CrashTracer beneath JSC::MarkedBlock::specializedSweep
author: ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jun 2016 21:35:37 +0000 (21:35 +0000)
committer: ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jun 2016 21:35:37 +0000 (21:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=159223

Reviewed by Saam Barati.

This crash is caused by a media element re-entering JS during the GC
sweep phase.

In theory, other CachedResourceClients in the DOM might also trigger
similar bugs, but our data only implicates the media elements, so this
fix targets them.

* html/HTMLDocument.h: Document has no reason to inherit from
CachedResourceClient. I found this because I had to search for all
CachedResourceClients in researching this patch.

* platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
(WebCore::WebCoreAVCFResourceLoader::invalidate): Delay our call to
stopLoading because it might re-enter JS, and we might have been called
by the GC sweep phase destroying a media element.

* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::invalidate): Ditto.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202590 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/html/HTMLDocument.h
Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp
Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm
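The hazard and the fix described in the commit message, reduced to a stand-alone toy model (added example, not WebKit code): `VM`, `Loader` and `MediaElementCell` are invented stand-ins, a `std::deque` of tasks plays the part of `callOnMainThread`, and `std::shared_ptr` plays the part of `Ref<>` holding the loader alive until the deferred `stopLoading()` runs.

```cpp
#include <deque>
#include <functional>
#include <memory>
// Toy model of this commit's hazard (added example, not WebKit code): a VM sweeps dead
// cells, a dying cell calls Loader::invalidate(), and stopLoading() may re-enter JS.
struct VM {
    bool sweeping = false;
    int violations = 0; // times JS was entered during sweep (the crash condition)
    int stops = 0;      // times stopLoading() ran
    std::deque<std::function<void()>> mainThreadQueue; // stands in for callOnMainThread
    void runJS() { if (sweeping) ++violations; }
    void drainMainThread() { // each task's captured ref dies after the task runs
        while (!mainThreadQueue.empty()) { auto t = std::move(mainThreadQueue.front()); mainThreadQueue.pop_front(); t(); }
    }
};
struct Loader : std::enable_shared_from_this<Loader> {
    VM& vm;
    bool hasParent = true;
    explicit Loader(VM& v) : vm(v) {}
    void stopLoading() { ++vm.stops; vm.runJS(); }                // may re-enter JS
    void invalidateUnsafe() { hasParent = false; stopLoading(); } // before the patch
    void invalidateDeferred() {                                   // after the patch
        if (!hasParent) return;                                   // idempotent early return
        hasParent = false;
        auto protectedThis = shared_from_this();                  // plays the role of Ref<>
        vm.mainThreadQueue.push_back([protectedThis] { protectedThis->stopLoading(); });
    }
};
struct MediaElementCell { // GC cell that owns a loader and is destroyed during sweep
    std::shared_ptr<Loader> loader;
    bool deferred;
    MediaElementCell(std::shared_ptr<Loader> l, bool d) : loader(std::move(l)), deferred(d) {}
    ~MediaElementCell() { if (deferred) loader->invalidateDeferred(); else loader->invalidateUnsafe(); }
};
struct SweepResult { int violations; int stops; bool loaderAliveAfterSweep; };
// Sweeps one cell; with the fix, JS is not re-entered and the queued task keeps the
// loader alive until stopLoading() runs after the sweep.
SweepResult sweepOneCell(bool deferred) {
    VM vm;
    auto loader = std::make_shared<Loader>(vm);
    std::weak_ptr<Loader> watch = loader;
    auto cell = std::make_unique<MediaElementCell>(std::move(loader), deferred);
    vm.sweeping = true;
    cell.reset();                  // sweep phase: the cell's destructor runs here
    vm.sweeping = false;
    bool alive = !watch.expired(); // true only if a queued task kept the loader alive
    vm.drainMainThread();          // deferred stopLoading() runs after the sweep
    return {vm.violations, vm.stops, alive};
}
```

`sweepOneCell(false)` reproduces the pre-patch behaviour (JS entered during the sweep), while `sweepOneCell(true)` shows the patched behaviour: no re-entry, the loader outlives the sweep, and the stop still happens once.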

index 15180ef..63bef20 100644 (file)
@@ -1,3 +1,29 @@
+2016-06-28  Geoffrey Garen  <ggaren@apple.com>
+
+        CrashTracer beneath JSC::MarkedBlock::specializedSweep
+        https://bugs.webkit.org/show_bug.cgi?id=159223
+
+        Reviewed by Saam Barati.
+
+        This crash is caused by a media element re-entering JS during the GC
+        sweep phase.
+
+        In theory, other CachedResourceClients in the DOM might also trigger
+        similar bugs, but our data only implicates the media elements, so this
+        fix targets them.
+
+        * html/HTMLDocument.h: Document has no reason to inherit from
+        CachedResourceClient. I found this becuase I had to search for all
+        CachedResourceClients in researching this patch.
+
+        * platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
+        (WebCore::WebCoreAVCFResourceLoader::invalidate): Delay our call to
+        stopLoading because it might re-enter JS, and we might have been called
+        by the GC sweep phase destroying a media element.
+
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+        (WebCore::WebCoreAVFResourceLoader::invalidate): Ditto.
+
 2016-06-28  Saam Barati  <sbarati@apple.com>
 
         some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
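Review bot: Typo in the new html/HTMLDocument.h entry, "becuase" should read "because"; otherwise the ChangeLog entries match the code changes in the other three hunks.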
index 9003f6d..cff8d62 100644 (file)
 #ifndef HTMLDocument_h
 #define HTMLDocument_h
 
-#include "CachedResourceClient.h"
 #include "Document.h"
 #include <wtf/HashCountedSet.h>
 
 namespace WebCore {
 
-class HTMLDocument : public Document, public CachedResourceClient {
+class HTMLDocument : public Document {
 public:
     static Ref<HTMLDocument> create(Frame* frame, const URL& url)
     {
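Review bot: Dropping the CachedResourceClient base from HTMLDocument is only safe if nothing in the class still overrides a client callback or registers the document with a CachedResource; the hunk shows only the include and base class going away, so please confirm the rest of HTMLDocument has no method that was previously acting as an override (one marked `override` would fail to compile, but a plain method with a matching name would silently stop being called).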
index e013c66..67c3d57 100644 (file)
@@ -99,8 +99,14 @@ void WebCoreAVCFResourceLoader::stopLoading()
 
 void WebCoreAVCFResourceLoader::invalidate()
 {
+    if (!m_parent)
+        return;
+
     m_parent = nullptr;
-    stopLoading();
+
+    callOnMainThread([protectedThis = Ref<WebCoreAVCFResourceLoader>(*this)] () mutable {
+        protectedThis->stopLoading();
+    });
 }
 
 void WebCoreAVCFResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse& response)
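Review bot: Between clearing m_parent and the deferred stopLoading() actually running, the loader is still a registered CachedResourceClient, so callbacks such as responseReceived (just below) can arrive with m_parent == nullptr; confirm each callback null-checks m_parent before dereferencing it. The early return makes invalidate() idempotent, and protectedThis keeps the loader alive until the main-thread task runs, which is what lets the destructor path avoid re-entering JS during the sweep; a one-line comment at the callOnMainThread call saying why the stop is deferred would stop a future reader from "simplifying" it back to a synchronous call.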
index 782fc1f..9269fe1 100644 (file)
@@ -96,8 +96,14 @@ void WebCoreAVFResourceLoader::stopLoading()
 
 void WebCoreAVFResourceLoader::invalidate()
 {
+    if (!m_parent)
+        return;
+
     m_parent = nullptr;
-    stopLoading();
+
+    callOnMainThread([protectedThis = Ref<WebCoreAVFResourceLoader>(*this)] () mutable {
+        protectedThis->stopLoading();
+    });
 }
 
 void WebCoreAVFResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse& response)
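Review bot: Same points as for the CF loader: CachedResourceClient callbacks can still fire with m_parent null before the deferred stopLoading() runs, and the deferral deserves an explanatory comment. Since the two invalidate() bodies are now identical, consider moving the deferred-stop logic into a shared helper rather than keeping two copies that have to be kept in sync.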