CRASH in WebCore::VideoFullscreenInterfaceMac::~VideoFullscreenInterfaceMac()
authorjer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jun 2018 20:06:40 +0000 (20:06 +0000)
committerjer.noble@apple.com <jer.noble@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Jun 2018 20:06:40 +0000 (20:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186892

Reviewed by Eric Carlson.

Protect against m_contextMap being mutated while its contents are being invalidated
by moving the map into a local variable and iterating over it instead.

* UIProcess/Cocoa/PlaybackSessionManagerProxy.mm:
(WebKit::PlaybackSessionManagerProxy::invalidate):
* UIProcess/Cocoa/VideoFullscreenManagerProxy.mm:
(WebKit::VideoFullscreenManagerProxy::invalidate):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233091 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebKit/ChangeLog
Source/WebKit/UIProcess/Cocoa/PlaybackSessionManagerProxy.mm
Source/WebKit/UIProcess/Cocoa/VideoFullscreenManagerProxy.mm

index 4e77690..e8e10ff 100644 (file)
@@ -1,3 +1,18 @@
+2018-06-21  Jer Noble  <jer.noble@apple.com>
+
+        CRASH in WebCore::VideoFullscreenInterfaceMac::~VideoFullscreenInterfaceMac()
+        https://bugs.webkit.org/show_bug.cgi?id=186892
+
+        Reviewed by Eric Carlson.
+
+        Protect against m_contentMap being mutated while its contents are being invalidated
+        by moving the map into a local variable and iterating over it instead.
+
+        * UIProcess/Cocoa/PlaybackSessionManagerProxy.mm:
+        (WebKit::PlaybackSessionManagerProxy::invalidate):
+        * UIProcess/Cocoa/VideoFullscreenManagerProxy.mm:
+        (WebKit::VideoFullscreenManagerProxy::invalidate):
+
 2018-06-22  Luming Yin  <luming_yin@apple.com>
 
         Expose colorFilterEnabled SPI in WKPreferencesPrivate.h
index adb8e63..f4c7066 100644 (file)
@@ -303,16 +303,16 @@ void PlaybackSessionManagerProxy::invalidate()
     m_page->process().removeMessageReceiver(Messages::PlaybackSessionManagerProxy::messageReceiverName(), m_page->pageID());
     m_page = nullptr;
 
-    for (auto& tuple : m_contextMap.values()) {
+    auto contextMap = WTFMove(m_contextMap);
+    m_clientCounts.clear();
+
+    for (auto& tuple : contextMap.values()) {
         RefPtr<PlaybackSessionModelContext> model;
         RefPtr<PlatformPlaybackSessionInterface> interface;
         std::tie(model, interface) = tuple;
 
         interface->invalidate();
     }
-
-    m_contextMap.clear();
-    m_clientCounts.clear();
 }
 
 PlaybackSessionManagerProxy::ModelInterfaceTuple PlaybackSessionManagerProxy::createModelAndInterface(uint64_t contextId)
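Review bot: The ordering introduced at the `auto contextMap = WTFMove(m_contextMap);` line is load-bearing but undocumented: the move must precede the loop precisely because `interface->invalidate()` can apparently re-enter this proxy and mutate `m_contextMap`, and nothing stops a later edit from "simplifying" it back to iterating the member. A one-line comment above the move, `// Move the map out before iterating: interface->invalidate() may re-enter this proxy and mutate m_contextMap.`, would pin the intent; the same applies to the identical change in VideoFullscreenManagerProxy::invalidate. Note also that any re-entrant path now sees an empty `m_contextMap` and a null `m_page`, so lookups by contextId during the loop return nothing — if any such path dereferences the lookup result or `m_page` without a null check it would fail there instead, which is worth confirming since the re-entrant callers are not visible here. The local `contextMap` also keeps every model and interface alive until the end of `invalidate()`, so their destructors now run after `m_clientCounts` is cleared; that seems intended given the crash being fixed. `invalidate()`'s opening brace lies outside this hunk.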
index ec08b3f..dc3b207 100644 (file)
@@ -308,7 +308,10 @@ void VideoFullscreenManagerProxy::invalidate()
     m_page->process().removeMessageReceiver(Messages::VideoFullscreenManagerProxy::messageReceiverName(), m_page->pageID());
     m_page = nullptr;
 
-    for (auto& tuple : m_contextMap.values()) {
+    auto contextMap = WTFMove(m_contextMap);
+    m_clientCounts.clear();
+
+    for (auto& tuple : contextMap.values()) {
         RefPtr<VideoFullscreenModelContext> model;
         RefPtr<PlatformVideoFullscreenInterface> interface;
         std::tie(model, interface) = tuple;
@@ -317,9 +320,6 @@ void VideoFullscreenManagerProxy::invalidate()
         [model->layerHostView() removeFromSuperview];
         model->setLayerHostView(nullptr);
     }
-
-    m_contextMap.clear();
-    m_clientCounts.clear();
 }
 
 void VideoFullscreenManagerProxy::requestHideAndExitFullscreen()