Crash in HTMLCanvasElement::createContext2d after the element got adopted to a new...
authorrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Apr 2019 20:04:37 +0000 (20:04 +0000)
committerrniwa@webkit.org <rniwa@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 3 Apr 2019 20:04:37 +0000 (20:04 +0000)
commit697f62678fc2522f172a85493294b88b380446a1
treedfc7943e50d26d4c755ccf32d378051de033dd4a
parent0e53e8fff2baaf646e5ef0757459ba872fa6e26e
Crash in HTMLCanvasElement::createContext2d after the element got adopted to a new document
https://bugs.webkit.org/show_bug.cgi?id=196527

Reviewed by Antti Koivisto.

We need to update CanvasBase::m_scriptExecutionContext when HTMLCanvasElement moves from
one document to another. Fixed the bug by making CanvasBase::scriptExecutionContext make
a virtual function call instead of directly storing a raw pointer. In HTMLCanvasElement,
we use Node::scriptExecutionContext(). Use ContextDestructionObserver in CustomPaintCanvas
and OffscreenCanvas instead of a raw pointer.

Unfortunately, no new tests since there is no reproducible test case.

* html/CanvasBase.cpp:
(WebCore::CanvasBase::CanvasBase):
* html/CanvasBase.h:
(WebCore::CanvasBase::scriptExecutionContext const):
* html/CustomPaintCanvas.cpp:
(WebCore::CustomPaintCanvas::CustomPaintCanvas):
* html/CustomPaintCanvas.h:
* html/HTMLCanvasElement.cpp:
(WebCore::HTMLCanvasElement::HTMLCanvasElement):
* html/HTMLCanvasElement.h:
* html/OffscreenCanvas.cpp:
(WebCore::OffscreenCanvas::OffscreenCanvas):
* html/OffscreenCanvas.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243820 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/html/CanvasBase.cpp
Source/WebCore/html/CanvasBase.h
Source/WebCore/html/CustomPaintCanvas.cpp
Source/WebCore/html/CustomPaintCanvas.h
Source/WebCore/html/HTMLCanvasElement.cpp
Source/WebCore/html/HTMLCanvasElement.h
Source/WebCore/html/OffscreenCanvas.cpp
Source/WebCore/html/OffscreenCanvas.h