[webkit-changes] [WebKit/WebKit] 4b6edc: Crash under WebCore::JSRequestAnimationFrameCallba...
Chris Dumez
noreply at github.com
Mon Jul 31 10:45:13 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4b6edc53e68ce12d8b4d0e89704aab3793a221be
https://github.com/WebKit/WebKit/commit/4b6edc53e68ce12d8b4d0e89704aab3793a221be
Author: Chris Dumez <cdumez at apple.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt
A LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html
A LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html
M Source/WebCore/workers/WorkerAnimationController.cpp
Log Message:
-----------
Crash under WebCore::JSRequestAnimationFrameCallback::~JSRequestAnimationFrameCallback()
https://bugs.webkit.org/show_bug.cgi?id=258058
rdar://110530772
Reviewed by Ryosuke Niwa.
JSRequestAnimationFrameCallback objects were outliving the VM and thus using the VM
after free in their destructor. A JS wrapper should never outlive the VM.
JSRequestAnimationFrameCallback is a subclass of RequestAnimationFrameCallback,
whose instances were being kept alive by the WorkerAnimationController via its
m_animationCallbacks vector.
To address the issue, WorkerAnimationController now clears m_animationCallbacks
in stop(), which gets called when the global scope (and thus the VM) is about
to go away.
* LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt: Added.
* LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html: Added.
* LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html: Added.
* Source/WebCore/workers/WorkerAnimationController.cpp:
(WebCore::WorkerAnimationController::stop):
Originally-landed-as: 259548.833 at safari-7615-branch (c60c40574fc5). rdar://110530772
Canonical link: https://commits.webkit.org/266430@main
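The lifetime ordering described in the commit message, modelled as an added C++ example that is not WebKit's code: `VM`, `Wrapper` and `Controller` are stand-ins for JSC::VM, the JSRequestAnimationFrameCallback wrapper and WorkerAnimationController, and the `DestructionLog` counters exist only so the two orderings can be compared without crashing. The model runs the shutdown once without the stop() clearing (pending callbacks destroyed after the VM) and once with it (callbacks destroyed while the VM is still alive).

```cpp
// Added illustration, not WebKit code: models the lifetime ordering described in the
// commit message. `VM` stands in for JSC::VM, `Wrapper` for the JS wrapper
// (JSRequestAnimationFrameCallback) and `Controller` for WorkerAnimationController.
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

struct VM {
    int wrapperCount = 0;   // state the wrapper touches in its destructor
};

// Records, per simulation, whether each wrapper found its VM alive when destroyed.
struct DestructionLog {
    int destroyedWithLiveVM = 0;   // safe: the VM still exists
    int destroyedAfterVM = 0;      // the bug: the destructor would touch a dead VM
};

class Wrapper {
public:
    Wrapper(std::weak_ptr<VM> vm, DestructionLog& log) : m_vm(std::move(vm)), m_log(log) {
        if (auto strong = m_vm.lock())
            strong->wrapperCount++;
    }
    ~Wrapper() {
        // The real wrapper dereferenced the VM unconditionally here; this model checks
        // the weak_ptr so the broken ordering is counted instead of crashing.
        if (auto strong = m_vm.lock()) {
            strong->wrapperCount--;
            m_log.destroyedWithLiveVM++;
        } else {
            m_log.destroyedAfterVM++;
        }
    }
private:
    std::weak_ptr<VM> m_vm;
    DestructionLog& m_log;
};

class Controller {
public:
    void requestAnimationFrame(std::unique_ptr<Wrapper> callback) {
        m_animationCallbacks.push_back(std::move(callback));
    }
    // The fix: drop pending callbacks while the global scope (and its VM) still exist.
    void stop() { m_animationCallbacks.clear(); }
private:
    std::vector<std::unique_ptr<Wrapper>> m_animationCallbacks;
};

// Simulates a worker shutting down. `callStop` selects the fixed ordering (true:
// stop() clears the callbacks before the VM dies) or the old one (false: pending
// callbacks survive until the controller itself is torn down, after the VM).
DestructionLog simulateWorkerShutdown(bool callStop) {
    DestructionLog log;
    auto controller = std::make_unique<Controller>();
    {
        auto vm = std::make_shared<VM>();
        controller->requestAnimationFrame(std::make_unique<Wrapper>(vm, log));
        controller->requestAnimationFrame(std::make_unique<Wrapper>(vm, log));
        if (callStop)
            controller->stop();
    }                       // VM destroyed here
    controller.reset();     // any callbacks still pending are destroyed after the VM
    return log;
}

int main() {
    DestructionLog before = simulateWorkerShutdown(false);
    DestructionLog after = simulateWorkerShutdown(true);
    std::printf("without stop(): %d wrappers destroyed after the VM\n", before.destroyedAfterVM);
    std::printf("with stop():    %d wrappers destroyed with a live VM\n", after.destroyedWithLiveVM);
    return 0;
}
```

The point of the model is that ownership alone does not fix the bug: the callbacks are owned correctly in both runs, but only the run that clears the vector at stop() destroys them before the object they depend on is gone.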