Diff
Modified: branches/safari-612.4.9.3-branch/LayoutTests/ChangeLog (287803 => 287804)
--- branches/safari-612.4.9.3-branch/LayoutTests/ChangeLog 2022-01-08 02:20:37 UTC (rev 287803)
+++ branches/safari-612.4.9.3-branch/LayoutTests/ChangeLog 2022-01-08 02:45:22 UTC (rev 287804)
@@ -1,50 +1,3 @@
-2022-01-07 Russell Epstein <[email protected]>
-
- Cherry-pick r287604. rdar://problem/85966622
-
- Protect frame from destruction in HTMLMediaElement::setupAndCallJS
- https://bugs.webkit.org/show_bug.cgi?id=234259
-
- Patch by Frédéric Wang <[email protected]> on 2022-01-04
- Reviewed by Darin Adler.
-
- Source/WebCore:
-
- Test: http/tests/media/media-element-frame-destroyed-crash.html
-
- * html/HTMLMediaElement.cpp:
- (WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
- so that it is not destroyed before its associated ScriptController.
-
- LayoutTests:
-
- Add non-regression test, embedded in multiple iframes to make regression easily reproducible.
-
- * http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
- to make the non-regression test work properly.
- * http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
- * http/tests/media/media-element-frame-destroyed-crash.html: Added.
- * http/tests/media/resources/empty.ts: Added.
- * http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.
-
- git-svn-id: https://svn.webkit.org/repository/webkit/trunk@287604 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 2022-01-04 Frédéric Wang <[email protected]>
-
- Protect frame from destruction in HTMLMediaElement::setupAndCallJS
- https://bugs.webkit.org/show_bug.cgi?id=234259
-
- Reviewed by Darin Adler.
-
- Add non-regression test, embedded in multiple iframes to make regression easily reproducible.
-
- * http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
- to make the non-regression test work properly.
- * http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
- * http/tests/media/media-element-frame-destroyed-crash.html: Added.
- * http/tests/media/resources/empty.ts: Added.
- * http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.
-
2022-01-06 Russell Epstein <[email protected]>
Apply patch. rdar://problem/87125345
Modified: branches/safari-612.4.9.3-branch/LayoutTests/http/conf/mime.types (287803 => 287804)
--- branches/safari-612.4.9.3-branch/LayoutTests/http/conf/mime.types 2022-01-08 02:20:37 UTC (rev 287803)
+++ branches/safari-612.4.9.3-branch/LayoutTests/http/conf/mime.types 2022-01-08 02:45:22 UTC (rev 287804)
@@ -578,7 +578,7 @@
video/jpeg
video/mp1s
video/mp2p
-video/mp2t ts
+video/mp2t
video/mp4 mp4
video/mp4v-es
video/mpv
Deleted: branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt (287803 => 287804)
--- branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt 2022-01-08 02:20:37 UTC (rev 287803)
+++ branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt 2022-01-08 02:45:22 UTC (rev 287804)
@@ -1,3 +0,0 @@
-This test PASS if it does not CRASH.
-
-
Deleted: branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html (287803 => 287804)
--- branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html 2022-01-08 02:20:37 UTC (rev 287803)
+++ branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html 2022-01-08 02:45:22 UTC (rev 287804)
@@ -1,12 +0,0 @@
-<script>
- _onload_ = () => {
- if (window.testRunner)
- testRunner.dumpAsText();
- for (let i = 5; i; i--) {
- let iframe = document.createElement('iframe');
- iframe.src = '';
- document.body.appendChild(iframe);
- }
- }
-</script>
-<p>This test PASS if it does not CRASH.</p>
Deleted: branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/resources/empty.ts ( => )
Deleted: branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html
===================================================================
--- branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html 2022-01-08 02:20:37 UTC (rev 287803)
+++ branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html 2022-01-08 02:45:22 UTC (rev 287804)
@@ -1,17 +0,0 @@
-<script>
- _onload_ = async () => {
- if (window.testRunner)
- testRunner.dumpAsText();
- let embed0 = document.createElement('embed');
- embed0.src = '';
- document.body.appendChild(embed0);
- await new Blob().text();
- try {
- await new FontFace('a', 'url(data:)').load();
- } catch {}
- document.designMode = 'on';
- document.execCommand('SelectAll');
- document.execCommand('Bold');
- parent.postMessage('done');
- };
-</script>
Modified: branches/safari-612.4.9.3-branch/Source/WebCore/ChangeLog (287803 => 287804)
--- branches/safari-612.4.9.3-branch/Source/WebCore/ChangeLog 2022-01-08 02:20:37 UTC (rev 287803)
+++ branches/safari-612.4.9.3-branch/Source/WebCore/ChangeLog 2022-01-08 02:45:22 UTC (rev 287804)
@@ -1,47 +1,3 @@
-2022-01-07 Russell Epstein <[email protected]>
-
- Cherry-pick r287604. rdar://problem/85966622
-
- Protect frame from destruction in HTMLMediaElement::setupAndCallJS
- https://bugs.webkit.org/show_bug.cgi?id=234259
-
- Patch by Frédéric Wang <[email protected]> on 2022-01-04
- Reviewed by Darin Adler.
-
- Source/WebCore:
-
- Test: http/tests/media/media-element-frame-destroyed-crash.html
-
- * html/HTMLMediaElement.cpp:
- (WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
- so that it is not destroyed before its associated ScriptController.
-
- LayoutTests:
-
- Add non-regression test, embedded in multiple iframes to make regression easily reproducible.
-
- * http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
- to make the non-regression test work properly.
- * http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
- * http/tests/media/media-element-frame-destroyed-crash.html: Added.
- * http/tests/media/resources/empty.ts: Added.
- * http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.
-
- git-svn-id: https://svn.webkit.org/repository/webkit/trunk@287604 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
- 2022-01-04 Frédéric Wang <[email protected]>
-
- Protect frame from destruction in HTMLMediaElement::setupAndCallJS
- https://bugs.webkit.org/show_bug.cgi?id=234259
-
- Reviewed by Darin Adler.
-
- Test: http/tests/media/media-element-frame-destroyed-crash.html
-
- * html/HTMLMediaElement.cpp:
- (WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
- so that it is not destroyed before its associated ScriptController.
-
2022-01-06 Russell Epstein <[email protected]>
Apply patch. rdar://problem/87125345
Modified: branches/safari-612.4.9.3-branch/Source/WebCore/html/HTMLMediaElement.cpp (287803 => 287804)
--- branches/safari-612.4.9.3-branch/Source/WebCore/html/HTMLMediaElement.cpp 2022-01-08 02:20:37 UTC (rev 287803)
+++ branches/safari-612.4.9.3-branch/Source/WebCore/html/HTMLMediaElement.cpp 2022-01-08 02:45:22 UTC (rev 287804)
@@ -4397,8 +4397,7 @@
auto pendingActivity = makePendingActivity(*this);
auto& world = ensureIsolatedWorld();
- Ref protectedFrame = *document().frame();
- auto& scriptController = protectedFrame->script();
+ auto& scriptController = document().frame()->script();
auto* globalObject = JSC::jsCast<JSDOMGlobalObject*>(scriptController.globalObject(world));
auto& vm = globalObject->vm();
JSC::JSLockHolder lock(vm);
