RESOLVED FIXED 261676
REGRESSION (iOS 17): Chrome crashes in VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID
https://bugs.webkit.org/show_bug.cgi?id=261676
Ali Juma
Reported 2023-09-18 06:12:11 PDT
Created attachment 467737 [details]
Crash log

Chrome for iOS is getting reports of a new crash in VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID, not seen in iOS 16. We don't have steps to reproduce, but I've attached a crash log. It looks like VideoFullscreenInterfaceAVKit::setVideoFullscreenModel is calling requestRouteSharingPolicyAndContextUID on a null `model`. This code was most recently changed in bug 258025 (265195@main) to use a WeakPtr to VideoFullscreenModelContext, so this crash is likely a pre-existing problem uncovered by that.

Here's the stack:

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000020

0 WebKit 0x00000001c092ff48 WebKit::VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID(WTF::CompletionHandler<void (WebCore::RouteSharingPolicy, WTF::String)>&&) + 128 (VideoFullscreenManagerProxy.mm:358)
1 WebCore 0x00000001c0138d18 WebCore::VideoFullscreenInterfaceAVKit::setVideoFullscreenModel(WebCore::VideoFullscreenModel*) + 496 (VideoFullscreenInterfaceAVKit.mm:773)
2 WebKit 0x00000001c0931418 WebKit::VideoFullscreenManagerProxy::ensureModelAndInterface(WTF::ObjectIdentifierGeneric<WebCore::HTMLMediaElementIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>) + 592 (VideoFullscreenManagerProxy.mm:535)
3 WebKit 0x00000001c092e1e4 WebKit::VideoFullscreenModelContext::setVideoLayerFrame(WebCore::FloatRect) + 740 (VideoFullscreenManagerProxy.mm:245)
4 WebCore 0x00000001c014eea8 -[WebAVPlayerLayer resolveBounds] + 2812 (WebAVPlayerLayer.mm:293)
5 WebCore 0x00000001c014bce8 -[WebAVPlayerLayer layoutSublayers] + 796 (WebAVPlayerLayer.mm:238)
6 QuartzCore 0x00000001ad08b888 0x1ad024000 + 424072
7 UIKitCore 0x00000001adc762a4 0x1adc40000 + 221860
8 UIKitCore 0x00000001add6a288 0x1adc40000 + 1221256
9 UIKitCore 0x00000001adcc6918 0x1adc40000 + 551192
10 UIKitCore 0x00000001ae3df9d4 0x1adc40000 + 7993812
11 UIKitCore 0x00000001adff1bb0 0x1adc40000 + 3873712
12 UIKitCore 0x00000001adcc98ac 0x1adc40000 + 563372
13 UIKitCore 0x00000001add67a0c 0x1adc40000 + 1210892
14 UIKitCore 0x00000001add676f8 0x1adc40000 + 1210104
15 UIKitCore 0x00000001add67544 0x1adc40000 + 1209668
16 UIKitCore 0x00000001add67390 0x1adc40000 + 1209232
17 UIKitCore 0x00000001addd5158 0x1adc40000 + 1659224
18 UIKitCore 0x00000001addd4ee4 0x1adc40000 + 1658596
19 UIKitCore 0x00000001addd4c24 0x1adc40000 + 1657892
20 UIKitCore 0x00000001addd3ef0 0x1adc40000 + 1654512
21 UIKitCore 0x00000001addd3d60 0x1adc40000 + 1654112
22 UIKitCore 0x00000001ae30d54c 0x1adc40000 + 7132492
23 UIKitCore 0x00000001ae30d064 0x1adc40000 + 7131236
24 UIKitCore 0x00000001ae307a8c 0x1adc40000 + 7109260
25 UIKitCore 0x00000001ae3bbacc 0x1adc40000 + 7846604
26 UIKitCore 0x00000001adc8226c 0x1adc40000 + 270956
27 UIKitCore 0x00000001ae3bb92c 0x1adc40000 + 7846188
28 UIKitCore 0x00000001adc8226c 0x1adc40000 + 270956
29 UIKitCore 0x00000001ae3baf44 0x1adc40000 + 7843652
30 UIKitCore 0x00000001ae3ba730 0x1adc40000 + 7841584
31 UIKitCore 0x00000001ae3b9fc0 0x1adc40000 + 7839680
32 UIKitCore 0x00000001ae3bc284 0x1adc40000 + 7848580
33 UIKitCore 0x00000001adf029f4 0x1adc40000 + 2894324
34 UIKitCore 0x00000001adf02190 0x1adc40000 + 2892176
35 UIKitCore 0x00000001adf01ea8 0x1adc40000 + 2891432
36 UIKitCore 0x00000001addd30bc 0x1adc40000 + 1650876
37 WebCore 0x00000001c013a95c WebCore::VideoFullscreenInterfaceAVKit::cleanupFullscreen() + 212 (VideoFullscreenInterfaceAVKit.mm:925)
38 WebKit 0x00000001c0930e20 WebKit::VideoFullscreenManagerProxy::invalidate() + 208 (VideoFullscreenManagerProxy.mm:455)
39 WebKit 0x00000001c0acc064 WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason) + 644 (WebPageProxy.cpp:9016)
40 WebKit 0x00000001c0ac88ac WebKit::WebPageProxy::close() + 1432 (WebPageProxy.cpp:1413)
41 WebKit 0x00000001c07b937c -[WKWebView dealloc] + 160 (WKWebView.mm:678)
42 libobjc.A.dylib 0x00000001a3e0ab60 AutoreleasePoolPage::releaseUntil(objc_object**) + 196 (NSObject.mm:935)
43 libobjc.A.dylib 0x00000001a3e0a9f8 objc_autoreleasePoolPop + 260 (NSObject.mm:2197)
44 UIKitCore 0x00000001ade050f4 0x1adc40000 + 1855732
45 UIKitCore 0x00000001ade03a9c 0x1adc40000 + 1850012
46 UIKitCore 0x00000001adcead94 0x1adc40000 + 699796
47 UIKitCore 0x00000001adcea484 0x1adc40000 + 697476
48 UIKitCore 0x00000001adcea540 0x1adc40000 + 697664
49 CoreFoundation 0x00000001aba64acc 0x1aba2d000 + 228044
50 CoreFoundation 0x00000001aba63d48 0x1aba2d000 + 224584
51 CoreFoundation 0x00000001aba624fc 0x1aba2d000 + 218364
52 CoreFoundation 0x00000001aba61238 0x1aba2d000 + 213560
53 CoreFoundation 0x00000001aba60e18 0x1aba2d000 + 212504
54 GraphicsServices 0x00000001ee51d5ec 0x1ee51a000 + 13804
55 UIKitCore 0x00000001ade6f350 0x1adc40000 + 2290512
56 UIKitCore 0x00000001ade6e98c 0x1adc40000 + 2288012
57 Chrome 0x00000001005337d0 0x1004b0000 + 538576
58 dyld 0x00000001ce243d44 0x1ce23e000 + 23876
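An added illustration (a constructed mock, not WebKit's code and not the landed fix) of the teardown re-entrancy the stack shows: invalidate() -> cleanupFullscreen() -> layout -> ensureModelAndInterface() -> setVideoFullscreenModel(), with std::weak_ptr standing in for WTF::WeakPtr. The order in which invalidate() drops the model before cleanup re-enters, and the guarded early return, are assumptions made for the example.

```cpp
#include <functional>
#include <memory>
#include <string>

// Constructed stand-in for VideoFullscreenModelContext (not WebKit code).
struct ModelContext {
    std::string requestRouteSharingPolicyAndContextUID() { return "policy+uid"; }
};

// Stand-in for VideoFullscreenInterfaceAVKit; std::weak_ptr models WTF::WeakPtr.
struct InterfaceAVKit {
    std::weak_ptr<ModelContext> model;
    std::function<void()> onLayout;  // layout pass fired from cleanupFullscreen()

    // The crashing frame called model->requestRouteSharingPolicyAndContextUID()
    // unchecked; this hardened form (assumption, not the landed fix) skips it.
    bool setVideoFullscreenModel(std::weak_ptr<ModelContext> m) {
        model = m;
        auto strong = model.lock();  // null once the context is gone
        if (!strong)
            return false;
        strong->requestRouteSharingPolicyAndContextUID();
        return true;
    }
    void cleanupFullscreen() { if (onLayout) onLayout(); }
};

// Stand-in for VideoFullscreenManagerProxy: invalidate() drops the model, then the
// cleanup layout pass re-enters ensureModelAndInterface() (frames 38..0 of the log).
struct ManagerProxy {
    std::shared_ptr<ModelContext> model = std::make_shared<ModelContext>();
    InterfaceAVKit avkit;
    bool reentrantSetSucceeded = true;

    void ensureModelAndInterface() {
        reentrantSetSucceeded = avkit.setVideoFullscreenModel(model);
    }
    void invalidate() {
        avkit.onLayout = [this] { ensureModelAndInterface(); };
        model.reset();              // ordering is an assumption: context torn down...
        avkit.cleanupFullscreen();  // ...then layout re-enters with it gone
    }
};

// false: the re-entrant call found the model expired and declined to deref it.
bool reentrantSetDuringTeardownSucceeded() {
    ManagerProxy proxy;
    proxy.invalidate();
    return proxy.reentrantSetSucceeded;
}
```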
Attachments
Crash log (29.87 KB, text/plain)
2023-09-18 06:12 PDT, Ali Juma
no flags
Radar WebKit Bug Importer
Comment 1 2023-09-18 08:52:05 PDT
Jer Noble
Comment 2 2023-10-17 13:50:47 PDT
Thanks for the report! We're tracking this in an earlier radar: <rdar://80955844>
Jer Noble
Comment 3 2023-10-17 15:22:49 PDT
EWS
Comment 4 2023-10-18 08:55:23 PDT
Committed 269467@main (2ad2ad37c92c): <https://commits.webkit.org/269467@main>

Reviewed commits have been landed. Closing PR #19195 and removing active labels.