Closed
Bug 894104
Opened 11 years ago
Closed 11 years ago
Crash using WebVTT getCueAsHTML from removed frame
Categories
(Core :: Audio/Video, defect)
Core
Audio/Video
Tracking
()
RESOLVED
FIXED
mozilla25
People
(Reporter: jruderman, Assigned: rillian)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(6 files, 2 obsolete files)
|
382 bytes,
text/html
|
Details | |
|
14.93 KB,
text/plain
|
Details | |
|
374 bytes,
text/html
|
Details | |
|
1.25 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
|
3.37 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
|
6.72 KB,
patch
|
rillian
:
review+
|
Details | Diff | Splinter Review |
With:
user_pref("media.webvtt.enabled", true);
Assertion failure: value, at BindingUtils.h:659
> #0 mozilla::dom::WrapNewBindingObject<mozilla::dom::DocumentFragment>
> #1 0x0000000101cc4060 in mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<mozilla::dom::DocumentFragment>, true>::Wrap
> #2 0x0000000101cc3f9d in mozilla::dom::WrapNewBindingObject<nsRefPtr<mozilla::dom::DocumentFragment> >
> #3 0x000000010212b1f7 in mozilla::dom::TextTrackCueBinding::getCueAsHTML
|
Reporter | |
Comment 1•11 years ago
|
||
|
||
Comment 2•11 years ago
|
||
This was caused by bug 882549. That bug changed the implementation of getCueAsHTML to sometimes return null, but the IDL still claims it never returns null, and the binding generator generates code accordingly. Either the IDL or the implementation is wrong. Ralph, can you take this? I doubt caitp will...
Blocks: 882549
Flags: needinfo?(giles)
|
||
Comment 3•11 years ago
|
||
On Windows: bp-777740b4-a2dc-447c-9231-cdf352130716.
Crash Signature: [@ mozilla::dom::WrapNewBindingObjectHelper<nsRefPtr<nsDOMEvent>, int>::Wrap(JSContext*, JS::Handle<JSObject*>, nsRefPtr<nsDOMEvent> const&, JS::MutableHandle<JS::Value>) ]
OS: Mac OS X → All
Hardware: x86_64 → All
|
Assignee | |
Comment 4•11 years ago
|
||
Thanks for the analysis, bz.
Assignee: nobody → giles
Flags: needinfo?(giles)
|
|
Assignee | |
Comment 5•11 years ago
|
||
See bug 895045 for a similar issue with Jetpack accessing closed tabs.
|
|
Assignee | |
Comment 6•11 years ago
|
||
The testcase calls the TextTrackCue constructor on a detached iframe. We are supposed to 'discard the nested browsing context' (whatwg spec, iframe element) but we do so asynchronously. When the testcase calls TextTrackCue it happens to still be available, but really it shouldn't be. As such I think it makes the most sense for the constructor to throw if an owning document isn't available, rather than GetCueAsHTML() throwing, or any of the other options. To see this, run the same sequence of operations manually in the console; frameWin.TextTrackCue will be undefined and the crash will not happen. Interestingly, calling the constructor from a setTimeout, even with a 30s delay, still crashes. It appears the timeout is blocking the teardown. See http://people.mozilla.org/~rgiles/2013/htmlcue-02.html for an example of this. For comparison XMLHttpRequest can be created on the frameWin of a detached iframe. It loses reference to its origin, but can still fetch absolute urls. See http://people.mozilla.org/~rgiles/2013/htmlcue-04.html Chrome also crashes on the testcase, although it is more robust to the htmlcue-0?.html variants. It posts a CORS violation because the iframe's 'data' protocol is different from the page's 'http' protocol, then throws "TypeError: Property 'TextTrackCue'/'XMLHttpRequest' is not a function". It seems Chrome manages to clean the frame's window in the other test variants.
|
|
Assignee | |
Comment 7•11 years ago
|
||
|
|
Reporter | |
Comment 8•11 years ago
|
||
It also crashes if I call the constructor before detaching the iframe. So while restricting the use of the constructor may be a good idea, it won't fix the crash bug.
|
|
||
Comment 9•11 years ago
|
||
The patch restricts the constructor _and_ takes a reference to the document in the constructor. The latter part is what fixes the bug.
|
|
Assignee | |
Comment 10•11 years ago
|
||
Or both really; the first testcase throws because there's no window when the constructor is called, the second succeeds because it still has a reference to the window. But the patch does handle both cases. Jesse, what's the purpose of the statement frameWin.TextTrackCue; in the testcase. Are you just checking if touching the property will crash?
|
|
Assignee | |
Comment 11•11 years ago
|
||
Updated patch to fix commit message, comment.
Attachment #777494 -
Attachment is obsolete: true
Attachment #778130 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 12•11 years ago
|
||
Attachment #778131 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 13•11 years ago
|
||
Remove mGlobal and return mDocument instead from GetParentObject() as per irc discussion.
Attachment #778132 -
Flags: review?(bzbarsky)
|
|
Assignee | |
Comment 14•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=7ed380df17be
|
|
Reporter | |
Comment 15•11 years ago
|
||
(In reply to Ralph Giles (:rillian) from comment #10) > Jesse, what's the purpose of the statement > > frameWin.TextTrackCue; > > in the testcase. Are you just checking if touching the property will crash? If I remove it, two lines later I get "frameWin.TextTrackCue is not a function". Maybe there's some kind of property lookup caching going on? bz would know.
|
|
||
Comment 16•11 years ago
|
||
Yes, interface objects are defined lazily on window objects.
|
|
Assignee | |
Comment 17•11 years ago
|
||
Fascinating. Patches are green on try.
|
|
Assignee | |
Comment 18•11 years ago
|
||
Chromium crash filed as http://code.google.com/p/chromium/issues/detail?id=261653
|
|
||
Comment 19•11 years ago
|
||
Comment on attachment 778130 [details] [diff] [review] Part 1: Retain a document reference in TextTracCue. >+TextTrackCue::CreateCueOverlay() >+{ >+ mDocument->CreateElem(NS_LITERAL_STRING("div"), nullptr, > kNameSpaceID_XHTML, > getter_AddRefs(mDisplayState)); Please fix the indent. Likewise in TextTrackCue::ConvertInternalNodeToContent. r=me
Attachment #778130 -
Flags: review?(bzbarsky) → review+
|
|
||
Comment 20•11 years ago
|
||
Comment on attachment 778131 [details] [diff] [review] Part 2: add crashtest r=me
Attachment #778131 -
Flags: review?(bzbarsky) → review+
|
|
||
Comment 21•11 years ago
|
||
Comment on attachment 778132 [details] [diff] [review] Part 3: Remove mGlobal. r=me
Attachment #778132 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 22•11 years ago
|
||
Thanks for the review. Updated patch to fix indent. Carrying forward r=bz.
Attachment #778130 -
Attachment is obsolete: true
Attachment #779325 -
Flags: review+
|
|
Assignee | |
Comment 23•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ed080cdb1b02 https://hg.mozilla.org/integration/mozilla-inbound/rev/f5874eb61a9b https://hg.mozilla.org/integration/mozilla-inbound/rev/bb21d96a3274
|
||
Comment 24•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ed080cdb1b02 https://hg.mozilla.org/mozilla-central/rev/f5874eb61a9b https://hg.mozilla.org/mozilla-central/rev/bb21d96a3274
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in
before you can comment on or make changes to this bug.
Description
•