Fix a crash caused by track insertion after load().

This patch fixes a crash caused by stale LoadMediaResource flag in m_pendingActionFlags when load() is explicitly called on a media element. The insertion of a <track> element triggers the crash by triggering the scheduling of the m_loadTimer, which ends up using the stale flag data when the timer fires. The fix is to clear the LoadMediaResource flag from m_pendingActionFlags when a new load is initiated. BUG=356352 TEST=LayoutTests/media/track/track-insert-after-load-crash.html Review URL: https://codereview.chromium.org/211373009 git-svn-id: svn://svn.chromium.org/blink/trunk@170003 bbb929c8-8fbe-4397-9dbb-9b2b20218538

Fix a crash caused by track insertion after load().
This patch fixes a crash caused by stale LoadMediaResource flag in m_pendingActionFlags when load() is explicitly called on a media element. The insertion of a <track> element triggers the crash by triggering the scheduling of the m_loadTimer, which ends up using the stale flag data when the timer fires. The fix is to clear the LoadMediaResource flag from m_pendingActionFlags when a new load is initiated. BUG=356352 TEST=LayoutTests/media/track/track-insert-after-load-crash.html Review URL: https://codereview.chromium.org/211373009 git-svn-id: svn://svn.chromium.org/blink/trunk@170003 bbb929c8-8fbe-4397-9dbb-9b2b20218538
c1a066cb · acolwell@chromium.org · 0ab3db3f · c1a066cb · c1a066cb · c1a066cb
Commit c1a066cb authored Mar 26, 2014 by acolwell@chromium.org
3 changed files
--- a/third_party/WebKit/LayoutTests/media/track/track-insert-after-load-crash-expected.txt
+++ b/third_party/WebKit/LayoutTests/media/track/track-insert-after-load-crash-expected.txt
+Tests that inserting a <track> element immediately after a load() doesn't crash.
+END OF TEST
--- a/third_party/WebKit/LayoutTests/media/track/track-insert-after-load-crash.html
+++ b/third_party/WebKit/LayoutTests/media/track/track-insert-after-load-crash.html
+<!DOCTYPE  html>
+<html>
+    <head>
+        <script src="../media-file.js"></script>
+        <script src="../video-test.js"></script>
+    </head>
+    <body>
+      <p>Tests that inserting a &lt;track&gt; element immediately after a load() doesn't crash.</p>
+      <video id="v"></video>
+      <script>
+        var v = document.querySelector('#v');
+        v.src = findMediaFile('video', '../content/test');
+        v.load();
+        v.appendChild(document.createElement('track'));
+        v.addEventListener('loadedmetadata', endTest);
+      </script>
+    </body>
+</html>
--- a/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
+++ b/third_party/WebKit/Source/core/html/HTMLMediaElement.cpp
@@ -604,6 +604,8 @@ void HTMLMediaElement::prepareForLoad()
    // Perform the cleanup required for the resource load algorithm to run.
    stopPeriodicTimers();
    m_loadTimer.stop();
+    // FIXME: Figure out appropriate place to reset LoadTextTrackResource if necessary and set m_pendingActionFlags to 0 here.
+    m_pendingActionFlags &= ~LoadMediaResource;
    m_sentEndEvent = false;
    m_sentStalledEvent = false;
    m_haveFiredLoadedData = false;