Crash in case of video tag and only audio content and controls active
Reported by
pgorszko...@gmail.com,
Jun 11 2018
|
||||
Issue description
UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Example URL:
data:text/html, <html><body><video id="vid" width="100%" height="100%" autoplay controls onplaying="setTimeout(function(){vid.src=null;vid.parentNode.removeChild(vid)},1000);" src="http://html5tutorial.info/media/vincent.mp3" type="audio/mpeg"></video></body></html>
Steps to reproduce the problem:
IMPORTANT - it happens only when chromium was built with dcheck_always_on=true
1. Open URL
2. Click 'play'
3. Wait 1-2 seconds
4. Renderer crashes!!!
What is the expected behavior?
No crash
What went wrong?
When we remove video element from DOM during the playback (with audio only content and controls active), we can observe the crash.
Did this work before? N/A
Is it a problem with Flash or HTML5? N/A
Does this work in other browsers? N/A
Chrome version: master Channel: n/a
OS Version: Ubuntu 16.04
Flash Version:
Contents of chrome://gpu:
Logs from console:
[1:1:0611/083943.235219:FATAL:container_node.cc(896)] Check failed: !EventDispatchForbiddenScope::IsEventDispatchForbidden().
#0 0x7fb63856a61d base::debug::StackTrace::StackTrace()
#1 0x7fb6382ceeec base::debug::StackTrace::StackTrace()
#2 0x7fb638356e9a logging::LogMessage::~LogMessage()
#3 0x7fb62808f2af blink::ContainerNode::NotifyNodeInserted()
#4 0x7fb62808be7b blink::ContainerNode::ParserAppendChild()
#5 0x7fb62461d2f6 blink::(anonymous namespace)::MaybeParserAppendChild()
#6 0x7fb62461c94f blink::MediaControlsImpl::PopulatePanel()
#7 0x7fb624624b8b blink::MediaControlsImpl::StopActingAsAudioControls()
#8 0x7fb6246216ff blink::MediaControlsImpl::UpdateActingAsAudioControls()
#9 0x7fb6246218a7 blink::MediaControlsImpl::Hide()
#10 0x7fb6287b8884 blink::HTMLMediaElement::UpdateControlsVisibility()
#11 0x7fb6287bb618 blink::HTMLMediaElement::RemovedFrom()
#12 0x7fb6287d1d57 blink::HTMLVideoElement::RemovedFrom()
#13 0x7fb628090bed blink::ContainerNode::NotifyNodeRemoved()
#14 0x7fb62808fbec blink::ContainerNode::RemoveChild()
#15 0x7fb628167dda blink::Node::removeChild()
#16 0x7fb62949aaae blink::NodeV8Internal::removeChildMethod()
#17 0x7fb62949a76b blink::V8Node::removeChildMethodCallback()
#18 0x7fb62a4c44aa v8::internal::FunctionCallbackArguments::Call()
#19 0x7fb62a478b80 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#20 0x7fb62a477039 v8::internal::Builtin_Impl_HandleApiCall()
#21 0x7fb62a476a9d v8::internal::Builtin_HandleApiCall()
#22 0x7fb62b1aa895 <unknown>
Received signal 6
#0 0x7fb63856a61d base::debug::StackTrace::StackTrace()
#1 0x7fb6382ceeec base::debug::StackTrace::StackTrace()
#2 0x7fb63856a074 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7fb61e505390 <unknown>
#4 0x7fb61ad15428 gsignal
#5 0x7fb61ad1702a abort
#6 0x7fb6385697f6 base::debug::(anonymous namespace)::DebugBreak()
#7 0x7fb6385697d8 base::debug::BreakDebugger()
#8 0x7fb638357c94 logging::LogMessage::~LogMessage()
#9 0x7fb62808f2af blink::ContainerNode::NotifyNodeInserted()
#10 0x7fb62808be7b blink::ContainerNode::ParserAppendChild()
#11 0x7fb62461d2f6 blink::(anonymous namespace)::MaybeParserAppendChild()
#12 0x7fb62461c94f blink::MediaControlsImpl::PopulatePanel()
#13 0x7fb624624b8b blink::MediaControlsImpl::StopActingAsAudioControls()
#14 0x7fb6246216ff blink::MediaControlsImpl::UpdateActingAsAudioControls()
#15 0x7fb6246218a7 blink::MediaControlsImpl::Hide()
#16 0x7fb6287b8884 blink::HTMLMediaElement::UpdateControlsVisibility()
#17 0x7fb6287bb618 blink::HTMLMediaElement::RemovedFrom()
#18 0x7fb6287d1d57 blink::HTMLVideoElement::RemovedFrom()
#19 0x7fb628090bed blink::ContainerNode::NotifyNodeRemoved()
#20 0x7fb62808fbec blink::ContainerNode::RemoveChild()
#21 0x7fb628167dda blink::Node::removeChild()
#22 0x7fb62949aaae blink::NodeV8Internal::removeChildMethod()
#23 0x7fb62949a76b blink::V8Node::removeChildMethodCallback()
#24 0x7fb62a4c44aa v8::internal::FunctionCallbackArguments::Call()
#25 0x7fb62a478b80 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#26 0x7fb62a477039 v8::internal::Builtin_Impl_HandleApiCall()
#27 0x7fb62a476a9d v8::internal::Builtin_HandleApiCall()
#28 0x7fb62b1aa895 <unknown>
r8: fffffffffffffed8 r9: fffffffffffffec8 r10: 0000000000000008 r11: 0000000000000202
r12: 00007fff053ec3e0 r13: 00000b64aa3cb020 r14: 00007fb62949a700 r15: 00007fff053ec468
di: 0000000000000001 si: 0000000000000001 bp: 00007fff053ea1d0 bx: 00007fb6386677f0
dx: 0000000000000006 ax: 0000000000000000 cx: 00007fb61ad15428 sp: 00007fff053ea098
ip: 00007fb61ad15428 efl: 0000000000000202 cgf: 002b000000000033 erf: 0000000000000000
trp: 0000000000000000 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
Calling _exit(1). Core file will not be generated.
,
Jun 12 2018
,
Jun 13 2018
,
Jun 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2c5d8300473328c6e5aad297d6f0ac7986bf1da0 commit 2c5d8300473328c6e5aad297d6f0ac7986bf1da0 Author: Tommy Steimel <steimel@chromium.org> Date: Fri Jun 15 16:44:48 2018 [Media Controls] Prevent DCHECK when removing video acting as audio This CL prevents the is_acting_as_audio_controls_ state from updating during an HTMLMediaElement's removal from the document. This fixes an issue where a DCHECK was firing on the controls inserting elements into the panel during a removal. Bug: 851374 Change-Id: I28a4cd31dd4e0197b8fcad8cfaa9401dbf5aea61 Reviewed-on: https://chromium-review.googlesource.com/1098306 Reviewed-by: Becca Hughes <beccahughes@chromium.org> Commit-Queue: Tommy Steimel <steimel@chromium.org> Cr-Commit-Position: refs/heads/master@{#567689} [add] https://crrev.com/2c5d8300473328c6e5aad297d6f0ac7986bf1da0/third_party/WebKit/LayoutTests/media/controls/removing-video-acting-as-audio-element-does-not-crash.html [modify] https://crrev.com/2c5d8300473328c6e5aad297d6f0ac7986bf1da0/third_party/blink/renderer/modules/media_controls/media_controls_impl.cc
,
Sep 22
|
||||
►
Sign in to add a comment |
||||
Comment 1 by chcunningham@chromium.org
, Jun 11 2018Owner: steimel@chromium.org
Status: Assigned (was: Unconfirmed)