Title: [264319] trunk/Source/WebCore
- Revision: 264319
- Author: [email protected]
- Date: 2020-07-13 15:10:25 -0700 (Mon, 13 Jul 2020)
Log Message
ScriptController needs to SetForScope m_sourceURL after Refing its Frame
https://bugs.webkit.org/show_bug.cgi?id=214276
Reviewed by Chris Dumez.
The SetForScopes in ScriptController need to be constructed after the
Frame is retained; otherwise the Ref to the frame may be destroyed
before m_sourceURL is restored. Since the Frame owns the ScriptController,
we end up writing the SourceURL after the ScriptController has been freed.
No new tests because my recent code change already caused ASAN failures.
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::evaluateInWorld):
(WebCore::ScriptController::evaluateModule):
(WebCore::ScriptController::callInWorld):
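As an added illustration, not WebKit code and not part of this commit: a toy model of the ordering described in the log message. `Frame`, `ScriptController`, `Ref`, `SetForScope`, the `SourceURLSlot` bookkeeping and the sample URL are simplified stand-ins (assumptions, not WebCore's real types); the "freed" ScriptController is simulated with a flag so that the late write can be observed rather than being real undefined behaviour. The only difference between the two `evaluate*` functions is the declaration order of the two locals.

```cpp
#include <cassert>
#include <functional>
#include <string>

// Stand-in for WTF::SetForScope: set on construction, restore on destruction.
// Locals are destroyed at scope exit in reverse declaration order.
template <typename Slot, typename Value>
class SetForScope {
public:
    SetForScope(Slot& slot, Value value) : m_slot(slot), m_saved(slot.get()) { m_slot = value; }
    ~SetForScope() { m_slot = m_saved; }
private:
    Slot& m_slot;
    Value m_saved;
};

// Stand-in for WTF::Ref: keeps the referent alive for the enclosing scope.
template <typename T>
class Ref {
public:
    explicit Ref(T& object) : m_object(object) { m_object.ref(); }
    ~Ref() { m_object.deref(); }
private:
    T& m_object;
};

// Models ScriptController::m_sourceURL (a raw const URL*) plus bookkeeping that
// records a write arriving after the owning object has been torn down.
struct SourceURLSlot {
    const std::string* url = nullptr;
    bool ownerDestroyed = false;
    bool staleWrite = false;
    const std::string* get() const { return url; }
    SourceURLSlot& operator=(const std::string* p) {
        if (ownerDestroyed)
            staleWrite = true; // in the real code: a write into freed memory
        url = p;
        return *this;
    }
};

struct ScriptController {
    SourceURLSlot m_sourceURL;
    void destroy() { m_sourceURL.ownerDestroyed = true; } // simulated ~ScriptController
};

// The Frame owns its ScriptController, as in WebCore. Dropping the last
// reference simulates ~Frame, which runs ~ScriptController.
struct Frame {
    ScriptController m_script;
    int refCount = 1; // the document's reference
    bool alive = true;
    void ref() { ++refCount; }
    void deref() {
        if (--refCount == 0) {
            alive = false;
            m_script.destroy();
        }
    }
};

using Script = std::function<void(Frame&)>;

// Pre-r264319 order: sourceURLScope is declared before protector, so it is
// destroyed after protector has already released the frame.
void evaluateBuggyOrder(Frame& frame, const std::string& sourceURL, const Script& script) {
    ScriptController& self = frame.m_script;
    SetForScope<SourceURLSlot, const std::string*> sourceURLScope(self.m_sourceURL, &sourceURL);
    Ref<Frame> protector(frame);
    script(frame);
} // ~protector (frame may die) runs before ~sourceURLScope (writes m_sourceURL)

// r264319 order: protector is declared first, so sourceURLScope restores
// m_sourceURL while the frame, and the controller it owns, is still alive.
void evaluateFixedOrder(Frame& frame, const std::string& sourceURL, const Script& script) {
    ScriptController& self = frame.m_script;
    Ref<Frame> protector(frame);
    SetForScope<SourceURLSlot, const std::string*> sourceURLScope(self.m_sourceURL, &sourceURL);
    script(frame);
} // ~sourceURLScope (restore) runs before ~protector (frame may die)

// Evaluates a script that optionally detaches its own frame (drops the
// document's reference) and reports whether m_sourceURL was written after
// the ScriptController had been torn down.
bool staleWriteAfterEvaluate(bool fixedOrder, bool scriptDetachesFrame) {
    Frame frame;
    const std::string url = "https://example.test/script.js"; // constructed sample URL
    Script script = [scriptDetachesFrame](Frame& f) {
        if (scriptDetachesFrame)
            f.deref(); // the page drops its frame while the script is running
    };
    if (fixedOrder)
        evaluateFixedOrder(frame, url, script);
    else
        evaluateBuggyOrder(frame, url, script);
    assert(frame.alive != scriptDetachesFrame);
    return frame.m_script.m_sourceURL.staleWrite;
}

int main() {
    assert(staleWriteAfterEvaluate(false, true));  // old order: write into a dead controller
    assert(!staleWriteAfterEvaluate(true, true));  // new order: restore runs first
    assert(!staleWriteAfterEvaluate(false, false)); // nothing detaches the frame: both orders fine
    return 0;
}
```

The model makes the mechanism explicit: the `Ref<Frame>` does not keep `this` alive directly, it keeps alive the Frame that owns `this`, and `~SetForScope` is the only thing that touches `m_sourceURL` after the script has run, so the relative position of the two declarations is the whole fix.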
Modified Paths
- trunk/Source/WebCore/ChangeLog
- trunk/Source/WebCore/bindings/js/ScriptController.cpp
Diff
Modified: trunk/Source/WebCore/ChangeLog (264318 => 264319)
--- trunk/Source/WebCore/ChangeLog 2020-07-13 21:44:22 UTC (rev 264318)
+++ trunk/Source/WebCore/ChangeLog 2020-07-13 22:10:25 UTC (rev 264319)
@@ -1,3 +1,22 @@
+2020-07-13 Keith Miller <[email protected]>
+
+ ScriptController needs to SetForScope m_sourceURL after Refing its Frame
+ https://bugs.webkit.org/show_bug.cgi?id=214276
+
+ Reviewed by Chris Dumez.
+
+ The SetForScopes in ScriptController need to be constructed after the
+ Frame is retained otherwise the Ref to the frame may be destroyed
+ before m_sourceURL is restored. Since the Frame owns the ScriptController
+ we end up writing the SourceURL after the ScriptController has been freed.
+
+ No new tests because my recent code change already caused ASAN failures.
+
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::evaluateInWorld):
+ (WebCore::ScriptController::evaluateModule):
+ (WebCore::ScriptController::callInWorld):
+
2020-07-13 Geoffrey Garen <[email protected]>
Unreviewed, re-landing r264242 with crash fixed.
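Review bot: the explanation at "Frame is retained otherwise the Ref to the frame may be destroyed" is imprecise: it is the Frame (and the ScriptController it owns) that is destroyed when the last Ref drops, not the Ref. Suggest rewording to say that ~SetForScope must run before ~Ref<Frame>, i.e. before the Frame can die, and naming the ASAN test that was failing after the earlier change so the regression can be tracked, since "No new tests" leaves the ordering covered only by that incidental failure.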
Modified: trunk/Source/WebCore/bindings/js/ScriptController.cpp (264318 => 264319)
--- trunk/Source/WebCore/bindings/js/ScriptController.cpp 2020-07-13 21:44:22 UTC (rev 264318)
+++ trunk/Source/WebCore/bindings/js/ScriptController.cpp 2020-07-13 22:10:25 UTC (rev 264319)
@@ -136,9 +136,9 @@
// See smart window.open policy for where this is used.
auto& proxy = jsWindowProxy(world);
auto& globalObject = *proxy.window();
- SetForScope<const URL*> sourceURLScope(m_sourceURL, &sourceURL);
Ref<Frame> protector(m_frame);
+ SetForScope<const URL*> sourceURLScope(m_sourceURL, &sourceURL);
InspectorInstrumentation::willEvaluateScript(m_frame, sourceURL.string(), sourceCode.startLine(), sourceCode.startColumn());
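Review bot: the fix in this hunk works only through reverse destruction order of the two locals, and nothing at the site says so; inserting another local between them or reordering them again would silently reintroduce the write into a freed ScriptController. Suggest a comment on `Ref<Frame> protector(m_frame);` stating that `protector` must be declared before `sourceURLScope` because `~SetForScope` writes `m_sourceURL` and this ScriptController is owned by `m_frame`, e.g. `// protector must outlive sourceURLScope: its destructor writes into this object, which m_frame owns.`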
@@ -233,9 +233,9 @@
auto& proxy = jsWindowProxy(world);
auto& lexicalGlobalObject = *proxy.window();
- SetForScope<const URL*> sourceURLScope(m_sourceURL, &sourceURL);
Ref<Frame> protector(m_frame);
+ SetForScope<const URL*> sourceURLScope(m_sourceURL, &sourceURL);
InspectorInstrumentation::willEvaluateScript(m_frame, sourceURL.string(), jsSourceCode.firstLine().oneBasedInt(), jsSourceCode.startColumn().oneBasedInt());
auto returnValue = moduleRecord.evaluate(&lexicalGlobalObject);
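Review bot: this is the second of three identical reorders in the file, each enforcing the same invariant by declaration position alone. Consider folding `Ref<Frame> protector(m_frame);` and the `SetForScope<const URL*>` into one small RAII scope object constructed with the frame and the URL, so the ordering is fixed once by member declaration order in that object instead of being repeated (and re-auditable) at every call site; that is also the natural place to document that the protector keeps `this` alive only because Frame owns ScriptController.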
@@ -648,9 +648,9 @@
const auto& jsSourceCode = sourceCode.jsSourceCode();
const URL& sourceURL = jsSourceCode.provider()->sourceOrigin().url();
- SetForScope<const URL*> sourceURLScope(m_sourceURL, &sourceURL);
Ref<Frame> protector(m_frame);
+ SetForScope<const URL*> sourceURLScope(m_sourceURL, &sourceURL);
InspectorInstrumentation::willEvaluateScript(m_frame, sourceURL.string(), sourceCode.startLine(), sourceCode.startColumn());
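Review bot: no regression test pins this ordering down, and the only stated evidence that the old order was wrong is that an earlier change "already caused ASAN failures". A test that calls into `callInWorld` with a script that detaches or navigates its own frame, run under ASAN, would catch a future reorder. Separately, `sourceURL` two lines above is a reference into `jsSourceCode.provider()->sourceOrigin()`, and `m_sourceURL` stores it as a raw `const URL*`; the hunk does not show what keeps that provider alive across the call, so a one-line comment on the lifetime assumption would help the next reader.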
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes