Title: [287604] trunk
Revision
287604
Author
commit-qu...@webkit.org
Date
2022-01-04 23:52:54 -0800 (Tue, 04 Jan 2022)

Log Message

Protect frame from destruction in HTMLMediaElement::setupAndCallJS
https://bugs.webkit.org/show_bug.cgi?id=234259

Patch by Frédéric Wang <fw...@igalia.com> on 2022-01-04
Reviewed by Darin Adler.

Source/WebCore:

Test: http/tests/media/media-element-frame-destroyed-crash.html

* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
so that it is not destroyed before its associated ScriptController.

LayoutTests:

Add non-regression test, embedded in multiple iframes to make regression easily reproducible.

* http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
to make the non-regression test work properly.
* http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
* http/tests/media/media-element-frame-destroyed-crash.html: Added.
* http/tests/media/resources/empty.ts: Added.
* http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (287603 => 287604)


--- trunk/LayoutTests/ChangeLog	2022-01-05 07:33:56 UTC (rev 287603)
+++ trunk/LayoutTests/ChangeLog	2022-01-05 07:52:54 UTC (rev 287604)
@@ -1,3 +1,19 @@
+2022-01-04  Frédéric Wang  <fw...@igalia.com>
+
+        Protect frame from destruction in HTMLMediaElement::setupAndCallJS
+        https://bugs.webkit.org/show_bug.cgi?id=234259
+
+        Reviewed by Darin Adler.
+
+        Add non-regression test, embedded in multiple iframes to make regression easily reproducible.
+
+        * http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
+        to make the non-regression test work properly.
+        * http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
+        * http/tests/media/media-element-frame-destroyed-crash.html: Added.
+        * http/tests/media/resources/empty.ts: Added.
+        * http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.
+
 2022-01-04  Antoine Quint  <grao...@webkit.org>
 
         WPT test css/css-transitions/parsing/transition-shorthand.html has failures

Modified: trunk/LayoutTests/http/conf/mime.types (287603 => 287604)


--- trunk/LayoutTests/http/conf/mime.types	2022-01-05 07:33:56 UTC (rev 287603)
+++ trunk/LayoutTests/http/conf/mime.types	2022-01-05 07:52:54 UTC (rev 287604)
@@ -579,7 +579,7 @@
 video/jpeg
 video/mp1s
 video/mp2p
-video/mp2t
+video/mp2t			ts
 video/mp4			mp4
 video/mp4v-es
 video/mpv
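Review bot: the `+video/mp2t			ts` line changes the shared test-server `mime.types`, so every resource under `LayoutTests/http` whose name ends in `.ts` is now served as `video/mp2t` instead of the server default; before landing, check that no other http test ships a `.ts` file (TypeScript sources, for instance) that would be affected by the new mapping.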

Added: trunk/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt (0 => 287604)


--- trunk/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt	2022-01-05 07:52:54 UTC (rev 287604)
@@ -0,0 +1,3 @@
+This test PASS if it does not CRASH.
+
+
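Review bot: `This test PASS if it does not CRASH.` should read `This test PASSES if it does not CRASH.`; the identical string is the `<p>` text of the new `media-element-frame-destroyed-crash.html`, and the two must match for the dumped text to compare equal, so fix both in the same change.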

Added: trunk/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html (0 => 287604)


--- trunk/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html	2022-01-05 07:52:54 UTC (rev 287604)
@@ -0,0 +1,12 @@
+<script>
+  _onload_ = () => {
+    if (window.testRunner)
+      testRunner.dumpAsText();
+    for (let i = 5; i; i--) {
+      let iframe = document.createElement('iframe');
+      iframe.src = '';
+      document.body.appendChild(iframe);
+    }
+  }
+</script>
+<p>This test PASS if it does not CRASH.</p>
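Review bot: the handler calls `testRunner.dumpAsText()` but never `testRunner.waitUntilDone()`, and nothing listens for the `'done'` message the subframe posts to `parent`, so the test can be torn down as soon as the five iframes are appended, before any subframe has run its sequence; count the `'done'` messages in a `message` listener and call `testRunner.notifyDone()` after the fifth, so the crash path is actually exercised every run.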

Added: trunk/LayoutTests/http/tests/media/resources/empty.ts ( => )


Added: trunk/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html
===================================================================
--- trunk/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html	2022-01-05 07:52:54 UTC (rev 287604)
@@ -0,0 +1,17 @@
+<script>
+  _onload_ = async () => {
+    if (window.testRunner)
+      testRunner.dumpAsText();
+    let embed0 = document.createElement('embed');
+    embed0.src = '';
+    document.body.appendChild(embed0);
+    await new Blob().text();
+    try {
+      await new FontFace('a', 'url(data:)').load();
+    } catch {}
+    document.designMode = 'on';
+    document.execCommand('SelectAll');
+    document.execCommand('Bold');
+    parent.postMessage('done');
+  };
+</script>
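Review bot: the sequence `embed` insertion, `await new Blob().text()`, the caught `FontFace.load()`, `designMode = 'on'` and the two `execCommand` calls carries no comment saying which step destroys the frame and why the others are needed to reach it; a short comment per step (or a reference to the reduction that produced this order) would stop a future cleanup from removing the step that makes the test reproduce the bug. `parent.postMessage('done')` is also sent with no `targetOrigin`; passing `'*'` makes the intent explicit and matches the rest of the http media tests.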

Modified: trunk/Source/WebCore/ChangeLog (287603 => 287604)


--- trunk/Source/WebCore/ChangeLog	2022-01-05 07:33:56 UTC (rev 287603)
+++ trunk/Source/WebCore/ChangeLog	2022-01-05 07:52:54 UTC (rev 287604)
@@ -1,3 +1,16 @@
+2022-01-04  Frédéric Wang  <fw...@igalia.com>
+
+        Protect frame from destruction in HTMLMediaElement::setupAndCallJS
+        https://bugs.webkit.org/show_bug.cgi?id=234259
+
+        Reviewed by Darin Adler.
+
+        Test: http/tests/media/media-element-frame-destroyed-crash.html
+
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
+        so that it is not destroyed before its associated ScriptController.
+
 2022-01-04  Antoine Quint  <grao...@webkit.org>
 
         RenderStyle::transitionForProperty() is unused
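Review bot: the entry says the frame is protected "so that it is not destroyed before its associated ScriptController" but not how the frame can be destroyed while `setupAndCallJS` is running; a sentence naming the path (the JS executed through the `ScriptController` detaching or navigating the frame) would make the reason for the extra `Ref` clear to whoever next touches this function.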

Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (287603 => 287604)


--- trunk/Source/WebCore/html/HTMLMediaElement.cpp	2022-01-05 07:33:56 UTC (rev 287603)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp	2022-01-05 07:52:54 UTC (rev 287604)
@@ -4584,7 +4584,8 @@
 
     auto pendingActivity = makePendingActivity(*this);
     auto& world = ensureIsolatedWorld();
-    auto& scriptController = document().frame()->script();
+    Ref protectedFrame = *document().frame();
+    auto& scriptController = protectedFrame->script();
     auto* globalObject = JSC::jsCast<JSDOMGlobalObject*>(scriptController.globalObject(world));
     auto& vm = globalObject->vm();
     JSC::JSLockHolder lock(vm);
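Review bot: `Ref protectedFrame = *document().frame();` dereferences `document().frame()` unconditionally, exactly as the removed line did; if `setupAndCallJS` can be reached after the element's document has been detached from its frame, that is a null dereference, so consider `RefPtr frame = document().frame(); if (!frame) return;` ahead of it (or an `ASSERT` if every caller guarantees a frame). A one-line comment above the `Ref` stating that the JS run through `scriptController` may destroy the frame, and that the ref keeps the `ScriptController` alive for the rest of the function, would also keep a later cleanup from turning it back into a bare reference.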
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes