[Webkit-unassigned] [Bug 261676] New: REGRESSION (iOS 17): Chrome crashes in VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 18 06:12:11 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=261676

            Bug ID: 261676
           Summary: REGRESSION (iOS 17): Chrome crashes in
                    VideoFullscreenModelContext::requestRouteSharingPolicy
                    AndContextUID
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Media
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: jean-yves.avenard at apple.com, jer.noble at apple.com,
                    youennf at gmail.com

Created attachment 467737

  --> https://bugs.webkit.org/attachment.cgi?id=467737&action=review

Crash log

Chrome for iOS is getting reports of a new crash in VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID, not seen in iOS 16. We don't have steps to reproduce, but I've attached a crash log.

It looks like VideoFullscreenInterfaceAVKit::setVideoFullscreenModel is calling requestRouteSharingPolicyAndContextUID on a null `model`. This code was most recently changed in bug 258025 (265195 at main) to use a WeakPtr to VideoFullscreenModelContext, so this crash is likely a pre-existing problem uncovered by that.

Here's the stack:
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000020
0   WebKit                              0x00000001c092ff48 WebKit::VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID(WTF::CompletionHandler<void (WebCore::RouteSharingPolicy, WTF::String)>&&) + 128 (VideoFullscreenManagerProxy.mm:358)
1   WebCore                             0x00000001c0138d18 WebCore::VideoFullscreenInterfaceAVKit::setVideoFullscreenModel(WebCore::VideoFullscreenModel*) + 496 (VideoFullscreenInterfaceAVKit.mm:773)
2   WebKit                              0x00000001c0931418 WebKit::VideoFullscreenManagerProxy::ensureModelAndInterface(WTF::ObjectIdentifierGeneric<WebCore::HTMLMediaElementIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>) + 592 (VideoFullscreenManagerProxy.mm:535)
3   WebKit                              0x00000001c092e1e4 WebKit::VideoFullscreenModelContext::setVideoLayerFrame(WebCore::FloatRect) + 740 (VideoFullscreenManagerProxy.mm:245)
4   WebCore                             0x00000001c014eea8 -[WebAVPlayerLayer resolveBounds] + 2812 (WebAVPlayerLayer.mm:293)
5   WebCore                             0x00000001c014bce8 -[WebAVPlayerLayer layoutSublayers] + 796 (WebAVPlayerLayer.mm:238)
6   QuartzCore                          0x00000001ad08b888 0x1ad024000 + 424072
7   UIKitCore                           0x00000001adc762a4 0x1adc40000 + 221860
8   UIKitCore                           0x00000001add6a288 0x1adc40000 + 1221256
9   UIKitCore                           0x00000001adcc6918 0x1adc40000 + 551192
10  UIKitCore                           0x00000001ae3df9d4 0x1adc40000 + 7993812
11  UIKitCore                           0x00000001adff1bb0 0x1adc40000 + 3873712
12  UIKitCore                           0x00000001adcc98ac 0x1adc40000 + 563372
13  UIKitCore                           0x00000001add67a0c 0x1adc40000 + 1210892
14  UIKitCore                           0x00000001add676f8 0x1adc40000 + 1210104
15  UIKitCore                           0x00000001add67544 0x1adc40000 + 1209668
16  UIKitCore                           0x00000001add67390 0x1adc40000 + 1209232
17  UIKitCore                           0x00000001addd5158 0x1adc40000 + 1659224
18  UIKitCore                           0x00000001addd4ee4 0x1adc40000 + 1658596
19  UIKitCore                           0x00000001addd4c24 0x1adc40000 + 1657892
20  UIKitCore                           0x00000001addd3ef0 0x1adc40000 + 1654512
21  UIKitCore                           0x00000001addd3d60 0x1adc40000 + 1654112
22  UIKitCore                           0x00000001ae30d54c 0x1adc40000 + 7132492
23  UIKitCore                           0x00000001ae30d064 0x1adc40000 + 7131236
24  UIKitCore                           0x00000001ae307a8c 0x1adc40000 + 7109260
25  UIKitCore                           0x00000001ae3bbacc 0x1adc40000 + 7846604
26  UIKitCore                           0x00000001adc8226c 0x1adc40000 + 270956
27  UIKitCore                           0x00000001ae3bb92c 0x1adc40000 + 7846188
28  UIKitCore                           0x00000001adc8226c 0x1adc40000 + 270956
29  UIKitCore                           0x00000001ae3baf44 0x1adc40000 + 7843652
30  UIKitCore                           0x00000001ae3ba730 0x1adc40000 + 7841584
31  UIKitCore                           0x00000001ae3b9fc0 0x1adc40000 + 7839680
32  UIKitCore                           0x00000001ae3bc284 0x1adc40000 + 7848580
33  UIKitCore                           0x00000001adf029f4 0x1adc40000 + 2894324
34  UIKitCore                           0x00000001adf02190 0x1adc40000 + 2892176
35  UIKitCore                           0x00000001adf01ea8 0x1adc40000 + 2891432
36  UIKitCore                           0x00000001addd30bc 0x1adc40000 + 1650876
37  WebCore                             0x00000001c013a95c WebCore::VideoFullscreenInterfaceAVKit::cleanupFullscreen() + 212 (VideoFullscreenInterfaceAVKit.mm:925)
38  WebKit                              0x00000001c0930e20 WebKit::VideoFullscreenManagerProxy::invalidate() + 208 (VideoFullscreenManagerProxy.mm:455)
39  WebKit                              0x00000001c0acc064 WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason) + 644 (WebPageProxy.cpp:9016)
40  WebKit                              0x00000001c0ac88ac WebKit::WebPageProxy::close() + 1432 (WebPageProxy.cpp:1413)
41  WebKit                              0x00000001c07b937c -[WKWebView dealloc] + 160 (WKWebView.mm:678)
42  libobjc.A.dylib                     0x00000001a3e0ab60 AutoreleasePoolPage::releaseUntil(objc_object**) + 196 (NSObject.mm:935)
43  libobjc.A.dylib                     0x00000001a3e0a9f8 objc_autoreleasePoolPop + 260 (NSObject.mm:2197)
44  UIKitCore                           0x00000001ade050f4 0x1adc40000 + 1855732
45  UIKitCore                           0x00000001ade03a9c 0x1adc40000 + 1850012
46  UIKitCore                           0x00000001adcead94 0x1adc40000 + 699796
47  UIKitCore                           0x00000001adcea484 0x1adc40000 + 697476
48  UIKitCore                           0x00000001adcea540 0x1adc40000 + 697664
49  CoreFoundation                      0x00000001aba64acc 0x1aba2d000 + 228044
50  CoreFoundation                      0x00000001aba63d48 0x1aba2d000 + 224584
51  CoreFoundation                      0x00000001aba624fc 0x1aba2d000 + 218364
52  CoreFoundation                      0x00000001aba61238 0x1aba2d000 + 213560
53  CoreFoundation                      0x00000001aba60e18 0x1aba2d000 + 212504
54  GraphicsServices                    0x00000001ee51d5ec 0x1ee51a000 + 13804
55  UIKitCore                           0x00000001ade6f350 0x1adc40000 + 2290512
56  UIKitCore                           0x00000001ade6e98c 0x1adc40000 + 2288012
57  Chrome                              0x00000001005337d0 0x1004b0000 + 538576
58  dyld                                0x00000001ce243d44 0x1ce23e000 + 23876
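The null-model path the report describes, as an added illustration (not WebKit's code and not from the reporter): std::weak_ptr stands in for WTF::WeakPtr, the class and method names mirror the stack frames, the ordering inside invalidate() is an assumption, and setVideoFullscreenModel here carries the expiry check that the crashing build evidently lacks.

```cpp
// Added illustration, not WebKit code: std::weak_ptr in place of WTF::WeakPtr.
// Names mirror the stack frames; bodies and the ordering in invalidate() are hypothetical.
#include <functional>
#include <memory>
#include <string>
struct VideoFullscreenModelContext {
    std::string contextUID = "ctx-uid-constructed";   // constructed sample value
    void requestRouteSharingPolicyAndContextUID(std::function<void(std::string)>&& done) {
        done(contextUID);   // reads a member: on a null `this` this is the fault at a small offset
    }
};
struct VideoFullscreenInterfaceAVKit {
    std::weak_ptr<VideoFullscreenModelContext> m_model;   // weak, as after bug 258025
    std::string lastUID;
    // Hardened form: when the weak model has expired, skip the call and report it
    // instead of invoking a method on null as the crashing build does.
    bool setVideoFullscreenModel(std::weak_ptr<VideoFullscreenModelContext> model) {
        m_model = std::move(model);
        auto strong = m_model.lock();
        if (!strong) return false;
        strong->requestRouteSharingPolicyAndContextUID([this](std::string uid) { lastUID = uid; });
        return true;
    }
};
struct VideoFullscreenManagerProxy {
    std::shared_ptr<VideoFullscreenModelContext> m_model = std::make_shared<VideoFullscreenModelContext>();
    std::unique_ptr<VideoFullscreenInterfaceAVKit> m_interface;
    int skippedNullModelCalls = 0;
    bool ensureModelAndInterface() {
        if (!m_interface)
            m_interface = std::make_unique<VideoFullscreenInterfaceAVKit>();
        bool ok = m_interface->setVideoFullscreenModel(m_model);
        if (!ok) ++skippedNullModelCalls;
        return ok;
    }
    // WebAVPlayerLayer layout re-entering the proxy, as in frames 3-5 of the stack.
    void setVideoLayerFrame() { ensureModelAndInterface(); }
    void cleanupFullscreen() { setVideoLayerFrame(); }
    void invalidate() { m_model.reset(); cleanupFullscreen(); }   // owner gone, then layout runs
};
// Normal use, then teardown; returns how many times the check prevented a call on null.
int simulateTeardown(std::string* firstUID) {
    VideoFullscreenManagerProxy proxy;
    proxy.ensureModelAndInterface();
    if (firstUID) *firstUID = proxy.m_interface->lastUID;
    proxy.invalidate();
    return proxy.skippedNullModelCalls;
}
```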
