+2016-10-13 Jer Noble <jer.noble@apple.com>
+
+ CRASH at WebCore::SourceBuffer::removeCodedFrames + 37
+ https://bugs.webkit.org/show_bug.cgi?id=163336
+
+ Reviewed by Alex Christensen.
+
+ * media/media-source/media-source-remove-crash-expected.txt: Added.
+ * media/media-source/media-source-remove-crash.html: Added.
+
2016-10-13 Sergio Villar Senin <svillar@igalia.com>
[css-grid] Use min-size instead of min-content contribution for intrinsic maximums resolution
--- /dev/null
+
+RUN(video.src = URL.createObjectURL(source))
+EVENT(sourceopen)
+RUN(source.duration = loader.duration())
+RUN(sourceBuffer = source.addSourceBuffer(loader.type()))
+RUN(sourceBuffer.appendBuffer(loader.initSegment()))
+EVENT(update)
+Append a media segment.
+RUN(sourceBuffer.appendBuffer(loader.mediaSegment(0)))
+EVENT(update)
+Remove a range, then remove SourceBuffer from its MediaSource. Should not crash.
+RUN(sourceBuffer.remove(0, source.duration))
+RUN(source.removeSourceBuffer(sourceBuffer))
+END OF TEST
+
--- /dev/null
+<!DOCTYPE html>
+<html>
+<head>
+ <title>media-source-abort-resets-parser</title>
+ <script src="media-source-loader.js"></script>
+ <script src="../video-test.js"></script>
+ <script>
+ var loader;
+ var source;
+ var sourceBuffer;
+
+ function runTest() {
+ findMediaElement();
+
+ loader = new MediaSourceLoader('content/test-fragmented-manifest.json');
+ loader.onload = mediaDataLoaded;
+ loader.onerror = mediaDataLoadingFailed;
+ }
+
+ function mediaDataLoadingFailed() {
+ failTest('Media data loading failed');
+ }
+
+ function mediaDataLoaded() {
+ source = new MediaSource();
+ waitForEvent('sourceopen', sourceOpen, false, false, source);
+ waitForEventAndFail('error');
+ run('video.src = URL.createObjectURL(source)');
+ }
+
+ function sourceOpen() {
+ run('source.duration = loader.duration()');
+ run('sourceBuffer = source.addSourceBuffer(loader.type())');
+ waitForEventOn(sourceBuffer, 'update', sourceInitialized, false, true);
+ run('sourceBuffer.appendBuffer(loader.initSegment())');
+ }
+
+ function sourceInitialized() {
+ consoleWrite('Append a media segment.')
+ waitForEventOn(sourceBuffer, 'update', mediaSegmentAppended, false, true);
+ run('sourceBuffer.appendBuffer(loader.mediaSegment(0))');
+ }
+
+ function mediaSegmentAppended() {
+ consoleWrite('Remove a range, then remove SourceBuffer from its MediaSource. Should not crash.')
+ run('sourceBuffer.remove(0, source.duration)');
+ run('source.removeSourceBuffer(sourceBuffer)');
+ setTimeout(endTest, 100);
+ }
+ </script>
+</head>
+<body onload="runTest()">
+ <video controls></video>
+</body>
+</html>
\ No newline at end of file
+2016-10-13 Jer Noble <jer.noble@apple.com>
+
+ CRASH at WebCore::SourceBuffer::removeCodedFrames + 37
+ https://bugs.webkit.org/show_bug.cgi?id=163336
+
+ Reviewed by Alex Christensen.
+
+ Test: media/media-source/media-source-remove-crash.html
+
+ A null-deref crash can occur if a SourceBuffer is removed from a MediaSource after
+ SourceBuffer.remove() is called, but before the removeTimer is fired.
+
+ * Modules/mediasource/SourceBuffer.cpp:
+ (WebCore::SourceBuffer::removeTimerFired):
+
2016-10-13 Michael Catanzaro <mcatanzaro@igalia.com>
[SOUP] SHOULD NEVER BE REACHED ../../Source/WebCore/platform/URL.cpp(1291) : void WebCore::URL::parse(const WTF::String&)