Title: [219531] trunk
Revision
219531
Author
cdu...@apple.com
Date
2017-07-14 16:02:52 -0700 (Fri, 14 Jul 2017)

Log Message

Possible crash in ~UserGestureIndicator() when on non-main thread
https://bugs.webkit.org/show_bug.cgi?id=174522
<rdar://problem/30283071>

Reviewed by Sam Weinig.

Source/WebCore:

UserGestureIndicator objects may be constructed / destructed in a worker thread
(e.g. in DOMTimer::fired()). The UserGestureIndicator constructor / destructor
are supposed to be no-ops on non-main threads so that this is safe. However,
we were mistakenly initializing the m_previousToken data member in the constructor
on a background thread, which meant that we could crash later on in the
UserGestureIndicator destructor when destroying m_previousToken.

Test: fast/workers/worker-user-gesture.html

* dom/UserGestureIndicator.cpp:
(WebCore::currentToken):
(WebCore::UserGestureIndicator::UserGestureIndicator):

LayoutTests:

Add layout test coverage.

* fast/workers/worker-user-gesture-expected.txt: Added.
* fast/workers/worker-user-gesture.html: Added.
* fast/workers/worker-user-gesture.js: Added.
(setInterval):
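The defect described in the log message, that a member initializer runs before any check in the constructor body, is easier to see in a runnable model. The C++ below is an added example written for this page, not WebKit code: `Token`, `GuardBefore`, `GuardAfter`, `offThreadAccesses`, `restoresTokenOnMainThread` and the counter `g_offThreadAccesses` are constructed stand-ins for UserGestureToken, the pre- and post-fix UserGestureIndicator, and WebKit's ASSERT; `std::shared_ptr` stands in for RefPtr, and `std::thread` stands in for a worker thread.

```cpp
#include <atomic>
#include <cassert>
#include <iostream>
#include <memory>
#include <thread>

// Constructed stand-in for WebCore's UserGestureToken; not WebKit code.
struct Token {};

// Recorded during static initialization, which runs on the main thread.
static const std::thread::id kMainThreadId = std::this_thread::get_id();

// Counts off-main-thread touches of the token slot. WebKit instead has
// ASSERT(isMainThread()) here, which only fires in debug builds.
static std::atomic<int> g_offThreadAccesses{0};

static bool isMainThread()
{
    return std::this_thread::get_id() == kMainThreadId;
}

// Stand-in for currentToken(): a process-wide, main-thread-only slot.
static std::shared_ptr<Token>& currentToken()
{
    if (!isMainThread())
        ++g_offThreadAccesses;
    static std::shared_ptr<Token> token;
    return token;
}

// BEFORE the fix: the member initializer runs before the constructor body,
// so currentToken() is read on every thread despite the check below.
class GuardBefore {
public:
    explicit GuardBefore(std::shared_ptr<Token> token)
        : m_previousToken(currentToken())
    {
        if (!isMainThread())
            return;
        if (token)
            currentToken() = token;
    }
    ~GuardBefore()
    {
        if (!isMainThread())
            return;
        currentToken() = m_previousToken;
    }
private:
    std::shared_ptr<Token> m_previousToken;
};

// AFTER the fix: m_previousToken stays null off the main thread, so the
// destructor has nothing main-thread-owned to release there.
class GuardAfter {
public:
    explicit GuardAfter(std::shared_ptr<Token> token)
    {
        if (!isMainThread())
            return;
        // Only read currentToken() once we know we are on the main thread.
        m_previousToken = currentToken();
        if (token)
            currentToken() = token;
    }
    ~GuardAfter()
    {
        if (!isMainThread())
            return;
        currentToken() = m_previousToken;
    }
private:
    std::shared_ptr<Token> m_previousToken;
};

// Construct and destroy a guard on a worker thread (as a worker DOMTimer
// would) and report how often the main-thread-only slot was touched there.
template <typename Guard>
int offThreadAccesses()
{
    g_offThreadAccesses = 0;
    std::thread worker([] {
        Guard guard(std::make_shared<Token>());
        (void)guard;
    });
    worker.join();
    return g_offThreadAccesses.load();
}

// On the main thread both versions must still save and restore the token.
template <typename Guard>
bool restoresTokenOnMainThread()
{
    auto original = std::make_shared<Token>();
    currentToken() = original;
    auto inner = std::make_shared<Token>();
    {
        Guard guard(inner);
        if (currentToken() != inner)
            return false;
    }
    return currentToken() == original;
}

int main()
{
    std::cout << "before fix: " << offThreadAccesses<GuardBefore>() << " off-thread access(es)\n";
    std::cout << "after fix:  " << offThreadAccesses<GuardAfter>() << " off-thread access(es)\n";
    return 0;
}
```

The early `return` in the body never protected the initializer list; only moving the read into the body after the thread check does. The model counts the violation instead of crashing because `std::shared_ptr` has a thread-safe reference count, whereas the non-atomic RefPtr in the real code is what made destroying `m_previousToken` on a worker thread unsafe.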

Diff

Modified: trunk/LayoutTests/ChangeLog (219530 => 219531)


--- trunk/LayoutTests/ChangeLog	2017-07-14 22:52:52 UTC (rev 219530)
+++ trunk/LayoutTests/ChangeLog	2017-07-14 23:02:52 UTC (rev 219531)
@@ -1,3 +1,18 @@
+2017-07-14  Chris Dumez  <cdu...@apple.com>
+
+        Possible crash in ~UserGestureIndicator() when on non-main thread
+        https://bugs.webkit.org/show_bug.cgi?id=174522
+        <rdar://problem/30283071>
+
+        Reviewed by Sam Weinig.
+
+        Add layout test coverage.
+
+        * fast/workers/worker-user-gesture-expected.txt: Added.
+        * fast/workers/worker-user-gesture.html: Added.
+        * fast/workers/worker-user-gesture.js: Added.
+        (setInterval):
+
 2017-07-14  Daniel Bates  <daba...@apple.com>
 
         REGRESSION (r219013): Compute source frame info for frameless document

Added: trunk/LayoutTests/fast/workers/worker-user-gesture-expected.txt (0 => 219531)


--- trunk/LayoutTests/fast/workers/worker-user-gesture-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/workers/worker-user-gesture-expected.txt	2017-07-14 23:02:52 UTC (rev 219531)
@@ -0,0 +1,9 @@
+Test that we do not crash when timers fire on the worker thread while user gestures are happening.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
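Review bot: the expectation records only `successfullyParsed is true` and `TEST COMPLETE`, so this test is purely a crash/assertion check with no per-gesture PASS lines; that fits the bug, whose failure mode is a destructor crash rather than a wrong value, but it means a regression is visible only as an ASSERT failure in debug builds or a crash in release, never as an output diff.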

Added: trunk/LayoutTests/fast/workers/worker-user-gesture.html (0 => 219531)


--- trunk/LayoutTests/fast/workers/worker-user-gesture.html	                        (rev 0)
+++ trunk/LayoutTests/fast/workers/worker-user-gesture.html	2017-07-14 23:02:52 UTC (rev 219531)
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src=""
+<script src=""
+</head>
+<body>
+<input id="testButton" type="button" value="Click me">
+<script>
+description("Test that we do not crash when timers fire on the worker thread while user gestures are happening.");
+jsTestIsAsync = true;
+
+var worker = new Worker('worker-user-gesture.js');
+
+let gestureCount = 0;
+
+function doUserGesture() {
+    let inputElement = document.getElementById("testButton");
+    let centerX = inputElement.offsetLeft + inputElement.offsetWidth / 2;
+    let centerY = inputElement.offsetTop + inputElement.offsetHeight / 2;
+    UIHelper.activateAt(centerX, centerY);
+    if (++gestureCount == 10) {
+        finishJSTest();
+        return;
+    }
+    setTimeout(doUserGesture, 0);
+}
+
+setTimeout(doUserGesture, 0);
+</script>
+</body>
+</html>
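Review bot: the two `<script src=""` lines in the head have empty `src` values and no closing `>` as shown here, yet the body relies on `description`, `jsTestIsAsync`, `finishJSTest` and `UIHelper.activateAt` coming from those resource scripts; confirm the js-test and UIHelper paths survived the commit, since otherwise `UIHelper.activateAt` throws before the first gesture. Two smaller points: consider `worker.terminate()` before `finishJSTest()` so the worker's 0 ms interval is not still firing during teardown, and note that the test is probabilistic by design, as it only hits the bug when a worker timer fires while a gesture is in progress, which ten gestures make likely but not certain.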

Added: trunk/LayoutTests/fast/workers/worker-user-gesture.js (0 => 219531)


--- trunk/LayoutTests/fast/workers/worker-user-gesture.js	                        (rev 0)
+++ trunk/LayoutTests/fast/workers/worker-user-gesture.js	2017-07-14 23:02:52 UTC (rev 219531)
@@ -0,0 +1,5 @@
+let i = 0;
+
+setInterval(function() {
+    ++i;
+}, 0);
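Review bot: `i` is incremented but never read, so the counter looks like dead code; a one-line comment stating that the interval exists only to keep worker timers firing (and thereby constructing and destroying UserGestureIndicator off the main thread, per the log message) would make the intent clear to the next reader.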

Modified: trunk/Source/WebCore/ChangeLog (219530 => 219531)


--- trunk/Source/WebCore/ChangeLog	2017-07-14 22:52:52 UTC (rev 219530)
+++ trunk/Source/WebCore/ChangeLog	2017-07-14 23:02:52 UTC (rev 219531)
@@ -1,3 +1,24 @@
+2017-07-14  Chris Dumez  <cdu...@apple.com>
+
+        Possible crash in ~UserGestureIndicator() when on non-main thread
+        https://bugs.webkit.org/show_bug.cgi?id=174522
+        <rdar://problem/30283071>
+
+        Reviewed by Sam Weinig.
+
+        UserGestureIndicator objects may be constructed / destructed in worker thread
+        (e.g. in DOMTimer::fired()). The UserGestureIndicator constructor / destructor
+        are supposed to be no-op on non-main threads so that it is safe. However,
+        we were mistakenly initializing m_previousToken data member in the constructor
+        on background thread, which meant that we could crash later on in the
+        UserGestureIndicator destructor when destroying m_previousToken.
+
+        Test: fast/workers/worker-user-gesture.html
+
+        * dom/UserGestureIndicator.cpp:
+        (WebCore::currentToken):
+        (WebCore::UserGestureIndicator::UserGestureIndicator):
+
 2017-07-14  Matt Lewis  <jlew...@apple.com>
 
         Unreviewed, rolling out r219516.

Modified: trunk/Source/WebCore/dom/UserGestureIndicator.cpp (219530 => 219531)


--- trunk/Source/WebCore/dom/UserGestureIndicator.cpp	2017-07-14 22:52:52 UTC (rev 219530)
+++ trunk/Source/WebCore/dom/UserGestureIndicator.cpp	2017-07-14 23:02:52 UTC (rev 219531)
@@ -35,6 +35,7 @@
 
 static RefPtr<UserGestureToken>& currentToken()
 {
+    ASSERT(isMainThread());
     static NeverDestroyed<RefPtr<UserGestureToken>> token;
     return token;
 }
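Review bot: `ASSERT(isMainThread())` fires only in debug builds; in release a caller on a worker thread still reaches the NeverDestroyed slot, so the assertion documents the contract rather than enforcing it, and every caller must keep its own `isMainThread()` early return. The constructor in the next hunk now does this, but the hunk does not show `~UserGestureIndicator()`, which the log message names as the crash site, so verify that the destructor also returns before calling `currentToken()`.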
@@ -63,11 +64,13 @@
 }
 
 UserGestureIndicator::UserGestureIndicator(RefPtr<UserGestureToken> token)
-    : m_previousToken(currentToken())
 {
     if (!isMainThread())
         return;
 
+    // It is only safe to use currentToken() on the main thread.
+    m_previousToken = currentToken();
+
     if (token)
         currentToken() = token;
 }
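Review bot: moving the `currentToken()` read out of the member initializer list is the actual fix, since the initializer ran before the `isMainThread()` check in the body, leaving `m_previousToken` holding main-thread-only state that was later released on the worker thread; this now relies on `m_previousToken` being a default-constructed (null) `RefPtr` off the main thread, which is safe to destroy anywhere. Minor: `token` is taken by value and then copied, so `currentToken() = WTFMove(token);` would avoid a redundant ref/deref pair.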
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes