Crash in blink::beforeCallEnteredCallback()
Issue description
Chrome Version: latest
OS: Ubuntu 14.04
What steps will reproduce the problem?
<!DOCTYPE html>
<!-- The iframe supplies a second document for the media element to be moved into. -->
<iframe width=400 height=300></iframe>
<script>
// Create a media element in the top-level document with a source that cannot load.
var media = document.createElement('video');
media.src = 'nosuchurl';
// play() returns a promise that is still pending when the next line runs.
var promise = media.play();
if (promise != undefined) {
  promise.then(() => {
  }).catch(function(error) {
  });
}
// Appending the element into the iframe's document adopts it into a new document;
// this is the step that triggers the crash.
window.frames[0].document.body.appendChild(media);
</script>
What is the expected result?
Moving media element to new document shouldn't cause a crash
What happens instead?
#1 0x7f982c72c330 <unknown>
#2 0x000002423271 blink::beforeCallEnteredCallback()
#3 0x000000722efd v8::Function::NewInstance()
#4 0x00000242772e blink::V8ScriptRunner::instantiateObject()
#5 0x000002421b01 blink::V8ObjectConstructor::newInstance()
#6 0x000002422089 blink::V8PerContextData::createWrapperFromCacheSlowCase()
#7 0x00000241adaf blink::V8DOMWrapper::createWrapper()
#8 0x00000240d118 blink::ScriptWrappable::wrap()
#9 0x0000023f02ff blink::ScriptPromiseResolver::resolveOrReject<>()
#10 0x0000029098aa blink::HTMLMediaElement::rejectPlayPromisesInternal()
#11 0x0000028fdc72 blink::HTMLMediaElement::invokeLoadAlgorithm()
#12 0x0000028fd719 blink::HTMLMediaElement::didMoveToNewDocument()
#13 0x000002764e40 blink::TreeScopeAdopter::moveTreeToNewScope()
#14 0x0000027631c4 blink::TreeScope::adoptIfNeeded()
#15 0x0000026c4220 blink::ContainerNode::insertNodeVector<>()
#16 0x0000026c3181 blink::ContainerNode::appendChild()
#17 0x00000247a504 blink::NodeV8Internal::appendChildMethodCallbackForMainWorld()
#18 0x00000070d978 v8::internal::FunctionCallbackArguments::Call()
#19 0x00000078a926 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#20 0x000000789e6f v8::internal::Builtin_Impl_HandleApiCall()
Dec 20 2016
Dec 22 2016
Jan 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/87800a0c858e3ee1e2a406b3aae00e89ae7d077f
commit 87800a0c858e3ee1e2a406b3aae00e89ae7d077f
Author: a.obzhirov <a.obzhirov@samsung.com>
Date: Fri Jan 20 18:51:19 2017
Crash in blink::beforeCallEnteredCallback()
Crash occurs because the script is forbidden due to the insertion of the media element node when the media element is moved to a new document and the existing play promise gets rejected because of the invoked load. Check if the script is forbidden to skip reject play promises.
BUG=676004
Review-Url: https://codereview.chromium.org/2594353003
Cr-Commit-Position: refs/heads/master@{#445107}
[add] https://crrev.com/87800a0c858e3ee1e2a406b3aae00e89ae7d077f/third_party/WebKit/LayoutTests/media/crash-in-media-moved-to-newdocument.html
[modify] https://crrev.com/87800a0c858e3ee1e2a406b3aae00e89ae7d077f/third_party/WebKit/Source/bindings/core/v8/ScriptPromiseResolver.h
[modify] https://crrev.com/87800a0c858e3ee1e2a406b3aae00e89ae7d077f/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
Feb 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b81015e872d51319648e448129becd5a19799848
commit b81015e872d51319648e448129becd5a19799848
Author: adithyas <adithyas@chromium.org>
Date: Tue Feb 07 20:07:21 2017
Add AllowUserAgentScript in ScriptPromiseResolver::resolveOrReject
BUG=679648,676004
Review-Url: https://codereview.chromium.org/2644343002
Cr-Commit-Position: refs/heads/master@{#448711}
[modify] https://crrev.com/b81015e872d51319648e448129becd5a19799848/third_party/WebKit/Source/bindings/core/v8/ScriptPromiseResolver.h
[modify] https://crrev.com/b81015e872d51319648e448129becd5a19799848/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
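The mechanism described in the first commit message above, as an added C++ model that is not Chromium code: a ScriptForbiddenScope counter stands in for Blink's scope of the same name, the check in ScriptPromiseResolver::reject stands in for the assertion in blink::beforeCallEnteredCallback(), and an exception stands in for the fatal crash so that a test can observe it. Class and method names follow the stack trace in the report; their bodies, the "AbortError" reason string, the checkScriptForbidden flag and the appendChildFromOtherDocument helper are simplifications assumed for this example. Only the first fix (skipping the rejection while script is forbidden) is modelled; the follow-up commit's AllowUserAgentScript change is not.

```cpp
// Added illustration, not Chromium code. Names mirror the Blink classes in the
// crash stack; bodies are simplified models assumed for the example.
#include <functional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Models blink::ScriptForbiddenScope: an RAII counter marking regions where
// running script is not allowed (for example while a node is being inserted).
class ScriptForbiddenScope {
 public:
  ScriptForbiddenScope() { ++s_depth; }
  ~ScriptForbiddenScope() { --s_depth; }
  static bool isScriptForbidden() { return s_depth > 0; }
 private:
  static int s_depth;
};
int ScriptForbiddenScope::s_depth = 0;

// Stand-in for the fatal assertion in blink::beforeCallEnteredCallback().
struct ScriptForbiddenViolation : std::logic_error {
  using std::logic_error::logic_error;
};

// Models blink::ScriptPromiseResolver: rejecting runs the promise reaction,
// which re-enters script, so it must not happen while script is forbidden.
class ScriptPromiseResolver {
 public:
  explicit ScriptPromiseResolver(std::function<void(const std::string&)> onReject)
      : m_onReject(std::move(onReject)) {}
  void reject(const std::string& reason) {
    if (ScriptForbiddenScope::isScriptForbidden())
      throw ScriptForbiddenViolation("beforeCallEnteredCallback: script is forbidden");
    m_onReject(reason);
  }
 private:
  std::function<void(const std::string&)> m_onReject;
};

// Models the slice of blink::HTMLMediaElement seen in the stack trace.
class HTMLMediaElement {
 public:
  // checkScriptForbidden toggles the first fix (commit 87800a0c) on or off.
  explicit HTMLMediaElement(bool checkScriptForbidden) : m_fixed(checkScriptForbidden) {}
  // play() leaves a pending promise behind, as in the reporter's repro.
  void play(std::function<void(const std::string&)> onReject) {
    m_playPromises.emplace_back(std::move(onReject));
  }
  // invokeLoadAlgorithm(): a new load aborts pending play() promises.
  void invokeLoadAlgorithm() {
    // The fix: skip rejecting play promises while script is forbidden.
    if (m_fixed && ScriptForbiddenScope::isScriptForbidden())
      return;
    rejectPlayPromisesInternal("AbortError");  // reason string assumed
  }
  void didMoveToNewDocument() { invokeLoadAlgorithm(); }
  size_t pendingPlayPromises() const { return m_playPromises.size(); }
 private:
  void rejectPlayPromisesInternal(const std::string& reason) {
    auto pending = std::move(m_playPromises);
    m_playPromises.clear();
    for (auto& resolver : pending) resolver.reject(reason);
  }
  bool m_fixed;
  std::vector<ScriptPromiseResolver> m_playPromises;
};

// Models ContainerNode::appendChild() adopting a node from another document:
// TreeScopeAdopter runs didMoveToNewDocument() under a ScriptForbiddenScope.
void appendChildFromOtherDocument(HTMLMediaElement& media) {
  ScriptForbiddenScope forbidScript;
  media.didMoveToNewDocument();
}

// Returns true if the crash-path assertion fired for the given build.
bool reproducesCrash(bool withFix) {
  HTMLMediaElement media(withFix);
  media.play([](const std::string&) {});
  try {
    appendChildFromOtherDocument(media);
  } catch (const ScriptForbiddenViolation&) {
    return true;
  }
  return false;
}

// With the fix, the play promise is left pending instead of being rejected
// inside the forbidden region.
size_t pendingAfterMoveWithFix() {
  HTMLMediaElement media(/*checkScriptForbidden=*/true);
  media.play([](const std::string&) {});
  appendChildFromOtherDocument(media);
  return media.pendingPlayPromises();
}
```

The model makes the root cause visible in one place: the crash is not in the media code or in the promise code on their own, but in running promise reactions (script) from inside a region the DOM mutation has already marked as script-forbidden. The first fix breaks that chain at HTMLMediaElement by not rejecting while the scope is active; the follow-up commit instead changes where ScriptPromiseResolver::resolveOrReject is allowed to run, which the model does not cover.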
Comment 1 by a.obzhirov@samsung.com, Dec 20 2016