Title: [240814] tags/Safari-607.1.29.1/Source/WebKit
Revision: 240814
Author: [email protected]
Date: 2019-01-31 13:55:39 -0800 (Thu, 31 Jan 2019)

Log Message

Cherry-pick r240578. rdar://problem/47685372

    WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
    https://bugs.webkit.org/show_bug.cgi?id=193901
    <rdar://problem/47338669>

    Reviewed by David Kilzer.

    Don't know how to repro.

    * WebProcess/UserContent/WebUserContentController.cpp:
    (WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):

    Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
    (because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
    Fix by protecting this over the function.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240578 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

tags/Safari-607.1.29.1/Source/WebKit/ChangeLog
tags/Safari-607.1.29.1/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp

Diff

Modified: tags/Safari-607.1.29.1/Source/WebKit/ChangeLog (240813 => 240814)


--- tags/Safari-607.1.29.1/Source/WebKit/ChangeLog	2019-01-31 21:53:25 UTC (rev 240813)
+++ tags/Safari-607.1.29.1/Source/WebKit/ChangeLog	2019-01-31 21:55:39 UTC (rev 240814)
@@ -1,3 +1,42 @@
+2019-01-31  Alan Coon  <[email protected]>
+
+        Cherry-pick r240578. rdar://problem/47685372
+
+    WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
+    https://bugs.webkit.org/show_bug.cgi?id=193901
+    <rdar://problem/47338669>
+    
+    Reviewed by David Kilzer.
+    
+    Don't know how to repro.
+    
+    * WebProcess/UserContent/WebUserContentController.cpp:
+    (WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):
+    
+    Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
+    (because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
+    Fix by protecting this over the function.
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240578 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-01-28  Antti Koivisto  <[email protected]>
+
+            WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
+            https://bugs.webkit.org/show_bug.cgi?id=193901
+            <rdar://problem/47338669>
+
+            Reviewed by David Kilzer.
+
+            Don't know how to repro.
+
+            * WebProcess/UserContent/WebUserContentController.cpp:
+            (WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):
+
+            Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
+            (because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
+            Fix by protecting this over the function.
+
 2019-01-28  Alan Coon  <[email protected]>
 
         Cherry-pick r240599. rdar://problem/47609799
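Review bot: the blank lines inside the new cherry-pick entry carry trailing whitespace (the lines that are just `+    ` between the `<rdar://problem/47338669>` line and the `git-svn-id:` line), while the nested 2019-01-28 entry underneath uses clean blank lines; strip the trailing spaces so the entry matches the rest of the ChangeLog. The entry also records "Don't know how to repro." where the test note normally goes; since the change lands without a regression test, saying so directly (for example "No new tests, no known reproduction.") keeps that gap visible to whoever later finds a reproducer.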

Modified: tags/Safari-607.1.29.1/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp (240813 => 240814)


--- tags/Safari-607.1.29.1/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp	2019-01-31 21:53:25 UTC (rev 240813)
+++ tags/Safari-607.1.29.1/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp	2019-01-31 21:55:39 UTC (rev 240814)
@@ -330,6 +330,8 @@
     if (it == m_userMessageHandlers.end())
         return;
 
+    auto protectedThis = makeRef(*this);
+
     auto& userMessageHandlers = it->value;
     bool userMessageHandlersChanged = userMessageHandlers.removeFirstMatching([userScriptMessageHandlerIdentifier](auto& pair) {
         return pair.first ==  userScriptMessageHandlerIdentifier;
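Review bot: the added `auto protectedThis = makeRef(*this);` needs a one-line comment explaining why it exists, because nothing in the surrounding code shows the hazard: per the log message, `removeFirstMatching()` can destroy a WebUserMessageHandlerDescriptorProxy that holds the last ref to this controller. Something like `// removeFirstMatching() may destroy a WebUserMessageHandlerDescriptorProxy holding the last ref to this.` directly above it would stop a later cleanup from deleting an apparently unused local. Placing it after the `it == m_userMessageHandlers.end()` early return is the right call, since the ref is only taken on the path that mutates the map. One thing to confirm: `userMessageHandlers` is a reference into `m_userMessageHandlers` that remains in use across the call, so the fix relies on the proxy's destructor not re-entrantly mutating that map; keeping `this` alive protects the object, not that reference.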
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
