Commit 899e1053 authored by jer.noble@apple.com

Crash in WebCore::HTMLMediaElement::~HTMLMediaElement.

https://bugs.webkit.org/show_bug.cgi?id=113531

Reviewed by Eric Carlson.

No new tests, though this is intermittently reproducible with
http/tests/misc/delete-frame-during-readystatechange.html under ASAN.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement): Clear the media player manually
    before the destructor exits. Clearing the media player may cancel a resource load,
    which can trigger a readystatechange event. It's possible for the HTMLMediaElement
    to attempt to fire an abort event within the readystatechange event, even though it is
    now in an inconsistent state. Clearing the media player before finishing the destructor
    ensures that the HTMLMediaElement will at least still be alive if this case is triggered.
    Set m_completelyLoaded to true to ensure that if userCancelledLoad() is called, it doesn't
    attempt to fire events while destructing.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148636 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 0e03c1b5
2013-04-16 Jer Noble <jer.noble@apple.com>
Crash in WebCore::HTMLMediaElement::~HTMLMediaElement.
https://bugs.webkit.org/show_bug.cgi?id=113531
Reviewed by Eric Carlson.
No new tests, though this is intermittently reproducible with
http/tests/misc/delete-frame-during-readystatechange.html under ASAN.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement): Clear the media player manually
before the destructor exits. Clearing the media player may cancel a resource load,
which can trigger a readystatechange event. It's possible for the HTMLMediaElement
to attempt to fire an abort event within the readystatechange event, even though it is
now in an inconsistent state. Clearling the media player before finishing the destructor
ensures that the HTMLMediaElement will at least still be alive if this case is triggered.
Set m_completelyLoaded to true to ensure that if userCancelledLoad() is called, it doesn't
attempt to fire events while destructing.
2013-04-17 Sergio Correia <sergio.correia@openbossa.org>
Web Inspector: make generate-inspector-protocol-version work with python3
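Review bot: The new ChangeLog entry misspells "Clearing" as "Clearling", and its wording "Clear the media player manually" does not match the code change, which calls m_player->clearMediaPlayerClient() and only zeroes the player's client pointer. Suggest rewording the entry to say that the client is detached from the player, so a reader of the ChangeLog does not go looking for a clear of m_player in the destructor.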
......@@ -350,6 +350,10 @@ HTMLMediaElement::~HTMLMediaElement()
#endif
removeElementFromDocumentMap(this, document());
m_completelyLoaded = true;
if (m_player)
m_player->clearMediaPlayerClient();
}
void HTMLMediaElement::didMoveToNewDocument(Document* oldDocument)
......
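Review bot: The two statements added at the end of ~HTMLMediaElement() have no in-code comment, so the reason a destructor sets m_completelyLoaded = true is recorded only in the ChangeLog. Suggest a short comment above that assignment saying it keeps userCancelledLoad() from firing events during destruction, and that the client is detached because cancelling a load can re-enter the element through readystatechange. The entry also states that no new tests were added; since http/tests/misc/delete-frame-during-readystatechange.html reproduces the crash only intermittently under ASAN, the bug should record that ASAN runs of that test are the regression signal for this fix.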
......@@ -378,6 +378,7 @@ public:
void repaint();
MediaPlayerClient* mediaPlayerClient() const { return m_mediaPlayerClient; }
void clearMediaPlayerClient() { m_mediaPlayerClient = 0; }
bool hasAvailableVideoFrame() const;
void prepareForRendering();
......
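Review bot: clearMediaPlayerClient() leaves m_mediaPlayerClient null while the MediaPlayer is still alive, and the mediaPlayerClient() accessor on the line above returns that pointer unchecked. Any caller that dereferences m_mediaPlayerClient or the accessor's result now needs a null check, otherwise the destructor crash is traded for a null dereference on the same re-entrant path; the visible lines do not show those call sites, so please confirm they were audited. A one-line comment on the new method stating that it is meant to be called from the client's destructor would also help.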