Crash in WebCore::TextTrackList::remove
author eric.carlson@apple.com <eric.carlson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 2 May 2012 22:01:37 +0000 (22:01 +0000)
committer eric.carlson@apple.com <eric.carlson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 2 May 2012 22:01:37 +0000 (22:01 +0000)
https://bugs.webkit.org/show_bug.cgi?id=85095

Reviewed by Maciej Stachowiak.

Source/WebCore:

Test: media/track/track-remove-quickly.html

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::willRemoveTrack): Return immediately if the tracks collection
    has not been allocated yet.

LayoutTests:

* media/track/track-remove-quickly-expected.txt: Added.
* media/track/track-remove-quickly.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@115896 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/media/track/track-remove-quickly-expected.txt [new file with mode: 0644]
LayoutTests/media/track/track-remove-quickly.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLMediaElement.cpp

index 62ae977..fc65b25 100644 (file)
@@ -1,3 +1,13 @@
+2012-05-02  Eric Carlson  <eric.carlson@apple.com>
+
+        Crash in WebCore::TextTrackList::remove
+        https://bugs.webkit.org/show_bug.cgi?id=85095
+
+        Reviewed by Maciej Stachowiak.
+
+        * media/track/track-remove-quickly-expected.txt: Added.
+        * media/track/track-remove-quickly.html: Added.
+
 2012-05-02  David Barton  <dbarton@mathscribe.com>
 
         After appending MathML with jquery the table renders with overlaps
diff --git a/LayoutTests/media/track/track-remove-quickly-expected.txt b/LayoutTests/media/track/track-remove-quickly-expected.txt
new file mode 100644 (file)
index 0000000..d261a83
--- /dev/null
@@ -0,0 +1,5 @@
+This test that removing a track element before it has been processed doesn't crash (https://bugs.webkit.org/show_bug.cgi?id=85095).
+If this test does not crash, it passes.
+
+END OF TEST
+
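Review bot: The first line of the expected output reads "This test that removing a track element ...", which is missing a verb form; it should be "This tests that removing ...". The same sentence is in track-remove-quickly.html, so the two files have to be corrected together or the text comparison will fail.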
diff --git a/LayoutTests/media/track/track-remove-quickly.html b/LayoutTests/media/track/track-remove-quickly.html
new file mode 100644 (file)
index 0000000..1f327d9
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <script src=../media-file.js></script>
+        <script src=../video-test.js></script>
+    </head>
+    <body>
+        <div id=video_container></div>
+        <script>
+            var mediaFile = findMediaFile("video", "../content/test");
+            document.getElementById('video_container').innerHTML = "<video src='" + mediaFile + "' controls ><track kind='captions' src='captions-webvtt/simple-captions.vtt' default ></video>";
+        </script>
+        <div>
+            This test that removing a track element before it has been processed doesn't crash (https://bugs.webkit.org/show_bug.cgi?id=85095).
+            <p>If this test does not crash, it passes.</p>
+        </div>
+        <script>
+            endTest();
+        </script>
+    </body>
+</html>
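Review bot: Nothing in the first script block removes the `<track>` element, although the file name and the description both say the test covers removing a track before it has been processed. The script only assigns `innerHTML` on `video_container` and then calls `endTest()`. If the removal is a side effect of that assignment, add a comment saying so, so that a later cleanup of the markup does not silently stop exercising the crash path. Otherwise remove the track explicitly, for example with `removeChild` on the video element. It is also worth a comment that `endTest()` is called synchronously on purpose, before the media or the captions file can load, since that timing is what "quickly" refers to.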
index 988e774..385a0ae 100644 (file)
@@ -1,3 +1,16 @@
+2012-05-02  Eric Carlson  <eric.carlson@apple.com>
+
+        Crash in WebCore::TextTrackList::remove
+        https://bugs.webkit.org/show_bug.cgi?id=85095
+
+        Reviewed by Maciej Stachowiak.
+
+        Test: media/track/track-remove-quickly.html
+
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::willRemoveTrack): Return immediately if the tracks collection
+            has not been allocated yet.
+
 2012-05-02  David Barton  <dbarton@mathscribe.com>
 
         After appending MathML with jquery the table renders with overlaps
index eb6deb8..1c18f66 100644 (file)
@@ -2816,6 +2816,9 @@ void HTMLMediaElement::willRemoveTrack(HTMLTrackElement* trackElement)
 
     trackElement->setHasBeenConfigured(false);
 
+    if (!m_textTracks)
+        return;
+    
     RefPtr<TextTrack> textTrack = trackElement->track();
     if (!textTrack)
         return;
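Review bot: The added `if (!m_textTracks)` early return has no comment explaining when the list can still be unallocated while a track element is being removed, and that condition is the whole reason for the fix. A one-line comment above the check (for example, that the track element can be removed before the list has been created) would keep the guard from looking redundant next to the `if (!textTrack)` check that follows. Placing it after `setHasBeenConfigured(false)` is right, since the element state is still reset on the early-out path. The blank line added after `return;` carries trailing whitespace (`+    `) and should be stripped.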