Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement

author acolwell@chromium.org <acolwell@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Wed, 6 Mar 2013 02:11:03 +0000 (02:11 +0000)

committer acolwell@chromium.org <acolwell@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>

Wed, 6 Mar 2013 02:11:03 +0000 (02:11 +0000)
author acolwell@chromium.org <acolwell@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 6 Mar 2013 02:11:03 +0000 (02:11 +0000)
committer acolwell@chromium.org <acolwell@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 6 Mar 2013 02:11:03 +0000 (02:11 +0000)
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog

index d2d7b79..04b8c2f 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2013-03-05  Aaron Colwell  <acolwell@chromium.org>
+
+        Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement
+        https://bugs.webkit.org/show_bug.cgi?id=110623
+
+        Reviewed by Eric Seidel.
+
+        * http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt: Added.
+        * http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html: Added.
+        * http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html: Added.
+
  2013-03-05  Chris Fleizach  <cfleizach@apple.com>
  
          AX: Support aria-posinset/setsize
diff --git a/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt b/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt

new file mode 100644 (file)

index 0000000..4dc1a53
--- /dev/null
+++ b/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt
@@ -0,0 +1 @@
+Test deleting a subframe from within its readystatechange event and garbage collecting right after removing the video element from the document. We pass if we don't crash.
diff --git a/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html b/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html

new file mode 100644 (file)

index 0000000..aa65bc4
--- /dev/null
+++ b/LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html
@@ -0,0 +1,15 @@
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function r()
+{
+    document.body.removeChild(document.getElementById("f"));
+    setTimeout(function() { testRunner.notifyDone();}, 0);
+}
+</script>
+Test deleting a subframe from within its readystatechange event and garbage collecting right after removing the video element from the document. 
+We pass if we don't crash.
+<iframe id="f" src="resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html"></iframe>
diff --git a/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html b/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html

new file mode 100644 (file)

index 0000000..9d7bc86
--- /dev/null
+++ b/LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html
@@ -0,0 +1,22 @@
+<html>
+<head>
+<script>
+i = 0;
+document.addEventListener('readystatechange', function() {
+    if (i == 1)
+        parent.r();
+    i++;
+});
+
+window.addEventListener('DOMContentLoaded', function() {
+    document.getElementById("v").load(); 
+    document.body.removeChild(document.getElementById("v"));
+    window.gc();
+});
+
+</script>
+</head>
+<body>
+<video id=v src=empty.ogv></video>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog

index a905d2f..cdf79f6 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2013-03-05  Aaron Colwell  <acolwell@chromium.org>
+
+        Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement
+        https://bugs.webkit.org/show_bug.cgi?id=110623
+
+        Reviewed by Eric Seidel.
+
+        Test: http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html
+
+        * html/HTMLAudioElement.h:
+        (HTMLAudioElement):
+        * html/HTMLAudioElement.idl:
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::hasPendingActivity):
+        * html/HTMLMediaElement.idl:
+
  2013-03-05  Chris Fleizach  <cfleizach@apple.com>
   
          AX: Support aria-posinset/setsize
diff --git a/Source/WebCore/html/HTMLAudioElement.h b/Source/WebCore/html/HTMLAudioElement.h

index b9150f3..62c3cc0 100644 (file)
--- a/Source/WebCore/html/HTMLAudioElement.h
+++ b/Source/WebCore/html/HTMLAudioElement.h
@@ -39,8 +39,6 @@ public:
      static PassRefPtr<HTMLAudioElement> create(const QualifiedName&, Document*, bool);
      static PassRefPtr<HTMLAudioElement> createForJSConstructor(Document*, const String& src);
  
-    virtual bool hasPendingActivity() const { return isPlaying() || HTMLMediaElement::hasPendingActivity(); }
-
      virtual bool isActiveNode() const { return true; }
  
  private:
diff --git a/Source/WebCore/html/HTMLAudioElement.idl b/Source/WebCore/html/HTMLAudioElement.idl

index 9b3f8c6..d0feced 100644 (file)
--- a/Source/WebCore/html/HTMLAudioElement.idl
+++ b/Source/WebCore/html/HTMLAudioElement.idl
@@ -24,7 +24,6 @@
   */
  
  [
-    ActiveDOMObject,
      Conditional=VIDEO,
      NamedConstructor=Audio(in [Optional=DefaultIsNullString] DOMString src)
  ] interface HTMLAudioElement : HTMLMediaElement {
diff --git a/Source/WebCore/html/HTMLMediaElement.cpp b/Source/WebCore/html/HTMLMediaElement.cpp

index 1e89dfc..600ab35 100644 (file)
--- a/Source/WebCore/html/HTMLMediaElement.cpp
+++ b/Source/WebCore/html/HTMLMediaElement.cpp
@@ -3957,7 +3957,7 @@ void HTMLMediaElement::resume()
  
  bool HTMLMediaElement::hasPendingActivity() const
  {
-    return m_asyncEventQueue->hasPendingEvents();
+    return (hasAudio() && isPlaying()) || m_asyncEventQueue->hasPendingEvents();
  }
  
  void HTMLMediaElement::mediaVolumeDidChange()
diff --git a/Source/WebCore/html/HTMLMediaElement.idl b/Source/WebCore/html/HTMLMediaElement.idl

index 5ebf447..939452d 100644 (file)
--- a/Source/WebCore/html/HTMLMediaElement.idl
+++ b/Source/WebCore/html/HTMLMediaElement.idl
@@ -25,7 +25,8 @@
  
  [
      Conditional=VIDEO,
-    JSGenerateToNativeObject
+    JSGenerateToNativeObject,
+    ActiveDOMObject
  ] interface HTMLMediaElement : HTMLElement {
  
  // error state
author	acolwell@chromium.org <acolwell@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 6 Mar 2013 02:11:03 +0000 (02:11 +0000)
committer	acolwell@chromium.org <acolwell@chromium.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 6 Mar 2013 02:11:03 +0000 (02:11 +0000)
LayoutTests/ChangeLog		patch \| blob \| history
LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt	[new file with mode: 0644]	patch \| blob
LayoutTests/http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html	[new file with mode: 0644]	patch \| blob
LayoutTests/http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html	[new file with mode: 0644]	patch \| blob
Source/WebCore/ChangeLog		patch \| blob \| history
Source/WebCore/html/HTMLAudioElement.h		patch \| blob \| history
Source/WebCore/html/HTMLAudioElement.idl		patch \| blob \| history
Source/WebCore/html/HTMLMediaElement.cpp		patch \| blob \| history
Source/WebCore/html/HTMLMediaElement.idl		patch \| blob \| history