e81af5 WebCore::TextTrack::trackIndexRelativeToRenderedTracks() + 85 (TextTrack.cpp:332)
1 com.apple.WebCore 0x0000000107e8317f WebCore::TextTrackCue::calculateComputedLinePosition() + 127 (TextTrackCue.cpp:578)
2 com.apple.WebCore 0x0000000107a82c8e WebCore::RenderTextTrackCue::initializeLayoutParameters(WebCore::InlineFlowBox*&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 318 (RenderTextTrackCue.cpp:71)
3 com.apple.WebCore 0x0000000107a82a5e WebCore::RenderTextTrackCue::repositionCueSnapToLinesSet() + 62 (RenderTextTrackCue.cpp:203)
4 com.apple.WebCore 0x0000000107a829ef WebCore::RenderTextTrackCue::layout() + 303 (RenderTextTrackCue.cpp:49)
5 com.apple.WebCore 0x0000000106c23876 WebCore::RenderObject::layoutIfNeeded() + 54 (RenderObject.h:687)
6 com.apple.WebCore 0x00000001077d9411 WebCore::RenderBlock::layoutPositionedObjects(bool) + 673 (RenderBlock.cpp:2653)
7 com.apple.WebCore 0x00000001077d6159 WebCore::RenderBlock::layoutBlock(bool, WebCore::LayoutUnit) + 2537 (RenderBlock.cpp:1568)
8 com.apple.WebCore 0x00000001077d4d0e WebCore::RenderBlock::layout() + 126 (RenderBlock.cpp:1360)
9 com.apple.WebCore 0x000000010796361f WebCore::RenderTextTrackContainerElement::layout() + 31 (RenderMediaControlElements.cpp:94)
10 com.apple.WebCore 0x0000000106c23876 WebCore::RenderObject::layoutIfNeeded() + 54 (RenderObject.h:687)
11 com.apple.WebCore 0x00000001078a92a5 WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox(bool) + 1941 (RenderDeprecatedFlexibleBox.cpp:713)
12 com.apple.WebCore 0x00000001078a6342 WebCore::RenderDeprecatedFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) + 1010 (RenderDeprecatedFlexibleBox.cpp:283)
13 com.apple.WebCore 0x00000001077d4d0e WebCore::RenderBlock::layout() + 126 (RenderBlock.cpp:1360)
14 com.apple.WebCore 0x0000000107962ec6 WebCore::RenderMedia::layout() + 1078 (RenderMedia.cpp:83)
Skipped in Debug in http://trac.webkit.org/changeset/138094
This is followed by a crash in Release:
http://build.webkit.org/results/Apple%20Lion%20Release%20WK1%20(Tests)/r138178%20(7486)/media/video-controls-captions-trackmenu-crash-log.txt

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000258

VM Regions Near 0x258:
--> __TEXT 00000001016d8000-0000000101738000 [ 384K] r-x/rwx SM=COW /Volumes/VOLUME/*

Application Specific Information:
CRASHING TEST: media/video-controls-captions-trackmenu.html
objc[93675]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000001024b7a9b WebCore::HTMLMediaElement::textTracks() + 27 (RefPtr.h:66)
1 com.apple.WebCore 0x0000000102d271fd WebCore::TextTrack::trackIndexRelativeToRenderedTracks() + 29 (TextTrack.cpp:335)
2 com.apple.WebCore 0x0000000102d2811d WebCore::TextTrackCue::calculateComputedLinePosition() + 45 (TextTrackCue.cpp:584)
3 com.apple.WebCore 0x0000000102b3b1b2 WebCore::RenderTextTrackCue::initializeLayoutParameters(WebCore::InlineFlowBox*&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 130 (RenderTextTrackCue.cpp:74)
Created attachment 180211
Proposed patch

Comment on attachment 180211
Proposed patch

Attachment 180211 did not pass qt-ews (qt):
Output: http://queues.webkit.org/results/15405766

Comment on attachment 180211
Proposed patch

Attachment 180211 did not pass qt-wk2-ews (qt):
Output: http://queues.webkit.org/results/15410752

Created attachment 180216
Put "#if ENABLE(VIDEO_TRACK)" around new code.

Comment on attachment 180216
Put "#if ENABLE(VIDEO_TRACK)" around new code.

Clearing flags on attachment: 180216

Committed r138224: <http://trac.webkit.org/changeset/138224>
All reviewed patches have been landed. Closing bug.
I'm seeing another crash on /media/track/track-prefer-captions-crash.html:
http://build.webkit.org/results/Apple%20MountainLion%20Release%20WK1%20(Tests)/r138293%20(5052)/media/track/track-prefer-captions-crash-log.txt

0 com.apple.WebCore 0x0000000106c50933 WebCore::HTMLMediaElement::removeTrack(WebCore::TextTrack*) + 67 (HTMLMediaElement.cpp:2805)
1 com.apple.WebCore 0x0000000106c50e7d WebCore::HTMLMediaElement::didRemoveTrack(WebCore::HTMLTrackElement*) + 93 (HTMLMediaElement.cpp:4267)
2 com.apple.WebCore 0x0000000106c9a6a5 WebCore::HTMLTrackElement::removedFrom(WebCore::ContainerNode*) + 85 (HTMLTrackElement.cpp:92)
3 com.apple.WebCore 0x00000001068ff346 WebCore::Private::NodeRemovalDispatcher<WebCore::Node, WebCore::ContainerNode, true>::dispatch(WebCore::Node*, WebCore::ContainerNode*) + 70 (Node.h:724)
4 com.apple.WebCore 0x00000001068fecca void WebCore::removeAllChildrenInContainer<WebCore::Node, WebCore::ContainerNode>(WebCore::ContainerNode*) + 378 (TreeShared.h:77)
5 com.apple.WebCore 0x00000001069e854b WebCore::Document::removedLastRef() + 539 (OwnPtr.h:72)
6 com.apple.WebCore 0x0000000106f458cb WebCore::JSNodeOwner::finalize(JSC::Handle<JSC::Unknown>, void*) + 59 (JSNode.h:69)
7 com.apple.JavaScriptCore 0x0000000106255f4c JSC::WeakBlock::sweep() + 108 (WeakImpl.h:84)
8 com.apple.JavaScriptCore 0x00000001062562b8 JSC::WeakSet::sweep() + 40 (DoublyLinkedList.h:118)
9 com.apple.JavaScriptCore 0x000000010618d2d8 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 24 (MarkedBlock.cpp:112)
10 com.apple.JavaScriptCore 0x0000000106254fa3 JSC::MarkedAllocator::allocateSlowCase(unsigned long) + 99 (MarkedAllocator.cpp:34)
11 com.apple.JavaScriptCore 0x000000010614a52d JSC::FunctionPrototype::create(JSC::ExecState*, JSC::JSGlobalObject*, JSC::Structure*) + 77 (MarkedAllocator.h:78)
12 com.apple.JavaScriptCore 0x0000000106145c21 JSC::JSGlobalObject::reset(JSC::JSValue) + 209 (JSGlobalObject.cpp:202)
13 com.apple.WebCore 0x0000000106e55ae3 WebCore::JSDOMWindowBase::finishCreation(JSC::JSGlobalData&, WebCore::JSDOMWindowShell*) + 35 (JSDOMWindowBase.cpp:69)
14 com.apple.WebCore 0x0000000106e5a53f WebCore::JSDOMWindow::create(JSC::JSGlobalData&, JSC::Structure*, WTF::PassRefPtr<WebCore::DOMWindow>, WebCore::JSDOMWindowShell*) + 175 (JSDOMWindow.h:42)
15 com.apple.WebCore 0x0000000106e5a23c WebCore::JSDOMWindowShell::setWindow(WTF::PassRefPtr<WebCore::DOMWindow>) + 380 (JSDOMWindowShell.cpp:75)
16 com.apple.WebCore 0x0000000107328124 WebCore::ScriptController::clearWindowShell(WebCore::DOMWindow*, bool) + 276 (PassRefPtr.h:68)
17 com.apple.WebCore 0x0000000106b8dfaf WebCore::FrameLoader::clear(WebCore::Document*, bool, bool, bool) + 271 (FrameLoader.cpp:568)
18 com.apple.WebCore 0x0000000106a14f71 WebCore::DocumentWriter::begin(WebCore::KURL const&, bool, WebCore::Document*) + 369 (DocumentWriter.cpp:135)
19 com.apple.WebCore 0x0000000106a04beb WebCore::DocumentLoader::commitData(char const*, unsigned long) + 91 (RefPtr.h:56)
20 com.apple.WebKit 0x000000010656c7b4 -[WebHTMLRepresentation receivedData:withDataSource:] + 100 (WebHTMLRepresentation.mm:186)
21 com.apple.WebKit 0x000000010653f49d -[WebDataSource(WebInternal) _receivedData:] + 77 (WebDataSource.mm:216)
22 com.apple.WebKit 0x00000001065574f7 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 103 (WebFrameLoaderClient.mm:841)
23 com.apple.WebCore 0x0000000106a04e30 WebCore::DocumentLoader::commitLoad(char const*, int) + 144 (RefCounted.h:148)
24 com.apple.WebCore 0x00000001070ef173 WebCore::MainResourceLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 787 (MainResourceLoader.cpp:497)
25 com.apple.WebCore 0x00000001068bb5c5 WebCore::CachedRawResource::data(WTF::PassRefPtr<WebCore::ResourceBuffer>, bool) + 309 (CachedRawResource.cpp:70)
26 com.apple.WebCore 0x00000001073ff1fa WebCore::SubresourceLoader::sendDataToResource(char const*, int) + 122 (PassRefPtr.h:68)
27 com.apple.WebCore 0x00000001073ff2dc WebCore::SubresourceLoader::didReceiveData(char const*, int, long long, bool) + 76 (ResourceLoader.h:142)
28 com.apple.WebCore 0x0000000107308c38 WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 136 (InspectorInstrumentation.h:260)
29 com.apple.Foundation 0x00007fff87ee6f58 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28
30 com.apple.Foundation 0x00007fff87ee6e9c -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227
31 com.apple.Foundation 0x00007fff87ee6d98 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63
32 com.apple.Foundation 0x00007fff87ee992b _NSURLConnectionDidReceiveData_LengthReceived + 86
33 com.apple.CFNetwork 0x00007fff8971d7b1 ___delegate_didReceiveDataArray_block_invoke_0 + 132
34 com.apple.CFNetwork 0x00007fff89710753 ___withDelegateAsync_block_invoke_0 + 90
35 com.apple.CFNetwork 0x00007fff8979f2ca __block_global_1 + 28
36 com.apple.CoreFoundation 0x00007fff92f8c724 CFArrayApplyFunction + 68
37 com.apple.CFNetwork 0x00007fff89701a6c RunloopBlockContext::perform() + 126
38 com.apple.CFNetwork 0x00007fff8970194b MultiplexerSource::perform() + 221
39 com.apple.CoreFoundation 0x00007fff92f6e101 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
40 com.apple.CoreFoundation 0x00007fff92f6da25 __CFRunLoopDoSources0 + 245
41 com.apple.CoreFoundation 0x00007fff92f90dc5 __CFRunLoopRun + 789
42 com.apple.CoreFoundation 0x00007fff92f906b2 CFRunLoopRunSpecific + 290
43 com.apple.Foundation 0x00007fff87f6489e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268
44 DumpRenderTree 0x0000000105e714c9 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 1624 (DumpRenderTree.mm:1378)
45 DumpRenderTree 0x0000000105e70c54 dumpRenderTree(int, char const**) + 1855 (DumpRenderTree.mm:842)
46 DumpRenderTree 0x0000000105e71832 main + 86 (DumpRenderTree.mm:927)
47 libdyld.dylib 0x00007fff89a677e1 start + 1
Here's an interesting stack trace.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010ce8f631 WebCore::TreeShared<WebCore::Node, WebCore::ContainerNode>::ref() + 161 (TreeShared.h:64)
1 com.apple.WebCore 0x000000010e02f8cc WebCore::Node::refEventTarget() + 28 (Node.cpp:848)
2 com.apple.WebCore 0x000000010d2da016 WebCore::EventTarget::ref() + 22 (EventTarget.h:105)
3 com.apple.WebCore 0x000000010d2d9ff2 void WTF::refIfNotNull<WebCore::EventTarget>(WebCore::EventTarget*) + 50 (PassRefPtr.h:48)
4 com.apple.WebCore 0x000000010d2d9fb4 WTF::PassRefPtr<WebCore::EventTarget>::PassRefPtr(WebCore::EventTarget*) + 36 (PassRefPtr.h:61)
5 com.apple.WebCore 0x000000010d2b733d WTF::PassRefPtr<WebCore::EventTarget>::PassRefPtr(WebCore::EventTarget*) + 29 (PassRefPtr.h:61)
6 com.apple.WebCore 0x000000010d74b56d WebCore::HTMLMediaElement::scheduleEvent(WTF::AtomicString const&) + 109 (HTMLMediaElement.cpp:639)
7 com.apple.WebCore 0x000000010d74fb5b WebCore::HTMLMediaElement::scheduleTimeupdateEvent(bool) + 171 (HTMLMediaElement.cpp:2718)
8 com.apple.WebCore 0x000000010d74cb53 WebCore::HTMLMediaElement::updateActiveTextTrackCues(float) + 1075 (HTMLMediaElement.cpp:1146)
9 com.apple.WebCore 0x000000010d750a63 WebCore::HTMLMediaElement::endIgnoringTrackDisplayUpdateRequests() + 163 (HTMLMediaElement.cpp:1385)
10 com.apple.WebCore 0x000000010d76d6ed WebCore::TrackDisplayUpdateScope::~TrackDisplayUpdateScope() + 109 (HTMLMediaElement.cpp:217)
11 com.apple.WebCore 0x000000010d75b6c5 WebCore::TrackDisplayUpdateScope::~TrackDisplayUpdateScope() + 21 (HTMLMediaElement.cpp:217)
12 com.apple.WebCore 0x000000010d754dd1 WebCore::HTMLMediaElement::removeTrack(WebCore::TextTrack*) + 129 (HTMLMediaElement.cpp:2809)
13 com.apple.WebCore 0x000000010d755417 WebCore::HTMLMediaElement::didRemoveTrack(WebCore::HTMLTrackElement*) + 423 (HTMLMediaElement.cpp:2928)
14 com.apple.WebCore 0x000000010d7b85d9 WebCore::HTMLTrackElement::removedFrom(WebCore::ContainerNode*) + 105 (HTMLTrackElement.cpp:88)
15 com.apple.WebCore 0x000000010d0917b2 WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument(WebCore::Node*) + 130 (ContainerNodeAlgorithms.h:239)
16 com.apple.WebCore 0x000000010d08ef9b WebCore::ChildNodeRemovalNotifier::notify(WebCore::Node*) + 59 (ContainerNodeAlgorithms.h:256)
17 com.apple.WebCore 0x000000010d091214 WebCore::Private::NodeRemovalDispatcher<WebCore::Node, WebCore::ContainerNode, true>::dispatch(WebCore::Node*, WebCore::ContainerNode*) + 116 (ContainerNodeAlgorithms.h:143)
18 com.apple.WebCore 0x000000010d09115b void WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode>(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode*) + 331 (ContainerNodeAlgorithms.h:183)
19 com.apple.WebCore 0x000000010d08e9fa void WebCore::removeAllChildrenInContainer<WebCore::Node, WebCore::ContainerNode>(WebCore::ContainerNode*) + 250 (ContainerNodeAlgorithms.h:104)
20 com.apple.WebCore 0x000000010d089b15 WebCore::ContainerNode::removeAllChildren() + 21 (ContainerNode.cpp:95)
21 com.apple.WebCore 0x000000010d29d070 WebCore::Document::removedLastRef() + 448 (Document.cpp:710)

The problem is that we can't dispatch an event inside removedFrom(). When removedFrom is called, m_deletionHasBegun had already been set to true and nobody can ref that node. We need to find some other way of fixing this bug.
If we really do have a requirement to fire an event at this timing, then we need to invent a new class like ChildFrameDisconnector (see http://trac.webkit.org/changeset/116629) and use that instead.
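
The lifetime rule discussed in the last two comments, as an added example that is not part of the original bug thread and is not WebKit code. Node, MediaElement and both functions are simplified stand-ins: the first reproduces the failing order (notify after deletion has begun), the second sketches the alternative of doing the notifying work in a separate pass before teardown.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Simplified stand-in for a ref-counted tree node (hypothetical, not WebKit's class).
struct Node {
    int refCount = 0;
    bool deletionHasBegun = false;
    void ref() {
        // Models the rule from the thread: a node being torn down must not gain owners.
        if (deletionHasBegun) throw std::logic_error("ref() after deletion began");
        ++refCount;
    }
};

struct MediaElement : Node {
    std::vector<std::string> pendingEvents;
    void scheduleEvent(const std::string& type) {
        ref();                          // a queued event holds a reference to its target
        pendingEvents.push_back(type);
    }
    void didRemoveTrack() { scheduleEvent("timeupdate"); }
};

// Failing order from the trace: the removal notification runs after teardown started.
bool notifyDuringTeardownFaults(MediaElement& media) {
    media.deletionHasBegun = true;      // the last reference is already gone
    try { media.didRemoveTrack(); }     // removedFrom() -> didRemoveTrack() -> ref()
    catch (const std::logic_error&) { return true; }
    return false;
}

// Sketch of the separate-pass alternative (an assumption about its shape): notify
// while nodes can still be referenced, then tear down without calling ref().
std::size_t disconnectThenTeardown(MediaElement& media, int trackCount) {
    for (int i = 0; i < trackCount; ++i) media.didRemoveTrack();
    media.deletionHasBegun = true;      // teardown proper: no notifications from here
    return media.pendingEvents.size();
}

int main() {
    MediaElement a, b;
    std::printf("fault during teardown: %d\n", notifyDuringTeardownFaults(a));
    std::printf("events queued before teardown: %zu\n", disconnectThenTeardown(b, 2));
    return 0;
}
```

In the failing order no event is queued and the reference count is untouched, which is why the model reports a fault rather than a dangling event target.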