[Webkit-unassigned] [Bug 46777] CRASH at WebCore::HTMLSourceElement::scheduleErrorEvent
bugzilla-daemon at webkit.org
Tue Sep 28 19:35:29 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=46777
Joseph Pecoraro <joepeck at webkit.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joepeck at webkit.org
--- Comment #1 from Joseph Pecoraro <joepeck at webkit.org> 2010-09-28 19:35:29 PST ---
I believe this could happen if:

  - The markup has a <video> with <source src="unsupported-video.video">
  - ENABLE(PLUGIN_PROXY_FOR_VIDEO) is enabled

Sequence of events:

  - HTMLMediaElement::loadNextSourceChild triggers a load
    - m_loadState = LoadingFromSourceElement
  - Somehow documentWillBecomeInactive or userCancelledLoad is triggered
    - m_currentSourceNode = 0
    - m_readyState = HAVE_NOTHING
  - A web plugin post media player notification comes in and triggers setNetworkState calling:

    if (m_readyState < HAVE_METADATA && m_loadState == LoadingFromSourceElement) {
        m_currentSourceNode->scheduleErrorEvent(); // <-- with a null pointer

I haven't been able to create a test case for this. However, it looks like m_loadState shouldn't
have LoadingFromSourceElement if the current source node is null. In numerous other places
when the currentSourceNode is set to 0 the load state is also changed to WaitingForSource.
I think the case in userCancelledLoad is missing this change.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
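
Added example, not part of the original comment and not WebKit source: a small C++ model of the three fields named in Comment #1 that replays the described sequence of events and reports the null dereference instead of crashing. The struct layout, the Outcome enum, replay() and the resetLoadState flag are assumptions made for illustration.

```cpp
// Simplified model of the state described in Comment #1. NOT WebKit code: the
// struct layout, Outcome, replay() and resetLoadState are illustrative assumptions.
#include <cstdio>

enum LoadState { WaitingForSource, LoadingFromSourceElement };
enum ReadyState { HAVE_NOTHING, HAVE_METADATA };
enum Outcome { Ignored, ErrorScheduled, NullDeref };
struct SourceNode { int errorEvents = 0; void scheduleErrorEvent() { ++errorEvents; } };

struct MediaElementModel {
    LoadState m_loadState = WaitingForSource;
    ReadyState m_readyState = HAVE_NOTHING;
    SourceNode* m_currentSourceNode = nullptr;
    void loadNextSourceChild(SourceNode* node) {
        m_currentSourceNode = node;
        m_loadState = LoadingFromSourceElement;
    }
    // resetLoadState == false: node cleared, load state left stale (the suspected path).
    // resetLoadState == true: load state reset to WaitingForSource with the node.
    void userCancelledLoad(bool resetLoadState) {
        m_currentSourceNode = nullptr;
        m_readyState = HAVE_NOTHING;
        if (resetLoadState) m_loadState = WaitingForSource;
    }
    // Invariant argued for in the comment: LoadingFromSourceElement implies a node.
    bool invariantHolds() const {
        return m_loadState != LoadingFromSourceElement || m_currentSourceNode != nullptr;
    }
    // Late failure notification; reports the null dereference instead of crashing.
    Outcome setNetworkState() {
        if (m_readyState < HAVE_METADATA && m_loadState == LoadingFromSourceElement) {
            if (!m_currentSourceNode) return NullDeref;
            m_currentSourceNode->scheduleErrorEvent();
            return ErrorScheduled;
        }
        return Ignored;
    }
};

// Replays the sequence of events and returns what the late notification does.
Outcome replay(bool resetLoadState) {
    SourceNode source;
    MediaElementModel media;
    media.loadNextSourceChild(&source);
    media.userCancelledLoad(resetLoadState);
    return media.setNetworkState();
}

int main() { std::printf("stale: %d, reset: %d\n", replay(false), replay(true)); }
```

In this model the stale load state yields NullDeref, while resetting the load state together with the node makes the late notification a no-op.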