Title: [287751] branches/safari-612.4.9.3-branch
- Revision: 287751
- Author: repst...@apple.com
- Date: 2022-01-07 09:19:18 -0800 (Fri, 07 Jan 2022)
Log Message
Cherry-pick r287604. rdar://problem/85966622
Protect frame from destruction in HTMLMediaElement::setupAndCallJS
https://bugs.webkit.org/show_bug.cgi?id=234259
Patch by Frédéric Wang <fw...@igalia.com> on 2022-01-04
Reviewed by Darin Adler.
Source/WebCore:
Test: http/tests/media/media-element-frame-destroyed-crash.html
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
so that it is not destroyed before its associated ScriptController.
LayoutTests:
Add non-regression test, embedded in multiple iframes to make regression easily reproducible.
* http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
to make the non-regression test work properly.
* http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
* http/tests/media/media-element-frame-destroyed-crash.html: Added.
* http/tests/media/resources/empty.ts: Added.
* http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@287604 268f45cc-cd09-0410-ab3c-d52691b4dbfc
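The commit message describes the fix as taking a strong reference to the frame before running script so the frame (and the ScriptController it owns) cannot be destroyed out from under the caller. The following is an added example, not WebKit code: a toy model of that hazard and of the `Ref`-pinning fix. `Page`, `Document`, `Frame`, `ScriptController`, `Ref` and `Ledger` borrow WebKit's names but are simplified stand-ins written for this illustration, and the "script" is a plain callback that removes the frame mid-execution, the way the layout test's iframe churn would.

```cpp
// Added example (not WebKit code): toy model of the lifetime hazard fixed in
// HTMLMediaElement::setupAndCallJS. All types here are simplified stand-ins.
#include <cstdio>
#include <functional>
#include <utility>

// Records destruction so lifetimes can be observed without touching freed memory.
struct Ledger {
    bool frameDestroyed = false;
    int usesOnLiveController = 0;
};

// Non-null strong reference in the spirit of WTF::Ref: ref() on construction,
// deref() on destruction. T must expose ref()/deref().
template<typename T> class Ref {
public:
    explicit Ref(T& object) : m_ptr(&object) { m_ptr->ref(); }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
    ~Ref() { m_ptr->deref(); }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// Owned by the frame; destroying the frame destroys the controller too.
class ScriptController {
public:
    explicit ScriptController(Ledger& ledger) : m_ledger(ledger) {}
    void finishCall() { ++m_ledger.usesOnLiveController; }   // work done after the script ran
private:
    Ledger& m_ledger;
};

// Intrusively refcounted, like WebCore::Frame.
class Frame {
public:
    explicit Frame(Ledger& ledger) : m_ledger(ledger), m_script(ledger) {}
    ~Frame() { m_ledger.frameDestroyed = true; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    ScriptController& script() { return m_script; }
private:
    Ledger& m_ledger;
    ScriptController m_script;
    unsigned m_refCount = 0;
};

// Document::frame() is a raw pointer in WebKit; here the Page holds the only
// strong reference and can drop it (iframe removal / navigation).
class Document {
public:
    Frame* frame() const { return m_frame; }
    void setFrame(Frame* frame) { m_frame = frame; }
private:
    Frame* m_frame = nullptr;
};

class Page {
public:
    explicit Page(Ledger& ledger) : m_frame(new Frame(ledger)) { m_frame->ref(); m_document.setFrame(m_frame); }
    ~Page() { detachFrame(); }
    Document& document() { return m_document; }
    void detachFrame() {
        Frame* frame = std::exchange(m_frame, nullptr);
        if (!frame) return;
        m_document.setFrame(nullptr);
        frame->deref();   // destroys the frame unless someone else holds a Ref
    }
private:
    Document m_document;
    Frame* m_frame;
};

using Script = std::function<void(Page&)>;
enum class Outcome { Ok, NoFrame, DanglingController };

// Pre-fix shape: a reference into the frame is held across script execution with
// nothing keeping the frame alive. Real code would then read freed memory; this
// model consults the ledger instead of dereferencing the dangling controller.
Outcome setupAndCallJSUnprotected(Page& page, Ledger& ledger, const Script& script) {
    Frame* frame = page.document().frame();
    if (!frame) return Outcome::NoFrame;
    ScriptController& controller = frame->script();
    script(page);                                  // may destroy the frame (and controller)
    if (ledger.frameDestroyed) return Outcome::DanglingController;
    controller.finishCall();
    return Outcome::Ok;
}

// Post-fix shape, mirroring `Ref protectedFrame = *document().frame();`: the Ref
// pins the frame (hence the controller) until the function returns.
Outcome setupAndCallJSProtected(Page& page, Ledger& ledger, const Script& script) {
    Frame* frame = page.document().frame();
    if (!frame) return Outcome::NoFrame;           // explicit null check (the real hunk relies on callers)
    Ref<Frame> protectedFrame(*frame);
    ScriptController& controller = protectedFrame->script();
    script(page);                                  // detaches, but our Ref keeps the frame alive
    if (ledger.frameDestroyed) return Outcome::DanglingController;   // unreachable now
    controller.finishCall();
    return Outcome::Ok;
}   // protectedFrame released here: a detached frame dies now, after its last use

struct Result { Outcome outcome; bool frameDestroyedOnReturn; int liveUses; };

// Runs one variant against a script that removes the frame mid-execution.
Result runHostileScript(bool protect) {
    Ledger ledger;
    Page page(ledger);
    Script hostile = [](Page& p) { p.detachFrame(); };
    Outcome o = protect ? setupAndCallJSProtected(page, ledger, hostile)
                        : setupAndCallJSUnprotected(page, ledger, hostile);
    return { o, ledger.frameDestroyed, ledger.usesOnLiveController };
}

int main() {
    Result before = runHostileScript(false), after = runHostileScript(true);
    std::printf("unprotected: dangling=%d liveUses=%d\n", before.outcome == Outcome::DanglingController, before.liveUses);
    std::printf("protected: ok=%d liveUses=%d destroyedOnReturn=%d\n", after.outcome == Outcome::Ok, after.liveUses, after.frameDestroyedOnReturn);
    return 0;
}
```

The point the model makes is the one the commit message states: the `Ref` does not stop script from detaching the frame, it only defers destruction until the caller's last use, so the post-script work runs against a live controller and the frame is freed on scope exit instead of mid-call.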
Modified Paths
Added Paths
Diff
Modified: branches/safari-612.4.9.3-branch/LayoutTests/ChangeLog (287750 => 287751)
--- branches/safari-612.4.9.3-branch/LayoutTests/ChangeLog 2022-01-07 17:17:58 UTC (rev 287750)
+++ branches/safari-612.4.9.3-branch/LayoutTests/ChangeLog 2022-01-07 17:19:18 UTC (rev 287751)
@@ -1,3 +1,50 @@
+2022-01-07 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r287604. rdar://problem/85966622
+
+ Protect frame from destruction in HTMLMediaElement::setupAndCallJS
+ https://bugs.webkit.org/show_bug.cgi?id=234259
+
+ Patch by Frédéric Wang <fw...@igalia.com> on 2022-01-04
+ Reviewed by Darin Adler.
+
+ Source/WebCore:
+
+ Test: http/tests/media/media-element-frame-destroyed-crash.html
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
+ so that it is not destroyed before its associated ScriptController.
+
+ LayoutTests:
+
+ Add non-regression test, embedded in multiple iframes to make regression easily reproducible.
+
+ * http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
+ to make the non-regression test work properly.
+ * http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
+ * http/tests/media/media-element-frame-destroyed-crash.html: Added.
+ * http/tests/media/resources/empty.ts: Added.
+ * http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@287604 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-01-04 Frédéric Wang <fw...@igalia.com>
+
+ Protect frame from destruction in HTMLMediaElement::setupAndCallJS
+ https://bugs.webkit.org/show_bug.cgi?id=234259
+
+ Reviewed by Darin Adler.
+
+ Add non-regression test, embedded in multiple iframes to make regression easily reproducible.
+
+ * http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
+ to make the non-regression test work properly.
+ * http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
+ * http/tests/media/media-element-frame-destroyed-crash.html: Added.
+ * http/tests/media/resources/empty.ts: Added.
+ * http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.
+
2022-01-06 Russell Epstein <repst...@apple.com>
Apply patch. rdar://problem/87125345
Modified: branches/safari-612.4.9.3-branch/LayoutTests/http/conf/mime.types (287750 => 287751)
--- branches/safari-612.4.9.3-branch/LayoutTests/http/conf/mime.types 2022-01-07 17:17:58 UTC (rev 287750)
+++ branches/safari-612.4.9.3-branch/LayoutTests/http/conf/mime.types 2022-01-07 17:19:18 UTC (rev 287751)
@@ -578,7 +578,7 @@
video/jpeg
video/mp1s
video/mp2p
-video/mp2t
+video/mp2t ts
video/mp4 mp4
video/mp4v-es
video/mpv
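Review bot: this edits the mime map shared by every test under http/, so any existing test that requested a `.ts` resource and relied on whatever type the server previously fell back to will now get `video/mp2t`; a grep of LayoutTests/http for `.ts` references before landing would confirm nothing else changes behaviour. The added `video/mp2t ts` line itself follows the file's `type ext` layout used by `video/mp4 mp4` just below it.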
Added: branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt (0 => 287751)
--- branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt (rev 0)
+++ branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash-expected.txt 2022-01-07 17:19:18 UTC (rev 287751)
@@ -0,0 +1,3 @@
+This test PASS if it does not CRASH.
+
+
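Review bot: "This test PASS if it does not CRASH." should read "This test passes if it does not crash."; since the same sentence is emitted by the `<p>` in media-element-frame-destroyed-crash.html, both files need the change together or the expected output stops matching.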
Added: branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html (0 => 287751)
--- branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html (rev 0)
+++ branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/media-element-frame-destroyed-crash.html 2022-01-07 17:19:18 UTC (rev 287751)
@@ -0,0 +1,12 @@
+<script>
+ _onload_ = () => {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ for (let i = 5; i; i--) {
+ let iframe = document.createElement('iframe');
+ iframe.src = '';
+ document.body.appendChild(iframe);
+ }
+ }
+</script>
+<p>This test PASS if it does not CRASH.</p>
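Review bot: as rendered here the handler is assigned to `_onload_`, not `onload`, and each iframe gets `iframe.src = ''`, so nothing in this file loads the subframe the ChangeLog lists (resources/media-element-frame-destroyed-crash-subframe.html); if those are not artefacts of the mail rendering, the test body never runs and it passes trivially. Separately, the subframe ends with `parent.postMessage('done')` but this page registers no message listener and never calls `testRunner.waitUntilDone()`, so the test finishes at the top-level load event regardless of how far the five subframes got. If the crash depends on the subframes reaching `execCommand`, count the five `done` messages and call `testRunner.notifyDone()` after the last one; if the crash is instead provoked by tearing down still-loading frames, a comment saying so would save the next reader from "fixing" it.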
Added: branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/resources/empty.ts ( => )
Added: branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html
===================================================================
--- branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html (rev 0)
+++ branches/safari-612.4.9.3-branch/LayoutTests/http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html 2022-01-07 17:19:18 UTC (rev 287751)
@@ -0,0 +1,17 @@
+<script>
+ _onload_ = async () => {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ let embed0 = document.createElement('embed');
+ embed0.src = '';
+ document.body.appendChild(embed0);
+ await new Blob().text();
+ try {
+ await new FontFace('a', 'url(data:)').load();
+ } catch {}
+ document.designMode = 'on';
+ document.execCommand('SelectAll');
+ document.execCommand('Bold');
+ parent.postMessage('done');
+ };
+</script>
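Review bot: `embed0.src = ''` never requests resources/empty.ts, so as shown the `video/mp2t` mapping added to mime.types is unused and no media element is created by this subframe; confirm the intended path survived. Even with the path in place, the Blob/FontFace/designMode/execCommand sequence gives no hint of why it reaches HTMLMediaElement::setupAndCallJS while the frame is being destroyed; a one-line comment tying each step to the race (which awaits yield to the parent's frame churn, and which `execCommand` triggers the JS setup) is worth adding, because a reduced fuzzer case with no explanation tends to be rewritten away the next time the file is touched.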
Modified: branches/safari-612.4.9.3-branch/Source/WebCore/ChangeLog (287750 => 287751)
--- branches/safari-612.4.9.3-branch/Source/WebCore/ChangeLog 2022-01-07 17:17:58 UTC (rev 287750)
+++ branches/safari-612.4.9.3-branch/Source/WebCore/ChangeLog 2022-01-07 17:19:18 UTC (rev 287751)
@@ -1,3 +1,47 @@
+2022-01-07 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r287604. rdar://problem/85966622
+
+ Protect frame from destruction in HTMLMediaElement::setupAndCallJS
+ https://bugs.webkit.org/show_bug.cgi?id=234259
+
+ Patch by Frédéric Wang <fw...@igalia.com> on 2022-01-04
+ Reviewed by Darin Adler.
+
+ Source/WebCore:
+
+ Test: http/tests/media/media-element-frame-destroyed-crash.html
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
+ so that it is not destroyed before its associated ScriptController.
+
+ LayoutTests:
+
+ Add non-regression test, embedded in multiple iframes to make regression easily reproducible.
+
+ * http/conf/mime.types: Ensure that ts files are served with MIME type video/mp2t as that's required
+ to make the non-regression test work properly.
+ * http/tests/media/media-element-frame-destroyed-crash-expected.txt: Added.
+ * http/tests/media/media-element-frame-destroyed-crash.html: Added.
+ * http/tests/media/resources/empty.ts: Added.
+ * http/tests/media/resources/media-element-frame-destroyed-crash-subframe.html: Added.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@287604 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-01-04 Frédéric Wang <fw...@igalia.com>
+
+ Protect frame from destruction in HTMLMediaElement::setupAndCallJS
+ https://bugs.webkit.org/show_bug.cgi?id=234259
+
+ Reviewed by Darin Adler.
+
+ Test: http/tests/media/media-element-frame-destroyed-crash.html
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::setupAndCallJS): Protect the frame before executing the JS code,
+ so that it is not destroyed before its associated ScriptController.
+
2022-01-06 Russell Epstein <repst...@apple.com>
Apply patch. rdar://problem/87125345
Modified: branches/safari-612.4.9.3-branch/Source/WebCore/html/HTMLMediaElement.cpp (287750 => 287751)
--- branches/safari-612.4.9.3-branch/Source/WebCore/html/HTMLMediaElement.cpp 2022-01-07 17:17:58 UTC (rev 287750)
+++ branches/safari-612.4.9.3-branch/Source/WebCore/html/HTMLMediaElement.cpp 2022-01-07 17:19:18 UTC (rev 287751)
@@ -4397,7 +4397,8 @@
auto pendingActivity = makePendingActivity(*this);
auto& world = ensureIsolatedWorld();
- auto& scriptController = document().frame()->script();
+ Ref protectedFrame = *document().frame();
+ auto& scriptController = protectedFrame->script();
auto* globalObject = JSC::jsCast<JSDOMGlobalObject*>(scriptController.globalObject(world));
auto& vm = globalObject->vm();
JSC::JSLockHolder lock(vm);
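Review bot: `Ref protectedFrame = *document().frame();` still dereferences `document().frame()` with no null check in the hunk; this is not a regression, since the removed line did `document().frame()->script()` as well, but a detached document would crash here, so either an early return when `frame()` is null or an `ASSERT(document().frame())` documenting the caller's guarantee would make the precondition explicit. The `pendingActivity` above protects `this` but not the frame, which is exactly why the extra `Ref` is needed: once script runs, the JS can remove the iframe, and without the `Ref` the `ScriptController` reference (and the `globalObject`/`vm` obtained from it) would outlive the frame that owns them. A comment on the `Ref` line stating that JS can destroy the frame would keep the next refactor from "simplifying" it back.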
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes