https://bugs.webkit.org/show_bug.cgi?id=160470
Reviewed by David Kilzer.
Source/WebCore:
Test: media/range-extract-contents-crash.html
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement):
* html/track/AudioTrack.cpp:
(WebCore::AudioTrack::willRemove): ASSERT if media element is NULL.
* html/track/TextTrackList.cpp:
(TextTrackList::clearElement): Clear track media element pointers and client.
* html/track/TextTrackList.h:
* html/track/TrackListBase.cpp:
(TrackListBase::~TrackListBase): Call clearElement.
(TrackListBase::clearElement): Clear track media element pointers and client.
* html/track/TrackListBase.h:
LayoutTests:
* media/range-extract-contents-crash-expected.txt: Added.
* media/range-extract-contents-crash.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204050
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2016-08-02 Eric Carlson <eric.carlson@apple.com>
+
+ Cleanup HTMLMediaElement track lists.
+ https://bugs.webkit.org/show_bug.cgi?id=160470
+
+ Reviewed by David Kilzer.
+
+ * media/range-extract-contents-crash-expected.txt: Added.
+ * media/range-extract-contents-crash.html: Added.
+
2016-08-02 Chris Dumez <cdumez@apple.com>
Named / Indexed properties should be configurable
--- /dev/null
+
+Tests that moving a video element from the document tree into a DocumentFragment does not crash.
+
+If this test does not crash, it passes.
--- /dev/null
+<!DOCTYPE HTML>
+<html>
+<head>
+<script src="../resources/gc.js"></script>
+<script>
+ if (window.testRunner) {
+ window.testRunner.dumpAsText();
+ window.testRunner.waitUntilDone();
+ }
+
+ let tracks = [];
+
+ function runTest()
+ {
+ div = document.getElementsByTagName('div')[0];
+
+ audio = document.createElement("audio");
+ div.appendChild(audio);
+
+ video = document.createElement("video");
+ div.appendChild(video);
+
+ for (let i = 0; i < 10; i++) {
+ let track = document.createElement("track");
+ track.src = 'data:text/vtt,'+encodeURIComponent('WEBVTT\n\n00:00:00.000 --> 00:00:01.000\ntest\n');
+ track.kind = "caption";
+ track.srclang = "fr";
+ video.appendChild(track);
+ tracks.push(track);
+ }
+
+ object = document.createElement("object");
+ video.appendChild(object);
+
+ range = document.createRange();
+ range.selectNodeContents(audio);
+ range.setEndBefore(object);
+ setTimeout(step1, 0);
+ gc();
+ }
+
+ function step1()
+ {
+ range.extractContents();
+ gc();
+ setTimeout(step2, 0);
+ }
+
+ function step2()
+ {
+ for (let i = 0; i < 10; i++)
+ tracks[i].srclang = "en";
+
+ if (window.testRunner)
+ window.testRunner.notifyDone();
+ }
+</script>
+</head>
+<body onload="runTest()">
+ <div></div>
+ <p>Tests that moving a video element from the document tree into a DocumentFragment does not crash.</p>
+ <p>If this test does not crash, it passes.</p>
+</body>
+</html>
+2016-08-02 Eric Carlson <eric.carlson@apple.com>
+
+ Cleanup HTMLMediaElement track lists.
+ https://bugs.webkit.org/show_bug.cgi?id=160470
+
+ Reviewed by David Kilzer.
+
+ Test: media/range-extract-contents-crash.html
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::~HTMLMediaElement):
+
+ * html/track/AudioTrack.cpp:
+ (WebCore::AudioTrack::willRemove): ASSERT if media element is NULL.
+
+ * html/track/TextTrackList.cpp:
+ (TextTrackList::clearElement): Clear track media element pointers and client.
+ * html/track/TextTrackList.h:
+
+ * html/track/TrackListBase.cpp:
+ (TrackListBase::~TrackListBase): Call clearElement.
+ (TrackListBase::clearElement): Clear track media element pointers and client.
+ * html/track/TrackListBase.h:
+
2016-08-02 Anders Carlsson <andersca@apple.com>
Remove more Objective-C bindings that are not used
unregisterWithDocument(document());
#if ENABLE(VIDEO_TRACK)
- if (m_audioTracks) {
+ if (m_audioTracks)
m_audioTracks->clearElement();
- for (unsigned i = 0; i < m_audioTracks->length(); ++i)
- m_audioTracks->item(i)->clearClient();
- }
if (m_textTracks)
m_textTracks->clearElement();
- if (m_textTracks) {
- for (unsigned i = 0; i < m_textTracks->length(); ++i)
- m_textTracks->item(i)->clearClient();
- }
- if (m_videoTracks) {
+ if (m_videoTracks)
m_videoTracks->clearElement();
- for (unsigned i = 0; i < m_videoTracks->length(); ++i)
- m_videoTracks->item(i)->clearClient();
- }
#endif
#if ENABLE(WIRELESS_PLAYBACK_TARGET)
void AudioTrack::willRemove(TrackPrivateBase* trackPrivate)
{
ASSERT_UNUSED(trackPrivate, trackPrivate == m_private);
- mediaElement()->removeAudioTrack(*this);
+ ASSERT(mediaElement());
+ if (mediaElement())
+ mediaElement()->removeAudioTrack(*this);
}
void AudioTrack::updateKindFromPrivate()
{
}
+void TextTrackList::clearElement()
+{
+ TrackListBase::clearElement();
+ for (auto& track : m_elementTracks) {
+ track->setMediaElement(nullptr);
+ track->clearClient();
+ }
+ for (auto& track : m_addTrackTracks) {
+ track->setMediaElement(nullptr);
+ track->clearClient();
+ }
+}
+
unsigned TextTrackList::length() const
{
return m_addTrackTracks.size() + m_elementTracks.size() + m_inbandTracks.size();
}
virtual ~TextTrackList();
+ void clearElement() override;
+
unsigned length() const override;
int getTrackIndex(TextTrack&);
int getTrackIndexRelativeToRenderedTracks(TextTrack&);
TrackListBase::~TrackListBase()
{
+ clearElement();
+}
+
+void TrackListBase::clearElement()
+{
+ m_element = nullptr;
+ for (auto& track : m_inbandTracks) {
+ track->setMediaElement(nullptr);
+ track->clearClient();
+ }
}
Element* TrackListBase::element() const
using RefCounted<TrackListBase>::deref;
ScriptExecutionContext* scriptExecutionContext() const final { return m_context; }
- void clearElement() { m_element = 0; }
+ virtual void clearElement();
Element* element() const;
HTMLMediaElement* mediaElement() const { return m_element; }
git://git.webkit.org / WebKit-https.git / commitdiff