Bug 1333931 - Handle nullptr TextTrack objects in sorting. r?kinetik
Check for nullptr arguments passed to CompareTextTracks. Based
on Ben Kelly's analysis this can happen if the cycle collector
has cleared a TextTrack pointer while comparision is still
happening, perhaps in a queued event task.
This change makes nullptr sort to the end, and adds a
MOZ_DIAGNOSTIC_ASSERT for trying to get the position
of a nullptr track should someone add another call at
a later date.
--- a/dom/html/TextTrackManager.cpp
+++ b/dom/html/TextTrackManager.cpp
@@ -32,16 +32,17 @@ NS_IMPL_ISUPPORTS(TextTrackManager::Shut
CompareTextTracks::CompareTextTracks(HTMLMediaElement* aMediaElement)
{
mMediaElement = aMediaElement;
}
int32_t
CompareTextTracks::TrackChildPosition(TextTrack* aTextTrack) const {
+ MOZ_DIAGNOSTIC_ASSERT(aTextTrack);
HTMLTrackElement* trackElement = aTextTrack->GetTrackElement();
if (!trackElement) {
return -1;
}
return mMediaElement->IndexOf(trackElement);
}
bool
@@ -51,16 +52,24 @@ CompareTextTracks::Equals(TextTrack* aOn
// case of tracks coming from AddTextTrack source we put the newest at the
// last position, so they won't be equal as well.
return false;
}
bool
CompareTextTracks::LessThan(TextTrack* aOne, TextTrack* aTwo) const
{
+ // Protect against nullptr TextTrack objects; treat them as
+ // sorting toward the end.
+ if (!aOne) {
+ return false;
+ }
+ if (!aTwo) {
+ return true;
+ }
TextTrackSource sourceOne = aOne->GetTextTrackSource();
TextTrackSource sourceTwo = aTwo->GetTextTrackSource();
if (sourceOne != sourceTwo) {
return sourceOne == TextTrackSource::Track ||
(sourceOne == AddTextTrack && sourceTwo == MediaResourceSpecific);
}
switch (sourceOne) {
case Track: {