Title: [178950] branches/safari-600.5-branch

Diff

Modified: branches/safari-600.5-branch/LayoutTests/ChangeLog (178949 => 178950)


--- branches/safari-600.5-branch/LayoutTests/ChangeLog	2015-01-22 22:19:46 UTC (rev 178949)
+++ branches/safari-600.5-branch/LayoutTests/ChangeLog	2015-01-22 22:20:57 UTC (rev 178950)
@@ -1,5 +1,19 @@
 2015-01-22  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r178426. rdar://problem/19526069
+
+    2015-01-14  Jer Noble  <jer.no...@apple.com>
+
+            Null-deref crash when seeking immediately before looping.
+            https://bugs.webkit.org/show_bug.cgi?id=140394
+
+            Reviewed by Eric Carlson.
+
+            * media/video-ended-seek-crash-expected.txt: Added.
+            * media/video-ended-seek-crash.html: Added.
+
+2015-01-22  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r178038. rdar://problem/19451263
 
     2015-01-07  Chris Fleizach  <cfleiz...@apple.com>

Added: branches/safari-600.5-branch/LayoutTests/media/video-ended-seek-crash-expected.txt (0 => 178950)


--- branches/safari-600.5-branch/LayoutTests/media/video-ended-seek-crash-expected.txt	                        (rev 0)
+++ branches/safari-600.5-branch/LayoutTests/media/video-ended-seek-crash-expected.txt	2015-01-22 22:20:57 UTC (rev 178950)
@@ -0,0 +1,11 @@
+
+EVENT(canplaythrough)
+RUN(video.currentTime = video.duration - 0.1)
+RUN(video.play())
+EVENT(ended)
+RUN(video.setAttribute("loop", "loop"))
+RUN(video.currentTime = 0)
+RUN(video.play())
+EVENT(seeked)
+END OF TEST
+

Added: branches/safari-600.5-branch/LayoutTests/media/video-ended-seek-crash.html (0 => 178950)


--- branches/safari-600.5-branch/LayoutTests/media/video-ended-seek-crash.html	                        (rev 0)
+++ branches/safari-600.5-branch/LayoutTests/media/video-ended-seek-crash.html	2015-01-22 22:20:57 UTC (rev 178950)
@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>video-ended-seek-crash</title>
+    <script src=""
+    <script src=""
+    <script>
+        function startTest()
+        {
+            findMediaElement();
+            waitForEventOnce('canplaythrough', canPlayThrough);
+            video.src = "" 'content/test');
+        }
+
+        function canPlayThrough()
+        {
+            waitForEventOnce('ended', ended);
+            run('video.currentTime = video.duration - 0.1');
+            run('video.play()');
+        }
+
+        function ended()
+        {
+            waitForEventOnce('seeked', seekedToBeginning);
+            run('video.setAttribute("loop", "loop")');
+            run('video.currentTime = 0');
+            run('video.play()');
+        }
+
+        function seekedToBeginning()
+        {
+            endTest();
+        }
+    </script>
+</head>
+<body _onload_="startTest()">
+    <video controls></video>
+</body>
+</html>
\ No newline at end of file
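Review bot: seekedToBeginning() calls endTest() as soon as `seeked` arrives and checks no state, so this test passes only by not crashing; add a short comment at the top of the script saying so and describing the sequence being exercised (seek to 0 from the `ended` handler right after setting `loop`), so the intent survives later edits. In canPlayThrough(), `video.duration - 0.1` assumes the test clip is longer than 0.1 seconds, which is worth stating next to that line. The file also ends without a trailing newline.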

Modified: branches/safari-600.5-branch/Source/WebCore/ChangeLog (178949 => 178950)


--- branches/safari-600.5-branch/Source/WebCore/ChangeLog	2015-01-22 22:19:46 UTC (rev 178949)
+++ branches/safari-600.5-branch/Source/WebCore/ChangeLog	2015-01-22 22:20:57 UTC (rev 178950)
@@ -1,5 +1,29 @@
 2015-01-22  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r178426. rdar://problem/19526069
+
+    2015-01-14  Jer Noble  <jer.no...@apple.com>
+
+            Null-deref crash when seeking immediately before looping.
+            https://bugs.webkit.org/show_bug.cgi?id=140394
+
+            Reviewed by Eric Carlson.
+
+            It is possible for finishSeek() to be called when a seek() has caused a pending seek task
+            to be scheduled, but before that pending seek task is run. In this case, if a seek request
+            is issued, the existing pending seek task will not be cancelled, which will cause a crash
+            when the pending seek task is run.
+
+            When checking whether an existing seek task needs to be cancelled, check the actual timer,
+            rather than the m_seeking boolean, so that this case is covered.
+
+            Test: media/video-ended-seek-crash.html
+
+            * html/HTMLMediaElement.cpp:
+            (WebCore::HTMLMediaElement::seekWithTolerance):
+
+2015-01-22  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r178038. rdar://problem/19451263
 
     2015-01-07  Chris Fleizach  <cfleiz...@apple.com>

Modified: branches/safari-600.5-branch/Source/WebCore/html/HTMLMediaElement.cpp (178949 => 178950)


--- branches/safari-600.5-branch/Source/WebCore/html/HTMLMediaElement.cpp	2015-01-22 22:19:46 UTC (rev 178949)
+++ branches/safari-600.5-branch/Source/WebCore/html/HTMLMediaElement.cpp	2015-01-22 22:20:57 UTC (rev 178950)
@@ -2383,7 +2383,7 @@
     // 3 - If the element's seeking IDL attribute is true, then another instance of this algorithm is
     // already running. Abort that other instance of the algorithm without waiting for the step that
     // it is running to complete.
-    if (m_seeking) {
+    if (m_seekTimer.isActive()) {
         m_seekTimer.stop();
         m_pendingSeek = nullptr;
     }
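Review bot: the step-3 comment directly above the changed condition still describes the check as "If the element's seeking IDL attribute is true", but the condition now tests `m_seekTimer.isActive()` instead of `m_seeking`, so comment and code no longer match. Add a sentence to the comment explaining that the timer is checked because a seek task can still be pending after finishSeek() has run, which is the case the ChangeLog entry describes. Since `m_pendingSeek = nullptr` is reached only inside this branch, it would also help to state in the comment (or assert) that m_pendingSeek is never set while the timer is inactive.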
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
