<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[202590] trunk/Source/WebCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/202590">202590</a></dd>
<dt>Author</dt> <dd>ggaren@apple.com</dd>
<dt>Date</dt> <dd>2016-06-28 14:35:37 -0700 (Tue, 28 Jun 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>CrashTracer beneath JSC::MarkedBlock::specializedSweep
https://bugs.webkit.org/show_bug.cgi?id=159223

Reviewed by Saam Barati.

This crash is caused by a media element re-entering JS during the GC
sweep phase.

In theory, other CachedResourceClients in the DOM might also trigger
similar bugs, but our data only implicates the media elements, so this
fix targets them.

* html/HTMLDocument.h: Document has no reason to inherit from
CachedResourceClient. I found this because I had to search for all
CachedResourceClients in researching this patch.

* platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
(WebCore::WebCoreAVCFResourceLoader::invalidate): Delay our call to
stopLoading because it might re-enter JS, and we might have been called
by the GC sweep phase destroying a media element.

* platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
(WebCore::WebCoreAVFResourceLoader::invalidate): Ditto.</pre>
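<p>The pattern the log message describes, as an added example that is not WebKit's code: teardown that may re-enter JS is not run from inside the sweep but queued for the next main-thread turn, with the loader kept alive until the queued task has run. The names here are hypothetical stand-ins: <code>callOnMainThread()</code> for WTF's function of the same name, <code>Loader</code> for WebCoreAVFResourceLoader, <code>std::shared_ptr</code>/<code>shared_from_this()</code> for WTF::Ref and RefCounted, and a global <code>g_inSweep</code> flag for the GC sweep phase.</p>

```cpp
// Added example (not WebKit code): models the deferred-invalidate pattern from the patch.
// Hypothetical names: callOnMainThread() stands in for WTF::callOnMainThread(),
// Loader for WebCoreAVFResourceLoader, std::shared_ptr for WTF::Ref/RefCounted.
#include <cstddef>
#include <deque>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

static std::deque<std::function<void()>> g_mainThreadTasks; // pending main-thread work
static std::vector<std::string> g_trace;                    // order of events, for inspection
static bool g_inSweep = false;                              // true while "the GC" destroys objects
static int g_reentrancyViolations = 0;                      // script "re-entered" during a sweep

// Stand-in for WTF::callOnMainThread(): run the task on a later turn, never now.
static void callOnMainThread(std::function<void()> task) { g_mainThreadTasks.push_back(std::move(task)); }

// Drains the queue, as the next run-loop turn would.
static void runMainThreadTasks()
{
    while (!g_mainThreadTasks.empty()) {
        auto task = std::move(g_mainThreadTasks.front());
        g_mainThreadTasks.pop_front();
        task(); // the captured protectedThis dies with 'task' at the end of this iteration
    }
}

struct Loader : std::enable_shared_from_this<Loader> {
    explicit Loader(void* parent) : m_parent(parent) { }
    ~Loader() { g_trace.push_back("~Loader"); }

    // Stand-in for the real stopLoading(): cancelling a load can run script,
    // which is exactly what must not happen while the sweep is in progress.
    void stopLoading()
    {
        if (!m_loading)
            return;
        m_loading = false;
        if (g_inSweep)
            ++g_reentrancyViolations;
        g_trace.push_back("stopLoading");
    }

    // Shape of invalidate() before the patch: synchronous teardown.
    void invalidateSync() { m_parent = nullptr; stopLoading(); }

    // Shape of invalidate() after the patch: idempotent, parent cleared first,
    // stopLoading() deferred while the captured reference keeps the loader alive.
    void invalidateDeferred()
    {
        if (!m_parent)
            return;
        m_parent = nullptr;
        callOnMainThread([protectedThis = shared_from_this()] { protectedThis->stopLoading(); });
    }

    void* m_parent;        // owning player; null once invalidated
    bool m_loading = true;
};

// The object the sweep destroys; its destructor invalidates the loader, as the media
// element's teardown does in WebCore.
struct MediaElement {
    MediaElement(std::shared_ptr<Loader> loader, bool deferred) : m_loader(std::move(loader)), m_deferred(deferred) { }
    ~MediaElement() { m_deferred ? m_loader->invalidateDeferred() : m_loader->invalidateSync(); }
    std::shared_ptr<Loader> m_loader; // released after invalidate; the queued task may still own the Loader
    bool m_deferred;
};

struct Outcome { int violations; std::vector<std::string> trace; };

// Destroys a MediaElement "inside the sweep", then runs the next main-thread turn.
static Outcome simulateSweep(bool deferred)
{
    g_trace.clear();
    g_mainThreadTasks.clear();
    g_reentrancyViolations = 0;
    int parentToken = 0; // any non-null address serves as the parent
    g_inSweep = true;
    {
        MediaElement element(std::make_shared<Loader>(&parentToken), deferred);
    } // destroyed while g_inSweep is set, as the GC sweep would do
    g_inSweep = false;
    g_trace.push_back("sweep done");
    runMainThreadTasks();
    return { g_reentrancyViolations, g_trace };
}

// The early return in the patched invalidate() makes a repeated call queue only one task.
static std::size_t tasksQueuedByDoubleInvalidate()
{
    g_mainThreadTasks.clear();
    int parentToken = 0;
    auto loader = std::make_shared<Loader>(&parentToken);
    loader->invalidateDeferred();
    loader->invalidateDeferred();
    std::size_t queued = g_mainThreadTasks.size();
    runMainThreadTasks();
    return queued;
}

int main()
{
    for (bool deferred : { false, true }) {
        Outcome outcome = simulateSweep(deferred);
        std::cout << (deferred ? "deferred" : "sync") << ": violations=" << outcome.violations << " trace:";
        for (const auto& step : outcome.trace)
            std::cout << ' ' << step;
        std::cout << '\n';
    }
    std::cout << "double invalidate queued " << tasksQueuedByDoubleInvalidate() << " task(s)\n";
}
```

<p>The synchronous shape runs <code>stopLoading()</code> while the sweep flag is set and the loader dies with the element; the deferred shape runs it one turn later, after the sweep, and the loader outlives the element until the queued task releases it. The <code>shared_from_this()</code> stand-in carries the same precondition as <code>Ref&lt;T&gt;(*this)</code>: it must not be called from an object that is already being destroyed.</p>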

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorehtmlHTMLDocumenth">trunk/Source/WebCore/html/HTMLDocument.h</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicsavfoundationcfWebCoreAVCFResourceLoadercpp">trunk/Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformgraphicsavfoundationobjcWebCoreAVFResourceLoadermm">trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (202589 => 202590)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-06-28 21:33:10 UTC (rev 202589)
+++ trunk/Source/WebCore/ChangeLog        2016-06-28 21:35:37 UTC (rev 202590)
</span><span class="lines">@@ -1,3 +1,29 @@
</span><ins>+2016-06-28  Geoffrey Garen  &lt;ggaren@apple.com&gt;
+
+        CrashTracer beneath JSC::MarkedBlock::specializedSweep
+        https://bugs.webkit.org/show_bug.cgi?id=159223
+
+        Reviewed by Saam Barati.
+
+        This crash is caused by a media element re-entering JS during the GC
+        sweep phase.
+
+        In theory, other CachedResourceClients in the DOM might also trigger
+        similar bugs, but our data only implicates the media elements, so this
+        fix targets them.
+
+        * html/HTMLDocument.h: Document has no reason to inherit from
+        CachedResourceClient. I found this becuase I had to search for all
+        CachedResourceClients in researching this patch.
+
+        * platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp:
+        (WebCore::WebCoreAVCFResourceLoader::invalidate): Delay our call to
+        stopLoading because it might re-enter JS, and we might have been called
+        by the GC sweep phase destroying a media element.
+
+        * platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm:
+        (WebCore::WebCoreAVFResourceLoader::invalidate): Ditto.
+
</ins><span class="cx"> 2016-06-28  Saam Barati  &lt;sbarati@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         some Watchpoints' ::fireInternal method will call operations that might GC where the GC will cause the watchpoint itself to destruct
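Review bot: typo in the HTMLDocument.h entry, "becuase" should be "because". The entry also describes only the deferral, while both invalidate() hunks additionally add an early return when m_parent is already null, which turns a repeated invalidate() into a no-op; that is a behaviour change in its own right and deserves a sentence here.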
</span></span></pre></div>
<a id="trunkSourceWebCorehtmlHTMLDocumenth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/html/HTMLDocument.h (202589 => 202590)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/html/HTMLDocument.h        2016-06-28 21:33:10 UTC (rev 202589)
+++ trunk/Source/WebCore/html/HTMLDocument.h        2016-06-28 21:35:37 UTC (rev 202590)
</span><span class="lines">@@ -23,13 +23,12 @@
</span><span class="cx"> #ifndef HTMLDocument_h
</span><span class="cx"> #define HTMLDocument_h
</span><span class="cx"> 
</span><del>-#include &quot;CachedResourceClient.h&quot;
</del><span class="cx"> #include &quot;Document.h&quot;
</span><span class="cx"> #include &lt;wtf/HashCountedSet.h&gt;
</span><span class="cx"> 
</span><span class="cx"> namespace WebCore {
</span><span class="cx"> 
</span><del>-class HTMLDocument : public Document, public CachedResourceClient {
</del><ins>+class HTMLDocument : public Document {
</ins><span class="cx"> public:
</span><span class="cx">     static Ref&lt;HTMLDocument&gt; create(Frame* frame, const URL&amp; url)
</span><span class="cx">     {
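Review bot: dropping the CachedResourceClient base is only safe if HTMLDocument.cpp neither overrides any of CachedResourceClient's virtual callbacks nor registers the document as a client anywhere; neither is visible in this hunk, so please confirm with a full build rather than relying on the header change alone. Since the include is removed as well, any file that picked up CachedResourceClient.h transitively through HTMLDocument.h will now need its own include.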
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformgraphicsavfoundationcfWebCoreAVCFResourceLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp (202589 => 202590)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp        2016-06-28 21:33:10 UTC (rev 202589)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/cf/WebCoreAVCFResourceLoader.cpp        2016-06-28 21:35:37 UTC (rev 202590)
</span><span class="lines">@@ -99,8 +99,14 @@
</span><span class="cx"> 
</span><span class="cx"> void WebCoreAVCFResourceLoader::invalidate()
</span><span class="cx"> {
</span><ins>+    if (!m_parent)
+        return;
+
</ins><span class="cx">     m_parent = nullptr;
</span><del>-    stopLoading();
</del><ins>+
+    callOnMainThread([protectedThis = Ref&lt;WebCoreAVCFResourceLoader&gt;(*this)] () mutable {
+        protectedThis-&gt;stopLoading();
+    });
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void WebCoreAVCFResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse&amp; response)
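Review bot: Ref&lt;WebCoreAVCFResourceLoader&gt;(*this) in invalidate() assumes the loader's own refcount is still non-zero here; if invalidate() can be reached from the loader's destructor, or from the player after it has dropped its last reference, protectedThis would resurrect an object that is already being freed. Please confirm the call sites. Note also that m_parent is cleared before the deferred task runs, so stopLoading() and any CachedResourceClient callback (responseReceived and friends) that fires in the intervening main-thread turn must tolerate a null m_parent.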
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformgraphicsavfoundationobjcWebCoreAVFResourceLoadermm"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm (202589 => 202590)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm        2016-06-28 21:33:10 UTC (rev 202589)
+++ trunk/Source/WebCore/platform/graphics/avfoundation/objc/WebCoreAVFResourceLoader.mm        2016-06-28 21:35:37 UTC (rev 202590)
</span><span class="lines">@@ -96,8 +96,14 @@
</span><span class="cx"> 
</span><span class="cx"> void WebCoreAVFResourceLoader::invalidate()
</span><span class="cx"> {
</span><ins>+    if (!m_parent)
+        return;
+
</ins><span class="cx">     m_parent = nullptr;
</span><del>-    stopLoading();
</del><ins>+
+    callOnMainThread([protectedThis = Ref&lt;WebCoreAVFResourceLoader&gt;(*this)] () mutable {
+        protectedThis-&gt;stopLoading();
+    });
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void WebCoreAVFResourceLoader::responseReceived(CachedResource* resource, const ResourceResponse&amp; response)
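Review bot: the new early return means a loader whose m_parent was never set, or was already nulled by another path, will now never call stopLoading() at all, whereas before the patch it did; if that case can occur, the underlying load stays active until the loader itself is destroyed. As in the CF version, stopLoading() now runs after the media element (and possibly m_parent) is gone and must not dereference m_parent. No test accompanies the change; if the sweep-time teardown cannot be reproduced in a layout test, please say so in the ChangeLog.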
</span></span></pre>
</div>
</div>

</body>
</html>