210555 2020-04-15 10:24:24 -0700 REGRESSION (r258977): Crash under Document::visibilityStateChanged 2020-04-15 11:54:19 -0700 1 1 1 Unclassified WebKit Media WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 208516 1 cdumez cdumez esprehn+autocc ews-watchlist kangil.han webkit-bug-importer youennf oldest_to_newest 1641855 0 cdumez 2020-04-15 10:24:24 -0700 Crash under Document::visibilityStateChanged: [ 0] 0x0000000107974669 WebCore`WebCore::Document::visibilityStateChanged() + 409 at Document.cpp:1749 1745 client->visibilityStateChanged(); 1746 1747 #if ENABLE(MEDIA_STREAM) 1748 if (hidden()) { -> 1749 RealtimeMediaSourceCenter::singleton().setCapturePageState(hidden(), page()->isMediaCaptureMuted()); 1750 return; 1751 } 1752 #if PLATFORM(IOS_FAMILY) 1753 if (!PlatformMediaSessionManager::sharedManager().isInterrupted()) 1641856 1 396546 cdumez 2020-04-15 10:25:51 -0700 Created attachment 396546 Patch 1641858 2 cdumez 2020-04-15 10:26:59 -0700 I am not quite sure how to write a test for this yet. If anybody has an idea, please let me know. 1641861 3 cdumez 2020-04-15 10:28:33 -0700 (In reply to Chris Dumez from comment #2) > I am not quite sure how to write a test for this yet. If anybody has an > idea, please let me know. Looks like there is an internals.setPageVisibility() method. I will try that we a detached iframe document to see if it reproduces. 1641866 4 cdumez 2020-04-15 10:51:56 -0700 Some JS event must get fired synchronously when Document::visibilityStateChanged() is called. The "visibilitychange" is fired asynchronously so I wasn't able to write a test based on this event. I believe a JS event (likely media related) gets fired synchronously and the event handler in JS removes one of the iframes from the document. 1641870 5 youennf 2020-04-15 10:56:14 -0700 Could it be the muted event of a MediaStreamTrack? On iOS, if document goes in the background, a video capture track gets muted. 1641872 6 youennf 2020-04-15 10:58:07 -0700 (In reply to youenn fablet from comment #5) > Could it be the muted event of a MediaStreamTrack? > On iOS, if document goes in the background, a video capture track gets muted. Nope, since this would happen after the setCapturePageState call. 1641874 7 cdumez 2020-04-15 11:05:10 -0700 (In reply to youenn fablet from comment #6) > (In reply to youenn fablet from comment #5) > > Could it be the muted event of a MediaStreamTrack? > > On iOS, if document goes in the background, a video capture track gets muted. > > Nope, since this would happen after the setCapturePageState call. I don't think the order matters. Page::forEachDocument() gathers all the documents of the page in a Vector. Then iterates over this vector and calls Document::visibilityStateChanged() on each document. The first document is the top document. So if the top document has an event listener for any event that gets called synchronously during Document::visibilityStateChanged() and if that event listener removes a subframe from the document then we would hit this crash when calling Document::visibilityStateChanged() for the subframe document. 1641893 8 cdumez 2020-04-15 11:38:20 -0700 (In reply to Chris Dumez from comment #7) > (In reply to youenn fablet from comment #6) > > (In reply to youenn fablet from comment #5) > > > Could it be the muted event of a MediaStreamTrack? > > > On iOS, if document goes in the background, a video capture track gets muted. > > > > Nope, since this would happen after the setCapturePageState call. > > I don't think the order matters. Page::forEachDocument() gathers all the > documents of the page in a Vector. Then iterates over this vector and calls > Document::visibilityStateChanged() on each document. The first document is > the top document. > > So if the top document has an event listener for any event that gets called > synchronously during Document::visibilityStateChanged() and if that event > listener removes a subframe from the document then we would hit this crash > when calling Document::visibilityStateChanged() for the subframe document. HTMLMediaElement::visibilityStateChanged() gets called. Any idea if this can fire an event synchronously? 1641903 9 ews-feeder 2020-04-15 11:53:07 -0700 Committed r260142: <https://trac.webkit.org/changeset/260142> All reviewed patches have been landed. Closing bug and clearing flags on attachment 396546. 1641904 10 webkit-bug-importer 2020-04-15 11:54:19 -0700 <rdar://problem/61840165> 396546 2020-04-15 10:25:51 -0700 2020-04-15 11:53:08 -0700 Patch bug-210555-20200415102550.patch text/plain 1541 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjYwMTMzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMTI2MmZkYTVlYTZiOGRm YmE0NDNkMDBiYzg4ZGQxOTVkYzVjMTIyZC4uMTg2OWNkMjIwNjg4N2UzYTZiNjE0MzJlZDk5ZjU4 MzA0NmQ3MmY1ZiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDIwLTA0LTE1ICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgUkVHUkVTU0lPTiAocjI1ODk3 Nyk6IENyYXNoIHVuZGVyIERvY3VtZW50Ojp2aXNpYmlsaXR5U3RhdGVDaGFuZ2VkCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMTA1NTUKKworICAgICAg ICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBSZS1pbnRyb2R1Y2UgbnVs bCBjaGVjayBvZiBwYWdlIGluIERvY3VtZW50Ojp2aXNpYmlsaXR5U3RhdGVDaGFuZ2VkKCkgd2hp Y2ggZ290IGluYWR2ZXJ0ZW50bHkKKyAgICAgICAgZHJvcHBlZCBpbiByMjU4OTc3LgorCisgICAg ICAgICogZG9tL0RvY3VtZW50LmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkRvY3VtZW50Ojp2aXNp YmlsaXR5U3RhdGVDaGFuZ2VkKToKKwogMjAyMC0wNC0xNSAgQ2FybG9zIEdhcmNpYSBDYW1wb3Mg IDxjZ2FyY2lhQGlnYWxpYS5jb20+CiAKICAgICAgICAgW0dUSzRdIEZpeCB1c2Ugb2YgZ3RrIGlu aXQgZnVuY3Rpb25zCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9kb20vRG9jdW1lbnQuY3Bw IGIvU291cmNlL1dlYkNvcmUvZG9tL0RvY3VtZW50LmNwcAppbmRleCBlZDkwOTVkMWE4MGFiYmY1 OTY3ZDdlZjFmZjYwMTc2NjkzNTc1YTgxLi45OGM0MGRkYzBkNjM1ZWRjYzhmZDEzOGJhNTkzMWFl ODM3YzJlYjEyIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9kb20vRG9jdW1lbnQuY3BwCisr KyBiL1NvdXJjZS9XZWJDb3JlL2RvbS9Eb2N1bWVudC5jcHAKQEAgLTE3NDUsOCArMTc0NSw5IEBA IHZvaWQgRG9jdW1lbnQ6OnZpc2liaWxpdHlTdGF0ZUNoYW5nZWQoKQogICAgICAgICBjbGllbnQt PnZpc2liaWxpdHlTdGF0ZUNoYW5nZWQoKTsKIAogI2lmIEVOQUJMRShNRURJQV9TVFJFQU0pCi0g ICAgaWYgKGhpZGRlbigpKSB7Ci0gICAgICAgIFJlYWx0aW1lTWVkaWFTb3VyY2VDZW50ZXI6OnNp bmdsZXRvbigpLnNldENhcHR1cmVQYWdlU3RhdGUoaGlkZGVuKCksIHBhZ2UoKS0+aXNNZWRpYUNh cHR1cmVNdXRlZCgpKTsKKyAgICBhdXRvKiBwYWdlID0gdGhpcy0+cGFnZSgpOworICAgIGlmIChw YWdlICYmIGhpZGRlbigpKSB7CisgICAgICAgIFJlYWx0aW1lTWVkaWFTb3VyY2VDZW50ZXI6OnNp bmdsZXRvbigpLnNldENhcHR1cmVQYWdlU3RhdGUodHJ1ZSwgcGFnZS0+aXNNZWRpYUNhcHR1cmVN dXRlZCgpKTsKICAgICAgICAgcmV0dXJuOwogICAgIH0KICNpZiBQTEFURk9STShJT1NfRkFNSUxZ KQo=