Title: [231392] trunk/Source/WebCore
Revision: 231392
Author: rn...@webkit.org
Date: 2018-05-04 16:58:04 -0700 (Fri, 04 May 2018)

Log Message

Release assert in ScriptController::canExecuteScripts via HTMLMediaElement::~HTMLMediaElement()
https://bugs.webkit.org/show_bug.cgi?id=185288

Reviewed by Jer Noble.

The crash is caused by HTMLMediaElement::~HTMLMediaElement canceling the resource load via CachedResource,
which ends up calling FrameLoader::checkCompleted() and firing the load event on the document synchronously.
Speculatively fix the crash by scheduling the check instead.

In the long term, ResourceLoader::cancel should never fire the load event synchronously: webkit.org/b/185284.

Unfortunately, no new tests since I can't get MediaResource to get destructed at the right time.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::isRunningDestructor): Added to detect this specific case.
(WebCore::HTMLMediaElementDestructorScope): Added.
(WebCore::HTMLMediaElementDestructorScope::HTMLMediaElementDestructorScope): Added.
(WebCore::HTMLMediaElementDestructorScope::~HTMLMediaElementDestructorScope): Added.
(WebCore::HTMLMediaElement::~HTMLMediaElement): Instantiate HTMLMediaElement.
* html/HTMLMediaElement.h:
* loader/FrameLoader.cpp:
(WebCore::FrameLoader::checkCompleted): Call scheduleCheckCompleted instead of synchronously calling
checkCompleted if we're in the middle of destructing an HTMLMediaElement.

Diff

Modified: trunk/Source/WebCore/ChangeLog (231391 => 231392)


--- trunk/Source/WebCore/ChangeLog	2018-05-04 23:56:10 UTC (rev 231391)
+++ trunk/Source/WebCore/ChangeLog	2018-05-04 23:58:04 UTC (rev 231392)
@@ -1,3 +1,29 @@
+2018-05-03  Ryosuke Niwa  <rn...@webkit.org>
+
+        Release assert in ScriptController::canExecuteScripts via HTMLMediaElement::~HTMLMediaElement()
+        https://bugs.webkit.org/show_bug.cgi?id=185288
+
+        Reviewed by Jer Noble.
+
+        The crash is caused by HTMLMediaElement::~HTMLMediaElement canceling the resource load via CachedResource
+        which ends up calling FrameLoader::checkCompleted() and fire load event on the document synchronously.
+        Speculatively fix the crash by scheduling the check instead.
+
+        In long term, ResourceLoader::cancel should never fire load event synchronously: webkit.org/b/185284.
+
+        Unfortunately, no new tests since I can't get MediaResource to get destructed at the right time.
+
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::isRunningDestructor): Added to detect this specific case.
+        (WebCore::HTMLMediaElementDestructorScope): Added.
+        (WebCore::HTMLMediaElementDestructorScope::HTMLMediaElementDestructorScope): Added.
+        (WebCore::HTMLMediaElementDestructorScope::~HTMLMediaElementDestructorScope): Added.
+        (WebCore::HTMLMediaElement::~HTMLMediaElement): Instantiate HTMLMediaElement.
+        * html/HTMLMediaElement.h:
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::checkCompleted): Call scheduleCheckCompleted instead of synchronously calling
+        checkCompleted if we're in the middle of destructing a HTMLMediaElement.
+
 2018-05-04  Ryosuke Niwa  <rn...@webkit.org>
 
         Rename DocumentOrderedMap to TreeScopeOrderedMap
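Review bot: The entry for (WebCore::HTMLMediaElement::~HTMLMediaElement) says "Instantiate HTMLMediaElement", but the code in this change instantiates HTMLMediaElementDestructorScope; the ChangeLog line should name the scope class so a later reader can find what to remove when webkit.org/b/185284 lands. Also, the entry is dated 2018-05-03 while it is being committed on 2018-05-04 ahead of the existing 2018-05-04 entry below it; the date should match the commit date to keep the file in order.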

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (231391 => 231392)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2018-05-04 23:56:10 UTC (rev 231391)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2018-05-04 23:58:04 UTC (rev 231392)
@@ -576,8 +576,23 @@
     mediaSession().clientWillBeginAutoplaying();
 }
 
+// FIXME: Remove this code once https://webkit.org/b/185284 is fixed.
+static unsigned s_destructorCount = 0;
+
+bool HTMLMediaElement::isRunningDestructor()
+{
+    return !!s_destructorCount;
+}
+
+class HTMLMediaElementDestructorScope {
+public:
+    HTMLMediaElementDestructorScope() { ++s_destructorCount; }
+    ~HTMLMediaElementDestructorScope() { --s_destructorCount; }
+};
+
 HTMLMediaElement::~HTMLMediaElement()
 {
+    HTMLMediaElementDestructorScope destructorScope;
     ALWAYS_LOG(LOGIDENTIFIER);
 
     beginIgnoringTrackDisplayUpdateRequests();
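Review bot: s_destructorCount is a process-wide static, so while any HTMLMediaElement destructor is running, FrameLoader::checkCompleted() is deferred for every frame, not just the one that owns the element being destroyed; that is an acceptable cost for a speculative fix, but the FIXME above the counter should say so explicitly, and an ASSERT(isMainThread()) in the constructor of HTMLMediaElementDestructorScope would document the assumption that the counter is only touched from the main thread. Minor style points: `return !!s_destructorCount;` reads more clearly as `return s_destructorCount > 0;`, and the scope class is file-local and could live in an anonymous namespace.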

Modified: trunk/Source/WebCore/html/HTMLMediaElement.h (231391 => 231392)


--- trunk/Source/WebCore/html/HTMLMediaElement.h	2018-05-04 23:56:10 UTC (rev 231391)
+++ trunk/Source/WebCore/html/HTMLMediaElement.h	2018-05-04 23:58:04 UTC (rev 231392)
@@ -157,6 +157,8 @@
 
     static HTMLMediaElement* bestMediaElementForShowingPlaybackControlsManager(MediaElementSession::PlaybackControlsPurpose);
 
+    static bool isRunningDestructor();
+
     WEBCORE_EXPORT void rewind(double timeDelta);
     WEBCORE_EXPORT void returnToRealtime() override;
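Review bot: The new isRunningDestructor() declaration carries no comment, while both call sites in this patch are marked "FIXME: Remove this code once https://webkit.org/b/185284 is fixed." A matching one-line comment here would make sure the declaration is removed together with the definition and the FrameLoader check when that bug is resolved.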
 

Modified: trunk/Source/WebCore/loader/FrameLoader.cpp (231391 => 231392)


--- trunk/Source/WebCore/loader/FrameLoader.cpp	2018-05-04 23:56:10 UTC (rev 231391)
+++ trunk/Source/WebCore/loader/FrameLoader.cpp	2018-05-04 23:58:04 UTC (rev 231392)
@@ -805,6 +805,13 @@
     // Have we completed before?
     if (m_isComplete)
         return;
+    
+    // FIXME: Remove this code once https://webkit.org/b/185284 is fixed.
+    if (HTMLMediaElement::isRunningDestructor()) {
+        ASSERT_NOT_REACHED();
+        scheduleCheckCompleted();
+        return;
+    }
 
     // FIXME: It would be better if resource loads were kicked off after render tree update (or didn't complete synchronously).
     //        https://bugs.webkit.org/show_bug.cgi?id=171729
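Review bot: ASSERT_NOT_REACHED() immediately before scheduleCheckCompleted() means a debug build still crashes on exactly the path this change is meant to survive in release, so the deferral can never be exercised in debug testing; since the ChangeLog says no test could reproduce the destruction timing, consider a non-fatal assertion or logging here so the condition is recorded without aborting. Two smaller points: the added line after `return;` is whitespace-only (`+    `) and should be empty, and the diff shows no include of HTMLMediaElement.h being added to FrameLoader.cpp, so please confirm it is already included rather than relying on a transitive include.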