[Webkit-unassigned] [Bug 35992] New: Crash at MediaPlayer::duration()
bugzilla-daemon at webkit.org
Wed Mar 10 15:30:35 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=35992
Summary: Crash at MediaPlayer::duration()
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
URL: http://stewdio.org/pong/
OS/Version: Windows Vista
Status: NEW
Severity: Normal
Priority: P2
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: hclam at google.com
To reproduce the crash, use Chrome 5.0.342.2 dev.
1. Open http://stewdio.org/pong/
2. Click Play
3. While there is still sound playing, close the tab
4. Aw snap tab
The following stack trace is shown:
Call stack:
0x64db296d [chrome.dll - htmlmediaelement.cpp:1042]
WebCore::HTMLMediaElement::duration()
0x64db3527 [chrome.dll - htmlmediaelement.cpp:1581]
WebCore::HTMLMediaElement::endedPlayback()
0x64db2a54 [chrome.dll - htmlmediaelement.cpp:1137]
WebCore::HTMLMediaElement::playInternal()
0x64db2a29 [chrome.dll - htmlmediaelement.cpp:1128]
WebCore::HTMLMediaElement::play(bool)
0x64f7cc52 [chrome.dll - v8htmlmediaelement.cpp:322]
WebCore::HTMLMediaElementInternal::playCallback
0x65322206 [chrome.dll - builtins.cc:451]
v8::internal::HandleApiCallHelper<0>
0x653224de [chrome.dll - builtins.cc:468]
v8::internal::Builtin_HandleApiCall
The cause of failure is that:
1. Tab is closed
2. HTMLMediaElement::DocumentWillBecomeInactive() is called
3. HTMLMediaElement::m_player is cleared (set to NULL)
4. ... sometime later ...
5. A JavaScript timer set by window.setInterval() fires
6. The script calls audio.play() which goes into HTMLMediaElement::play()
7. Null pointer exception in HTMLMediaElement::duration() when trying to call through it
This starts to happen from Chrome revision 37051, which seems to be caused by
changeset 53780: http://trac.webkit.org/changeset/53780.
The problem is that in HTMLMediaElement::ended(), the code is changed from:

    if (!m_player || m_readyState < HAVE_METADATA)
        return false;

to:

    float dur = duration();
    if (!m_player || isnan(dur))
        return false;
It happens that inside duration(), m_player is used without being checked.
This crash only happens after m_player is cleared by a document close and the
javascript is still active, which doesn't seem to happen in WebKit but only in
Chrome.
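The following is an added, self-contained C++ model of the sequence in this report; it is not code from the report or from WebKit. It places the unchecked duration() next to a checked form that returns NaN when the player is gone, which is exactly the case the rewritten ended() already handles via isnan(). MediaPlayer, the ReadyState enum and the bool return of play() are simplifying assumptions.

```cpp
#include <cmath>
#include <limits>

// Stand-in for WebCore::MediaPlayer (assumption: only what the bug needs).
struct MediaPlayer {
    float m_duration;
    float duration() const { return m_duration; }
};

enum ReadyState { HAVE_NOTHING = 0, HAVE_METADATA = 1 };

class HTMLMediaElement {
public:
    explicit HTMLMediaElement(MediaPlayer* p) : m_player(p), m_readyState(HAVE_METADATA) {}

    // Tab closed: the player is torn down (steps 2-3 of the reported sequence).
    void documentWillBecomeInactive() { m_player = nullptr; m_readyState = HAVE_NOTHING; }

    // Defective shape: dereferences m_player unconditionally. Kept only to show
    // the bug; never call it after documentWillBecomeInactive().
    float durationUnchecked() const { return m_player->duration(); }

    // Checked shape: no player, or no metadata yet, means "unknown", i.e. NaN,
    // which the rewritten ended() is already prepared to treat as "not ended".
    float duration() const {
        if (!m_player || m_readyState < HAVE_METADATA)
            return std::numeric_limits<float>::quiet_NaN();
        return m_player->duration();
    }

    // endedPlayback() in the shape of changeset 53780: duration() runs before
    // the m_player check, so duration() itself must tolerate a null player.
    bool endedPlayback(float currentTime) const {
        float dur = duration();
        if (!m_player || std::isnan(dur))
            return false;
        return currentTime >= dur;
    }

    // play() as reached from the setInterval callback. Returns whether a player
    // was still there to start (assumption; the real method returns void).
    bool play(float currentTime) {
        bool ended = endedPlayback(currentTime); // the call that crashed in the report
        (void)ended;                             // real element would seek(0) here
        return m_player != nullptr;
    }

private:
    MediaPlayer* m_player;
    ReadyState m_readyState;
};
```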