Bug 182038 - REGRESSION(r227457): Release assert in updateLayout while destructing a media element
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Eric Carlson
URL:
Keywords: InRadar
Depends on: 181914
Blocks:
Reported: 2018-01-23 22:55 PST by Ryosuke Niwa
Modified: 2018-01-25 11:27 PST

Attachments
Patch (3.02 KB, patch)
2018-01-24 07:02 PST, Eric Carlson
Patch (1.59 KB, patch)
2018-01-25 07:54 PST, Eric Carlson
Description Ryosuke Niwa 2018-01-23 22:55:22 PST
I'm hitting the following assertion by running LayoutTests/media.

Application Specific Information:
CRASHING TEST: media/video-main-content-autoplay.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000006dd693ed4 WTFCrash + 36 (Assertions.cpp:272)
1   com.apple.JavaScriptCore      	0x00000006dd693ee9 WTFCrashWithSecurityImplication + 9
2   com.apple.WebCore             	0x00000006cee11026 WebCore::Document::updateLayout() + 246 (Document.cpp:1980)
3   com.apple.WebCore             	0x00000006cfff9b26 WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) + 54 (RenderView.cpp:143)
4   com.apple.WebCore             	0x00000006cfff9ae4 WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestResult&) + 68 (RenderView.cpp:138)
5   com.apple.WebCore             	0x00000006cf2730b9 WebCore::isMainContentForPurposesOfAutoplay(WebCore::HTMLMediaElement const&) + 617 (MediaElementSession.cpp:737)
6   com.apple.WebCore             	0x00000006cf270d8b WebCore::MediaElementSession::updateIsMainContent() const + 43 (MediaElementSession.cpp:827)
7   com.apple.WebCore             	0x00000006cf2704bc WebCore::MediaElementSession::playbackPermitted(WebCore::HTMLMediaElement const&) const + 412 (MediaElementSession.cpp:176)
8   com.apple.WebCore             	0x00000006cf271928 WebCore::MediaElementSession::canShowControlsManager(WebCore::MediaElementSession::PlaybackControlsPurpose) const + 776 (MediaElementSession.cpp:343)
9   com.apple.WebCore             	0x00000006cf1aa4c9 WebCore::mediaElementSessionInfoForSession(WebCore::MediaElementSession const&, WebCore::MediaElementSession::PlaybackControlsPurpose) + 89 (HTMLMediaElement.cpp:393)
10  com.apple.WebCore             	0x00000006cf1aa273 WebCore::HTMLMediaElement::bestMediaElementForShowingPlaybackControlsManager(WebCore::MediaElementSession::PlaybackControlsPurpose) + 179 (HTMLMediaElement.cpp:691)
11  com.apple.WebCore             	0x00000006cd6710d8 WebCore::MediaSessionManagerMac::nowPlayingEligibleSession() + 24 (MediaSessionManagerMac.mm:110)
12  com.apple.WebCore             	0x00000006cd6701c8 WebCore::MediaSessionManagerMac::updateNowPlayingInfo() + 56 (MediaSessionManagerMac.mm:124)
13  com.apple.WebCore             	0x00000006cd6710ac WebCore::MediaSessionManagerMac::clientCharacteristicsChanged(WebCore::PlatformMediaSession&) + 60 (MediaSessionManagerMac.mm:106)
14  com.apple.WebCore             	0x00000006cf8eb1d4 WebCore::PlatformMediaSession::clientCharacteristicsChanged() + 52 (PlatformMediaSession.cpp:371)
15  com.apple.WebCore             	0x00000006cf1ad20a WebCore::HTMLMediaElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) + 746 (HTMLMediaElement.cpp:977)
16  com.apple.WebCore             	0x00000006cedcab4b WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) + 187 (ContainerNodeAlgorithms.cpp:116)
17  com.apple.WebCore             	0x00000006cedcac18 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) + 392
18  com.apple.WebCore             	0x00000006cedcac18 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) + 392
19  com.apple.WebCore             	0x00000006cedcaa31 WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) + 177 (ContainerNodeAlgorithms.cpp:161)
20  com.apple.WebCore             	0x00000006cedcb0e5 WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) + 533
21  com.apple.WebCore             	0x00000006cedc3c90 WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) + 48 (ContainerNodeAlgorithms.cpp:213)
22  com.apple.WebCore             	0x00000006cedc3c22 WebCore::ContainerNode::removeDetachedChildren() + 114 (ContainerNode.cpp:232)
23  com.apple.WebCore             	0x00000006cee0c161 WebCore::Document::removedLastRef() + 529 (Document.cpp:678)
24  com.apple.WebCore             	0x00000006cef3daf7 WebCore::Node::removedLastRef() + 55 (Node.cpp:2480)
25  com.apple.WebCore             	0x00000006cd09f9c3 WebCore::Node::deref() + 371 (Node.h:727)
26  com.apple.WebCore             	0x00000006cef33e25 WebCore::Node::derefEventTarget() + 21 (Node.cpp:757)
27  com.apple.WebCore             	0x00000006cd3d2d26 WebCore::EventTarget::deref() + 22 (EventTarget.h:64)
28  com.apple.WebCore             	0x00000006cd3d2cff WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref() + 47 (Ref.h:62)
29  com.apple.WebCore             	0x00000006cd3c0985 WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref() + 21 (Ref.h:62)
30  com.apple.WebCore             	0x00000006cd87bd29 WebCore::JSDOMWrapper<WebCore::EventTarget>::~JSDOMWrapper() + 25 (JSDOMWrapper.h:79)
31  com.apple.WebCore             	0x00000006cd87bd05 WebCore::JSEventTarget::~JSEventTarget() + 21 (JSEventTarget.h:30)
32  com.apple.WebCore             	0x00000006cd879be5 WebCore::JSEventTarget::~JSEventTarget() + 21 (JSEventTarget.h:30)
33  com.apple.WebCore             	0x00000006cd87683d WebCore::JSEventTarget::destroy(JSC::JSCell*) + 29 (JSEventTarget.cpp:203)
34  com.apple.JavaScriptCore      	0x00000006dd234c2a JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const + 42 (JSDestructibleObjectHeapCellType.cpp:38)
35  com.apple.JavaScriptCore      	0x00000006dd23c2a5 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const + 69 (MarkedBlockInlines.h:254)
36  com.apple.JavaScriptCore      	0x00000006dd236d92 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 706 (MarkedBlockInlines.h:286)
37  com.apple.JavaScriptCore      	0x00000006dd234bc0 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 304 (MarkedBlockInlines.h:430)
38  com.apple.JavaScriptCore      	0x00000006dd234a88 JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 40 (JSDestructibleObjectHeapCellType.cpp:53)
39  com.apple.JavaScriptCore      	0x00000006dcdf3326 JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 70 (Subspace.cpp:66)
40  com.apple.JavaScriptCore      	0x00000006dcdd0585 JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 581 (MarkedBlock.cpp:411)
41  com.apple.JavaScriptCore      	0x00000006dcdbb8d7 JSC::IncrementalSweeper::sweepNextBlock() + 183 (IncrementalSweeper.cpp:91)
42  com.apple.JavaScriptCore      	0x00000006dcdbb782 JSC::IncrementalSweeper::doSweep(WTF::MonotonicTime) + 34 (IncrementalSweeper.cpp:60)
43  com.apple.JavaScriptCore      	0x00000006dcdbb74c JSC::IncrementalSweeper::doWork() + 44 (IncrementalSweeper.cpp:56)
44  com.apple.JavaScriptCore      	0x00000006dd2c8eae JSC::JSRunLoopTimer::timerDidFire() + 174 (JSRunLoopTimer.cpp:65)
45  com.apple.JavaScriptCore      	0x00000006dd2c933c JSC::JSRunLoopTimer::timerDidFireCallback(__CFRunLoopTimer*, void*) + 28 (JSRunLoopTimer.cpp:105)
46  com.apple.CoreFoundation      	0x00007fff3f56fdd4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
47  com.apple.CoreFoundation      	0x00007fff3f56fa47 __CFRunLoopDoTimer + 1095
48  com.apple.CoreFoundation      	0x00007fff3f56f54a __CFRunLoopDoTimers + 346
49  com.apple.CoreFoundation      	0x00007fff3f566b4b __CFRunLoopRun + 2427
50  com.apple.CoreFoundation      	0x00007fff3f565f43 CFRunLoopRunSpecific + 483
51  com.apple.HIToolbox           	0x00007fff3e87de26 RunCurrentEventLoopInMode + 286
52  com.apple.HIToolbox           	0x00007fff3e87db96 ReceiveNextEventCommon + 613
53  com.apple.HIToolbox           	0x00007fff3e87d914 _BlockUntilNextEventMatchingListInModeWithFilter + 64
54  com.apple.AppKit              	0x00007fff3cb48f5f _DPSNextEvent + 2085
55  com.apple.AppKit              	0x00007fff3d2deb4c -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
56  com.apple.AppKit              	0x00007fff3cb3dd6d -[NSApplication run] + 764
57  com.apple.AppKit              	0x00007fff3cb0cf1a NSApplicationMain + 804
58  libxpc.dylib                  	0x00007fff672ac42f _xpc_objc_main + 580
59  libxpc.dylib                  	0x00007fff672ab082 xpc_main + 417
60  com.apple.WebKit.WebContent   	0x0000000100c8514b main + 1195 (XPCServiceMain.mm:148)
61  libdyld.dylib                 	0x00007fff66fdf115 start + 1
Comment 1 Ryosuke Niwa 2018-01-23 22:58:20 PST
It looks like MediaSessionManagerMac::clientCharacteristicsChanged just needs to call scheduleUpdateNowPlayingInfo() instead of updateNowPlayingInfo()?
Comment 2 Radar WebKit Bug Importer 2018-01-23 23:02:23 PST
<rdar://problem/36812083>
Comment 3 Eric Carlson 2018-01-24 06:48:53 PST
The assert is RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout()) which is interesting because isMainContentForPurposesOfAutoplay returns early when "!document.isSafeToUpdateStyleOrLayout()"
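Added example, not part of the original bug thread and not WebKit code: a simplified C++ model of the situation in the stack trace and in Comments 1 and 3, where work that needs `updateLayout()` runs synchronously during node removal, next to the deferred variant Comment 1 suggests. The `Document` and `SessionManager` types, the `unsafeDepth` counter, the run-loop vector and `removalTripsAssert` are hypothetical, and a thrown exception stands in for the release assert; the committed patches are not shown on this page and may differ.

```cpp
#include <functional>
#include <stdexcept>
#include <vector>

// Simplified model, not WebKit code. Only the method names quoted in the bug
// are real; the types, fields and helper function are hypothetical.
struct Document {
    int unsafeDepth = 0;  // > 0 while nodes are being removed or destroyed
    int layouts = 0;      // number of successful layout updates
    bool isSafeToUpdateStyleOrLayout() const { return unsafeDepth == 0; }
    void updateLayout() {
        // Stand-in for RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout()).
        if (!isSafeToUpdateStyleOrLayout())
            throw std::logic_error("updateLayout() while layout is unsafe");
        ++layouts;
    }
};

struct SessionManager {
    Document& document;
    std::vector<std::function<void()>> runLoop;  // constructed stand-in for a timer queue
    bool updateScheduled = false;
    explicit SessionManager(Document& d) : document(d) {}
    void updateNowPlayingInfo() { document.updateLayout(); }  // hit testing needs clean layout
    void scheduleUpdateNowPlayingInfo() {
        if (updateScheduled) return;             // coalesce repeated requests
        updateScheduled = true;
        runLoop.push_back([this] { updateScheduled = false; updateNowPlayingInfo(); });
    }
    void clientCharacteristicsChanged(bool deferred) {
        if (deferred) scheduleUpdateNowPlayingInfo(); else updateNowPlayingInfo();
    }
    void drainRunLoop() {
        std::vector<std::function<void()>> tasks;
        tasks.swap(runLoop);                     // tasks queued while draining wait for the next turn
        for (auto& task : tasks) task();
    }
};

// Notifies the manager while layout is unsafe; returns true if the assert stand-in fired.
bool removalTripsAssert(SessionManager& manager, bool deferred) {
    ++manager.document.unsafeDepth;              // entering the node-removal scope
    bool tripped = false;
    try { manager.clientCharacteristicsChanged(deferred); } catch (const std::logic_error&) { tripped = true; }
    --manager.document.unsafeDepth;              // removal finished
    manager.drainRunLoop();                      // deferred work runs only now
    return tripped;
}
int main() { Document d; SessionManager m(d); return removalTripsAssert(m, true) ? 1 : 0; }
```

In the model, the synchronous path trips the guard inside the removal scope, while the scheduled path performs exactly one layout after the scope has ended.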
Comment 4 Eric Carlson 2018-01-24 06:54:39 PST
I can't reproduce with run-webkit-tests -fg --iter 10 --no-retry LayoutTests/media/video-main-content*.html
Comment 5 Eric Carlson 2018-01-24 07:02:01 PST
Created attachment 332156
Patch
Comment 6 WebKit Commit Bot 2018-01-24 10:07:22 PST
Comment on attachment 332156
Patch

Clearing flags on attachment: 332156

Committed r227529: <https://trac.webkit.org/changeset/227529>
Comment 7 WebKit Commit Bot 2018-01-24 10:07:24 PST
All reviewed patches have been landed.  Closing bug.
Comment 8 Ryan Haddad 2018-01-24 18:02:33 PST
It looks like this introduced an API test failure on Sierra:

FAIL NowPlayingControlsTests.NowPlayingControlsDoNotShowForForegroundPage

/Volumes/Data/slave/sierra-release/build/Tools/TestWebKitAPI/Tests/WebKitCocoa/NowPlayingControlsTests.mm:106
Value of: webView.get().lastUpdatedTitle.UTF8String
  Actual: ""
Expected: "foo"

https://build.webkit.org/builders/Apple%20Sierra%20Release%20WK2%20%28Tests%29/builds/7160
Comment 9 Eric Carlson 2018-01-25 07:54:33 PST
Reopening to attach new patch.
Comment 10 Eric Carlson 2018-01-25 07:54:35 PST
Created attachment 332267
Patch
Comment 11 Ryan Haddad 2018-01-25 11:16:01 PST
Comment on attachment 332267
Patch

The mac-debug failure appears to be a bot-specific issue. Marking cq+.
Comment 12 WebKit Commit Bot 2018-01-25 11:27:38 PST
Comment on attachment 332267
Patch

Clearing flags on attachment: 332267

Committed r227616: <https://trac.webkit.org/changeset/227616>
Comment 13 WebKit Commit Bot 2018-01-25 11:27:40 PST
All reviewed patches have been landed.  Closing bug.