Title: [269484] branches/safari-610.3.7.100-branch/Source/WebCore
Revision: 269484
Author: [email protected]
Date: 2020-11-05 15:47:20 -0800 (Thu, 05 Nov 2020)
Log Message
Cherry-pick r269321. rdar://problem/71083865
Integrator's note: added a custom null check in HTMLMediaElement.cpp.
Protect against HTMLMediaElement being destroyed during dispatchEvent().
https://bugs.webkit.org/show_bug.cgi?id=218398
<rdar://problem/67613836>
Reviewed by Chris Dumez.
Make the MainThreadGenericEventQueue protect the target as well as the owner of the queue.
Drive-by fix: Create the scoped `eventFiringScope` object after the `protect` object, to ensure
that the member variable set by the first scope will safely occur.
Drive-by fix #2: Also null-check the result of document().page() within HTMLMediaElement::dispatchEvent().
* dom/GenericEventQueue.cpp:
(WebCore::MainThreadGenericEventQueue::dispatchOneEvent):
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::dispatchEvent):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@269321 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-610.3.7.100-branch/Source/WebCore/ChangeLog (269483 => 269484)
--- branches/safari-610.3.7.100-branch/Source/WebCore/ChangeLog 2020-11-05 23:42:42 UTC (rev 269483)
+++ branches/safari-610.3.7.100-branch/Source/WebCore/ChangeLog 2020-11-05 23:47:20 UTC (rev 269484)
@@ -1,3 +1,47 @@
+2020-11-05 Alan Coon <[email protected]>
+
+ Cherry-pick r269321. rdar://problem/71083865
+
+ Protect against HTMLMediaElement being destroyed during disptachEvent().
+ https://bugs.webkit.org/show_bug.cgi?id=218398
+ <rdar://problem/67613836>
+
+ Reviewed by Chris Dumez.
+
+ Make the MainThreadGenericEventQueue protect the target as well as the owner of the queue.
+
+ Drive-by fix: Create the scoped `eventFiringScope` object after the `protect` object, to ensure
+ that the member variable set by the first scope will safely occur.
+
+ Drive-by fix #2: Also null-check the result of document().page() within HTMLMediaElement::dispatchEvent().
+
+ * dom/GenericEventQueue.cpp:
+ (WebCore::MainThreadGenericEventQueue::dispatchOneEvent):
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::dispatchEvent):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@269321 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-11-03 Jer Noble <[email protected]>
+
+ Protect against HTMLMediaElement being destroyed during disptachEvent().
+ https://bugs.webkit.org/show_bug.cgi?id=218398
+ <rdar://problem/67613836>
+
+ Reviewed by Chris Dumez.
+
+ Make the MainThreadGenericEventQueue protect the target as well as the owner of the queue.
+
+ Drive-by fix: Create the scoped `eventFiringScope` object after the `protect` object, to ensure
+ that the member variable set by the first scope will safely occur.
+
+ Drive-by fix #2: Also null-check the result of document().page() within HTMLMediaElement::dispatchEvent().
+
+ * dom/GenericEventQueue.cpp:
+ (WebCore::MainThreadGenericEventQueue::dispatchOneEvent):
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::dispatchEvent):
+
2020-11-04 Kocsen Chung <[email protected]>
Revert r269190. rdar://problem/70970247
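Review bot: The function name in the title line of both added entries is misspelled as `disptachEvent()`; it should read `dispatchEvent()` so the entry turns up when someone searches the ChangeLog for the function being fixed. The 2020-11-05 cherry-pick entry also omits the integrator's note from the log message ("added a custom null check in HTMLMediaElement.cpp"), so the ChangeLog itself does not record that the integrator touched that file by hand; add that line under the "Cherry-pick r269321" heading. The first drive-by sentence ("to ensure that the member variable set by the first scope will safely occur") is hard to parse and would be better if it named the member and said what must still be alive when it is written.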
Modified: branches/safari-610.3.7.100-branch/Source/WebCore/dom/GenericEventQueue.cpp (269483 => 269484)
--- branches/safari-610.3.7.100-branch/Source/WebCore/dom/GenericEventQueue.cpp 2020-11-05 23:42:42 UTC (rev 269483)
+++ branches/safari-610.3.7.100-branch/Source/WebCore/dom/GenericEventQueue.cpp 2020-11-05 23:47:20 UTC (rev 269484)
@@ -64,15 +64,15 @@
{
ASSERT(!m_pendingEvents.isEmpty());
+ Ref<EventTarget> protect(m_owner);
SetForScope<bool> eventFiringScope(m_isFiringEvent, true);
- Ref<EventTarget> protect(m_owner);
RefPtr<Event> event = m_pendingEvents.takeFirst();
- EventTarget& target = event->target() ? *event->target() : m_owner;
- ASSERT_WITH_MESSAGE(!target.scriptExecutionContext()->activeDOMObjectsAreStopped(),
+ Ref<EventTarget> target = event->target() ? *event->target() : m_owner;
+ ASSERT_WITH_MESSAGE(!target->scriptExecutionContext()->activeDOMObjectsAreStopped(),
"An attempt to dispatch an event on a stopped target by EventTargetInterface=%d (nodeName=%s target=%p owner=%p)",
- m_owner.eventTargetInterface(), m_owner.isNode() ? static_cast<Node&>(m_owner).nodeName().ascii().data() : "", &target, &m_owner);
- target.dispatchEvent(*event);
+ m_owner.eventTargetInterface(), m_owner.isNode() ? static_cast<Node&>(m_owner).nodeName().ascii().data() : "", target.ptr(), &m_owner);
+ target->dispatchEvent(*event);
}
void MainThreadGenericEventQueue::close()
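Review bot: The order of the first two declarations in dispatchOneEvent() is now what makes the function safe, and nothing in the code says so. `Ref<EventTarget> protect(m_owner);` has to come before `SetForScope<bool> eventFiringScope(m_isFiringEvent, true);` so that, with destructors running in reverse declaration order, `m_isFiringEvent` is restored while the owner is still referenced. Add a one-line comment above `protect` stating this, so a later cleanup does not swap the two lines back. Separately, the assertion calls `target->scriptExecutionContext()->activeDOMObjectsAreStopped()` with no null check on the context; if `scriptExecutionContext()` can return null for a queued target, a debug build will crash inside the assert instead of reporting the condition it was written to catch.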
Modified: branches/safari-610.3.7.100-branch/Source/WebCore/html/HTMLMediaElement.cpp (269483 => 269484)
--- branches/safari-610.3.7.100-branch/Source/WebCore/html/HTMLMediaElement.cpp 2020-11-05 23:42:42 UTC (rev 269483)
+++ branches/safari-610.3.7.100-branch/Source/WebCore/html/HTMLMediaElement.cpp 2020-11-05 23:47:20 UTC (rev 269484)
@@ -6023,6 +6023,9 @@
}
}
+ if (!document().page())
+ return;
+
if (document().activeDOMObjectsAreSuspended() || document().activeDOMObjectsAreStopped()) {
fullscreenModeChanged(VideoFullscreenModeNone);
document().page()->chrome().client().exitVideoFullscreenToModeWithoutAnimation(downcast<HTMLVideoElement>(*this), VideoFullscreenModeNone);
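Review bot: The new `if (!document().page())` guard is separated from the dereference it protects, and `document().page()` is fetched a second time after `fullscreenModeChanged(VideoFullscreenModeNone)` has run. If that call can detach the document from its page, the pointer used in `document().page()->chrome()` is not the one that was checked. Fetch the page into a local at the point of use and test that local instead. Also note that the early `return` skips `fullscreenModeChanged(VideoFullscreenModeNone)` along with everything after the visible block; if only the chrome client call needs a page, guard just that call so the fullscreen state is still reset when the page is gone.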