Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4b6edc53e68ce12d8b4d0e89704aab3793a221be
https://github.com/WebKit/WebKit/commit/4b6edc53e68ce12d8b4d0e89704aab3793a221be
Author: Chris Dumez <[email protected]>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt
A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html
A LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html
M Source/WebCore/workers/WorkerAnimationController.cpp
Log Message:
-----------
Crash under
WebCore::JSRequestAnimationFrameCallback::~JSRequestAnimationFrameCallback()
https://bugs.webkit.org/show_bug.cgi?id=258058
rdar://110530772
Reviewed by Ryosuke Niwa.
JSRequestAnimationFrameCallback objects were outliving the VM and thus using the VM
after it was freed in their destructor. JS wrappers should never outlive the VM.
JSRequestAnimationFrameCallback is a subclass of RequestAnimationFrameCallback,
instances of which were being kept alive by the WorkerAnimationController via its
m_animationCallbacks vector.
To address the issue, WorkerAnimationController now clears m_animationCallbacks
in stop(), which gets called when the global scope (and thus the VM) is about
to go away.
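The ownership ordering the commit message describes, as an added C++ model written for this page (it is not WebKit's code): a wrapper whose destructor touches the VM, a controller that owns the wrappers through its m_animationCallbacks vector, and a stop() that either does or does not release them before the VM is torn down. ModelVM, ModelCallback and wrapperOutlivesVM are stand-in names; std::shared_ptr stands in for WebKit's Ref/RefPtr ownership. The VM object is deliberately kept allocated for the whole run and only flagged as dead, so the destructor check is well-defined; in the real bug the late access is a genuine use-after-free.

```cpp
// Added example, not WebKit code: a small model of the lifetime bug and the fix
// described in the commit message. Names other than WorkerAnimationController,
// m_animationCallbacks and stop() are stand-ins chosen for this illustration.
#include <cassert>
#include <memory>
#include <utility>
#include <vector>

// Stand-in for the JavaScript VM. The harness below keeps this object allocated
// for the whole run and only flips `alive`, so the destructor check stays
// well-defined; in the real bug the late access is a genuine use-after-free.
struct ModelVM {
    bool alive = true;
    int wrappersReleased = 0;
};

// Stand-in for JSRequestAnimationFrameCallback: a JS wrapper that holds a raw
// reference to its VM and touches it when destroyed.
struct ModelCallback {
    ModelVM* vm;
    bool* destroyedAfterVM;   // set if this destructor runs once the VM is gone

    ModelCallback(ModelVM* v, bool* flag) : vm(v), destroyedAfterVM(flag) {}
    ~ModelCallback() {
        if (vm->alive)
            vm->wrappersReleased++;   // normal teardown: VM still usable
        else
            *destroyedAfterVM = true; // the bug: wrapper outlived the VM
    }
};

// Stand-in for WebCore::WorkerAnimationController. std::shared_ptr plays the
// role of WebKit's Ref/RefPtr ownership of the pending callbacks.
class WorkerAnimationController {
public:
    explicit WorkerAnimationController(bool clearOnStop) : m_clearOnStop(clearOnStop) {}

    void requestAnimationFrame(std::shared_ptr<ModelCallback> callback) {
        m_animationCallbacks.push_back(std::move(callback));
    }

    // Called when the global scope (and thus the VM) is about to go away.
    // The fix is the clear(); without it the pending callbacks are released
    // only when the controller itself is destroyed, which happens after the VM.
    void stop() {
        if (m_clearOnStop)
            m_animationCallbacks.clear();
    }

private:
    bool m_clearOnStop;
    std::vector<std::shared_ptr<ModelCallback>> m_animationCallbacks;
};

// Simulates a worker global scope going away with two rAF callbacks still
// pending. Returns true if any wrapper was destroyed after the VM was torn down.
bool wrapperOutlivesVM(bool clearOnStop) {
    ModelVM vm;
    bool destroyedAfterVM = false;
    {
        WorkerAnimationController controller(clearOnStop);
        controller.requestAnimationFrame(std::make_shared<ModelCallback>(&vm, &destroyedAfterVM));
        controller.requestAnimationFrame(std::make_shared<ModelCallback>(&vm, &destroyedAfterVM));

        controller.stop();   // global scope shutting down: VM still alive here
        vm.alive = false;    // VM torn down
    }                        // controller (and any callbacks it still owns) destroyed here
    return destroyedAfterVM;
}

int main() {
    assert(wrapperOutlivesVM(false));   // without the clear(): wrappers die after the VM
    assert(!wrapperOutlivesVM(true));   // with the clear() in stop(): released while VM is alive
    return 0;
}
```

The check a practitioner wants here is the ordering, not the vector operation: clearing in stop() is only sufficient because stop() is guaranteed to run while the global scope, and with it the VM, is still alive. Any other owner of a RequestAnimationFrameCallback that survives past that point would reintroduce the same pattern, which is what a layout test that leaves a requestAnimationFrame pending at destruction (as the added tests' names describe) is there to catch.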
* LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt: Added.
* LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html: Added.
* LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html: Added.
* Source/WebCore/workers/WorkerAnimationController.cpp:
(WebCore::WorkerAnimationController::stop):
Originally-landed-as: 259548.833@safari-7615-branch (c60c40574fc5).
rdar://110530772
Canonical link: https://commits.webkit.org/266430@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes