Skip to site navigation (Press enter)

[webkit-changes] [229898] trunk

youenn Fri, 23 Mar 2018 09:55:30 -0700

Title: [229898] trunk

Revision: 229898
Author: you...@apple.com
Date: 2018-03-23 09:55:10 -0700 (Fri, 23 Mar 2018)

Log Message

Safari WebKitWebRTCAudioModule crash during <video> tag update when audio track present in MediaStream
https://bugs.webkit.org/show_bug.cgi?id=181180
<rdar://problem/36302375>


Reviewed by Eric Carlson.

Source/WebCore:

Test: webrtc/video-update-often.html

AudioTrackPrivateMediaStreamCocoa needs to be destroyed in the main thread since it owns a Ref to its MediaStreamTrackPrivate.
We can still ref it on a background thread but we always deref it on the main thread.

* platform/mediastream/mac/AudioTrackPrivateMediaStreamCocoa.cpp:
(WebCore::AudioTrackPrivateMediaStreamCocoa::audioSamplesAvailable):
(WebCore::AudioTrackPrivateMediaStreamCocoa::render):

LayoutTests:

* webrtc/video-update-often-expected.txt: Added.
* webrtc/video-update-often.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/platform/mediastream/mac/AudioTrackPrivateMediaStreamCocoa.cpp

Added Paths

trunk/LayoutTests/webrtc/video-update-often-expected.txt
trunk/LayoutTests/webrtc/video-update-often.html

Diff

Modified: trunk/LayoutTests/ChangeLog (229897 => 229898)


--- trunk/LayoutTests/ChangeLog	2018-03-23 16:44:27 UTC (rev 229897)
+++ trunk/LayoutTests/ChangeLog	2018-03-23 16:55:10 UTC (rev 229898)
@@ -1,3 +1,14 @@
+2018-03-23  Youenn Fablet  <you...@apple.com>
+
+        Safari WebKitWebRTCAudioModule crash during <video> tag update when audio track present in MediaStream
+        https://bugs.webkit.org/show_bug.cgi?id=181180
+        <rdar://problem/36302375>
+
+        Reviewed by Eric Carlson.
+
+        * webrtc/video-update-often-expected.txt: Added.
+        * webrtc/video-update-often.html: Added.
+
 2018-03-23  Antoine Quint  <grao...@apple.com>
 
         [Web Animations] infinite repeat counts aren't reflected for CSS Animations

Added: trunk/LayoutTests/webrtc/video-update-often-expected.txt (0 => 229898)


--- trunk/LayoutTests/webrtc/video-update-often-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/webrtc/video-update-often-expected.txt	2018-03-23 16:55:10 UTC (rev 229898)
@@ -0,0 +1,3 @@
+
+PASS Video element being updated did not crash 
+

Added: trunk/LayoutTests/webrtc/video-update-often.html (0 => 229898)


--- trunk/LayoutTests/webrtc/video-update-often.html	                        (rev 0)
+++ trunk/LayoutTests/webrtc/video-update-often.html	2018-03-23 16:55:10 UTC (rev 229898)
@@ -0,0 +1,56 @@
+<!doctype html>
+<html>
+    <head>
+        <meta charset="utf-8">
+        <title>Testing video being updated and changed often</title>
+        <script src=""
+        <script src=""
+        <script src=""
+    </head>
+    <body>
+        <video id="video" autoplay=""></video>
+        <script src =""
+        <script>
+video = document.getElementById("video");
+var counter =0;
+var resolveFunction;
+
+async function updateVideoElement()
+{
+    await video.play();
+    if (++counter >= 4) {
+        video.srcObject = null;
+        document.body.removeChild(video);
+        resolveFunction();
+        return;
+    }
+
+    document.body.removeChild(video);
+    video.srcObject = null;
+    video = document.createElement('video');
+    video.setAttribute("id", "video");
+    video.autoplay = true;
+    video.srcObject = await navigator.mediaDevices.getUserMedia({audio: true, video: true});
+    document.body.appendChild(video);
+    if (window.gc)
+        gc();
+    setTimeout(updateVideoElement, 0);
+}
+
+promise_test((test) => {
+    if (window.testRunner)
+        testRunner.setUserMediaPermission(true);
+
+    return navigator.mediaDevices.getUserMedia({audio: true, video: true}).then((stream) => {
+        video.srcObject = stream;
+        return video.play();
+    }).then(async () => {
+        await new Promise((resolve) => {
+            resolveFunction = resolve;
+            updateVideoElement();
+        });
+    });
+}, "Video element being updated did not crash");
+        </script>
+    </body>
+</html>

