Title: [240578] trunk/Source/WebKit
- Revision: 240578
- Author: [email protected]
- Date: 2019-01-28 05:15:03 -0800 (Mon, 28 Jan 2019)
Log Message
WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
https://bugs.webkit.org/show_bug.cgi?id=193901
<rdar://problem/47338669>
Reviewed by David Kilzer.
Don't know how to repro.
* WebProcess/UserContent/WebUserContentController.cpp:
(WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):
Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
(because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
Fix by protecting this over the function.
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (240577 => 240578)
--- trunk/Source/WebKit/ChangeLog 2019-01-28 09:46:20 UTC (rev 240577)
+++ trunk/Source/WebKit/ChangeLog 2019-01-28 13:15:03 UTC (rev 240578)
@@ -1,3 +1,20 @@
+2019-01-28 Antti Koivisto <[email protected]>
+
+ WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
+ https://bugs.webkit.org/show_bug.cgi?id=193901
+ <rdar://problem/47338669>
+
+ Reviewed by David Kilzer.
+
+ Don't know how to repro.
+
+ * WebProcess/UserContent/WebUserContentController.cpp:
+ (WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):
+
+ Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
+ (because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
+ Fix by protecting this over the function.
+
2018-12-15 Darin Adler <[email protected]>
Replace many uses of String::format with more type-safe alternatives
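Review bot: the entry says "Don't know how to repro." but does not record how the fix was verified or why no regression test accompanies it; for a lifetime bug landed without a reproduction, add a sentence stating that the change was motivated by the crash report referenced in <rdar://problem/47338669> and that no test could be written, so a later reader of the ChangeLog knows the fix is speculative rather than confirmed by a test.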
Modified: trunk/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp (240577 => 240578)
--- trunk/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp 2019-01-28 09:46:20 UTC (rev 240577)
+++ trunk/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp 2019-01-28 13:15:03 UTC (rev 240578)
@@ -330,6 +330,8 @@
if (it == m_userMessageHandlers.end())
return;
+ auto protectedThis = makeRef(*this);
+
auto& userMessageHandlers = it->value;
bool userMessageHandlersChanged = userMessageHandlers.removeFirstMatching([userScriptMessageHandlerIdentifier](auto& pair) {
return pair.first == userScriptMessageHandlerIdentifier;
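Review bot: the new `auto protectedThis = makeRef(*this);` line carries no comment, so the reason it exists (removeFirstMatching() can drop the last reference to this through WebUserMessageHandlerDescriptorProxy, per the ChangeLog) lives only outside the code; add a one-line comment at the declaration. Separately, the Ref keeps `this` alive, but `auto& userMessageHandlers = it->value;` is a reference into `m_userMessageHandlers` obtained from `it`; if destroying the removed proxy can re-enter this controller and mutate that map, that reference would dangle even with the protector in place, so it is worth confirming that proxy destruction does not touch m_userMessageHandlers. Taking the protector after the early `return` is fine, since the lookup itself cannot release the reference.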
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes