Title: [124843] trunk
Revision: 124843
Author: [email protected]
Date: 2012-08-06 20:43:57 -0700 (Mon, 06 Aug 2012)
Log Message
Crash in GenericEventQueue::timerFired since the owner of GenericEventQueue is deleted during dispatching events.
https://bugs.webkit.org/show_bug.cgi?id=92946
Reviewed by Eric Carlson.
Source/WebCore:
In GenericEventQueue::timerFired(), the owner of GenericEventQueue might be deleted.
We have to protect the owner of GenericEventQueue during dispatching events.
Test: media/event-queue-crash.html
* dom/GenericEventQueue.cpp:
(WebCore::GenericEventQueue::timerFired): Added a protection.
LayoutTests:
* media/event-queue-crash-expected.txt: Added.
* media/event-queue-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (124842 => 124843)
--- trunk/LayoutTests/ChangeLog 2012-08-07 03:40:29 UTC (rev 124842)
+++ trunk/LayoutTests/ChangeLog 2012-08-07 03:43:57 UTC (rev 124843)
@@ -1,3 +1,13 @@
+2012-08-06 Shinya Kawanaka <[email protected]>
+
+ Crash in GenericEventQueue::timerFired since the owner of GenericEventQueue is deleted during dispatching events.
+ https://bugs.webkit.org/show_bug.cgi?id=92946
+
+ Reviewed by Eric Carlson.
+
+ * media/event-queue-crash-expected.txt: Added.
+ * media/event-queue-crash.html: Added.
+
2012-08-06 Joshua Bell <[email protected]>
IndexedDB: Throw proper exceptions
Added: trunk/LayoutTests/media/event-queue-crash-expected.txt (0 => 124843)
--- trunk/LayoutTests/media/event-queue-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/media/event-queue-crash-expected.txt 2012-08-07 03:43:57 UTC (rev 124843)
@@ -0,0 +1,3 @@
+When an element containing video is removed, WebKit should not crash.
+
+PASS. WebKit didn't crash.
Added: trunk/LayoutTests/media/event-queue-crash.html (0 => 124843)
--- trunk/LayoutTests/media/event-queue-crash.html (rev 0)
+++ trunk/LayoutTests/media/event-queue-crash.html 2012-08-07 03:43:57 UTC (rev 124843)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<script src=""
+
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function onLoad()
+ {
+ setSrcByTagName('video', findMediaFile('video', 'content/test-25fps'));
+ // Removes the video element here.
+ container.innerHTML = "PASS. WebKit didn't crash.";
+
+ setTimeout(function() {
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 10);
+ }
+</script>
+
+<body _onload_="onLoad()">
+ <p>When an element containing video is removed, WebKit should not crash.</p>
+ <div id="container">
+ <div id="contents">
+ <!-- This is required to reproduce. -->
+ <video>
+ <!-- Only if we cannot eval the content of oncanplaythrough (i.e. only if the content of oncanplaythough
+ has invalid syntax), this test causes a crash. -->
+ <video _oncanplaythrough_='if'>
+ </div>
+ </div>
+</body>
+</html>
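Review bot: The `setTimeout(..., 10)` in `onLoad()` ends the test after a fixed delay rather than on a signal that the queued media event was actually dispatched, so on a slow bot `testRunner.notifyDone()` can run before the code path under test and the test passes without exercising it. Consider finishing from an event that is known to fire after the dispatch, or say in a comment why 10 ms is enough. Two smaller points in the same file: `container.innerHTML = ...` depends on the implicit global for `id="container"`, where `document.getElementById('container')` would be explicit, and the HTML comment spells the attribute "oncanplaythough".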
Modified: trunk/Source/WebCore/ChangeLog (124842 => 124843)
--- trunk/Source/WebCore/ChangeLog 2012-08-07 03:40:29 UTC (rev 124842)
+++ trunk/Source/WebCore/ChangeLog 2012-08-07 03:43:57 UTC (rev 124843)
@@ -1,3 +1,18 @@
+2012-08-06 Shinya Kawanaka <[email protected]>
+
+ Crash in GenericEventQueue::timerFired since the owner of GenericEventQueue is deleted during dispatching events.
+ https://bugs.webkit.org/show_bug.cgi?id=92946
+
+ Reviewed by Eric Carlson.
+
+ In GenericEventQueue::timerFired(), the owner of GenericEventQueue might be deleted.
+ We have to protect the owner of GenericEventQueue during dispatching events.
+
+ Test: media/event-queue-crash.html
+
+ * dom/GenericEventQueue.cpp:
+ (WebCore::GenericEventQueue::timerFired): Added a protection.
+
2012-08-06 Joshua Bell <[email protected]>
IndexedDB: Remove IDBRequest::finishCursor() and plumbing
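Review bot: The per-function line `(WebCore::GenericEventQueue::timerFired): Added a protection.` does not say what is protected or by what means. Naming it, for example "Hold a RefPtr to m_owner while dispatching pending events", would let someone reading only the ChangeLog understand the lifetime fix without opening the diff.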
Modified: trunk/Source/WebCore/dom/GenericEventQueue.cpp (124842 => 124843)
--- trunk/Source/WebCore/dom/GenericEventQueue.cpp 2012-08-07 03:40:29 UTC (rev 124842)
+++ trunk/Source/WebCore/dom/GenericEventQueue.cpp 2012-08-07 03:43:57 UTC (rev 124843)
@@ -85,6 +85,7 @@
Vector<RefPtr<Event> > pendingEvents;
m_pendingEvents.swap(pendingEvents);
+ RefPtr<EventTarget> protect(m_owner);
for (unsigned i = 0; i < pendingEvents.size(); ++i) {
EventTarget* target = pendingEvents[i]->target() ? pendingEvents[i]->target() : m_owner;
target->dispatchEvent(pendingEvents[i].release());
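Review bot: The `protect` RefPtr added before the loop covers only `m_owner`, but the loop dispatches through a raw `EventTarget* target` that is `pendingEvents[i]->target()` whenever that is set. Please confirm that each pending event keeps its own target alive across the earlier dispatches in the same loop, or hold `target` in a RefPtr as well. Separately, `RefPtr<EventTarget> protect(m_owner);` reads like an unused local; a one-line comment above it stating that dispatching an event can delete the owner of this queue would keep a later cleanup from removing it.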