[CherryPick] Crash in WebCore::HTMLMediaElement::~HTMLMediaElement.

[Title][CherryPick] Crash in WebCore::HTMLMediaElement::~HTMLMediaElement.
[Problem] Crash reproducible from time to time with HTMLMediaElement
[Cause] Did not clear MediaPlayer cleanly.
[Solution] Clear MediaPlay manually before the destructor exits.
[Cherry-Picker] Soo-Hyun Choi <sh9.choi@samsung.com>

https://bugs.webkit.org/show_bug.cgi?id=113531

Reviewed by Eric Carlson.

No new tests, though this is intermittently reproducible with
http/tests/misc/delete-frame-during-readystatechange.html under ASAN.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::~HTMLMediaElement): Clear the media player manually
    before the destructor exits. Clearing the media player may cancel a resource load,
    which can trigger a readystatechange event. It's possible for the HTMLMediaElement
    to attempt to fire an abort event within the readystatechange event, even though it is
    now in an inconsistent state. Clearling the media player before finishing the destructor
    ensures that the HTMLMediaElement will at least still be alive if this case is triggered.
    Set m_completelyLoaded to true to ensure that if userCancelledLoad() is called, it doesn't
    attempt to fire events while destructing.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@148636 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Conflicts:

	Source/WebCore/ChangeLog
	Source/WebCore/html/HTMLMediaElement.cpp

Change-Id: Ia61805750d80ac1c3ac6ef914e15981382e6e026

diff --git a/Source/WebCore/html/HTMLMediaElement.cpp b/Source/WebCore/html/HTMLMediaElement.cpp
index b218137..33930b5 100755 (executable)
--- a/Source/WebCore/html/HTMLMediaElement.cpp
+++ b/Source/WebCore/html/HTMLMediaElement.cpp
@@ -334,6 +334,11 @@ HTMLMediaElement::~HTMLMediaElement()
         m_mediaController->removeMediaElement(this);
 
     removeElementFromDocumentMap(this, document());
+
+    m_completelyLoaded = true;
+    if (m_player)
+        m_player->clearMediaPlayerClient();
+
 #if ENABLE(TIZEN_DEVICE_ROTATION)
     unregisterRotationCallback();
 #endif

diff --git a/Source/WebCore/platform/graphics/MediaPlayer.h b/Source/WebCore/platform/graphics/MediaPlayer.h
index 3840e6b..c94b4d8 100755 (executable)
--- a/Source/WebCore/platform/graphics/MediaPlayer.h
+++ b/Source/WebCore/platform/graphics/MediaPlayer.h
@@ -356,6 +356,7 @@ public:
     void repaint();
 
     MediaPlayerClient* mediaPlayerClient() const { return m_mediaPlayerClient; }
+    void clearMediaPlayerClient() { m_mediaPlayerClient = 0; }
 
     bool hasAvailableVideoFrame() const;
     void prepareForRendering();