[webkit-changes] [217048] trunk/Source/WebCore

[pvollan]

Title: [217048] trunk/Source/WebCore

Revision

217048

Author

pvol...@apple.com

Date

2017-05-18 10:17:02 -0700 (Thu, 18 May 2017)

Log Message

Protect MediaDeviceRequest instance during context destruction.
https://bugs.webkit.org/show_bug.cgi?id=172285
<rdar://problem/30369017>

Reviewed by Brent Fulgham.

In MediaDevicesRequest::contextDestroyed(), the call to m_enumerationRequest->cancel() might
end up deleting itself (MediaDevicesRequest). The std::function member m_completionHandler
in MediaDevicesEnumerationRequest contains a captured variable of type
RefPtr<MediaDevicesRequest>. When m_completionHandler is set to null in the cancel() method,
the MediaDevicesRequest object will be deleted if the m_completionHandler member is holding
the last reference.

No new tests, since I am unable to reproduce.

* Modules/mediastream/MediaDevicesRequest.cpp:
(WebCore::MediaDevicesRequest::contextDestroyed):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/Modules/mediastream/MediaDevicesRequest.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (217047 => 217048)

--- trunk/Source/WebCore/ChangeLog	2017-05-18 17:07:51 UTC (rev 217047)
+++ trunk/Source/WebCore/ChangeLog	2017-05-18 17:17:02 UTC (rev 217048)
@@ -1,3 +1,23 @@
+2017-05-18  Per Arne Vollan  <pvol...@apple.com>
+
+        Protect MediaDeviceRequest instance during context destruction.
+        https://bugs.webkit.org/show_bug.cgi?id=172285
+        <rdar://problem/30369017>
+
+        Reviewed by Brent Fulgham.
+
+        In MediaDevicesRequest::contextDestroyed(), the call to m_enumerationRequest->cancel() might
+        end up deleting itself (MediaDevicesRequest). The std::function member m_completionHandler
+        in MediaDevicesEnumerationRequest contains a captured variable of type
+        RefPtr<MediaDevicesRequest>. When m_completionHandler is set to null in the cancel() method,
+        the MediaDevicesRequest object will be deleted if the m_completionHandler member is holding
+        the last reference.
+
+        No new tests, since I am unable to reproduce.
+
+        * Modules/mediastream/MediaDevicesRequest.cpp:
+        (WebCore::MediaDevicesRequest::contextDestroyed):
+
 2017-05-18  Antti Koivisto  <an...@apple.com>
 
         Design mode should not affect UA shadow trees

Modified: trunk/Source/WebCore/Modules/mediastream/MediaDevicesRequest.cpp (217047 => 217048)

--- trunk/Source/WebCore/Modules/mediastream/MediaDevicesRequest.cpp	2017-05-18 17:07:51 UTC (rev 217047)
+++ trunk/Source/WebCore/Modules/mediastream/MediaDevicesRequest.cpp	2017-05-18 17:17:02 UTC (rev 217048)
@@ -69,6 +69,9 @@
 
 void MediaDevicesRequest::contextDestroyed()
 {
+    // The call to m_enumerationRequest->cancel() might delete this.
+    auto protectedThis = makeRef(*this);
+
     if (m_enumerationRequest) {
         m_enumerationRequest->cancel();
         m_enumerationRequest = nullptr;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes