Title: [210963] branches/safari-603-branch/Source/WebCore
Revision
210963
Author
matthew_han...@apple.com
Date
2017-01-20 08:25:55 -0800 (Fri, 20 Jan 2017)

Log Message

Merge r210473. rdar://problem/29204422

Modified Paths

Diff

Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (210962 => 210963)


--- branches/safari-603-branch/Source/WebCore/ChangeLog	2017-01-20 16:25:52 UTC (rev 210962)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog	2017-01-20 16:25:55 UTC (rev 210963)
@@ -1,5 +1,26 @@
 2017-01-20  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r210473. rdar://problem/29204422
+
+    2017-01-06  Jer Noble  <jer.no...@apple.com>
+
+            Crash in WebCore::MediaPlayerPrivateMediaSourceAVFObjC::sizeWillChangeAtTime(const MediaTime&, const FloatSize&)::block_invoke
+            https://bugs.webkit.org/show_bug.cgi?id=166738
+
+            Reviewed by Eric Carlson.
+
+            AVFoundation can potentially call the same boundary time observer multiple times, and
+            in that case, it's possible that the observer queue will be empty when we attempt
+            to remove the first item from the queue. There's an ASSERT() in Deque for this case,
+            but we need to explicitly protect against this case.
+
+            Drive-by fix: Explicitly unregister the observer before releasing it.
+
+            * platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm:
+            (WebCore::MediaPlayerPrivateMediaSourceAVFObjC::sizeWillChangeAtTime):
+
+2017-01-20  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r210939. rdar://problem/29885052
 
     2017-01-19  Chris Dumez  <cdu...@apple.com>
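Review bot: The merged entry for r210473 lists only MediaPlayerPrivateMediaSourceAVFObjC.mm and does not say whether a regression test covers the repeated boundary-observer callback, or why one cannot be written. Since the description attributes the crash to AVFoundation invoking the same observer more than once, a line naming the test (or stating that the condition cannot be reproduced reliably in a test) would let a branch reviewer judge how the fix was verified.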

Modified: branches/safari-603-branch/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm (210962 => 210963)


--- branches/safari-603-branch/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm	2017-01-20 16:25:52 UTC (rev 210962)
+++ branches/safari-603-branch/Source/WebCore/platform/graphics/avfoundation/objc/MediaPlayerPrivateMediaSourceAVFObjC.mm	2017-01-20 16:25:55 UTC (rev 210963)
@@ -712,11 +712,16 @@
 {
     auto weakThis = m_sizeChangeObserverWeakPtrFactory.createWeakPtr();
     NSArray* times = @[[NSValue valueWithCMTime:toCMTime(time)]];
-    RetainPtr<id> observer = [m_synchronizer addBoundaryTimeObserverForTimes:times queue:dispatch_get_main_queue() usingBlock:[weakThis, size] {
+    RetainPtr<id> observer = [m_synchronizer addBoundaryTimeObserverForTimes:times queue:dispatch_get_main_queue() usingBlock:[this, weakThis, size] {
         if (!weakThis)
             return;
-        weakThis->m_sizeChangeObservers.removeFirst();
-        weakThis->setNaturalSize(size);
+
+        ASSERT(!m_sizeChangeObservers.isEmpty());
+        if (!m_sizeChangeObservers.isEmpty()) {
+            RetainPtr<id> observer = m_sizeChangeObservers.takeFirst();
+            [m_synchronizer removeTimeObserver:observer.get()];
+        }
+        setNaturalSize(size);
     }];
     m_sizeChangeObservers.append(WTFMove(observer));
 
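Review bot: In the block body, `m_sizeChangeObservers.takeFirst()` removes whichever observer is at the head of the queue rather than the one that actually fired, so when the same boundary observer is invoked a second time while a later observer is still queued, that later observer is unregistered and its size change never runs. Consider identifying the firing observer before removing it, or returning early on a repeated call, so that `setNaturalSize(size)` is not applied again either. Two smaller points: `ASSERT(!m_sizeChangeObservers.isEmpty())` still fires in debug builds for the case the ChangeLog describes as possible, so it should be dropped or the expectation documented in a comment; and the block now captures raw `this` and uses implicit member access next to `weakThis`, with an inner `RetainPtr<id> observer` that shadows the outer `observer`. Going through `weakThis->` consistently and renaming the inner variable would make the lifetime guard easier to audit.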