Title: [202590] trunk/Source/WebCore
- Revision
- 202590
- Author
- [email protected]
- Date
- 2016-06-28 14:35:37 -0700 (Tue, 28 Jun 2016)
Log Message
CrashTracer beneath JSC::MarkedBlock::specializedSweep
https://bugs.webkit.org/show_bug.cgi?id=159223
Reviewed by Saam Barati.
This crash is caused by a media element re-entering JS during the GC
sweep phase.
In theory, other CachedResourceClients in the DOM might also trigger
similar bugs, but our data only implicates the media elements, so this
fix targets them.
* html/HTMLDocument.h: Document has no reason to inherit from
CachedResourceClient. I found this because I had to search for all
CachedResourceClients in researching this patch.
* platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
(WebCore::WebCoreAVCFResourceLoader::invalidate): Delay our call to
stopLoading because it might re-enter JS, and we might have been called
by the GC sweep phase destroying a media element.
* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::invalidate): Ditto.
Diff
Modified: trunk/Source/WebCore/ChangeLog (202589 => 202590)
--- trunk/Source/WebCore/ChangeLog 2016-06-28 21:33:10 UTC (rev 202589)
+++ trunk/Source/WebCore/ChangeLog 2016-06-28 21:35:37 UTC (rev 202590)
@@ -1,3 +1,29 @@
+2016-06-28 Geoffrey Garen <[email protected]>
+
+ CrashTracer beneath JSC::MarkedBlock::specializedSweep
+ https://bugs.webkit.org/show_bug.cgi?id=159223
+
+ Reviewed by Saam Barati.
+
+ This crash is caused by a media element re-entering JS during the GC
+ sweep phase.
+
+ In theory, other CachedResourceClients in the DOM might also trigger
+ similar bugs, but our data only implicates the media elements, so this
+ fix targets them.
+
+ * html/HTMLDocument.h: Document has no reason to inherit from
+ CachedResourceClient. I found this becuase I had to search for all
+ CachedResourceClients in researching this patch.
+
+ * platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
+ (WebCore::WebCoreAVCFResourceLoader::invalidate): Delay our call to
+ stopLoading because it might re-enter JS, and we might have been called
+ by the GC sweep phase destroying a media element.
+
+ * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+ (WebCore::WebCoreAVFResourceLoader::invalidate): Ditto.
+
2016-06-28 Saam Barati <[email protected]>
some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
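Review bot: the HTMLDocument.h bullet in this ChangeLog entry has a typo ("becuase" should be "because"), and it says "Document has no reason to inherit from CachedResourceClient" while the class actually changed in this revision is HTMLDocument; naming HTMLDocument there would make the entry match the diff.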
Modified: trunk/Source/WebCore/html/HTMLDocument.h (202589 => 202590)
--- trunk/Source/WebCore/html/HTMLDocument.h 2016-06-28 21:33:10 UTC (rev 202589)
+++ trunk/Source/WebCore/html/HTMLDocument.h 2016-06-28 21:35:37 UTC (rev 202590)
@@ -23,13 +23,12 @@
#ifndef HTMLDocument_h
#define HTMLDocument_h
-#include "CachedResourceClient.h"
#include "Document.h"
#include <wtf/HashCountedSet.h>
namespace WebCore {
-class HTMLDocument : public Document, public CachedResourceClient {
+class HTMLDocument : public Document {
public:
static Ref<HTMLDocument> create(Frame* frame, const URL& url)
{
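Review bot: dropping the CachedResourceClient base and its include is a sound cleanup, but it should be confirmed that nothing else relied on HTMLDocument being a CachedResourceClient (for example code passing an HTMLDocument to a CachedResource's addClient/removeClient), and that nothing remaining in HTMLDocument.h depended on the removed "CachedResourceClient.h" include indirectly, since "Document.h" is now the only include supplying those declarations.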
Modified: trunk/Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp (202589 => 202590)
--- trunk/Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp 2016-06-28 21:33:10 UTC (rev 202589)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp 2016-06-28 21:35:37 UTC (rev 202590)
@@ -99,8 +99,14 @@
void WebCoreAVCFResourceLoader::invalidate()
{
+ if (!m_parent)
+ return;
+
m_parent = nullptr;
- stopLoading();
+
+ callOnMainThread([protectedThis = Ref<WebCoreAVCFResourceLoader>(*this)] () mutable {
+ protectedThis->stopLoading();
+ });
}
void WebCoreAVCFResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse& response)
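Review bot: the new `if (!m_parent) return;` guard makes invalidate() idempotent, which matters now that stopLoading() is deferred: without it a second invalidate() before the queued task fires would queue a second stopLoading(). Two points to confirm: (1) callbacks such as responseReceived() can still arrive between invalidate() and the deferred stopLoading(), because the loader stays registered as a client until then, so they must tolerate m_parent being null; (2) the lambda's `mutable` looks unnecessary, since it only calls through protectedThis. A short comment next to callOnMainThread explaining why stopLoading() is deferred (it may re-enter JS, and invalidate() can be reached from the GC sweep destroying a media element, per the ChangeLog) would help future readers understand why this is not a plain synchronous call.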
Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm (202589 => 202590)
--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm 2016-06-28 21:33:10 UTC (rev 202589)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm 2016-06-28 21:35:37 UTC (rev 202590)
@@ -96,8 +96,14 @@
void WebCoreAVFResourceLoader::invalidate()
{
+ if (!m_parent)
+ return;
+
m_parent = nullptr;
- stopLoading();
+
+ callOnMainThread([protectedThis = Ref<WebCoreAVFResourceLoader>(*this)] () mutable {
+ protectedThis->stopLoading();
+ });
}
void WebCoreAVFResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse& response)
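Review bot: this is the same change as in WebCoreAVCFResourceLoader.cpp, so the same points apply: callbacks that can run before the deferred stopLoading() must handle a null m_parent, and the `mutable` on the lambda appears unneeded. Since both loaders now carry identical invalidate() bodies, a comment in each pointing at the other (or a note that the two must be kept in sync) would reduce the risk of a future fix landing in only one of them.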