CrashTracer beneath JSC::MarkedBlock::specializedSweep
author ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jun 2016 21:35:37 +0000 (21:35 +0000)
committer ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jun 2016 21:35:37 +0000 (21:35 +0000)
commit 6e147ab4c453129a2924c5a9e57c6dfc8c17143a
tree 44ee32d588c50df24b8e6a3d1db219a2faa5b811
parent 7522368830f02d3cb14c5bdb5abfb8bd8bf563c6
CrashTracer beneath JSC::MarkedBlock::specializedSweep
https://bugs.webkit.org/show_bug.cgi?id=159223

Reviewed by Saam Barati.

This crash is caused by a media element re-entering JS during the GC
sweep phase.

In theory, other CachedResourceClients in the DOM might also trigger
similar bugs, but our data only implicates the media elements, so this
fix targets them.

* html/HTMLDocument.h: Document has no reason to inherit from
CachedResourceClient. I found this because I had to search for all
CachedResourceClients in researching this patch.

* platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
(WebCore::WebCoreAVCFResourceLoader::invalidate): Delay our call to
stopLoading because it might re-enter JS, and we might have been called
by the GC sweep phase destroying a media element.

* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::invalidate): Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202590 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/html/HTMLDocument.h
Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp
Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm
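The hazard the message describes, as an added C++ illustration (this is not the WebKit patch; Heap, ResourceLoader, MediaElement and runSweep are invented stand-ins): a media element destroyed during the sweep calls invalidate(), which in the original behaviour stops loading synchronously and re-enters script while the sweep is still running. The patched variant queues the stop until the sweep has finished, and keeps the loader alive until the queued call runs, since its owner is being destroyed at that moment.

```cpp
// Added illustration, not code from the WebKit patch: a destructor that runs
// during a GC sweep must not synchronously call into code that may re-enter
// the script engine; queueing that call until the sweep is over avoids it.
// Every name below (Heap, ResourceLoader, MediaElement, runSweep) is invented.
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

struct MediaElement;

// Stand-in for the JS heap: knows whether a sweep is running and counts any
// attempt to run script while it is (the condition behind the crash).
struct Heap {
    bool sweeping = false;
    int reentriesDuringSweep = 0;
    std::vector<std::function<void()>> deferred; // work postponed past the sweep

    void enterScript() {
        if (sweeping)
            ++reentriesDuringSweep;
    }

    void sweep(std::vector<std::unique_ptr<MediaElement>>& dead);
};

// Stand-in for the media resource loader whose invalidate() the fix changes.
struct ResourceLoader : std::enable_shared_from_this<ResourceLoader> {
    Heap& heap;
    bool deferStop;      // false: original behaviour, true: patched behaviour
    bool stopped = false;

    ResourceLoader(Heap& h, bool defer) : heap(h), deferStop(defer) {}

    // Stopping notifies clients, which can run script.
    void stopLoading() {
        heap.enterScript();
        stopped = true;
    }

    void invalidate() {
        if (!deferStop) {
            stopLoading(); // re-enters script if we are inside a sweep
            return;
        }
        // Keep ourselves alive until the deferred call has run; the owning
        // element is being destroyed right now.
        auto self = shared_from_this();
        heap.deferred.push_back([self] { self->stopLoading(); });
    }
};

// Dying media element: its destructor invalidates the loader from inside the sweep.
struct MediaElement {
    std::shared_ptr<ResourceLoader> loader;
    ~MediaElement() { loader->invalidate(); }
};

void Heap::sweep(std::vector<std::unique_ptr<MediaElement>>& dead) {
    sweeping = true;
    dead.clear();                    // runs the destructors, as the sweep phase does
    sweeping = false;
    auto work = std::move(deferred); // drain only after the sweep has finished
    deferred.clear();
    for (auto& fn : work)
        fn();
}

struct Outcome {
    int reentriesDuringSweep;
    bool loaderStopped;
};

// Destroys one media element in a sweep and reports what happened.
Outcome runSweep(bool deferStop) {
    Heap heap;
    auto loader = std::make_shared<ResourceLoader>(heap, deferStop);
    std::vector<std::unique_ptr<MediaElement>> dead;
    dead.push_back(std::unique_ptr<MediaElement>(new MediaElement{loader}));
    heap.sweep(dead);
    return { heap.reentriesDuringSweep, loader->stopped };
}

int main() {
    Outcome before = runSweep(false);
    Outcome after = runSweep(true);
    std::printf("synchronous stop: re-entries during sweep = %d, stopped = %d\n",
                before.reentriesDuringSweep, before.loaderStopped);
    std::printf("deferred stop:    re-entries during sweep = %d, stopped = %d\n",
                after.reentriesDuringSweep, after.loaderStopped);
    return 0;
}
```

Both variants end with the loader stopped; the difference is only when the script-running work happens. The shared_ptr capture is the part worth copying: deferring a call out of a destructor is only safe if the callee is kept alive until the queued work runs.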