New issue
Advanced search Search tips

Issue 881772 link

Starred by 2 users
Status: Duplicate
Owner: ----
Closed: Sep 10
Cc:
rbasuvula@chromium.org
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression



Sign in to add a comment

Removing a video element on click crashes tab

Reported by tschr...@newpointe.org, Sep 7 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36

Steps to reproduce the problem:
1. Have a page which removes a video element when it gets clicked:
```
<video controls="" muted="" id="video" >
    <source src="//derpicdn.net/img/2017/7/10/1483108/large.webm" type="video/webm">
</video>
<script>
    const video = document.getElementById("video");
    document.addEventListener("click", evt => video.parentNode.removeChild(video));
</script>
```
2. Click on the video (not on the play button)

What is the expected behavior?
The video element is removed.

What went wrong?
The tab crashes.

Crashed report ID: 71fed01fbfbdfa9c 

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? Yes 68.0.3440

Chrome version: 69.0.3497.81  Channel: stable
OS Version: 10.0
Flash Version: 

Tested and reproduced on 69.0.3497.91 and 71.0.3545.0 on all platforms (I've tested Ubuntu, Windows 10, and Android).

Links to relevant posts on an affected site's forms:
https://derpibooru.org/meta/report-site-bugs-here/post/3980538#post_3980538
https://derpibooru.org/meta/report-site-bugs-here/post/3980621#post_3980621
https://derpibooru.org/meta/report-site-bugs-here/post/3981405#post_3981405

Comment 1 by rbasuvula@chromium.org, Sep 10

Cc: rbasuvula@chromium.org
Mergedinto: 870490
Status: Duplicate (was: Unconfirmed)
Thanks for filing the issue! Seems this issue is similar to issue #870490. Hence merging this issue with 870490.

Please undo if this is not similar.

Thanks.

Comment 2 by liam.mcs...@gmail.com, Sep 10 

I am not sure how anyone else could know if it was similar to the merge target, considering that the bug this was merged into is forbidden to view.

Comment 3 by steimel@chromium.org, Sep 10 

Thanks for the report! We had seen crashes but didn't know the scenario/repro steps.
Project Member

Comment 4 by bugdroid1@chromium.org, Sep 10 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/98a5ecf7c521574e965655c8a87cfb0d403dec84

commit 98a5ecf7c521574e965655c8a87cfb0d403dec84
Author: Tommy Steimel <steimel@chromium.org>
Date: Mon Sep 10 20:59:59 2018

[Media Controls] Prevent crash when video is removed on click

This CL adds an isConnected check in the overlay play button's click
positioning check to prevent a crash when trying to access the layout
data after it's been removed.

Bug: 870490,  881772 
Change-Id: Ic005ae9d3acc2945ed67645bfe98a237c89e38f0
Reviewed-on: https://chromium-review.googlesource.com/1217065
Reviewed-by: Becca Hughes <beccahughes@chromium.org>
Commit-Queue: Tommy Steimel <steimel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#590058}
[add] https://crrev.com/98a5ecf7c521574e965655c8a87cfb0d403dec84/third_party/WebKit/LayoutTests/media/controls/remove-on-click-does-not-crash.html
[modify] https://crrev.com/98a5ecf7c521574e965655c8a87cfb0d403dec84/third_party/blink/renderer/modules/media_controls/elements/media_control_overlay_play_button_element.cc
Project Member

Comment 5 by bugdroid1@chromium.org, Sep 12

Labels: merge-merged-3538
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e59e6d3558661b1898c4bfee805eb8c7363bff7a

commit e59e6d3558661b1898c4bfee805eb8c7363bff7a
Author: Tommy Steimel <steimel@chromium.org>
Date: Wed Sep 12 17:46:16 2018

[Media Controls] Prevent crash when video is removed on click

This CL adds an isConnected check in the overlay play button's click
positioning check to prevent a crash when trying to access the layout
data after it's been removed.

Bug: 870490,  881772 
Change-Id: Ic005ae9d3acc2945ed67645bfe98a237c89e38f0
Reviewed-on: https://chromium-review.googlesource.com/1217065
Reviewed-by: Becca Hughes <beccahughes@chromium.org>
Commit-Queue: Tommy Steimel <steimel@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#590058}(cherry picked from commit 98a5ecf7c521574e965655c8a87cfb0d403dec84)
Reviewed-on: https://chromium-review.googlesource.com/1222288
Reviewed-by: Tommy Steimel <steimel@chromium.org>
Cr-Commit-Position: refs/branch-heads/3538@{#334}
Cr-Branched-From: 79f7c91a2b2a2932cd447fa6f865cb6662fa8fa6-refs/heads/master@{#587811}
[add] https://crrev.com/e59e6d3558661b1898c4bfee805eb8c7363bff7a/third_party/WebKit/LayoutTests/media/controls/remove-on-click-does-not-crash.html
[modify] https://crrev.com/e59e6d3558661b1898c4bfee805eb8c7363bff7a/third_party/blink/renderer/modules/media_controls/elements/media_control_overlay_play_button_element.cc

Sign in to add a comment