<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[202923] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/202923">202923</a></dd>
<dt>Author</dt> <dd>jer.noble@apple.com</dd>
<dt>Date</dt> <dd>2016-07-07 11:53:19 -0700 (Thu, 07 Jul 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Crash due to HTMLMediaElement at JavaScriptCore: JSC::JSLockHolder::JSLockHolder
https://bugs.webkit.org/show_bug.cgi?id=159517
<rdar://problem/27221109>
Reviewed by Eric Carlson.
When WebKit on iOS gets a notification that the UIProcess has been backgrounded, it sends an
interruption event to the WebProcess to pause any playing HTMLMediaElements. When the
elements which get this interruption have pending promises created during a previous call to
play(), these promises get rejected.
However, if the HTMLMediaElement's document has already been destroyed, the pending Promises
are in an inconsistent state: their script execution context (the document) has been
destroyed, leading to the crash in JSLockHolder.
When HTMLMediaElement is notified that its ScriptExecutionContext has been destroyed, also
clear the list of pending Promises.
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::contextDestroyed):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLMediaElementcpp">trunk/Source/WebCore/html/HTMLMediaElement.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (202922 => 202923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2016-07-07 18:47:51 UTC (rev 202922)
+++ trunk/Source/WebCore/ChangeLog 2016-07-07 18:53:19 UTC (rev 202923)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2016-07-07 Jer Noble <jer.noble@apple.com>
+
+ Crash due to HTMLMediaElement at JavaScriptCore: JSC::JSLockHolder::JSLockHolder
+ https://bugs.webkit.org/show_bug.cgi?id=159517
+ <rdar://problem/27221109>
+
+ Reviewed by Eric Carlson.
+
+ When WebKit on iOS gets a notification that the UIProcess has been backgrounded, it sends an
+ interruption event to the WebProcess to pause any playing HTMLMediaElements. When the
+ elements which get this interruption have pending promises created during a previous call to
+ play(), these promises get rejected.
+
+ However, if the HTMLMediaElement's document has already been destroyed, the pending Promises
+ are in an inconsistent state: their script execution context (the document) has been
+ destroyed, leading to the crash in JSLockHolder.
+
+ When HTMLMediaElement is notified that its ScriptExecutionContext has been destroyed, also
+ clear the list of pending Promises.
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::contextDestroyed):
+
</ins><span class="cx"> 2016-07-05 Jer Noble <jer.noble@apple.com>
</span><span class="cx">
</span><span class="cx"> Facebook videos without audio tracks will sometimes cause playback controls to appear.
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLMediaElementcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (202922 => 202923)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-07-07 18:47:51 UTC (rev 202922)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-07-07 18:53:19 UTC (rev 202923)
</span><span class="lines">@@ -5096,6 +5096,8 @@
</span><span class="cx"> m_pauseAfterDetachedTaskQueue.close();
</span><span class="cx"> m_updatePlaybackControlsManagerQueue.close();
</span><span class="cx">
</span><ins>+ m_pendingPlayPromises.clear();
+
</ins><span class="cx"> ActiveDOMObject::contextDestroyed();
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>