Diff
Modified: trunk/LayoutTests/ChangeLog (145161 => 145162)
--- trunk/LayoutTests/ChangeLog 2013-03-08 01:10:54 UTC (rev 145161)
+++ trunk/LayoutTests/ChangeLog 2013-03-08 01:12:44 UTC (rev 145162)
@@ -1,3 +1,14 @@
+2013-03-07 Aaron Colwell <[email protected]>
+
+ Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement
+ https://bugs.webkit.org/show_bug.cgi?id=110623
+
+ Reviewed by Kentaro Hara.
+
+ * http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt: Added.
+ * http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html: Added.
+ * http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html: Added.
+
2013-03-07 Alexey Proskuryakov <[email protected]>
Roll out an accidentally committed change I made for local testing.
Added: trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt (0 => 145162)
--- trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt 2013-03-08 01:12:44 UTC (rev 145162)
@@ -0,0 +1 @@
+Test deleting a subframe from within its readystatechange event and garbage collecting right after removing the video element from the document. We pass if we don't crash.
Added: trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html (0 => 145162)
--- trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html (rev 0)
+++ trunk/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html 2013-03-08 01:12:44 UTC (rev 145162)
@@ -0,0 +1,23 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function removeFrame()
+ {
+ document.body.removeChild(document.getElementById("frame"));
+ //if (testRunner)
+ setTimeout(function() { testRunner.notifyDone();}, 0);
+ }
+ </script>
+ </head>
+ <body>
+ Test deleting a subframe from within its readystatechange event and garbage collecting
+ right after removing the video element from the document. We pass if we don't crash.
+ <iframe id="frame" src=""
+ </body>
+</html>
Added: trunk/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html (0 => 145162)
--- trunk/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html (rev 0)
+++ trunk/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html 2013-03-08 01:12:44 UTC (rev 145162)
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <script src=""
+ <script>
+ i = 0;
+ document.addEventListener('readystatechange', function()
+ {
+ if (i == 1)
+ parent.removeFrame();
+ i++;
+ });
+
+ window.addEventListener('DOMContentLoaded', function()
+ {
+ document.getElementById("videoTag").load();
+ document.body.removeChild(document.getElementById("videoTag"));
+ gc();
+ });
+ </script>
+ </head>
+ <body>
+ <video id="videoTag" src=""
+ </body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (145161 => 145162)
--- trunk/Source/WebCore/ChangeLog 2013-03-08 01:10:54 UTC (rev 145161)
+++ trunk/Source/WebCore/ChangeLog 2013-03-08 01:12:44 UTC (rev 145162)
@@ -1,3 +1,25 @@
+2013-03-07 Aaron Colwell <[email protected]>
+
+ Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement
+ https://bugs.webkit.org/show_bug.cgi?id=110623
+
+ Reviewed by Kentaro Hara.
+
+ Test: http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html
+
+ * bindings/v8/V8GCController.cpp: Fix MinorGCWrapperVisitor so it doesn't collect ActiveDOMObjects
+ that have pending activity.
+ * html/HTMLAudioElement.h:
+ (HTMLAudioElement): Removed hasPendingActivity() now that this is handled by the base class.
+ * html/HTMLAudioElement.idl: Removed ActiveDOMObject annotation since HTMLMediaElement now has it.
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::hasPendingActivity): Update implementation to return true if the media
+ has audio and is playing. This brings the code into
+ compliance with the detached element behavior outlined
+ in the HTML5 spec.
+ * html/HTMLMediaElement.idl: Added ActiveDOMObject annotation so that all derived classes are
+ considered ActiveDOMObjects.
+
2013-03-07 Jeffrey Pfau <[email protected]>
CFNetwork cache partitioning does not work properly on subdomains
Modified: trunk/Source/WebCore/bindings/v8/V8GCController.cpp (145161 => 145162)
--- trunk/Source/WebCore/bindings/v8/V8GCController.cpp 2013-03-08 01:10:54 UTC (rev 145161)
+++ trunk/Source/WebCore/bindings/v8/V8GCController.cpp 2013-03-08 01:12:44 UTC (rev 145162)
@@ -309,6 +309,10 @@
// Note that node->wrapper().IsEmpty() returns true for nodes that
// do not have wrappers in the main world.
if (!node->wrapper().IsEmpty()) {
+ WrapperTypeInfo* type = toWrapperTypeInfo(wrapper);
+ ActiveDOMObject* activeDOMObject = type->toActiveDOMObject(wrapper);
+ if (activeDOMObject && activeDOMObject->hasPendingActivity())
+ return;
m_nodesInNewSpace.append(node);
node->setV8CollectableDuringMinorGC(true);
}
Modified: trunk/Source/WebCore/html/HTMLAudioElement.h (145161 => 145162)
--- trunk/Source/WebCore/html/HTMLAudioElement.h 2013-03-08 01:10:54 UTC (rev 145161)
+++ trunk/Source/WebCore/html/HTMLAudioElement.h 2013-03-08 01:12:44 UTC (rev 145162)
@@ -39,8 +39,6 @@
static PassRefPtr<HTMLAudioElement> create(const QualifiedName&, Document*, bool);
static PassRefPtr<HTMLAudioElement> createForJSConstructor(Document*, const String& src);
- virtual bool hasPendingActivity() const { return isPlaying() || HTMLMediaElement::hasPendingActivity(); }
-
private:
HTMLAudioElement(const QualifiedName&, Document*, bool);
Modified: trunk/Source/WebCore/html/HTMLAudioElement.idl (145161 => 145162)
--- trunk/Source/WebCore/html/HTMLAudioElement.idl 2013-03-08 01:10:54 UTC (rev 145161)
+++ trunk/Source/WebCore/html/HTMLAudioElement.idl 2013-03-08 01:12:44 UTC (rev 145162)
@@ -24,7 +24,6 @@
*/
[
- ActiveDOMObject,
Conditional=VIDEO,
NamedConstructor=Audio(in [Optional=DefaultIsNullString] DOMString src)
] interface HTMLAudioElement : HTMLMediaElement {
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (145161 => 145162)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2013-03-08 01:10:54 UTC (rev 145161)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2013-03-08 01:12:44 UTC (rev 145162)
@@ -3957,7 +3957,7 @@
bool HTMLMediaElement::hasPendingActivity() const
{
- return m_asyncEventQueue->hasPendingEvents();
+ return (hasAudio() && isPlaying()) || m_asyncEventQueue->hasPendingEvents();
}
void HTMLMediaElement::mediaVolumeDidChange()
Modified: trunk/Source/WebCore/html/HTMLMediaElement.idl (145161 => 145162)
--- trunk/Source/WebCore/html/HTMLMediaElement.idl 2013-03-08 01:10:54 UTC (rev 145161)
+++ trunk/Source/WebCore/html/HTMLMediaElement.idl 2013-03-08 01:12:44 UTC (rev 145162)
@@ -25,7 +25,8 @@
[
Conditional=VIDEO,
- JSGenerateToNativeObject
+ JSGenerateToNativeObject,
+ ActiveDOMObject
] interface HTMLMediaElement : HTMLElement {
// error state
