Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e5439f454fea7c3e56f167b4e55d66c8289b7024
https://github.com/WebKit/WebKit/commit/e5439f454fea7c3e56f167b4e55d66c8289b7024
Author: Eric Carlson <[email protected]>
Date: 2026-07-03 (Fri, 03 Jul 2026)
Changed paths:
A LayoutTests/ipc/legacy-cdm-session-avcontentkeysession-destruction-race-expected.txt
A LayoutTests/ipc/legacy-cdm-session-avcontentkeysession-destruction-race.html
M LayoutTests/platform/glib/TestExpectations
M Source/WebCore/platform/graphics/avfoundation/LegacyCDMPrivateAVFObjC.mm
M Source/WebCore/platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.h
M Source/WebCore/platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.mm
Log Message:
-----------
[CoreIPC] [GPUP] off-main-thread ~CDMSessionAVContentKeySession mutates unlocked LegacyCDMPrivateAVFObjC::m_sessions Vector
https://bugs.webkit.org/show_bug.cgi?id=314134
rdar://175519844
Reviewed by Jean-Yves Avenard.

CDMSessionAVContentKeySession is ThreadSafeRefCountedAndCanMakeThreadSafeWeakPtr
with the default DestructionThread::Any. Its WebCDMSessionAVContentKeySessionDelegate
runs on a per-session background WorkQueue and holds a strong RefPtr to the session
for the duration of -contentKeySession:didProvideContentKeyRequest:. If the main
thread drops its last Ref while that background RefPtr is live, the destructor runs
on the background queue.

~CDMSessionAVContentKeySession then resolves a non-thread-safe
WeakPtr<LegacyCDMPrivateAVFObjC> and calls invalidateSession(this) ->
m_sessions.removeAll(this) on the unlocked Vector<CDMSessionAVContentKeySession*>,
racing main-thread createSession() -> m_sessions.append(). Under ASan this surfaces
as container-overflow in Vector::reserveCapacity. Taking RefPtr cdm = m_cdm.get()
off-main also performs non-atomic ref()/deref() on LegacyCDM via
LegacyCDMPrivateAVFObjC::ref().

Pin destruction to the main thread with WTF::DestructionThread::Main so the
destructor (and therefore the WeakPtr resolution, the LegacyCDM ref/deref, and
invalidateSession) always run on the main thread. Add main-thread asserts to the
destructor and to LegacyCDMPrivateAVFObjC::createSession/invalidateSession to
document and enforce the invariant.

Test: ipc/legacy-cdm-session-avcontentkeysession-destruction-race.html

* LayoutTests/ipc/legacy-cdm-session-avcontentkeysession-destruction-race-expected.txt: Added.
* LayoutTests/ipc/legacy-cdm-session-avcontentkeysession-destruction-race.html: Added.
* LayoutTests/platform/glib/TestExpectations:
* Source/WebCore/platform/graphics/avfoundation/LegacyCDMPrivateAVFObjC.mm:
(WebCore::LegacyCDMPrivateAVFObjC::createSession):
(WebCore::LegacyCDMPrivateAVFObjC::invalidateSession):
* Source/WebCore/platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.h:
* Source/WebCore/platform/graphics/avfoundation/objc/CDMSessionAVContentKeySession.mm:
(WebCore::CDMSessionAVContentKeySession::~CDMSessionAVContentKeySession):

Originally-landed-as: 305413.856@safari-7624-branch (190b07df83bc).
rdar://180429393
Canonical link: https://commits.webkit.org/316483@main
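
A minimal model of the destruction-thread problem and the pinning fix described in the log message above, added here as an illustration; it is not WebKit code. Session, Registry, postToMain and drainMainQueue are hypothetical stand-ins for the session, the owner of the unlocked session list, and main-thread dispatch, and the pin flag plays the role of DestructionThread::Main.

```cpp
#include <algorithm>
#include <atomic>
#include <functional>
#include <mutex>
#include <thread>
#include <vector>
// Hypothetical stand-ins for a main-thread check and task queue (not WebKit APIs).
static const std::thread::id mainThreadId = std::this_thread::get_id();
static bool onMainThread() { return std::this_thread::get_id() == mainThreadId; }
static std::mutex queueLock;
static std::vector<std::function<void()>> mainQueue;
static void postToMain(std::function<void()> task) {
    std::lock_guard<std::mutex> guard(queueLock);
    mainQueue.push_back(std::move(task));
}
static void drainMainQueue() {  // run by the main thread only
    std::vector<std::function<void()>> tasks;
    { std::lock_guard<std::mutex> guard(queueLock); tasks.swap(mainQueue); }
    for (auto& task : tasks) task();
}
struct Session;
struct Registry {  // unlocked, main-thread-only list of raw session pointers
    std::vector<Session*> sessions;
    int offMainMutations = 0;
    void remove(Session* s) {
        if (!onMainThread()) ++offMainMutations;  // violation of the main-thread invariant
        sessions.erase(std::remove(sessions.begin(), sessions.end(), s), sessions.end());
    }
};
struct Session {
    std::atomic<int> refs{2};  // one ref for the main thread, one for the background callback
    Registry& registry;
    const bool destroyOnMain;
    Session(Registry& r, bool pin) : registry(r), destroyOnMain(pin) { r.sessions.push_back(this); }
    ~Session() { registry.remove(this); }
    void deref() {
        if (refs.fetch_sub(1) != 1) return;  // not the last reference
        if (destroyOnMain && !onMainThread()) postToMain([this] { delete this; });
        else delete this;
    }
};
int countOffMainMutations(bool pin) {  // worker drops the last ref; counts off-main list edits
    Registry registry;
    Session* s = new Session(registry, pin);
    s->deref();                               // main thread lets go first
    std::thread([s] { s->deref(); }).join();  // last ref dropped on the worker
    drainMainQueue();
    return registry.sessions.empty() ? registry.offMainMutations : -1;
}
int main() { return countOffMainMutations(true); }  // 0 when destruction is pinned
```

With pin set to false the destructor, and with it the list removal, runs on the worker thread; with pin set to true the delete is deferred to the main thread's queue and the list is only ever touched there.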