Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 330e342c4a4defc428b538b927d388c00faec0da
https://github.com/WebKit/WebKit/commit/330e342c4a4defc428b538b927d388c00faec0da
Author: Youenn Fablet <[email protected]>
Date: 2026-04-15 (Wed, 15 Apr 2026)
Changed paths:
M Source/WebCore/platform/mock/MockRealtimeVideoSource.cpp
M Source/WebCore/platform/mock/MockRealtimeVideoSource.h
Log Message:
-----------
Use-after-free of MockRealtimeVideoSourceMac in
com.apple.WebKit.GPU.Development
https://bugs.webkit.org/show_bug.cgi?id=312354
rdar://174356166
Reviewed by Chris Dumez.
MockRealtimeVideoSource::m_emitFrameTimer is destroyed in the main thread while
it is firing in MockRealtimeVideoSource::m_runLoop.
This creates a race condition between the invalidation/destruction of the timer
(main thread) and its execution (in the run loop).
To prevent this issue, we make m_emitFrameTimer a unique_ptr so that we can, at
destruction time, hop to the run loop to destroy it.
* Source/WebCore/platform/mock/MockRealtimeVideoSource.cpp:
(WebCore::m_emitFrameTimer):
(WebCore::MockRealtimeVideoSource::~MockRealtimeVideoSource):
(WebCore::MockRealtimeVideoSource::applyFrameRateAndZoomWithPreset):
(WebCore::MockRealtimeVideoSource::startCaptureTimer):
(WebCore::MockRealtimeVideoSource::stopProducingData):
(WebCore::MockRealtimeVideoSource::setIsInterrupted):
* Source/WebCore/platform/mock/MockRealtimeVideoSource.h:
Canonical link: https://commits.webkit.org/311300@main
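The hand-off described in the log message, as an added example that is not part of the commit or of WebKit's code: `RunLoop`, `Timer` and `MockSource` are hypothetical stand-ins, and the owner's destructor releases its `unique_ptr` into a task so the timer is freed on the thread that runs it.

```cpp
#include <condition_variable>
#include <deque>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
class RunLoop { // hypothetical serial run loop (one worker thread), not WebKit's RunLoop
    std::mutex m_mutex;
    std::condition_variable m_condition;
    std::deque<std::function<void()>> m_tasks;
    std::thread m_thread; // declared last: the members above exist before run() starts
    void run() {
        for (;;) {
            std::unique_lock<std::mutex> lock(m_mutex);
            m_condition.wait(lock, [this] { return !m_tasks.empty(); });
            auto task = std::move(m_tasks.front());
            m_tasks.pop_front();
            lock.unlock();
            if (!task) return; // an empty task is the quit signal
            task();
        }
    }
public:
    RunLoop() : m_thread([this] { run(); }) {}
    ~RunLoop() { dispatch(nullptr); m_thread.join(); } // quit after already-queued work
    void dispatch(std::function<void()> task) {
        { std::lock_guard<std::mutex> lock(m_mutex); m_tasks.push_back(std::move(task)); }
        m_condition.notify_one();
    }
    std::thread::id threadID() const { return m_thread.get_id(); }
};
struct Timer { // hypothetical timer stand-in; records which thread destroyed it
    std::thread::id* destroyedOn;
    ~Timer() { *destroyedOn = std::this_thread::get_id(); }
};
struct MockSource { // hypothetical owner, destroyed on a thread other than the run loop's
    MockSource(RunLoop& loop, std::thread::id* out) : m_loop(loop), m_timer(new Timer { out }) {}
    // Hop to the run loop: the delete is queued as a task and runs on the loop thread.
    ~MockSource() { m_loop.dispatch([t = m_timer.release()] { delete t; }); }
    RunLoop& m_loop;
    std::unique_ptr<Timer> m_timer;
};
bool timerDestroyedOnRunLoop() {
    std::thread::id destroyedOn;
    auto loop = std::make_unique<RunLoop>();
    const auto loopThread = loop->threadID();
    { MockSource source(*loop, &destroyedOn); } // the source itself dies on the calling thread
    loop.reset(); // joins the worker, so its write to destroyedOn is visible here
    return destroyedOn == loopThread && destroyedOn != std::this_thread::get_id();
}
```

Because the loop runs one task at a time, the queued delete cannot overlap a callback that the same loop is executing.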