WebKit Bugzilla
Bug 182038: RESOLVED FIXED
REGRESSION(r227457): Release assert in updateLayout while destructing a media element
https://bugs.webkit.org/show_bug.cgi?id=182038
Ryosuke Niwa
Reported
2018-01-23 22:55:22 PST
I'm hitting the following assertion by running LayoutTests/media.

Application Specific Information:
CRASHING TEST: media/video-main-content-autoplay.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x00000006dd693ed4 WTFCrash + 36 (Assertions.cpp:272)
1 com.apple.JavaScriptCore 0x00000006dd693ee9 WTFCrashWithSecurityImplication + 9
2 com.apple.WebCore 0x00000006cee11026 WebCore::Document::updateLayout() + 246 (Document.cpp:1980)
3 com.apple.WebCore 0x00000006cfff9b26 WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestLocation const&, WebCore::HitTestResult&) + 54 (RenderView.cpp:143)
4 com.apple.WebCore 0x00000006cfff9ae4 WebCore::RenderView::hitTest(WebCore::HitTestRequest const&, WebCore::HitTestResult&) + 68 (RenderView.cpp:138)
5 com.apple.WebCore 0x00000006cf2730b9 WebCore::isMainContentForPurposesOfAutoplay(WebCore::HTMLMediaElement const&) + 617 (MediaElementSession.cpp:737)
6 com.apple.WebCore 0x00000006cf270d8b WebCore::MediaElementSession::updateIsMainContent() const + 43 (MediaElementSession.cpp:827)
7 com.apple.WebCore 0x00000006cf2704bc WebCore::MediaElementSession::playbackPermitted(WebCore::HTMLMediaElement const&) const + 412 (MediaElementSession.cpp:176)
8 com.apple.WebCore 0x00000006cf271928 WebCore::MediaElementSession::canShowControlsManager(WebCore::MediaElementSession::PlaybackControlsPurpose) const + 776 (MediaElementSession.cpp:343)
9 com.apple.WebCore 0x00000006cf1aa4c9 WebCore::mediaElementSessionInfoForSession(WebCore::MediaElementSession const&, WebCore::MediaElementSession::PlaybackControlsPurpose) + 89 (HTMLMediaElement.cpp:393)
10 com.apple.WebCore 0x00000006cf1aa273 WebCore::HTMLMediaElement::bestMediaElementForShowingPlaybackControlsManager(WebCore::MediaElementSession::PlaybackControlsPurpose) + 179 (HTMLMediaElement.cpp:691)
11 com.apple.WebCore 0x00000006cd6710d8 WebCore::MediaSessionManagerMac::nowPlayingEligibleSession() + 24 (MediaSessionManagerMac.mm:110)
12 com.apple.WebCore 0x00000006cd6701c8 WebCore::MediaSessionManagerMac::updateNowPlayingInfo() + 56 (MediaSessionManagerMac.mm:124)
13 com.apple.WebCore 0x00000006cd6710ac WebCore::MediaSessionManagerMac::clientCharacteristicsChanged(WebCore::PlatformMediaSession&) + 60 (MediaSessionManagerMac.mm:106)
14 com.apple.WebCore 0x00000006cf8eb1d4 WebCore::PlatformMediaSession::clientCharacteristicsChanged() + 52 (PlatformMediaSession.cpp:371)
15 com.apple.WebCore 0x00000006cf1ad20a WebCore::HTMLMediaElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) + 746 (HTMLMediaElement.cpp:977)
16 com.apple.WebCore 0x00000006cedcab4b WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) + 187 (ContainerNodeAlgorithms.cpp:116)
17 com.apple.WebCore 0x00000006cedcac18 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) + 392
18 com.apple.WebCore 0x00000006cedcac18 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) + 392
19 com.apple.WebCore 0x00000006cedcaa31 WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) + 177 (ContainerNodeAlgorithms.cpp:161)
20 com.apple.WebCore 0x00000006cedcb0e5 WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) + 533
21 com.apple.WebCore 0x00000006cedc3c90 WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) + 48 (ContainerNodeAlgorithms.cpp:213)
22 com.apple.WebCore 0x00000006cedc3c22 WebCore::ContainerNode::removeDetachedChildren() + 114 (ContainerNode.cpp:232)
23 com.apple.WebCore 0x00000006cee0c161 WebCore::Document::removedLastRef() + 529 (Document.cpp:678)
24 com.apple.WebCore 0x00000006cef3daf7 WebCore::Node::removedLastRef() + 55 (Node.cpp:2480)
25 com.apple.WebCore 0x00000006cd09f9c3 WebCore::Node::deref() + 371 (Node.h:727)
26 com.apple.WebCore 0x00000006cef33e25 WebCore::Node::derefEventTarget() + 21 (Node.cpp:757)
27 com.apple.WebCore 0x00000006cd3d2d26 WebCore::EventTarget::deref() + 22 (EventTarget.h:64)
28 com.apple.WebCore 0x00000006cd3d2cff WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref() + 47 (Ref.h:62)
29 com.apple.WebCore 0x00000006cd3c0985 WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref() + 21 (Ref.h:62)
30 com.apple.WebCore 0x00000006cd87bd29 WebCore::JSDOMWrapper<WebCore::EventTarget>::~JSDOMWrapper() + 25 (JSDOMWrapper.h:79)
31 com.apple.WebCore 0x00000006cd87bd05 WebCore::JSEventTarget::~JSEventTarget() + 21 (JSEventTarget.h:30)
32 com.apple.WebCore 0x00000006cd879be5 WebCore::JSEventTarget::~JSEventTarget() + 21 (JSEventTarget.h:30)
33 com.apple.WebCore 0x00000006cd87683d WebCore::JSEventTarget::destroy(JSC::JSCell*) + 29 (JSEventTarget.cpp:203)
34 com.apple.JavaScriptCore 0x00000006dd234c2a JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const + 42 (JSDestructibleObjectHeapCellType.cpp:38)
35 com.apple.JavaScriptCore 0x00000006dd23c2a5 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const + 69 (MarkedBlockInlines.h:254)
36 com.apple.JavaScriptCore 0x00000006dd236d92 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 706 (MarkedBlockInlines.h:286)
37 com.apple.JavaScriptCore 0x00000006dd234bc0 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 304 (MarkedBlockInlines.h:430)
38 com.apple.JavaScriptCore 0x00000006dd234a88 JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 40 (JSDestructibleObjectHeapCellType.cpp:53)
39 com.apple.JavaScriptCore 0x00000006dcdf3326 JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 70 (Subspace.cpp:66)
40 com.apple.JavaScriptCore 0x00000006dcdd0585 JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 581 (MarkedBlock.cpp:411)
41 com.apple.JavaScriptCore 0x00000006dcdbb8d7 JSC::IncrementalSweeper::sweepNextBlock() + 183 (IncrementalSweeper.cpp:91)
42 com.apple.JavaScriptCore 0x00000006dcdbb782 JSC::IncrementalSweeper::doSweep(WTF::MonotonicTime) + 34 (IncrementalSweeper.cpp:60)
43 com.apple.JavaScriptCore 0x00000006dcdbb74c JSC::IncrementalSweeper::doWork() + 44 (IncrementalSweeper.cpp:56)
44 com.apple.JavaScriptCore 0x00000006dd2c8eae JSC::JSRunLoopTimer::timerDidFire() + 174 (JSRunLoopTimer.cpp:65)
45 com.apple.JavaScriptCore 0x00000006dd2c933c JSC::JSRunLoopTimer::timerDidFireCallback(__CFRunLoopTimer*, void*) + 28 (JSRunLoopTimer.cpp:105)
46 com.apple.CoreFoundation 0x00007fff3f56fdd4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
47 com.apple.CoreFoundation 0x00007fff3f56fa47 __CFRunLoopDoTimer + 1095
48 com.apple.CoreFoundation 0x00007fff3f56f54a __CFRunLoopDoTimers + 346
49 com.apple.CoreFoundation 0x00007fff3f566b4b __CFRunLoopRun + 2427
50 com.apple.CoreFoundation 0x00007fff3f565f43 CFRunLoopRunSpecific + 483
51 com.apple.HIToolbox 0x00007fff3e87de26 RunCurrentEventLoopInMode + 286
52 com.apple.HIToolbox 0x00007fff3e87db96 ReceiveNextEventCommon + 613
53 com.apple.HIToolbox 0x00007fff3e87d914 _BlockUntilNextEventMatchingListInModeWithFilter + 64
54 com.apple.AppKit 0x00007fff3cb48f5f _DPSNextEvent + 2085
55 com.apple.AppKit 0x00007fff3d2deb4c -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 3044
56 com.apple.AppKit 0x00007fff3cb3dd6d -[NSApplication run] + 764
57 com.apple.AppKit 0x00007fff3cb0cf1a NSApplicationMain + 804
58 libxpc.dylib 0x00007fff672ac42f _xpc_objc_main + 580
59 libxpc.dylib 0x00007fff672ab082 xpc_main + 417
60 com.apple.WebKit.WebContent 0x0000000100c8514b main + 1195 (XPCServiceMain.mm:148)
61 libdyld.dylib 0x00007fff66fdf115 start + 1
Attachments
Patch (3.02 KB, patch), 2018-01-24 07:02 PST, Eric Carlson
Patch (1.59 KB, patch), 2018-01-25 07:54 PST, Eric Carlson
Ryosuke Niwa
Comment 1
2018-01-23 22:58:20 PST
It looks like MediaSessionManagerMac::clientCharacteristicsChanged just needs to call scheduleUpdateNowPlayingInfo() instead of updateNowPlayingInfo()?
Radar WebKit Bug Importer
Comment 2
2018-01-23 23:02:23 PST
<rdar://problem/36812083>
Eric Carlson
Comment 3
2018-01-24 06:48:53 PST
The assert is RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout()) which is interesting because isMainContentForPurposesOfAutoplay returns early when "!document.isSafeToUpdateStyleOrLayout()"
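The deferral suggested in Comment 1 and the guard described in Comment 3, modelled as an added example (not WebKit code and not part of the original thread). The `Toy*` types and `notifyInsideForbiddenScope` are hypothetical; the toy throws where the real guard is a release assert, and it keeps the document alive after the forbidden scope ends.

```cpp
// Toy model constructed for illustration; none of these types are WebKit's.
#include <cstdio>
#include <deque>
#include <functional>
#include <stdexcept>
#include <utility>

struct ToyDocument {
    bool layoutForbidden = false;  // set while nodes are being removed or destroyed
    int layouts = 0;
    bool isSafeToUpdateStyleOrLayout() const { return !layoutForbidden; }
    void updateLayout() {
        // Stand-in for the release assert: throw so the demo can observe the failure.
        if (!isSafeToUpdateStyleOrLayout()) throw std::logic_error("layout in forbidden scope");
        ++layouts;
    }
};
struct ToyRunLoop {
    std::deque<std::function<void()>> tasks;
    void drain() {
        while (!tasks.empty()) { auto task = std::move(tasks.front()); tasks.pop_front(); task(); }
    }
};
struct ToyNowPlayingManager {
    ToyDocument& doc; ToyRunLoop& loop; bool pending = false; int updates = 0;
    ToyNowPlayingManager(ToyDocument& d, ToyRunLoop& l) : doc(d), loop(l) {}
    void updateNowPlayingInfo() { doc.updateLayout(); ++updates; }  // synchronous, needs layout
    void scheduleUpdateNowPlayingInfo() {                           // deferred and coalesced
        if (pending) return;
        pending = true;
        loop.tasks.push_back([this] { pending = false; updateNowPlayingInfo(); });
    }
};
// Delivers a "characteristics changed" notification inside a layout-forbidden scope,
// then lets the run loop turn. Returns false if the notification tripped the guard.
bool notifyInsideForbiddenScope(ToyNowPlayingManager& mgr, bool deferred) {
    mgr.doc.layoutForbidden = true;
    bool ok = true;
    try {
        if (deferred) mgr.scheduleUpdateNowPlayingInfo(); else mgr.updateNowPlayingInfo();
    } catch (const std::logic_error&) { ok = false; }
    mgr.doc.layoutForbidden = false;  // scope ends before the run loop services tasks
    mgr.loop.drain();
    return ok;
}
int main() {
    ToyDocument d1, d2; ToyRunLoop l1, l2;
    ToyNowPlayingManager direct(d1, l1), deferred(d2, l2);
    bool a = notifyInsideForbiddenScope(direct, false), b = notifyInsideForbiddenScope(deferred, true);
    std::printf("direct ok=%d, deferred ok=%d\n", a, b);
}
```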
Eric Carlson
Comment 4
2018-01-24 06:54:39 PST
I can't reproduce with run-webkit-tests -fg --iter 10 --no-retry LayoutTests/media/video-main-content*.html
Eric Carlson
Comment 5
2018-01-24 07:02:01 PST
Created attachment 332156 (Patch)
WebKit Commit Bot
Comment 6
2018-01-24 10:07:22 PST
Comment on attachment 332156 (Patch)
Clearing flags on attachment: 332156
Committed r227529: <https://trac.webkit.org/changeset/227529>
WebKit Commit Bot
Comment 7
2018-01-24 10:07:24 PST
All reviewed patches have been landed. Closing bug.
Ryan Haddad
Comment 8
2018-01-24 18:02:33 PST
It looks like this introduced an API test failure on Sierra:

FAIL NowPlayingControlsTests.NowPlayingControlsDoNotShowForForegroundPage
/Volumes/Data/slave/sierra-release/build/Tools/TestWebKitAPI/Tests/WebKitCocoa/NowPlayingControlsTests.mm:106
Value of: webView.get().lastUpdatedTitle.UTF8String
Actual: ""
Expected: "foo"

https://build.webkit.org/builders/Apple%20Sierra%20Release%20WK2%20%28Tests%29/builds/7160
Eric Carlson
Comment 9
2018-01-25 07:54:33 PST
Reopening to attach new patch.
Eric Carlson
Comment 10
2018-01-25 07:54:35 PST
Created attachment 332267 (Patch)
Ryan Haddad
Comment 11
2018-01-25 11:16:01 PST
Comment on attachment 332267 (Patch)
The mac-debug failure appears to be a bot-specific issue. Marking cq+.
WebKit Commit Bot
Comment 12
2018-01-25 11:27:38 PST
Comment on attachment 332267 (Patch)
Clearing flags on attachment: 332267
Committed r227616: <https://trac.webkit.org/changeset/227616>
WebKit Commit Bot
Comment 13
2018-01-25 11:27:40 PST
All reviewed patches have been landed. Closing bug.