Bug 181057 - com.apple.WebKit.WebContent.Development crashed in com.apple.WebCore: WebCore::UserMediaRequest::stop + 126
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebRTC
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
Keywords: InRadar
Reported: 2017-12-20 14:51 PST by youenn fablet
Modified: 2018-01-03 16:20 PST
CC List: 6 users

Attachments
Patch (2.01 KB, patch) - 2017-12-20 14:53 PST, youenn fablet
Patch for landing (2.10 KB, patch) - 2017-12-20 15:32 PST, youenn fablet
Patch for landing (2.10 KB, patch) - 2017-12-20 15:41 PST, youenn fablet
Fixed typo (1.54 KB, patch) - 2017-12-21 21:04 PST, youenn fablet

Description youenn fablet 2017-12-20 14:51:05 PST
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000110e3a4ee WebCore::UserMediaRequest::stop() + 126
1   com.apple.WebCore             	0x00000001104d49d8 WebCore::ScriptExecutionContext::stopActiveDOMObjects() + 152
2   com.apple.WebCore             	0x00000001104d44c9 WebCore::Document::prepareForDestruction() + 761
3   com.apple.WebCore             	0x000000011142e641 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::DumbPtrTraits<WebCore::FrameView> >&&) + 177
4   com.apple.WebCore             	0x0000000110497e62 WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) + 82
5   com.apple.WebKit              	0x0000000105309804 WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() + 338
6   com.apple.WebCore             	0x000000011139ef49 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 409
7   com.apple.WebCore             	0x0000000110496f1f WebCore::FrameLoader::commitProvisionalLoad() + 335
8   com.apple.WebCore             	0x0000000111384ef1 WebCore::DocumentLoader::finishedLoading() + 353
9   com.apple.WebCore             	0x000000011049666b WebCore::DocumentLoader::maybeLoadEmpty() + 891
10  com.apple.WebCore             	0x00000001104960af WebCore::DocumentLoader::startLoadingMainResource() + 591
11  com.apple.WebCore             	0x000000011139e056 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, bool, WebCore::AllowNavigationToInvalidURL) + 694
12  com.apple.WebCore             	0x00000001113b58cb W
Comment 1 youenn fablet 2017-12-20 14:53:28 PST
Created attachment 329956 [details]
Patch
Comment 2 Eric Carlson 2017-12-20 15:24:13 PST
Comment on attachment 329956 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=329956&action=review

> Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:280
> +    Ref<UserMediaRequest> protectedThis(*this);
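Review bot: taking Ref<UserMediaRequest> protectedThis(*this) at the top of stop() assumes the object has already been adopted, but stop() is not only reached from stopActiveDOMObjects(): ActiveDOMObject::suspendIfNeeded(), called from the UserMediaRequest constructor, can route into stop() before adoptRef() has run, and the ref() then trips ASSERT(!m_adoptionIsRequired) in debug builds (see the stack in comment 15). Suggest returning early when m_pendingActivationMediaStream is already null, so the protector is only taken when there is actually a stream to clear and `this` can actually be destroyed by clearing it.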

This is quite subtle, so I think it would be a good idea to add a comment about why it is necessary to protect this because of the side effects of clearing m_pendingActivationMediaStream.
Comment 3 youenn fablet 2017-12-20 15:32:10 PST
Created attachment 329958 [details]
Patch for landing
Comment 4 WebKit Commit Bot 2017-12-20 15:33:40 PST
Comment on attachment 329958 [details]
Patch for landing

Rejecting attachment 329958 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 329958, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in Source/WebCore/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/5780780
Comment 5 youenn fablet 2017-12-20 15:41:07 PST
Created attachment 329959 [details]
Patch for landing
Comment 6 WebKit Commit Bot 2017-12-20 16:13:13 PST
Comment on attachment 329959 [details]
Patch for landing

Clearing flags on attachment: 329959

Committed r226203: <https://trac.webkit.org/changeset/226203>
Comment 7 WebKit Commit Bot 2017-12-20 16:13:14 PST
All reviewed patches have been landed.  Closing bug.
Comment 8 Radar WebKit Bug Importer 2017-12-20 16:14:44 PST
<rdar://problem/36167175>
Comment 9 Darin Adler 2017-12-21 09:33:03 PST
Comment on attachment 329959 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=329959&action=review

> Source/WebCore/Modules/mediastream/UserMediaRequest.cpp:280
> +    // Protecting 'it'this' since nulling m_pendingActivationMediaStream might destroy it.

Typ: 'it'this'
Comment 10 Darin Adler 2017-12-21 09:33:18 PST
(In reply to Darin Adler from comment #9)
> Typ: 'it'this'

Typo: Typ
Comment 11 youenn fablet 2017-12-21 21:04:10 PST
Reopening to attach new patch.
Comment 12 youenn fablet 2017-12-21 21:04:12 PST
Created attachment 330107 [details]
Fixed typo
Comment 13 WebKit Commit Bot 2017-12-21 21:37:52 PST
Comment on attachment 330107 [details]
Fixed typo

Clearing flags on attachment: 330107

Committed r226258: <https://trac.webkit.org/changeset/226258>
Comment 14 WebKit Commit Bot 2017-12-21 21:37:53 PST
All reviewed patches have been landed.  Closing bug.
Comment 15 Ryan Haddad 2018-01-03 13:31:37 PST
This change caused LayoutTest http/tests/media/media-stream/disconnected-frame.html to consistently fail an assertion:

ASSERTION FAILED: !m_adoptionIsRequired
/Volumes/Data/slave/highsierra-debug/build/WebKitBuild/Debug/usr/local/include/wtf/RefCounted.h(44) : void WTF::RefCountedBase::ref() const
1   0x33849168d WTFCrash
2   0x32801fa4e WTF::RefCountedBase::ref() const
3   0x32968a92b WTF::Ref<WebCore::UserMediaRequest, WTF::DumbPtrTraits<WebCore::UserMediaRequest> >::Ref(WebCore::UserMediaRequest&)
4   0x32968829d WTF::Ref<WebCore::UserMediaRequest, WTF::DumbPtrTraits<WebCore::UserMediaRequest> >::Ref(WebCore::UserMediaRequest&)
5   0x329688214 WebCore::UserMediaRequest::stop()
6   0x329ec3fd5 WebCore::ScriptExecutionContext::suspendActiveDOMObjectIfNeeded(WebCore::ActiveDOMObject&)
7   0x329cf6cd3 WebCore::ActiveDOMObject::suspendIfNeeded()
8   0x329686dab WebCore::UserMediaRequest::UserMediaRequest(WebCore::Document&, WebCore::MediaStreamRequest&&, WebCore::DOMPromiseDeferred<WebCore::IDLInterface<WebCore::MediaStream> >&&)
9   0x329686c4d WebCore::UserMediaRequest::UserMediaRequest(WebCore::Document&, WebCore::MediaStreamRequest&&, WebCore::DOMPromiseDeferred<WebCore::IDLInterface<WebCore::MediaStream> >&&)
10  0x329686b36 WebCore::UserMediaRequest::create(WebCore::Document&, WebCore::MediaStreamRequest&&, WebCore::DOMPromiseDeferred<WebCore::IDLInterface<WebCore::MediaStream> >&&)
11  0x329644d6d WebCore::MediaDevices::getUserMedia(WebCore::MediaDevices::StreamConstraints const&, WebCore::DOMPromiseDeferred<WebCore::IDLInterface<WebCore::MediaStream> >&&) const
12  0x328bcc968 WebCore::jsMediaDevicesPrototypeFunctionGetUserMediaBody(JSC::ExecState*, WebCore::JSMediaDevices*, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&, JSC::ThrowScope&)
13  0x328bccf38 long long WebCore::IDLOperationReturningPromise<WebCore::JSMediaDevices>::call<&(WebCore::jsMediaDevicesPrototypeFunctionGetUserMediaBody(JSC::ExecState*, WebCore::JSMediaDevices*, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&, JSC::ThrowScope&)), (WebCore::PromiseExecutionScope)0, (WebCore::CastedThisErrorBehavior)2>(JSC::ExecState&, char const*)::'lambda'(JSC::ExecState&, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&)::operator()(JSC::ExecState&, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&) const
14  0x328bccaba JSC::JSValue WebCore::callPromiseFunction<(WebCore::PromiseExecutionScope)0, long long WebCore::IDLOperationReturningPromise<WebCore::JSMediaDevices>::call<&(WebCore::jsMediaDevicesPrototypeFunctionGetUserMediaBody(JSC::ExecState*, WebCore::JSMediaDevices*, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&, JSC::ThrowScope&)), (WebCore::PromiseExecutionScope)0, (WebCore::CastedThisErrorBehavior)2>(JSC::ExecState&, char const*)::'lambda'(JSC::ExecState&, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&)>(JSC::ExecState&, long long WebCore::IDLOperationReturningPromise<WebCore::JSMediaDevices>::call<&(WebCore::jsMediaDevicesPrototypeFunctionGetUserMediaBody(JSC::ExecState*, WebCore::JSMediaDevices*, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&, JSC::ThrowScope&)), (WebCore::PromiseExecutionScope)0, (WebCore::CastedThisErrorBehavior)2>(JSC::ExecState&, char const*)::'lambda'(JSC::ExecState&, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&))
15  0x328bbc0f5 long long WebCore::IDLOperationReturningPromise<WebCore::JSMediaDevices>::call<&(WebCore::jsMediaDevicesPrototypeFunctionGetUserMediaBody(JSC::ExecState*, WebCore::JSMediaDevices*, WTF::Ref<WebCore::DeferredPromise, WTF::DumbPtrTraits<WebCore::DeferredPromise> >&&, JSC::ThrowScope&)), (WebCore::PromiseExecutionScope)0, (WebCore::CastedThisErrorBehavior)2>(JSC::ExecState&, char const*)
16  0x328bbb6bc WebCore::jsMediaDevicesPrototypeFunctionGetUserMedia(JSC::ExecState*)
17  0x473f17601178
18  0x336ff3d04 llint_entry
19  0x336ff3d04 llint_entry
20  0x336ff3d04 llint_entry
21  0x336febdf2 vmEntryToJavaScript
22  0x337d4443e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
23  0x337ceb475 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
24  0x337f518ea JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
25  0x337f519c9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
26  0x337f51c6d JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
27  0x3298872db WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
28  0x3298c1932 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)
29  0x329e23c22 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>)
30  0x329e1b6aa WebCore::EventTarget::fireEventListeners(WebCore::Event&)
31  0x32a58db78 WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)
LEAK: 2 WebPageProxy

https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK2%20(Tests)/r226357%20(1424)/results.html
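The two failure modes discussed in comment 2 (why stop() must keep itself alive while clearing m_pendingActivationMediaStream) and comment 15 (why that protector asserts when stop() runs from the constructor, before adoptRef()), as an added, constructed C++ model that is not WebKit code: RefCounted, Stream and Request are simplified stand-ins for WTF::RefCounted, MediaStream and UserMediaRequest, and destruction is recorded in a flag instead of actually deleting the object.

```cpp
#include <memory>

// Constructed model of WTF's RefCounted adoption rule (not WebKit's code): a new
// object starts at refcount 1 and must be adoptRef()'d before anyone calls ref().
struct RefCounted {
    int refCount = 1;
    bool adoptionIsRequired = true;  // cleared by adoptRef(), as in WTF
    bool destroyed = false;          // models the delete that the last deref() triggers
    int assertionFailures = 0;       // each ref() before adoption is one ASSERT(!m_adoptionIsRequired)
    void ref() { if (adoptionIsRequired) ++assertionFailures; ++refCount; }
    void deref() { if (--refCount == 0) destroyed = true; }
    void adopted() { adoptionIsRequired = false; }
};

// Stand-in for the pending MediaStream, which holds a strong reference back to the request.
struct Stream {
    RefCounted& request;
    explicit Stream(RefCounted& r) : request(r) { request.ref(); }
    ~Stream() { request.deref(); }
};

struct Request : RefCounted {
    std::unique_ptr<Stream> pendingActivationStream;
    bool usedAfterFree = false;
    // Mirrors UserMediaRequest::stop(): nulling the stream may drop the last reference.
    void stop(bool protectThis) {
        if (protectThis) ref();          // Ref<UserMediaRequest> protectedThis(*this);
        pendingActivationStream = nullptr;
        usedAfterFree = destroyed;       // in real code any member access here would be a UAF
        if (protectThis) deref();        // protectedThis goes out of scope
    }
};

// Comment 2's case: the owner has already let go, so the pending stream holds the last ref.
bool stopTouchesFreedRequest(bool protectThis) {
    Request request;                                                      // refcount 1
    request.adopted();                                                    // adoptRef(*new UserMediaRequest(...))
    request.pendingActivationStream = std::make_unique<Stream>(request);  // refcount 2
    request.deref();                                                      // owner drops its ref: refcount 1
    request.stop(protectThis);
    return request.usedAfterFree;
}

// Comment 15's case: stop() reached via suspendIfNeeded() from the constructor, before adoptRef().
int assertionsWhenStopRunsBeforeAdoption(bool protectThis) {
    Request request;            // still inside "the constructor": not adopted yet
    request.stop(protectThis);  // suspendIfNeeded() -> stop()
    return request.assertionFailures;
}
```

Without the protector the first scenario touches a request whose refcount already hit zero; with it, the second scenario hits the adoption assertion, which is the trade-off the landed patch ran into.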
Comment 16 youenn fablet 2018-01-03 16:20:33 PST
Filed https://bugs.webkit.org/show_bug.cgi?id=181264 for the crash.
Will upload a fix quickly.