Crash under WebCore::EventTarget::fireEventListeners
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Feb 2018 21:06:34 +0000 (21:06 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 16 Feb 2018 21:06:34 +0000 (21:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=182880
<rdar://problem/20788804>

Reviewed by Youenn Fablet.

Source/WebCore:

Make sure the 'ended' event does not get dispatched on an
AudioScheduledSourceNode after ActiveDOMObjects have been stopped.

Test: webaudio/audiobuffersource-ended-detached-frame.html

* Modules/webaudio/AudioScheduledSourceNode.cpp:
(WebCore::AudioScheduledSourceNode::finish):

LayoutTests:

Add layout test coverage.

* webaudio/audiobuffersource-ended-detached-frame-expected.txt: Added.
* webaudio/audiobuffersource-ended-detached-frame.html: Added.
* webaudio/resources/audiobuffersource-ended-detached-frame-iframe.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@228574 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/webaudio/audiobuffersource-ended-detached-frame-expected.txt [new file with mode: 0644]
LayoutTests/webaudio/audiobuffersource-ended-detached-frame.html [new file with mode: 0644]
LayoutTests/webaudio/resources/audiobuffersource-ended-detached-frame-iframe.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/Modules/webaudio/AudioScheduledSourceNode.cpp

index be437b4..d649a6b 100644 (file)
@@ -1,3 +1,17 @@
+2018-02-16  Chris Dumez  <cdumez@apple.com>
+
+        Crash under WebCore::EventTarget::fireEventListeners
+        https://bugs.webkit.org/show_bug.cgi?id=182880
+        <rdar://problem/20788804>
+
+        Reviewed by Youenn Fablet.
+
+        Add layout test coverage.
+
+        * webaudio/audiobuffersource-ended-detached-frame-expected.txt: Added.
+        * webaudio/audiobuffersource-ended-detached-frame.html: Added.
+        * webaudio/resources/audiobuffersource-ended-detached-frame-iframe.html: Added.
+
 2018-02-16  Jiewen Tan  <jiewen_tan@apple.com>
 
         [WebAuthN] Implement PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
diff --git a/LayoutTests/webaudio/audiobuffersource-ended-detached-frame-expected.txt b/LayoutTests/webaudio/audiobuffersource-ended-detached-frame-expected.txt
new file mode 100644 (file)
index 0000000..5055972
--- /dev/null
@@ -0,0 +1,9 @@
+Test that we do not crash when trying to fire an 'ended' event at a audiobuffersource node in a detached frame.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/webaudio/audiobuffersource-ended-detached-frame.html b/LayoutTests/webaudio/audiobuffersource-ended-detached-frame.html
new file mode 100644 (file)
index 0000000..9005a60
--- /dev/null
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<head>
+    <script src="../resources/js-test.js"></script>
+    <script>
+        function runTest()
+        {
+            description("Test that we do not crash when trying to fire an 'ended' event at a audiobuffersource node in a detached frame.");
+            jsTestIsAsync = true;
+
+            frame = document.createElement("iframe");
+            frame.src = "resources/audiobuffersource-ended-detached-frame-iframe.html";
+            frame.onload = function() {
+                frame.contentWindow.runTest();
+                frame.remove();
+                setTimeout(function() {
+                    finishJSTest();
+                }, 10);
+            };
+            document.body.appendChild(frame);
+        }
+    </script>
+</head>
+<body onload="runTest()">
+</body>
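Review bot: The fixed 10 ms `setTimeout` before `finishJSTest()` makes this test timing-dependent. If the offline render started by `frame.contentWindow.runTest()` has not finished and queued its 'ended' task within that window, the test prints PASS without ever reaching the dispatch path it is meant to cover. Please either finish on something that is known to happen after rendering completes, or add a comment explaining why 10 ms is sufficient for the 32-frame buffer used in the iframe. Separately, `frame` is assigned without `var`, so it becomes an implicit global; declaring it locally in `runTest()` would be cleaner.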
diff --git a/LayoutTests/webaudio/resources/audiobuffersource-ended-detached-frame-iframe.html b/LayoutTests/webaudio/resources/audiobuffersource-ended-detached-frame-iframe.html
new file mode 100644 (file)
index 0000000..6e93a99
--- /dev/null
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src="audio-testing.js"></script>
+<script src="audiobuffersource-testing.js"></script>
+<script>
+    var context;
+    var source;
+
+    function runTest()
+    {
+        var sampleRate = 44100.0;
+        var numberOfFrames = 32;
+        context = new webkitOfflineAudioContext(1, numberOfFrames, sampleRate);
+        source = context.createBufferSource();
+        source.buffer = createTestBuffer(context, numberOfFrames);
+        source.connect(context.destination);
+        source.onended = function()
+        {
+        }
+        source.start(0);
+        context.startRendering();
+    }
+</script>
+</body>
+</html>
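Review bot: The empty `source.onended` handler needs a comment, since it looks like dead code but is what makes the test meaningful. `AudioScheduledSourceNode::finish()` only attempts to dispatch 'ended' when `m_hasEndedListener` is set, so without a registered listener the test would skip the code being fixed. A one-line comment above the assignment saying that the listener exists solely to make finish() schedule the event would stop someone from removing it later. The function expression is also missing its trailing semicolon.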
index 028cdf4..eea159d 100644 (file)
@@ -1,3 +1,19 @@
+2018-02-16  Chris Dumez  <cdumez@apple.com>
+
+        Crash under WebCore::EventTarget::fireEventListeners
+        https://bugs.webkit.org/show_bug.cgi?id=182880
+        <rdar://problem/20788804>
+
+        Reviewed by Youenn Fablet.
+
+        Make sure the 'ended' event does not get dispatched on a
+        AudioScheduledSourceNode after ActiveDOMObjects have been stopped.
+
+        Test: webaudio/audiobuffersource-ended-detached-frame.html
+
+        * Modules/webaudio/AudioScheduledSourceNode.cpp:
+        (WebCore::AudioScheduledSourceNode::finish):
+
 2018-02-16  Jiewen Tan  <jiewen_tan@apple.com>
 
         [WebAuthN] Implement PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
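Review bot: This entry states the outcome ("does not get dispatched ... after ActiveDOMObjects have been stopped") but not the mechanism, and nothing is written under the `(WebCore::AudioScheduledSourceNode::finish):` line. Since the fix replaces `callOnMainThread` with `scriptExecutionContext->postTask` and re-checks `scriptExecutionContext()` inside the task, a sentence saying so would let someone reading the ChangeLog understand why the crash under `EventTarget::fireEventListeners` goes away without opening the diff.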
index 8036fd9..74edaca 100644 (file)
@@ -33,6 +33,7 @@
 #include "Event.h"
 #include "EventNames.h"
 #include "ScriptController.h"
+#include "ScriptExecutionContext.h"
 #include <algorithm>
 #include <wtf/MathExtras.h>
 
@@ -166,11 +167,20 @@ void AudioScheduledSourceNode::finish()
         context().decrementActiveSourceCount();
     }
 
-    if (m_hasEndedListener) {
-        callOnMainThread([protectedThis = makeRef(*this)] () mutable {
-            protectedThis->dispatchEvent(Event::create(eventNames().endedEvent, false, false));
-        });
-    }
+    if (!m_hasEndedListener)
+        return;
+
+    auto* scriptExecutionContext = this->scriptExecutionContext();
+    if (!scriptExecutionContext)
+        return;
+
+    scriptExecutionContext->postTask([this, protectedThis = makeRef(*this)] (auto&) {
+        // Make sure ActiveDOMObjects have not been stopped after scheduling this task.
+        if (!this->scriptExecutionContext())
+            return;
+
+        this->dispatchEvent(Event::create(eventNames().endedEvent, false, false));
+    });
 }
 
 bool AudioScheduledSourceNode::addEventListener(const AtomicString& eventType, Ref<EventListener>&& listener, const AddEventListenerOptions& options)
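Review bot: In `finish()`, `this->scriptExecutionContext()` is now read and `postTask` is called synchronously, whereas the removed code did nothing but hop threads via `callOnMainThread`. That hop suggests finish() can run off the main thread, so please confirm that reading `scriptExecutionContext()` and calling `postTask` from that thread is safe, or note in a comment that it is. Two smaller points: the comment inside the task talks about ActiveDOMObjects being stopped while the check is `!this->scriptExecutionContext()`, so it would help to say that the context is null once the object has been stopped or detached. The lambda also captures both `this` and `protectedThis`; using `protectedThis->` for both calls would make the lifetime guarantee explicit and drop the raw capture.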