Title: [269321] trunk/Source/WebCore
Revision: 269321
Author: [email protected]
Date: 2020-11-03 11:36:08 -0800 (Tue, 03 Nov 2020)

Log Message

Protect against HTMLMediaElement being destroyed during dispatchEvent().
https://bugs.webkit.org/show_bug.cgi?id=218398
<rdar://problem/67613836>

Reviewed by Chris Dumez.

Make the MainThreadGenericEventQueue protect the target as well as the owner of the queue.

Drive-by fix: Create the scoped `eventFiringScope` object after the `protect` object, to ensure
that the member variable set by the first scope will safely occur.

Drive-by fix #2: Also null-check the result of document().page() within HTMLMediaElement::dispatchEvent().

* dom/GenericEventQueue.cpp:
(WebCore::MainThreadGenericEventQueue::dispatchOneEvent):
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::dispatchEvent):
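
The commit message describes the fix in two sentences. What follows is an added example, not code from WebKit or from this commit: a self-contained C++ model of MainThreadGenericEventQueue::dispatchOneEvent with simplified stand-ins for WTF::RefCounted, WTF::Ref and WTF::SetForScope (their names and shapes here are assumptions, not the real classes, and MediaElement is a toy owner). It traces destruction order in the two situations the patch addresses: an event target that is not the queue's owner and loses its last external reference while its listeners run (the main fix), and an owner that loses its last external reference during dispatch, where the declaration order of `protect` and `eventFiringScope` decides whether the guard's restore of m_isFiringEvent lands in live or freed memory (the drive-by fix).

```cpp
// Added example, not WebKit code: a toy model of MainThreadGenericEventQueue::dispatchOneEvent showing
// why the queue must Ref<> the event target as well as its owner, and why `protect` is declared before
// the SetForScope guard. RefCounted, Ref, SetForScope and the classes below are simplified stand-ins
// for their WTF/WebCore namesakes (assumption), not the real implementations.
#include <deque>
#include <functional>
#include <string>
#include <vector>

static std::vector<std::string> g_trace; // ordered record of what happened; runScenario returns a copy

struct RefCounted {                      // intrusive refcount: the last deref() deletes the object
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
    virtual ~RefCounted() = default;
    unsigned m_refCount { 0 };
};

template<typename T> struct Ref {        // owns exactly one reference for its lifetime (cf. WTF::Ref)
    explicit Ref(T& object) : m_ptr(&object) { m_ptr->ref(); }
    Ref(const Ref&) = delete;
    ~Ref() { m_ptr->deref(); }
    T* operator->() const { return m_ptr; }
    T* m_ptr;
};

template<typename T> struct SetForScope { // set for the scope, write the old value back on exit
    SetForScope(T& variable, T value) : m_variable(variable), m_saved(variable) { m_variable = value; }
    ~SetForScope() { g_trace.push_back("restore m_isFiringEvent"); m_variable = m_saved; }
    T& m_variable;
    T m_saved;
};

struct EventTarget : RefCounted {
    explicit EventTarget(std::string name) : m_name(std::move(name)) {}
    ~EventTarget() override { g_trace.push_back("destroyed " + m_name); }
    void addListener(std::function<void()> listener) { m_listeners.push_back(std::move(listener)); }
    void dispatchEvent(const std::string& type) {
        g_trace.push_back("dispatch " + type + " on " + m_name);
        auto listeners = m_listeners;    // copy: a listener may drop the last reference to us
        for (auto& listener : listeners)
            listener();
        // Deliberately no member access after the listeners ran: without target protection `this`
        // may already be freed. The real HTMLMediaElement::dispatchEvent does touch members here.
        g_trace.push_back("dispatchEvent returned");
    }
    std::string m_name;
    std::vector<std::function<void()>> m_listeners;
};

struct Event { std::string type; EventTarget* target; }; // null target: the owner is the target

struct MainThreadGenericEventQueue {
    explicit MainThreadGenericEventQueue(EventTarget& owner) : m_owner(owner) {}
    void enqueue(std::string type, EventTarget* target) { m_pendingEvents.push_back({ std::move(type), target }); }
    void dispatchOneEvent(bool protectTarget) { // protectTarget=false reproduces the pre-r269321 path
        // `protect` is declared first so it is destroyed last: ~SetForScope writes m_isFiringEvent, a
        // member of this queue, and the queue lives inside m_owner (the drive-by fix in r269321).
        Ref<EventTarget> protect(m_owner);
        SetForScope<bool> eventFiringScope(m_isFiringEvent, true);
        Event event = m_pendingEvents.front();
        m_pendingEvents.pop_front();
        EventTarget& rawTarget = event.target ? *event.target : m_owner;
        if (!protectTarget) {
            rawTarget.dispatchEvent(event.type); // plain reference: the target can die mid-dispatch
            return;
        }
        Ref<EventTarget> target(rawTarget);     // r269321: the target is kept alive as well
        target->dispatchEvent(event.type);
    }
    EventTarget& m_owner;
    std::deque<Event> m_pendingEvents;
    bool m_isFiringEvent { false };
};

struct MediaElement : EventTarget {          // owns its event queue, as HTMLMediaElement does
    MediaElement() : EventTarget("media"), m_queue(*this) {}
    MainThreadGenericEventQueue m_queue;
};

// One dispatch during which a listener drops the last external reference to the event target.
// separateTarget=true models a target distinct from the owner (think: a track); false models the
// owner itself being the target, so that `protect` is all that keeps it and its queue alive.
std::vector<std::string> runScenario(bool protectTarget, bool separateTarget) {
    g_trace.clear();
    auto* media = new MediaElement; media->ref();
    EventTarget* track = separateTarget ? new EventTarget("track") : nullptr;
    if (track) track->ref();
    EventTarget* victim = track ? track : media;   // the object whose last external ref is dropped
    victim->addListener([victim] { g_trace.push_back("listener dropped last ref"); victim->deref(); });
    media->m_queue.enqueue("ended", track);
    media->m_queue.dispatchOneEvent(protectTarget);
    if (separateTarget) media->deref();            // media survived this variant; release it now
    return g_trace;
}

int traceIndex(const std::vector<std::string>& trace, const std::string& entry) { // -1 if absent
    for (size_t i = 0; i < trace.size(); ++i)
        if (trace[i] == entry) return static_cast<int>(i);
    return -1;
}
```

With a separate target and no target protection, the trace shows "destroyed track" before "dispatchEvent returned", i.e. the target died while its own dispatchEvent was still on the stack; with the Ref<EventTarget> target it is destroyed only after dispatch returns, and before the guard restores m_isFiringEvent. When the owner is the target, `protect` alone is enough and the trace ends with "restore m_isFiringEvent" followed by "destroyed media"; had `protect` been declared after `eventFiringScope`, it would be released first and the restore would write into a freed queue. The model deliberately touches no member of the target after its listeners have run, so the unprotected variant stays free of undefined behaviour and only the trace reveals the problem.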

Diff

Modified: trunk/Source/WebCore/ChangeLog (269320 => 269321)


--- trunk/Source/WebCore/ChangeLog	2020-11-03 19:26:49 UTC (rev 269320)
+++ trunk/Source/WebCore/ChangeLog	2020-11-03 19:36:08 UTC (rev 269321)
@@ -1,3 +1,23 @@
+2020-11-03  Jer Noble  <[email protected]>
+
+        Protect against HTMLMediaElement being destroyed during disptachEvent().
+        https://bugs.webkit.org/show_bug.cgi?id=218398
+        <rdar://problem/67613836>
+
+        Reviewed by Chris Dumez.
+
+        Make the MainThreadGenericEventQueue protect the target as well as the owner of the queue.
+
+        Drive-by fix: Create the scoped `eventFiringScope` object after the `protect` object, to ensure
+        that the member variable set by the first scope will safely occur.
+
+        Drive-by fix #2: Also null-check the result of document().page() within HTMLMediaElement::dispatchEvent().
+
+        * dom/GenericEventQueue.cpp:
+        (WebCore::MainThreadGenericEventQueue::dispatchOneEvent):
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::dispatchEvent):
+
 2020-11-03  Commit Queue  <[email protected]>
 
         Unreviewed, reverting r268564, r268957, and r268962.
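Review bot: the ChangeLog title still carries the typo "disptachEvent" (in `+        Protect against HTMLMediaElement being destroyed during disptachEvent().`), and the first drive-by explanation does not say what "will safely occur" means. State it directly: `protect` is constructed before `eventFiringScope` so that, since locals are destroyed in reverse order, it is released after the `SetForScope` destructor has written `m_isFiringEvent` back, a member of the queue that `m_owner` keeps alive.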

Modified: trunk/Source/WebCore/dom/GenericEventQueue.cpp (269320 => 269321)


--- trunk/Source/WebCore/dom/GenericEventQueue.cpp	2020-11-03 19:26:49 UTC (rev 269320)
+++ trunk/Source/WebCore/dom/GenericEventQueue.cpp	2020-11-03 19:36:08 UTC (rev 269321)
@@ -64,15 +64,15 @@
 {
     ASSERT(!m_pendingEvents.isEmpty());
 
+    Ref<EventTarget> protect(m_owner);
     SetForScope<bool> eventFiringScope(m_isFiringEvent, true);
-    Ref<EventTarget> protect(m_owner);
 
     RefPtr<Event> event = m_pendingEvents.takeFirst();
-    EventTarget& target = event->target() ? *event->target() : m_owner;
-    ASSERT_WITH_MESSAGE(!target.scriptExecutionContext()->activeDOMObjectsAreStopped(),
+    Ref<EventTarget> target = event->target() ? *event->target() : m_owner;
+    ASSERT_WITH_MESSAGE(!target->scriptExecutionContext()->activeDOMObjectsAreStopped(),
         "An attempt to dispatch an event on a stopped target by EventTargetInterface=%d (nodeName=%s target=%p owner=%p)",
-        m_owner.eventTargetInterface(), m_owner.isNode() ? static_cast<Node&>(m_owner).nodeName().ascii().data() : "", &target, &m_owner);
-    target.dispatchEvent(*event);
+        m_owner.eventTargetInterface(), m_owner.isNode() ? static_cast<Node&>(m_owner).nodeName().ascii().data() : "", target.ptr(), &m_owner);
+    target->dispatchEvent(*event);
 }
 
 void MainThreadGenericEventQueue::close()
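Review bot: the declaration order of `protect` and `eventFiringScope` is now load-bearing, but nothing at the call site says so; add a one-line comment above `Ref<EventTarget> protect(m_owner);` explaining that it must outlive the `SetForScope` guard because the guard's destructor writes `m_isFiringEvent` into this queue, otherwise a later tidy-up can swap the two lines back. Two things worth stating as well: this only holds while the queue's lifetime is tied to `m_owner`, and the assertion message still dereferences `target->scriptExecutionContext()` unconditionally, as it did before.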

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (269320 => 269321)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2020-11-03 19:26:49 UTC (rev 269320)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2020-11-03 19:36:08 UTC (rev 269321)
@@ -6019,7 +6019,8 @@
         }
 
         setFullscreenMode(VideoFullscreenModeNone);
-        document().page()->chrome().client().exitVideoFullscreenForVideoElement(downcast<HTMLVideoElement>(*this));
+        if (auto* page = document().page())
+            page->chrome().client().exitVideoFullscreenForVideoElement(downcast<HTMLVideoElement>(*this));
     }
 }
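Review bot: the new `if (auto* page = document().page())` silently skips `exitVideoFullscreenForVideoElement` after `setFullscreenMode(VideoFullscreenModeNone)` has already run; that is reasonable when the document has lost its Page during the dispatch this commit protects against, but a short comment saying when `page()` can be null here would stop the check from reading as a defensive no-op and being removed later.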
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
