constructJSHTMLElement() should protect document and `elementInterf…

…ace` https://bugs.webkit.org/show_bug.cgi?id=241827 <rdar://94610860> Reviewed by Mark Lam. * Source/WebCore/bindings/js/JSHTMLElementCustom.cpp: (WebCore::constructJSHTMLElement): * Source/WebKit/WebProcess/WebPage/WebPage.cpp: (WebKit::WebPage::runModal): Canonical link: https://commits.webkit.org/251709@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@295704 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jun 22, 2022 · 0b46104 · 0b46104
1 parent 206d7d6
commit 0b46104
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp b/Source/WebCore/bindings/js/JSHTMLElementCustom.cpp
@@ -78,6 +78,9 @@ EncodedJSValue constructJSHTMLElement(JSGlobalObject* lexicalGlobalObject, CallF
         return throwVMTypeError(lexicalGlobalObject, scope, "new.target does not define a custom element"_s);
 
     if (!elementInterface->isUpgradingElement()) {
+        Ref<Document> protectedDocument(document);
+        Ref<JSCustomElementInterface> protectedElementInterface(*elementInterface);
+
         Structure* baseStructure = getDOMStructure<JSHTMLElement>(vm, *newTargetGlobalObject);
         auto* newElementStructure = InternalFunction::createSubclassStructure(lexicalGlobalObject, newTarget, baseStructure);
         RETURN_IF_EXCEPTION(scope, { });

diff --git a/Source/WebKit/WebProcess/WebPage/WebPage.cpp b/Source/WebKit/WebProcess/WebPage/WebPage.cpp
@@ -5861,7 +5861,6 @@ void WebPage::runModal()
     Ref<WebPage> protector(*this);
 #endif
     RunLoop::run();
-    ASSERT(!m_isRunningModal);
 }
 
 bool WebPage::canHandleRequest(const WebCore::ResourceRequest& request)