Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e5439f454fea7c3e56f167b4e55d66c8289b7024
      
https://github.com/WebKit/WebKit/commit/e5439f454fea7c3e56f167b4e55d66c8289b7024
  Author: Eric Carlson <[email protected]>
  Date:   2026-07-03 (Fri, 03 Jul 2026)

  Changed paths:
    A LayoutTests/ipc/legacy-cdm-session-avcontentkeysession-destruction-race-expected.txt
    A LayoutTests/ipc/legacy-cdm-session-avcontentkeysession-destruction-race.html
    M LayoutTests/platform/glib/TestExpectations
    M Source/WebCore/platform/graphics/avfoundation/LegacyCDMPrivateAVFObjC.mm
    M Source/WebCore/platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.h
    M Source/WebCore/platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.mm

  Log Message:
  -----------
  [CoreIPC] [GPUP] off-main-thread ~CDMSessionAVContentKeySession mutates unlocked LegacyCDMPrivateAVFObjC::m_sessions Vector
https://bugs.webkit.org/show_bug.cgi?id=314134
rdar://175519844

Reviewed by Jean-Yves Avenard.

CDMSessionAVContentKeySession is ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr
with the default DestructionThread::Any. Its
WebCDMSessionAVContentKeySessionDelegate runs on a per-session background
WorkQueue and holds a strong RefPtr to the session for the duration of
-contentKeySession:didProvideContentKeyRequest:. If the main thread drops its
last Ref while that background RefPtr is live, the destructor runs on the
background queue.

~CDMSessionAVContentKeySession then resolves a non-thread-safe
WeakPtr<LegacyCDMPrivateAVFObjC> and calls invalidateSession(this) ->
m_sessions.removeAll(this) on the unlocked
Vector<CDMSessionAVContentKeySession*>, racing main-thread createSession() ->
m_sessions.append(). Under ASan this surfaces as container-overflow in
Vector::reserveCapacity. Taking RefPtr cdm = m_cdm.get() off-main also performs
non-atomic ref()/deref() on LegacyCDM via LegacyCDMPrivateAVFObjC::ref().

Pin destruction to the main thread with WTF::DestructionThread::Main so the
destructor (and therefore the WeakPtr resolution, the LegacyCDM ref/deref, and
invalidateSession) always run on the main thread. Add main-thread asserts to the
destructor and to LegacyCDMPrivateAVFObjC::createSession/invalidateSession to
document and enforce the invariant.

Test: ipc/legacy-cdm-session-avcontentkeysession-destruction-race.html

* LayoutTests/ipc/legacy-cdm-session-avcontentkeysession-destruction-race-expected.txt: Added.
* LayoutTests/ipc/legacy-cdm-session-avcontentkeysession-destruction-race.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/platform/graphics/avfoundation/LegacyCDMPrivateAVFObjC.mm:
(WebCore::LegacyCDMPrivateAVFObjC::createSession):
(WebCore::LegacyCDMPrivateAVFObjC::invalidateSession):
* Source/WebCore/platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.h:
* Source/WebCore/platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.mm:
(WebCore::CDMSessionAVContentKeySession::~CDMSessionAVContentKeySession):

Originally-landed-as: 305413.856@safari-7624-branch (190b07df83bc). rdar://180429393
Canonical link: https://commits.webkit.org/316483@main
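
The destruction-thread race and fix described in the log message, as an added C++ model that is not WebKit code and not part of this commit: `MainThread`, `Session` and `offMainMutationsFor` are hypothetical names, and the `DestructionThread` enum here is a simplified stand-in for the WTF policy. It counts how often the main-thread-only session list is mutated off the main thread under each policy.

```cpp
#include <algorithm>
#include <atomic>
#include <functional>
#include <mutex>
#include <thread>
#include <vector>

enum class DestructionThread { Any, Main };
// Hypothetical main-thread model: a task queue any thread may post to, plus an unlocked session list.
struct MainThread {
    std::thread::id owner = std::this_thread::get_id();
    std::mutex lock; // guards tasks only; sessions is deliberately unlocked
    std::vector<std::function<void()>> tasks;
    std::vector<void*> sessions;
    int offMainMutations = 0; // counted in this model; the commit asserts instead
    bool isCurrent() const { return std::this_thread::get_id() == owner; }
    void post(std::function<void()> task) { std::lock_guard<std::mutex> g(lock); tasks.push_back(std::move(task)); }
    void drain() {
        std::vector<std::function<void()>> pending;
        { std::lock_guard<std::mutex> g(lock); pending.swap(tasks); }
        for (auto& task : pending) task();
    }
    void removeSession(void* session) {
        if (!isCurrent()) ++offMainMutations;
        sessions.erase(std::remove(sessions.begin(), sessions.end(), session), sessions.end());
    }
};

struct Session {
    Session(MainThread& m, DestructionThread p) : mainThread(m), policy(p) { m.sessions.push_back(this); }
    void ref() { refs.fetch_add(1, std::memory_order_relaxed); }
    void deref() {
        if (refs.fetch_sub(1, std::memory_order_acq_rel) != 1) return;
        if (policy == DestructionThread::Main && !mainThread.isCurrent()) return mainThread.post([this] { delete this; });
        delete this; // Any: destroyed on whichever thread dropped the last ref
    }
private:
    ~Session() { mainThread.removeSession(this); } // touches main-thread-only state
    MainThread& mainThread; DestructionThread policy;
    std::atomic<int> refs { 1 };
};

int offMainMutationsFor(DestructionThread policy) { // main drops its ref while a delegate thread holds one
    MainThread mainThread;
    Session* session = new Session(mainThread, policy);
    session->ref();                                      // delegate's strong ref
    session->deref();                                    // main thread lets go first
    std::thread([session] { session->deref(); }).join(); // last ref dies off-main
    mainThread.drain();                                  // run any posted destruction
    return mainThread.sessions.empty() ? mainThread.offMainMutations : -1;
}
```

With `DestructionThread::Any` the background thread runs the destructor and touches the list once; with `DestructionThread::Main` the deletion is posted and the list is only ever touched by its owner.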