Bug 130971 (CVE-2016-4586) - media/track/track-remove-track.html is flaky, crashing and failing
Summary: media/track/track-remove-track.html is flaky, crashing and failing
Status: RESOLVED FIXED
Alias: CVE-2016-4586
Product: WebKit
Classification: Unclassified
Component: Media
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Eric Carlson
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2014-03-31 09:39 PDT by Alexey Proskuryakov
Modified: 2016-07-19 17:23 PDT

See Also:

Attachments
Proposed patch. (3.86 KB, patch)
2016-03-23 14:30 PDT, Eric Carlson, no flags
Proposed patch. (11.41 KB, patch)
2016-03-28 14:15 PDT, Eric Carlson, ap: review+
Patch for landing. (11.92 KB, patch)
2016-03-29 07:40 PDT, Eric Carlson, no flags

Description Alexey Proskuryakov 2014-03-31 09:39:18 PDT
media/track/track-remove-track.html is flaky. It has been this way since the test was added last week.

http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=media%2Ftrack%2Ftrack-remove-track.html

Crash:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001126cf84c WebCore::createWrapperInline(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) + 156 (JSNodeCustom.cpp:202)
1   com.apple.WebCore             	0x00000001126cf795 WebCore::createWrapper(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) + 37 (JSNodeCustom.cpp:253)
2   com.apple.WebCore             	0x0000000111bc0b55 WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) + 133 (JSNodeCustom.h:47)
3   com.apple.WebCore             	0x0000000111fcdeef WebCore::HTMLMediaElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot*) + 447 (HTMLMediaElement.cpp:5963)

Fail:

@@ -1,4 +1,2 @@
 
-PASS Tests that the 'removetrack' event is fired when an out-of-band TextTrack is removed. 
-PASS Tests that the 'removetrack' event is NOT fired for inband TextTrack on a failed load. 
-
+Harness Error. harness_status.status = 2 , harness_status.message = null
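Review bot: with harness_status.message = null the replacement line carries no diagnostic of its own, so the crash trace above (createWrapperInline reached from HTMLMediaElement::didAddUserAgentShadowRoot) is the only actionable detail in this report; the expectation for this test should stay marked as crashing/flaky rather than being rebaselined to the harness-error output.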
Comment 1 Alexey Proskuryakov 2014-03-31 09:41:36 PDT
Marked as flaky in <http://trac.webkit.org/r166508>.
Comment 2 Carlos Alberto Lopez Perez 2014-04-11 11:50:56 PDT
On GTK this test times out, but if you run it with a high enough timeout it gives this very same failure.

I'll update the GTK test expectations for this test to point here also.
Comment 3 Eric Carlson 2016-03-23 14:30:31 PDT
Created attachment 274777 [details]
Proposed patch.
Comment 4 Alexey Proskuryakov 2016-03-23 14:36:39 PDT
Comment on attachment 274777 [details]
Proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=274777&action=review

> Source/WebCore/html/HTMLMediaElement.cpp:3890
> +    Ref<HTMLMediaElement> protect(*this); // Loading and running script can trigger GC.
> +    ensureUserAgentShadowRoot();

This is not our usual idiom for protect.

It's better to add a Ref[Ptr] to a function that needs to use a pointer after an operation that could destroy it. ensureMediaControlsShadowRoot is clearly not such a function, because it doesn't do anything after calling ensureUserAgentShadowRoot().
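The protector idiom discussed above, as an added example that is not WebKit code: a hypothetical minimal RefCounted/Ref pair and a MediaElement stand-in whose shadow-root setup runs "script" (a constructed hook) that releases the caller's only reference. setupControls is the unprotected body that touches a member after the call; setupControlsWithProtector wraps the same body in Ref<T> protect(*this). Survival is reported through globals so the demo never reads freed memory.

```cpp
// Hypothetical minimal stand-ins for WebKit's RefCounted and Ref; not WebCore code.
class RefCounted {
public:
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
protected:
    virtual ~RefCounted() = default;
private:
    unsigned m_refCount = 1; // the creator holds the first reference
};
template<typename T> class Ref {
public:
    explicit Ref(T& object) : m_ptr(&object) { m_ptr->ref(); }
    ~Ref() { m_ptr->deref(); }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
private:
    T* m_ptr;
};
class MediaElement;
static void (*g_scriptHook)(MediaElement&) = nullptr; // constructed stand-in for script run during setup
static bool g_insideSetup = false;          // these globals let the demo observe destruction
static bool g_destroyedDuringSetup = false; // without ever reading freed memory
class MediaElement : public RefCounted {
public:
    void ensureUserAgentShadowRoot() { if (g_scriptHook) g_scriptHook(*this); }
    // Unprotected: if script drops the last reference, 'this' is freed mid-call.
    // Returns whether the element is still alive; checked via globals, never via 'this'.
    bool setupControls() {
        g_insideSetup = true; g_destroyedDuringSetup = false;
        ensureUserAgentShadowRoot();
        g_insideSetup = false;
        if (g_destroyedDuringSetup) return false; // any member access here would be a use-after-free
        m_controlsReady = true;                   // the "use after the call" that needs the object alive
        return true;
    }
    // Protected: the Ref keeps the element alive until this function returns.
    bool setupControlsWithProtector() {
        Ref<MediaElement> protect(*this);
        return setupControls();
    }
private:
    ~MediaElement() override { if (g_insideSetup) g_destroyedDuringSetup = true; }
    bool m_controlsReady = false;
};
static void scriptDropsLastReference(MediaElement& element) { element.deref(); }
// Both scenarios: the only outstanding reference is released by "script" during setup.
bool survivesWithoutProtector() { g_scriptHook = scriptDropsLastReference; return (new MediaElement)->setupControls(); }
bool survivesWithProtector() { g_scriptHook = scriptDropsLastReference; return (new MediaElement)->setupControlsWithProtector(); }
```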
Comment 5 Alexey Proskuryakov 2016-03-23 14:37:11 PDT
Comment on attachment 274777 [details]
Proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=274777&action=review

> Source/WebCore/ChangeLog:9
> +        No new tests, this fixes an existing test.

Is the test still marked as flaky or failing in TestExpectations?
Comment 6 Eric Carlson 2016-03-28 14:15:50 PDT
Created attachment 275050 [details]
Proposed patch.
Comment 7 WebKit Commit Bot 2016-03-28 14:18:06 PDT
Attachment 275050 [details] did not pass style-queue:

ERROR: Source/WebCore/html/HTMLMediaElement.cpp:192:  preprocessor directives (e.g., #ifdef, #define, #import) should never be indented.  [whitespace/indent] [4]
ERROR: Source/WebCore/html/HTMLMediaElement.cpp:193:  Multi line control clauses should use braces.  [whitespace/braces] [4]
Total errors found: 2 in 4 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 8 Alexey Proskuryakov 2016-03-28 14:33:13 PDT
Comment on attachment 275050 [details]
Proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=275050&action=review

> Source/WebCore/html/HTMLMediaElement.cpp:192
> +    #define CASE(actionType) \

Please #undef this at the end.

> Source/WebCore/html/HTMLMediaElement.cpp:199
> +    CASE(HTMLMediaElementEnums::LoadMediaResource);

It's probably better to log without the prefix.

> Source/WebCore/html/HTMLMediaElement.cpp:409
> +    , m_haveSetupCaptionContainer(false)

I think that WebKit style for this is m_haveSetUpCaptionContainer.

> Source/WebCore/html/HTMLMediaElement.cpp:3911
> +    m_creatingControls = true;

Should we ASSERT(!m_creatingControls) here?
Comment 9 Eric Carlson 2016-03-29 07:40:27 PDT
Created attachment 275091 [details]
Patch for landing.
Comment 10 WebKit Commit Bot 2016-03-29 08:40:33 PDT
Comment on attachment 275091 [details]
Patch for landing.

Clearing flags on attachment: 275091

Committed r198780: <http://trac.webkit.org/changeset/198780>
Comment 11 WebKit Commit Bot 2016-03-29 08:40:38 PDT
All reviewed patches have been landed.  Closing bug.