Bug 261676 - REGRESSION (iOS 17): Chrome crashes in VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:

Reported: 2023-09-18 06:12 PDT by Ali Juma
Modified: 2023-10-18 08:55 PDT
CC List: 4 users

See Also:

Attachments
Crash log (29.87 KB, text/plain)
2023-09-18 06:12 PDT, Ali Juma

Description Ali Juma 2023-09-18 06:12:11 PDT
Created attachment 467737
Crash log

Chrome for iOS is getting reports of a new crash in VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID, not seen in iOS 16. We don't have steps to reproduce, but I've attached a crash log.

It looks like VideoFullscreenInterfaceAVKit::setVideoFullscreenModel is calling requestRouteSharingPolicyAndContextUID on a null `model`. This code was most recently changed in bug 258025 (265195@main) to use a WeakPtr to VideoFullscreenModelContext, so this crash is likely a pre-existing problem uncovered by that.

Here's the stack:
Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000020
0   WebKit                        	0x00000001c092ff48 WebKit::VideoFullscreenModelContext::requestRouteSharingPolicyAndContextUID(WTF::CompletionHandler<void (WebCore::RouteSharingPolicy, WTF::String)>&&) + 128 (VideoFullscreenManagerProxy.mm:358)
1   WebCore                       	0x00000001c0138d18 WebCore::VideoFullscreenInterfaceAVKit::setVideoFullscreenModel(WebCore::VideoFullscreenModel*) + 496 (VideoFullscreenInterfaceAVKit.mm:773)
2   WebKit                        	0x00000001c0931418 WebKit::VideoFullscreenManagerProxy::ensureModelAndInterface(WTF::ObjectIdentifierGeneric<WebCore::HTMLMediaElementIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>) + 592 (VideoFullscreenManagerProxy.mm:535)
3   WebKit                        	0x00000001c092e1e4 WebKit::VideoFullscreenModelContext::setVideoLayerFrame(WebCore::FloatRect) + 740 (VideoFullscreenManagerProxy.mm:245)
4   WebCore                       	0x00000001c014eea8 -[WebAVPlayerLayer resolveBounds] + 2812 (WebAVPlayerLayer.mm:293)
5   WebCore                       	0x00000001c014bce8 -[WebAVPlayerLayer layoutSublayers] + 796 (WebAVPlayerLayer.mm:238)
6   QuartzCore                    	0x00000001ad08b888 0x1ad024000 + 424072
7   UIKitCore                     	0x00000001adc762a4 0x1adc40000 + 221860
8   UIKitCore                     	0x00000001add6a288 0x1adc40000 + 1221256
9   UIKitCore                     	0x00000001adcc6918 0x1adc40000 + 551192
10  UIKitCore                     	0x00000001ae3df9d4 0x1adc40000 + 7993812
11  UIKitCore                     	0x00000001adff1bb0 0x1adc40000 + 3873712
12  UIKitCore                     	0x00000001adcc98ac 0x1adc40000 + 563372
13  UIKitCore                     	0x00000001add67a0c 0x1adc40000 + 1210892
14  UIKitCore                     	0x00000001add676f8 0x1adc40000 + 1210104
15  UIKitCore                     	0x00000001add67544 0x1adc40000 + 1209668
16  UIKitCore                     	0x00000001add67390 0x1adc40000 + 1209232
17  UIKitCore                     	0x00000001addd5158 0x1adc40000 + 1659224
18  UIKitCore                     	0x00000001addd4ee4 0x1adc40000 + 1658596
19  UIKitCore                     	0x00000001addd4c24 0x1adc40000 + 1657892
20  UIKitCore                     	0x00000001addd3ef0 0x1adc40000 + 1654512
21  UIKitCore                     	0x00000001addd3d60 0x1adc40000 + 1654112
22  UIKitCore                     	0x00000001ae30d54c 0x1adc40000 + 7132492
23  UIKitCore                     	0x00000001ae30d064 0x1adc40000 + 7131236
24  UIKitCore                     	0x00000001ae307a8c 0x1adc40000 + 7109260
25  UIKitCore                     	0x00000001ae3bbacc 0x1adc40000 + 7846604
26  UIKitCore                     	0x00000001adc8226c 0x1adc40000 + 270956
27  UIKitCore                     	0x00000001ae3bb92c 0x1adc40000 + 7846188
28  UIKitCore                     	0x00000001adc8226c 0x1adc40000 + 270956
29  UIKitCore                     	0x00000001ae3baf44 0x1adc40000 + 7843652
30  UIKitCore                     	0x00000001ae3ba730 0x1adc40000 + 7841584
31  UIKitCore                     	0x00000001ae3b9fc0 0x1adc40000 + 7839680
32  UIKitCore                     	0x00000001ae3bc284 0x1adc40000 + 7848580
33  UIKitCore                     	0x00000001adf029f4 0x1adc40000 + 2894324
34  UIKitCore                     	0x00000001adf02190 0x1adc40000 + 2892176
35  UIKitCore                     	0x00000001adf01ea8 0x1adc40000 + 2891432
36  UIKitCore                     	0x00000001addd30bc 0x1adc40000 + 1650876
37  WebCore                       	0x00000001c013a95c WebCore::VideoFullscreenInterfaceAVKit::cleanupFullscreen() + 212 (VideoFullscreenInterfaceAVKit.mm:925)
38  WebKit                        	0x00000001c0930e20 WebKit::VideoFullscreenManagerProxy::invalidate() + 208 (VideoFullscreenManagerProxy.mm:455)
39  WebKit                        	0x00000001c0acc064 WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason) + 644 (WebPageProxy.cpp:9016)
40  WebKit                        	0x00000001c0ac88ac WebKit::WebPageProxy::close() + 1432 (WebPageProxy.cpp:1413)
41  WebKit                        	0x00000001c07b937c -[WKWebView dealloc] + 160 (WKWebView.mm:678)
42  libobjc.A.dylib               	0x00000001a3e0ab60 AutoreleasePoolPage::releaseUntil(objc_object**) + 196 (NSObject.mm:935)
43  libobjc.A.dylib               	0x00000001a3e0a9f8 objc_autoreleasePoolPop + 260 (NSObject.mm:2197)
44  UIKitCore                     	0x00000001ade050f4 0x1adc40000 + 1855732
45  UIKitCore                     	0x00000001ade03a9c 0x1adc40000 + 1850012
46  UIKitCore                     	0x00000001adcead94 0x1adc40000 + 699796
47  UIKitCore                     	0x00000001adcea484 0x1adc40000 + 697476
48  UIKitCore                     	0x00000001adcea540 0x1adc40000 + 697664
49  CoreFoundation                	0x00000001aba64acc 0x1aba2d000 + 228044
50  CoreFoundation                	0x00000001aba63d48 0x1aba2d000 + 224584
51  CoreFoundation                	0x00000001aba624fc 0x1aba2d000 + 218364
52  CoreFoundation                	0x00000001aba61238 0x1aba2d000 + 213560
53  CoreFoundation                	0x00000001aba60e18 0x1aba2d000 + 212504
54  GraphicsServices              	0x00000001ee51d5ec 0x1ee51a000 + 13804
55  UIKitCore                     	0x00000001ade6f350 0x1adc40000 + 2290512
56  UIKitCore                     	0x00000001ade6e98c 0x1adc40000 + 2288012
57  Chrome                        	0x00000001005337d0 0x1004b0000 + 538576
58  dyld                          	0x00000001ce243d44 0x1ce23e000 + 23876
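Added example, not WebKit's or Chrome's code: a minimal C++ stand-in for the lifetime hazard the description identifies, an interface that holds its model through a weak, non-owning pointer and must confirm the pointer is still live before calling through it. std::weak_ptr is used in place of WTF::WeakPtr, the method name requestRouteSharingPolicyAndContextUID is kept from the report, and every other class, method and value (FullscreenModel, FullscreenInterface, the sample context UID) is a hypothetical stand-in.

```cpp
// Added illustration (not WebKit code). The crash in the report is a call
// through a weak reference whose target has already been destroyed; the
// fix pattern is to lock/null-check the weak reference first. std::weak_ptr
// stands in for WTF::WeakPtr; class names are hypothetical.
#include <functional>
#include <memory>
#include <string>
#include <utility>

enum class RouteSharingPolicy { Default, LongFormVideo };

// Hypothetical stand-in for VideoFullscreenModelContext.
class FullscreenModel {
public:
    explicit FullscreenModel(RouteSharingPolicy p) : m_policy(p) {}
    void requestRouteSharingPolicyAndContextUID(
        std::function<void(RouteSharingPolicy, std::string)> completion) {
        completion(m_policy, "context-uid-1"); // constructed sample value
    }
private:
    RouteSharingPolicy m_policy;
};

// Hypothetical stand-in for VideoFullscreenInterfaceAVKit; holds the model weakly.
class FullscreenInterface {
public:
    // Returns true if the model was alive and the request was delivered,
    // false if the weak reference had expired (the case that crashed in the
    // report when the null pointer was dereferenced unconditionally).
    bool setFullscreenModel(std::weak_ptr<FullscreenModel> model) {
        m_model = std::move(model);
        auto strong = m_model.lock();   // null if the model is already gone
        if (!strong)
            return false;               // guard: never call through a dead pointer
        strong->requestRouteSharingPolicyAndContextUID(
            [this](RouteSharingPolicy policy, std::string uid) {
                m_policy = policy;
                m_contextUID = std::move(uid);
            });
        return true;
    }
    RouteSharingPolicy policy() const { return m_policy; }
    const std::string& contextUID() const { return m_contextUID; }
private:
    std::weak_ptr<FullscreenModel> m_model;
    RouteSharingPolicy m_policy = RouteSharingPolicy::Default;
    std::string m_contextUID;
};

// Mirrors the ordering in the stack: the model is torn down (here by dropping
// its last owner) and the interface is then asked to use it. Returns true when
// the guard takes the safe path instead of dereferencing null.
bool teardownThenSetModelIsSafe() {
    auto model = std::make_shared<FullscreenModel>(RouteSharingPolicy::LongFormVideo);
    FullscreenInterface iface;
    std::weak_ptr<FullscreenModel> weak = model;
    model.reset();                      // last owner gone; weak is now expired
    return !iface.setFullscreenModel(weak);
}

// Normal path: a live model delivers its policy and context UID.
bool liveModelDeliversPolicy() {
    auto model = std::make_shared<FullscreenModel>(RouteSharingPolicy::LongFormVideo);
    FullscreenInterface iface;
    return iface.setFullscreenModel(model)
        && iface.policy() == RouteSharingPolicy::LongFormVideo
        && iface.contextUID() == "context-uid-1";
}
```

The stand-in makes the completion handler synchronous so the result can be checked directly; in a real asynchronous design the same lock-then-check has to happen again inside the completion, since the model may go away between the request and the reply.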
Comment 1 Radar WebKit Bug Importer 2023-09-18 08:52:05 PDT
<rdar://problem/115659414>
Comment 2 Jer Noble 2023-10-17 13:50:47 PDT
Thanks for the report! We're tracking this in an earlier radar:

<rdar://80955844>
Comment 3 Jer Noble 2023-10-17 15:22:49 PDT
<rdar://problem/80955844>
Comment 4 EWS 2023-10-18 08:55:23 PDT
Committed 269467@main (2ad2ad37c92c): <https://commits.webkit.org/269467@main>

Reviewed commits have been landed. Closing PR #19195 and removing active labels.