RESOLVED FIXED 156754
Crash under WebKit::PluginView::pluginSnapshotTimerFired
https://bugs.webkit.org/show_bug.cgi?id=156754
Summary Crash under WebKit::PluginView::pluginSnapshotTimerFired
Chris Dumez
Reported 2016-04-19 11:57:44 PDT
Crash under WebKit::PluginView::pluginSnapshotTimerFired:

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000038)

[ 0] 0x00007fff8b1128df WebKit`WebKit::PluginView::pluginSnapshotTimerFired() [inlined] WTF::RefPtr<WebCore::Settings>::operator*() const at RefPtr.h:68:51
    64   Ref<T> releaseNonNull() { ASSERT(m_ptr); Ref<T> tmp(adoptRef(*m_ptr)); m_ptr = nullptr; return tmp; }
    65
    66   T* leakRef() WARN_UNUSED_RETURN;
    67
 -> 68   T& operator*() const { ASSERT(m_ptr); return *m_ptr; }
    69   ALWAYS_INLINE T* operator->() const { return m_ptr; }
    70
    71   bool operator!() const { return !m_ptr; }
    72

    0x00007fff8b1128cc: movq 0x58(%r15), %rcx
    0x00007fff8b1128d0: movq 0x20(%rcx), %rcx
    0x00007fff8b1128d4: movq 0x8(%rcx), %rcx
    0x00007fff8b1128d8: movq 0x190(%rcx), %rcx
 -> 0x00007fff8b1128df: movq 0x38(%rcx), %rcx
    0x00007fff8b1128e3: cmpl 0xd4(%rcx), %edx
    0x00007fff8b1128e9: setne %cl
    0x00007fff8b1128ec: orb %cl, %al
    0x00007fff8b1128ee: je 0x13c8f4 ; <+1164> at PluginView.cpp:1807

[ 0] 0x00007fff8b1128df WebKit`WebKit::PluginView::pluginSnapshotTimerFired() [inlined] WebCore::Frame::settings() const at Frame.h:170
    166  WEBCORE_EXPORT String trackedRepaintRectsAsText() const;
    167
    168  WEBCORE_EXPORT static Frame* frameForWidget(const Widget*);
    169
 -> 170  Settings& settings() const { return *m_settings; }
    171
    172  void setPrinting(bool printing, const FloatSize& pageSize, const FloatSize& originalPageSize, float maximumShrinkRatio, AdjustViewSizeOrNot);
    173  bool shouldUsePrintingLayout() const;
    174  WEBCORE_EXPORT FloatSize resizePageRectsKeepingRatio(const FloatSize& originalSize, const FloatSize& expectedSize);

[ 0] 0x00007fff8b1128df WebKit`WebKit::PluginView::pluginSnapshotTimerFired() + 1143 at PluginView.cpp:1807
    1803 }
    1804
    1805 #if ENABLE(PRIMARY_SNAPSHOTTED_PLUGIN_HEURISTIC)
    1806     unsigned candidateArea = 0;
 -> 1807     bool noSnapshotFoundAfterMaxRetries = m_countSnapshotRetries == frame()->settings().maximumPlugInSnapshotAttempts() && !isPlugInOnScreen && !snapshotFound;
    1808     if (m_webPage->plugInIsPrimarySize(plugInImageElement, candidateArea)
    1809         && (noSnapshotFoundAfterMaxRetries || plugInCameOnScreen))
    1810         m_pluginElement->setDisplayState(HTMLPlugInElement::Playing);
    1811     else

[ 1] 0x00007fff9226816e WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 174 at ThreadTimers.cpp:132:9
    128     double interval = timer->repeatInterval();
    129     timer->setNextFireTime(interval ? fireTime + interval : 0);
    130
    131     // Once the timer has been fired, it may be deleted, so do nothing else with it after this point.
 -> 132     timer->fired();
    133
    134     // Catch the case where the timer asked timers to fire in a nested event loop, or we are over time limit.
    135     if (!m_firingTimers || timeToQuit < monotonicallyIncreasingTime())
    136         break;

[ 2] 0x00007fff92268087 WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 23 at SharedTimerCF.cpp:82:5
Attachments
Patch (1.85 KB, patch)
2016-04-19 12:01 PDT, Chris Dumez
no flags
Patch (1.91 KB, patch)
2016-04-19 12:27 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2016-04-19 11:58:00 PDT
Chris Dumez
Comment 2 2016-04-19 12:01:52 PDT
Chris Dumez
Comment 3 2016-04-19 12:27:35 PDT
WebKit Commit Bot
Comment 4 2016-04-19 13:19:54 PDT
Comment on attachment 276744 [details]
Patch

Clearing flags on attachment: 276744

Committed r199740: <http://trac.webkit.org/changeset/199740>
WebKit Commit Bot
Comment 5 2016-04-19 13:19:58 PDT
All reviewed patches have been landed. Closing bug.