[Webkit-unassigned] [Bug 187377] New: REGRESSION (r233496): heap-use-after-free in WebCore::VideoTrack::clearClient()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 5 19:21:20 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=187377

            Bug ID: 187377
           Summary: REGRESSION (r233496): heap-use-after-free in
                    WebCore::VideoTrack::clearClient()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Media Elements
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rniwa at webkit.org

e.g.
=90678==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0005829a8 at pc 0x000462bbf59f bp 0x7ffee52e22e0 sp 0x7ffee52e22d8
WRITE of size 8 at 0x60c0005829a8 thread T0
==90678==WARNING: invalid path to external symbolizer!
==90678==WARNING: Failed to use and restart external symbolizer!
    #0 0x462bbf59e in WebCore::VideoTrack::clearClient() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x28e959e)
    #1 0x462ba8167 in WebCore::HTMLMediaElement::forgetResourceSpecificTracks() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x28d2167)
    #2 0x462bc8689 in WebCore::HTMLMediaElement::clearMediaPlayer(WebCore::HTMLMediaElementEnums::DelayedActionType) (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x28f2689)
    #3 0x462bc8f4a in WebCore::HTMLMediaElement::stop() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x28f2f4a)
    #4 0x4628b37ee in WebCore::ScriptExecutionContext::stopActiveDOMObjects() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x25dd7ee)
    #5 0x462719f63 in WebCore::Document::prepareForDestruction() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2443f63)
    #6 0x4631ec538 in WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::DumbPtrTraits<WebCore::FrameView> >&&) (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2f16538)
    #7 0x4631f0f24 in WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2f1af24)
    #8 0x4509bee41 in WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x9bce41)
    #9 0x463014cb5 in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2d3ecb5)
    #10 0x463013e41 in WebCore::FrameLoader::commitProvisionalLoad() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2d3de41)
    #11 0x462fb45f4 in WebCore::DocumentLoader::finishedLoading() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2cde5f4)
    #12 0x462fc15ba in WebCore::DocumentLoader::maybeLoadEmpty() (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2ceb5ba)
    #13 0x462fc1900 in WebCore::DocumentLoader::startLoadingMainResource(WebCore::ShouldContinue) (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2ceb900)
    #14 0x4630316bc in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::ShouldContinue, WebCore::AllowNavigationToInvalidURL)::$_14::operator()() const (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2d5b6bc)
    #15 0x461c85f6c in WTF::CompletionHandler<void ()>::operator()() const (/Volumes/Data/worker/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x19aff6c)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180706/3746dc4b/attachment-0001.html>

More information about the webkit-unassigned mailing list