[webkit-changes] [200062] trunk/Source/WebCore

[cdumez]

Title: [200062] trunk/Source/WebCore

Revision

200062

Author

cdu...@apple.com

Date

2016-04-25 17:13:03 -0700 (Mon, 25 Apr 2016)

Log Message

Crash under WebCore::MutationObserver::deliverAllMutations()
https://bugs.webkit.org/show_bug.cgi?id=156997
<rdar://problem/16542323>

Reviewed by Ryosuke Niwa.

The crash traces indicate that we may derefence a null pointer when
dereferencing MutationCallback::scriptExecutationContext() in
MutationObserver::canDeliver(). This can happen when the script
execution context gets destroyed as a JSMutationCallback is an
ActiveDOMObject, which is a ContextDestructionObserver.

This patch refactors the code so that MutationObserver::canDeliver()
now simply asks JSMutationCallback if it can invoke its callback.
JSMutationCallback makes this decision using
ActiveDOMCallback::canInvokeCallback() which does a proper null
check of the ScriptExecutationContext. This avoids some code
duplication and fixes the crash.

* bindings/js/JSMutationCallback.h:
* dom/MutationCallback.h:
* dom/MutationObserver.cpp:
(WebCore::MutationObserver::canDeliver):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/bindings/js/JSMutationCallback.h
• trunk/Source/WebCore/dom/MutationCallback.h
• trunk/Source/WebCore/dom/MutationObserver.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (200061 => 200062)

--- trunk/Source/WebCore/ChangeLog	2016-04-26 00:12:22 UTC (rev 200061)
+++ trunk/Source/WebCore/ChangeLog	2016-04-26 00:13:03 UTC (rev 200062)
@@ -1,3 +1,29 @@
+2016-04-25  Chris Dumez  <cdu...@apple.com>
+
+        Crash under WebCore::MutationObserver::deliverAllMutations()
+        https://bugs.webkit.org/show_bug.cgi?id=156997
+        <rdar://problem/16542323>
+
+        Reviewed by Ryosuke Niwa.
+
+        The crash traces indicate that we may derefence a null pointer when
+        dereferencing MutationCallback::scriptExecutationContext() in
+        MutationObserver::canDeliver(). This can happen when the script
+        execution context gets destroyed as a JSMutationCallback is an
+        ActiveDOMObject, which is a ContextDestructionObserver.
+
+        This patch refactors the code so that MutationObserver::canDeliver()
+        now simply asks JSMutationCallback if it can invoke its callback.
+        JSMutationCallback makes this decision using
+        ActiveDOMCallback::canInvokeCallback() which does a proper null
+        check of the ScriptExecutationContext. This avoids some code
+        duplication and fixes the crash.
+
+        * bindings/js/JSMutationCallback.h:
+        * dom/MutationCallback.h:
+        * dom/MutationObserver.cpp:
+        (WebCore::MutationObserver::canDeliver):
+
 2016-04-25  Brady Eidson  <beid...@apple.com>
 
         Fix a flaky test after r200032

Modified: trunk/Source/WebCore/bindings/js/JSMutationCallback.h (200061 => 200062)

--- trunk/Source/WebCore/bindings/js/JSMutationCallback.h	2016-04-26 00:12:22 UTC (rev 200061)
+++ trunk/Source/WebCore/bindings/js/JSMutationCallback.h	2016-04-26 00:13:03 UTC (rev 200062)
@@ -37,7 +37,7 @@
 
 class JSDOMGlobalObject;
 
-class JSMutationCallback : public MutationCallback, public ActiveDOMCallback {
+class JSMutationCallback final : public MutationCallback, public ActiveDOMCallback {
 public:
     static Ref<JSMutationCallback> create(JSC::JSObject* callback, JSDOMGlobalObject* globalObject)
     {
@@ -47,9 +47,8 @@
     virtual ~JSMutationCallback();
 
     void call(const Vector<Ref<MutationRecord>>&, MutationObserver*) override;
+    bool canInvokeCallback() const override { return ActiveDOMCallback::canInvokeCallback(); }
 
-    ScriptExecutionContext* scriptExecutionContext() const override { return ContextDestructionObserver::scriptExecutionContext(); }
-
 private:
     JSMutationCallback(JSC::JSObject* callback, JSDOMGlobalObject*);
 

Modified: trunk/Source/WebCore/dom/MutationCallback.h (200061 => 200062)

--- trunk/Source/WebCore/dom/MutationCallback.h	2016-04-26 00:12:22 UTC (rev 200061)
+++ trunk/Source/WebCore/dom/MutationCallback.h	2016-04-26 00:13:03 UTC (rev 200062)
@@ -45,7 +45,7 @@
     virtual ~MutationCallback() { }
 
     virtual void call(const Vector<Ref<MutationRecord>>&, MutationObserver*) = 0;
-    virtual ScriptExecutionContext* scriptExecutionContext() const = 0;
+    virtual bool canInvokeCallback() const = 0;
 };
 
 }

Modified: trunk/Source/WebCore/dom/MutationObserver.cpp (200061 => 200062)

--- trunk/Source/WebCore/dom/MutationObserver.cpp	2016-04-26 00:12:22 UTC (rev 200061)
+++ trunk/Source/WebCore/dom/MutationObserver.cpp	2016-04-26 00:13:03 UTC (rev 200062)
@@ -211,7 +211,7 @@
 
 bool MutationObserver::canDeliver()
 {
-    return !m_callback->scriptExecutionContext()->activeDOMObjectsAreSuspended();
+    return m_callback->canInvokeCallback();
 }
 
 void MutationObserver::deliver()

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes