160366 – Crash under HTMLMediaElement::{resolve, reject}PendingPlayPromises() when playback is interrupted

Bug 160366 - Crash under HTMLMediaElement::{resolve, reject}PendingPlayPromises() when playback is interrupted

Summary: Crash under HTMLMediaElement::{resolve, reject}PendingPlayPromises() when pla...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Media (show other bugs)
Version:	WebKit Local Build
Hardware:	iPhone / iPad Unspecified

Importance:	P2 Normal
Assignee:	Daniel Bates

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2016-07-29 16:58 PDT by Daniel Bates
Modified:	2016-07-29 17:31 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Patch and Layout Tests (9.01 KB, patch) 2016-07-29 17:02 PDT, Daniel Bates	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Daniel Bates 2016-07-29 16:58:10 PDT

Depending on timing if media.play() is called when a system interruption occurs then we may try to settle the returned Promise twice. This causes the assertion ASSERT(m_deferred) to fail in DeferredWrapper::{resolve, rejectWithValue}() in a debug build and causes a crash in a release build (since m_globalObject is null). Once a Promise is settled we clear out is reference to the global object of the page and its JSPromiseDeferred object so as to ensure that a Promise is only settled once.

Comment 1 Daniel Bates 2016-07-29 16:58:47 PDT

<rdar://problem/27317407>

Comment 2 Daniel Bates 2016-07-29 17:02:56 PDT

Created attachment 284919 [details]
Patch and Layout Tests

Comment 3 Daniel Bates 2016-07-29 17:31:29 PDT

Comment on attachment 284919 [details]
Patch and Layout Tests

Clearing flags on attachment: 284919

Committed r203931: <http://trac.webkit.org/changeset/203931>

Comment 4 Daniel Bates 2016-07-29 17:31:32 PDT

All reviewed patches have been landed.  Closing bug.