[webkit-changes] [292260] trunk/Source/WebKit

[wenson_hsieh]

Title: [292260] trunk/Source/WebKit

Revision

292260

Author

wenson_hs...@apple.com

Date

2022-04-01 23:27:46 -0700 (Fri, 01 Apr 2022)

Log Message

[iOS] Several tests in media/modern-media-controls crash in -[WKActionSheetAssistant _uiMenuElementsForMediaControlContextMenuItems:]
https://bugs.webkit.org/show_bug.cgi?id=238687

Reviewed by Tim Horton.

Fixes several debug assertions that are hit when running layout tests in media/modern-media-controls, due to
exercising undefined behavior in the case where there is only one item. This is because we currently use
Vector's move assignment operator to set `items` to `items[0].children`; however, this move assignment operator
starts by calling the destructor on the contents of `item`, which puts the first item's vector of children in an
invalid state.

Instead, simply add a new temporary variable, and move into the temporary variable instead.

* UIProcess/ios/WKActionSheetAssistant.mm:
(-[WKActionSheetAssistant _uiMenuElementsForMediaControlContextMenuItems:]):
(-[WKActionSheetAssistant showMediaControlsContextMenu:items:completionHandler:]):

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/UIProcess/ios/WKActionSheetAssistant.mm

Diff

Modified: trunk/Source/WebKit/ChangeLog (292259 => 292260)

--- trunk/Source/WebKit/ChangeLog	2022-04-02 06:10:01 UTC (rev 292259)
+++ trunk/Source/WebKit/ChangeLog	2022-04-02 06:27:46 UTC (rev 292260)
@@ -1,3 +1,22 @@
+2022-04-01  Wenson Hsieh  <wenson_hs...@apple.com>
+
+        [iOS] Several tests in media/modern-media-controls crash in -[WKActionSheetAssistant _uiMenuElementsForMediaControlContextMenuItems:]
+        https://bugs.webkit.org/show_bug.cgi?id=238687
+
+        Reviewed by Tim Horton.
+
+        Fixes several debug assertions that are hit when running layout tests in media/modern-media-controls, due to
+        exercising undefined behavior in the case where there is only one item. This is because we currently use
+        Vector's move assignment operator to set `items` to `items[0].children`; however, this move assignment operator
+        starts by calling the destructor on the contents of `item`, which puts the first item's vector of children in an
+        invalid state.
+
+        Instead, simply add a new temporary variable, and move into the temporary variable instead.
+
+        * UIProcess/ios/WKActionSheetAssistant.mm:
+        (-[WKActionSheetAssistant _uiMenuElementsForMediaControlContextMenuItems:]):
+        (-[WKActionSheetAssistant showMediaControlsContextMenu:items:completionHandler:]):
+
 2022-04-01  Michael Saboff  <msab...@apple.com>
 
         Stop copying StagedFrameworks to the secondary path by default

Modified: trunk/Source/WebKit/UIProcess/ios/WKActionSheetAssistant.mm (292259 => 292260)

--- trunk/Source/WebKit/UIProcess/ios/WKActionSheetAssistant.mm	2022-04-02 06:10:01 UTC (rev 292259)
+++ trunk/Source/WebKit/UIProcess/ios/WKActionSheetAssistant.mm	2022-04-02 06:27:46 UTC (rev 292260)
@@ -808,7 +808,7 @@
 
 #if ENABLE(MEDIA_CONTROLS_CONTEXT_MENUS)
 
-- (NSArray<UIMenuElement *> *)_uiMenuElementsForMediaControlContextMenuItems:(Vector<WebCore::MediaControlsContextMenuItem>&&) items
+- (NSArray<UIMenuElement *> *)_uiMenuElementsForMediaControlContextMenuItems:(Vector<WebCore::MediaControlsContextMenuItem>&&)items
 {
     return createNSArray(items, [&] (WebCore::MediaControlsContextMenuItem& item) -> UIMenuElement * {
         UIImage *image = !item.icon.isEmpty() ? [UIImage systemImageNamed:WTFMove(item.icon)] : nil;
@@ -837,17 +837,19 @@
     ASSERT(!_mediaControlsContextMenuCallback);
 
     String menuTitle;
+    Vector<WebCore::MediaControlsContextMenuItem> itemsToPresent;
     if (items.size() == 1) {
         menuTitle = WTFMove(items[0].title);
-        items = WTFMove(items[0].children);
-    }
+        itemsToPresent = WTFMove(items[0].children);
+    } else
+        itemsToPresent = WTFMove(items);
 
-    if (![_view window] || items.isEmpty()) {
+    if (![_view window] || itemsToPresent.isEmpty()) {
         completionHandler(WebCore::MediaControlsContextMenuItem::invalidID);
         return;
     }
 
-    _mediaControlsContextMenu = [UIMenu menuWithTitle:WTFMove(menuTitle) children:[self _uiMenuElementsForMediaControlContextMenuItems:WTFMove(items)]];
+    _mediaControlsContextMenu = [UIMenu menuWithTitle:WTFMove(menuTitle) children:[self _uiMenuElementsForMediaControlContextMenuItems:WTFMove(itemsToPresent)]];
     _mediaControlsContextMenuTargetFrame = WTFMove(targetFrame);
     _mediaControlsContextMenuCallback = WTFMove(completionHandler);
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes