Title: [277390] trunk/Source/WebCore
Revision: 277390
Author: jer.no...@apple.com
Date: 2021-05-12 14:19:06 -0700 (Wed, 12 May 2021)

Log Message

TapStorage::lock freed while locked in AudioSourceProviderAVFObjC::destroyMixIfNeeded()
https://bugs.webkit.org/show_bug.cgi?id=225706
<rdar://77719381>

Reviewed by Ryosuke Niwa.

In r275933, an update was made to protect access to TapStorage during destruction by
locking its lock inside destroyMixIfNeeded(), but if TapStorage has a refCount==1
during that teardown, the lock itself is destroyed while it is still held. Add an
explicit scoping to the lock holder, and only deref the TapStorage outside that
locking scope.

* platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm:
(WebCore::AudioSourceProviderAVFObjC::destroyMixIfNeeded):
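The ordering defect described above, reduced to a constructed model (added here; not WebKit code): `TrackingLock` stands in for `TapStorage::lock` and records, instead of invoking undefined behaviour, whether it was destroyed while still held; `Locker` plays the role of the `holdLock()` holder, and `TapStorage::deref()` models the last reference being dropped. The two functions mirror the shape of `destroyMixIfNeeded()` before and after this change.

```cpp
#include <cstddef>

// Constructed model of TapStorage::lock: a real mutex destroyed while held
// is undefined behaviour, so this one just records the fault instead.
struct TrackingLock {
    bool held = false;
    bool freedWhileHeld = false;
    void lock() { held = true; }
    void unlock() { held = false; }
    void destroy() { freedWhileHeld = held; } // invoked from the owner's teardown
};

// RAII holder in the spirit of holdLock(): releases the lock at end of scope.
struct Locker {
    TrackingLock& lock;
    explicit Locker(TrackingLock& l) : lock(l) { lock.lock(); }
    ~Locker() { lock.unlock(); }
};

// Model of the refcounted TapStorage; only the refCount==1 path matters here.
struct TapStorage {
    TrackingLock lock;
    int refCount = 1;
    // Returns true when this deref was the last one and the storage "died".
    bool deref() {
        if (--refCount)
            return false;
        lock.destroy();
        return true;
    }
};

// Shape of destroyMixIfNeeded() before r277390: the holder outlives the deref,
// so with refCount==1 the lock is destroyed while it is still held.
bool lockFreedWhileHeld_before() {
    TapStorage storage;
    Locker locker(storage.lock);
    storage.deref();                  // refCount 1 -> 0 under the lock
    return storage.lock.freedWhileHeld;
}

// Shape after r277390: the holder is scoped, and the deref happens outside it.
bool lockFreedWhileHeld_after() {
    TapStorage storage;
    {
        Locker locker(storage.lock);
        // mix/tap teardown and unprepare() happen inside this scope
    }
    storage.deref();                  // lock already released when destroyed
    return storage.lock.freedWhileHeld;
}
```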

Diff

Modified: trunk/Source/WebCore/ChangeLog (277389 => 277390)


--- trunk/Source/WebCore/ChangeLog	2021-05-12 21:08:35 UTC (rev 277389)
+++ trunk/Source/WebCore/ChangeLog	2021-05-12 21:19:06 UTC (rev 277390)
@@ -1,3 +1,20 @@
+2021-05-12  Jer Noble  <jer.no...@apple.com>
+
+        TapStorage::lock freed while locked in AudioSourceProviderAVFObjC::destroyMixIfNeeded()
+        https://bugs.webkit.org/show_bug.cgi?id=225706
+        <rdar://77719381>
+
+        Reviewed by Ryosuke Niwa.
+
+        In r275933, an update was made to protect access to TapStorage during destruction by
+        locking its lock inside destroyMixIfNeeded(), but if TapStorage has a refCount==1
+        during that teardown, the lock itself is destroyed while it is still held. Add an
+        explicit scoping to the lock holder, and only deref the TapStorage outside that
+        locking scope.
+
+        * platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm:
+        (WebCore::AudioSourceProviderAVFObjC::destroyMixIfNeeded):
+
 2021-05-12  Said Abou-Hallawa  <s...@apple.com>
 
         Removing the transform CSS property from the SVG element does not cause invalidation

Modified: trunk/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm (277389 => 277390)


--- trunk/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm	2021-05-12 21:08:35 UTC (rev 277389)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/AudioSourceProviderAVFObjC.mm	2021-05-12 21:19:06 UTC (rev 277390)
@@ -182,17 +182,19 @@
     if (!m_avAudioMix)
         return;
     ASSERT(m_tapStorage);
-    auto locker = holdLock(m_tapStorage->lock);
-    if (m_avPlayerItem)
-        [m_avPlayerItem setAudioMix:nil];
-    [m_avAudioMix setInputParameters:@[ ]];
-    m_avAudioMix.clear();
-    m_tap.clear();
-    m_tapStorage->_this = nullptr;
+    {
+        auto locker = holdLock(m_tapStorage->lock);
+        if (m_avPlayerItem)
+            [m_avPlayerItem setAudioMix:nil];
+        [m_avAudioMix setInputParameters:@[ ]];
+        m_avAudioMix.clear();
+        m_tap.clear();
+        m_tapStorage->_this = nullptr;
+        // Call unprepare, since Tap cannot call it after clear.
+        unprepare();
+        m_weakFactory.revokeAll();
+    }
     m_tapStorage = nullptr;
-    // Call unprepare, since Tap cannot call it after clear.
-    unprepare();
-    m_weakFactory.revokeAll();
 }
 
 void AudioSourceProviderAVFObjC::createMixIfNeeded()
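Review bot: Besides scoping the locker, the hunk also moves `unprepare();` and `m_weakFactory.revokeAll();` from after `m_tapStorage = nullptr;` to inside the new `{ ... }` block, so both now run while `m_tapStorage->lock` is held and while `m_tapStorage` is still non-null; the ChangeLog entry only describes the scoping and the deferred deref, so please state the reason for this reordering there, and confirm that `unprepare()` does not itself acquire `m_tapStorage->lock` (it would now be taken while already held by `locker`). The scoping itself looks correct: `locker` is destroyed at the closing brace, so the only remaining deref, `m_tapStorage = nullptr;`, happens with the lock released.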
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes