Title: [240768] branches/safari-607-branch/Source/WebKit
- Revision: 240768
- Author: bshaf...@apple.com
- Date: 2019-01-31 00:10:24 -0800 (Thu, 31 Jan 2019)
Log Message
Cherry-pick r240578. rdar://problem/47685372
WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
https://bugs.webkit.org/show_bug.cgi?id=193901
<rdar://problem/47338669>
Reviewed by David Kilzer.
Don't know how to repro.
* WebProcess/UserContent/WebUserContentController.cpp:
(WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):
Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
(because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
Fix by protecting this over the function.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240578 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-607-branch/Source/WebKit/ChangeLog (240767 => 240768)
--- branches/safari-607-branch/Source/WebKit/ChangeLog 2019-01-31 08:06:16 UTC (rev 240767)
+++ branches/safari-607-branch/Source/WebKit/ChangeLog 2019-01-31 08:10:24 UTC (rev 240768)
@@ -1,3 +1,42 @@
+2019-01-30 Babak Shafiei <bshaf...@apple.com>
+
+ Cherry-pick r240578. rdar://problem/47685372
+
+ WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
+ https://bugs.webkit.org/show_bug.cgi?id=193901
+ <rdar://problem/47338669>
+
+ Reviewed by David Kilzer.
+
+ Don't know how to repro.
+
+ * WebProcess/UserContent/WebUserContentController.cpp:
+ (WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):
+
+ Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
+ (because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
+ Fix by protecting this over the function.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240578 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-01-28 Antti Koivisto <an...@apple.com>
+
+ WebUserContentController::removeUserScriptMessageHandlerInternal may deref and delete itself
+ https://bugs.webkit.org/show_bug.cgi?id=193901
+ <rdar://problem/47338669>
+
+ Reviewed by David Kilzer.
+
+ Don't know how to repro.
+
+ * WebProcess/UserContent/WebUserContentController.cpp:
+ (WebKit::WebUserContentController::removeUserScriptMessageHandlerInternal):
+
+ Calling userMessageHandlers.removeFirstMatching() may remove the last ref to this
+ (because WebUserMessageHandlerDescriptorProxy refs WebUserContentController).
+ Fix by protecting this over the function.
+
2019-01-30 Alan Coon <alanc...@apple.com>
Cherry-pick r240733. rdar://problem/47683434
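Review bot: The added entry's explanation ("Fix by protecting this over the function.") does not say which use of the controller after userMessageHandlers.removeFirstMatching() would touch freed memory, and with "Don't know how to repro." there is no test that shows it either. Naming that later access, or the teardown path that drops the last ref through WebUserMessageHandlerDescriptorProxy, in the entry would give a follow-up regression test something to target and would help anyone auditing the branch judge the cherry-pick.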
Modified: branches/safari-607-branch/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp (240767 => 240768)
--- branches/safari-607-branch/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp 2019-01-31 08:06:16 UTC (rev 240767)
+++ branches/safari-607-branch/Source/WebKit/WebProcess/UserContent/WebUserContentController.cpp 2019-01-31 08:10:24 UTC (rev 240768)
@@ -330,6 +330,8 @@
if (it == m_userMessageHandlers.end())
return;
+ auto protectedThis = makeRef(*this);
+
auto& userMessageHandlers = it->value;
bool userMessageHandlersChanged = userMessageHandlers.removeFirstMatching([userScriptMessageHandlerIdentifier](auto& pair) {
return pair.first == userScriptMessageHandlerIdentifier;
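Review bot: The `auto protectedThis = makeRef(*this);` line placed before `auto& userMessageHandlers = it->value;` carries no comment, and because nothing else in the visible code names it, it reads like an unused local that a later cleanup could delete. A one-line comment above it stating that removeFirstMatching() can drop the last ref via WebUserMessageHandlerDescriptorProxy would keep the guard in place; both `it` and `userMessageHandlers` point into m_userMessageHandlers, so they are only valid while this object is kept alive to the end of the function. It is also worth checking whether other functions that remove entries from m_userMessageHandlers need the same guard, since this change covers only removeUserScriptMessageHandlerInternal.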