Modified: trunk/Source/WebCore/ChangeLog (229897 => 229898)


--- trunk/Source/WebCore/ChangeLog	2018-03-23 16:44:27 UTC (rev 229897)
+++ trunk/Source/WebCore/ChangeLog	2018-03-23 16:55:10 UTC (rev 229898)
@@ -1,3 +1,20 @@
+2018-03-23  Youenn Fablet  <you...@apple.com>
+
+        Safari WebKitWebRTCAudioModule crash during <video> tag update when audio track present in MediaStream
+        https://bugs.webkit.org/show_bug.cgi?id=181180
+        <rdar://problem/36302375>
+
+        Reviewed by Eric Carlson.
+
+        Test: webrtc/video-update-often.html
+
+        AudioTrackPrivateMediaStreamCocoa needs to be destroyed in the main thread since it owns a Ref to its MediaStreamTrackPrivate.
+        We can still ref it on a background thread but we always deref it on the main thread.
+
+        * platform/mediastream/mac/AudioTrackPrivateMediaStreamCocoa.cpp:
+        (WebCore::AudioTrackPrivateMediaStreamCocoa::audioSamplesAvailable):
+        (WebCore::AudioTrackPrivateMediaStreamCocoa::render):
+
 2018-03-23  Sergio Villar Senin  <svil...@igalia.com>
 
         [css-grid] Fix auto repeat tracks computation with definite min sizes

Modified: trunk/Source/WebCore/platform/mediastream/mac/AudioTrackPrivateMediaStreamCocoa.cpp (229897 => 229898)


--- trunk/Source/WebCore/platform/mediastream/mac/AudioTrackPrivateMediaStreamCocoa.cpp	2018-03-23 16:44:27 UTC (rev 229897)
+++ trunk/Source/WebCore/platform/mediastream/mac/AudioTrackPrivateMediaStreamCocoa.cpp	2018-03-23 16:55:10 UTC (rev 229898)
@@ -34,6 +34,7 @@
 
 #include <pal/cf/CoreMediaSoftLink.h>
 #include <pal/spi/cocoa/AudioToolboxSPI.h>
+#include <wtf/Scope.h>
 
 #if ENABLE(VIDEO_TRACK) && ENABLE(MEDIA_STREAM)
 
@@ -169,7 +170,10 @@
 {
     // This function is called on a background thread. The following protectedThis object ensures the object is not
     // destroyed on the main thread before this function exits.
-    Ref<AudioTrackPrivateMediaStreamCocoa> protectedThis { *this };
+    auto scopeExit = WTF::makeScopeExit([protectedThis = makeRef(*this)]() mutable {
+        callOnMainThread([protectedThis = WTFMove(protectedThis)] { });
+    });
+
     ASSERT(description.platformDescription().type == PlatformDescription::CAAudioStreamBasicType);
 
     if (!m_inputDescription || *m_inputDescription != description) {
@@ -220,7 +224,9 @@
 {
     // This function is called on a high-priority background thread. The following protectedThis object ensures the object is not
     // destroyed on the main thread before this function exits.
-    Ref<AudioTrackPrivateMediaStreamCocoa> protectedThis { *this };
+    auto scopeExit = WTF::makeScopeExit([protectedThis = makeRef(*this)]() mutable {
+        callOnMainThread([protectedThis = WTFMove(protectedThis)] { });
+    });
 
     if (!m_isPlaying || m_muted || !m_dataSource || streamTrack().muted() || streamTrack().ended() || !streamTrack().enabled()) {
         AudioSampleBufferList::zeroABL(ioData, static_cast<size_t>(sampleCount * m_outputDescription->bytesPerFrame()));

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes