Title: [234446] branches/safari-606-branch/Source/WebCore
- Revision
- 234446
- Author
- [email protected]
- Date
- 2018-07-31 20:04:40 -0700 (Tue, 31 Jul 2018)
Log Message
<rdar://problem/40844658> Crash in WebCore::EventTarget::dispatchEvent
Reviewed by Chris Dumez.
Like https://trac.webkit.org/r233496.
The null pointer crash was caused by some GenericEventQueue dispatching an event in a stopped document,
which does not have a valid script execution context, because some uses of GenericEventQueue in media code
were not closing the queue upon stopping of all active DOM objects.
Fixed by closing the GenericEventQueue when the script execution context is destroyed in WebKitMediaKeySession,
SourceBuffer, SourceBufferList, and TrackListBase.
No new tests since r233496 relied on a debug assertion for testing but we can't add the same assertion here
since we'll continue to enqueue events after the document has stopped but is not yet destroyed.
* Modules/encryptedmedia/legacy/WebKitMediaKeySession.cpp:
(WebCore::WebKitMediaKeySession::stop):
* Modules/mediasource/SourceBuffer.cpp:
(WebCore::SourceBuffer::stop):
* Modules/mediasource/SourceBufferList.cpp:
(WebCore::SourceBufferList::contextDestroyed):
* Modules/mediasource/SourceBufferList.h:
* html/track/TrackListBase.cpp:
(TrackListBase::contextDestroyed):
* html/track/TrackListBase.h:
Modified Paths
Diff
Modified: branches/safari-606-branch/Source/WebCore/ChangeLog (234445 => 234446)
--- branches/safari-606-branch/Source/WebCore/ChangeLog 2018-08-01 02:53:33 UTC (rev 234445)
+++ branches/safari-606-branch/Source/WebCore/ChangeLog 2018-08-01 03:04:40 UTC (rev 234446)
@@ -1,3 +1,32 @@
+2018-07-31 Ryosuke Niwa <[email protected]>
+
+ <rdar://problem/40844658> Crash in WebCore::EventTarget::dispatchEvent
+
+ Reviewed by Chris Dumez.
+
+ Like https://trac.webkit.org/r233496.
+
+ The null pointer crash was caused by some GenericEventQueue dispatching an event in a stopped document,
+ which does not have a valid script execution context because some uses of GenericEventQueue in media code
+ was not closing the queue upon stopping of all active DOM objects.
+
+ Fixed close GenericEventQueue when the script execution context is destoryed in WebKitMediaKeySession,
+ SourceBuffer, SourceBufferList, and TrackListBase.
+
+ No new tests since r233496 relied on a debug assertion for testing but we can't add the same assertion here
+ since we'll continue to enqueue events after the document had stopped but not yet destroyed.
+
+ * Modules/encryptedmedia/legacy/WebKitMediaKeySession.cpp:
+ (WebCore::WebKitMediaKeySession::stop):
+ * Modules/mediasource/SourceBuffer.cpp:
+ (WebCore::SourceBuffer::stop):
+ * Modules/mediasource/SourceBufferList.cpp:
+ (WebCore::SourceBufferList::contextDestroyed):
+ * Modules/mediasource/SourceBufferList.h:
+ * html/track/TrackListBase.cpp:
+ (TrackListBase::contextDestroyed):
+ * html/track/TrackListBase.h:
+
2018-07-30 Babak Shafiei <[email protected]>
Revert r233926. rdar://problem/42354941
Modified: branches/safari-606-branch/Source/WebCore/Modules/encryptedmedia/legacy/WebKitMediaKeySession.cpp (234445 => 234446)
--- branches/safari-606-branch/Source/WebCore/Modules/encryptedmedia/legacy/WebKitMediaKeySession.cpp 2018-08-01 02:53:33 UTC (rev 234445)
+++ branches/safari-606-branch/Source/WebCore/Modules/encryptedmedia/legacy/WebKitMediaKeySession.cpp 2018-08-01 03:04:40 UTC (rev 234446)
@@ -241,6 +241,7 @@
void WebKitMediaKeySession::stop()
{
+ m_asyncEventQueue.close();
close();
}
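Review bot: Nothing in `WebKitMediaKeySession::stop()` says why `m_asyncEventQueue.close()` is placed before `close()`, although the order presumably matters: anything the session's `close()` schedules would otherwise still be queued for a stopped document. A one-line comment above the call would pin this, e.g. `// Close the queue first: no event may be dispatched once the document is stopped.` The same comment fits the identical line added to `SourceBuffer::stop()`. Whether `GenericEventQueue::close()` also discards events that are already pending is not visible in this diff; if it only rejects new ones, a pending event could still reach `dispatchEvent` without a context, so that is worth confirming.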
Modified: branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBuffer.cpp (234445 => 234446)
--- branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBuffer.cpp 2018-08-01 02:53:33 UTC (rev 234445)
+++ branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBuffer.cpp 2018-08-01 03:04:40 UTC (rev 234446)
@@ -460,6 +460,7 @@
void SourceBuffer::stop()
{
+ m_asyncEventQueue.close();
m_appendBufferTimer.stop();
m_removeTimer.stop();
}
Modified: branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBufferList.cpp (234445 => 234446)
--- branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBufferList.cpp 2018-08-01 02:53:33 UTC (rev 234445)
+++ branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBufferList.cpp 2018-08-01 03:04:40 UTC (rev 234446)
@@ -50,6 +50,12 @@
ASSERT(m_list.isEmpty());
}
+void SourceBufferList::contextDestroyed()
+{
+ ContextDestructionObserver::contextDestroyed();
+ m_asyncEventQueue.close();
+}
+
void SourceBufferList::add(Ref<SourceBuffer>&& buffer)
{
m_list.append(WTFMove(buffer));
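Review bot: `SourceBufferList::contextDestroyed()` closes the queue only when the context is destroyed, whereas the two `stop()` hunks close it when active DOM objects are stopped, so this queue stays open between stop and destruction. The log message confirms events are still enqueued in that window, so it is worth confirming that a dispatch there always sees a non-null script execution context. A comment would record the result, e.g. `// Queue stays open until the context is destroyed; dispatch before then still has a valid context.` `TrackListBase::contextDestroyed()` has the same shape and deserves the same check. The hunk starts inside the destructor and ends inside `add()`, so only the new function is fully visible.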
Modified: branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBufferList.h (234445 => 234446)
--- branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBufferList.h 2018-08-01 02:53:33 UTC (rev 234445)
+++ branches/safari-606-branch/Source/WebCore/Modules/mediasource/SourceBufferList.h 2018-08-01 03:04:40 UTC (rev 234446)
@@ -72,6 +72,8 @@
private:
explicit SourceBufferList(ScriptExecutionContext*);
+ void contextDestroyed() final;
+
void scheduleEvent(const AtomicString&);
void refEventTarget() override { ref(); }
Modified: branches/safari-606-branch/Source/WebCore/html/track/TrackListBase.cpp (234445 => 234446)
--- branches/safari-606-branch/Source/WebCore/html/track/TrackListBase.cpp 2018-08-01 02:53:33 UTC (rev 234445)
+++ branches/safari-606-branch/Source/WebCore/html/track/TrackListBase.cpp 2018-08-01 03:04:40 UTC (rev 234446)
@@ -49,6 +49,12 @@
clearElement();
}
+void TrackListBase::contextDestroyed()
+{
+ ContextDestructionObserver::contextDestroyed();
+ m_asyncEventQueue.close();
+}
+
void TrackListBase::clearElement()
{
m_element = nullptr;
Modified: branches/safari-606-branch/Source/WebCore/html/track/TrackListBase.h (234445 => 234446)
--- branches/safari-606-branch/Source/WebCore/html/track/TrackListBase.h 2018-08-01 02:53:33 UTC (rev 234445)
+++ branches/safari-606-branch/Source/WebCore/html/track/TrackListBase.h 2018-08-01 03:04:40 UTC (rev 234446)
@@ -72,6 +72,7 @@
Vector<RefPtr<TrackBase>> m_inbandTracks;
private:
+ void contextDestroyed() final;
void scheduleTrackEvent(const AtomicString& eventName, Ref<TrackBase>&&);
// EventTarget
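Review bot: `void contextDestroyed() final;` is declared private and `final` in a class whose name suggests it is meant to be derived from, so no subclass can add its own teardown when the context goes away. If that is intended, a short comment such as `// Closes m_asyncEventQueue; subclasses must not override.` would make the constraint explicit; otherwise `override` would leave the hook open. The derived classes are not visible in this diff, and the class body continues outside the hunk.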