Bug 158378 - Crash inside moveOutOfAllShadowRoots
Summary: Crash inside moveOutOfAllShadowRoots
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: HTML DOM (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks: 116046 148695
  Show dependency treegraph
 
Reported: 2016-06-03 22:42 PDT by Ryosuke Niwa
Modified: 2016-06-06 19:38 PDT (History)
12 users (show)

See Also:


Attachments
Fixes the bug (5.71 KB, patch)
2016-06-03 22:59 PDT, Ryosuke Niwa
koivisto: review+
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2016-06-03 22:42:47 PDT
Sometimes, we're not removing InShadowTreeFlag after removing a node.

In addition, I'm fixing a bug in VTTCue::~VTTCue that it could ref a document while the document is being destructed.
Comment 1 Ryosuke Niwa 2016-06-03 22:59:51 PDT
Created attachment 280510 [details]
Fixes the bug
Comment 2 Chris Dumez 2016-06-04 10:04:07 PDT
Comment on attachment 280510 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=280510&action=review

> Source/WebCore/html/track/VTTCue.cpp:271
> +    if (m_displayTree && m_displayTree->document().refCount())

It seems very odd to have to check the document ref count. It is also weird that bodes would have to remove themselves from the tree upon destruction. I could not find the code that adds this displayTree to the DOM.
Comment 3 Ryosuke Niwa 2016-06-04 15:41:56 PDT
(In reply to comment #2)
> Comment on attachment 280510 [details]
> Fixes the bug
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=280510&action=review
> 
> > Source/WebCore/html/track/VTTCue.cpp:271
> > +    if (m_displayTree && m_displayTree->document().refCount())
> 
> It seems very odd to have to check the document ref count. It is also weird
> that bodes would have to remove themselves from the tree upon destruction. I
> could not find the code that adds this displayTree to the DOM.

That's done in HTMLMediaElement. The problem here is that m_displayTree refers back to VTTCue using a reference so we can end up doing a use-after-free if we don't remove the nodes from the UA shadow tree.

However, when the document itself is being destructed, we don't need to do this because we won't be updating style, etc... anymore.  On the other hand, Node::remove would try to ref the document before dispatching mutation events, and this would hit an assertion since we've already began destructing the document.

An alternative approach would be to change the reference to a pointer and set it to null when VTTCue is getting destroyed.
Comment 4 Antti Koivisto 2016-06-06 13:37:40 PDT
> An alternative approach would be to change the reference to a pointer and
> set it to null when VTTCue is getting destroyed.

That might be nicer.
Comment 5 Ryosuke Niwa 2016-06-06 18:45:18 PDT
(In reply to comment #4)
> > An alternative approach would be to change the reference to a pointer and
> > set it to null when VTTCue is getting destroyed.
> 
> That might be nicer.

I'm going to add a FIXME for now since I'm not an expert on this area and I couldn't get a feedback from Eric & Jer.
Comment 6 Radar WebKit Bug Importer 2016-06-06 18:45:54 PDT
<rdar://problem/26664749>
Comment 7 Ryosuke Niwa 2016-06-06 19:38:44 PDT
Committed r201736: <http://trac.webkit.org/changeset/201736>