Title: [277379] trunk/Source/WebCore
Revision: 277379
Author: jer.no...@apple.com
Date: 2021-05-12 11:00:23 -0700 (Wed, 12 May 2021)

Log Message

HTMLMediaElement::mediaLoadingFailedFatally() does direct dispatch of events; should enqueue
https://bugs.webkit.org/show_bug.cgi?id=225700
<rdar://75576322>

Reviewed by Eric Carlson.

In r274559, an update was made to mediaLoadingFailedFatally to adopt recent spec changes, and as
part of that change, an "error" event was changed from being enqueued to being directly dispatched.
However, directly dispatching events exposes the element to JS and has the potential to cause the
element to be garbage collected, deleting the object and potentially other objects in the backtrace.
Events should always be enqueued, rather than directly dispatched, for this reason.

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::mediaLoadingFailedFatally):

Diff

Modified: trunk/Source/WebCore/ChangeLog (277378 => 277379)


--- trunk/Source/WebCore/ChangeLog	2021-05-12 17:58:17 UTC (rev 277378)
+++ trunk/Source/WebCore/ChangeLog	2021-05-12 18:00:23 UTC (rev 277379)
@@ -1,3 +1,20 @@
+2021-05-12  Jer Noble  <jer.no...@apple.com>
+
+        HTMLMediaElement::mediaLoadingFailedFatally() does direct dispatch of events; should enqueue
+        https://bugs.webkit.org/show_bug.cgi?id=225700
+        <rdar://75576322>
+
+        Reviewed by Eric Carlson.
+
+        In r274559, an update was made to mediaLoadingFailedFatally to adopt recent spec changes, and as
+        part of that change, an "error" event was changed from being enqueued to being directly dispatched.
+        However, directly dispatching events exposes the element to JS and has the potential to cause the
+        element to be garbage collected, deleting the object and potentially other objects in the backtrace.
+        Events should always be enqueued, rather than directy dispatched, for this reason.
+
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::mediaLoadingFailedFatally):
+
 2021-05-12  Sergio Villar Senin  <svil...@igalia.com>
 
         ASSERTION FAILED: m_clients.contains(&client) in CSSFontFace::removeClient via CSSSegmentedFontFace::~CSSSegmentedFontFace()
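
Review bot: the added entry lists only html/HTMLMediaElement.cpp and names no test, although its rationale describes an object-lifetime problem introduced by r274559; add a regression test that runs an "error" handler on a media element whose load fails fatally, or state in the entry why one is not possible. The last sentence of the rationale also misspells "directly" as "directy".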

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (277378 => 277379)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2021-05-12 17:58:17 UTC (rev 277378)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2021-05-12 18:00:23 UTC (rev 277379)
@@ -2143,7 +2143,7 @@
     setShouldDelayLoadEvent(false);
 
     // 5 - Fire an event named error at the media element.
-    dispatchEvent(Event::create(eventNames().errorEvent, Event::CanBubble::No, Event::IsCancelable::No));
+    scheduleEvent(eventNames().errorEvent);
 
     // 6 - Abort the overall resource selection algorithm.
     m_currentSourceNode = nullptr;
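
Review bot: the added `scheduleEvent(eventNames().errorEvent);` line no longer states the `Event::CanBubble::No, Event::IsCancelable::No` arguments that the removed `dispatchEvent(Event::create(...))` call passed explicitly, so confirm that scheduleEvent constructs the "error" event with the same bubbles and cancelable flags, or pass a pre-built Event if it does not. Queuing also means the handler now runs after step 6 has cleared m_currentSourceNode instead of before it; the step 5 comment still says "Fire an event" and could say the event is queued, so the ordering difference from a synchronous dispatch is visible to the next reader.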