[iOS] Crash in WebKit::WebPageProxy::dispatchViewStateChange() tappin…

…g a link from another app while playing a video

https://bugs.webkit.org/show_bug.cgi?id=139550

Reviewed by Anders Carlsson.

The existing "dispatch to WebThread, then release" model is insufficient and still
can result in RefPtr race conditions between the main thread and the web thread.
Make WebVideoFullscreenInterfaceAVKit a thread-safe ref-counted class, which
eliminates the necessity of disptaching back to the web thread before releasing.

* platform/ios/WebVideoFullscreenInterfaceAVKit.h:
* platform/ios/WebVideoFullscreenInterfaceAVKit.mm:
(WebVideoFullscreenInterfaceAVKit::setDuration): Use a strongThis model.
(WebVideoFullscreenInterfaceAVKit::setCurrentTime): Ditto.
(WebVideoFullscreenInterfaceAVKit::setRate): Ditto.
(WebVideoFullscreenInterfaceAVKit::setVideoDimensions): Ditto.
(WebVideoFullscreenInterfaceAVKit::setSeekableRanges): Ditto.
(mediaSelectionOptions): Return a RetainPtr object.
(WebVideoFullscreenInterfaceAVKit::setAudioMediaSelectionOptions): Use a strongThis model.
(WebVideoFullscreenInterfaceAVKit::setLegibleMediaSelectionOptions): Ditto.
(WebVideoFullscreenInterfaceAVKit::setExternalPlayback): Ditto.
(WebVideoFullscreenInterfaceAVKit::setupFullscreen): Ditto.
(WebVideoFullscreenInterfaceAVKit::enterFullscreen): Ditto.
(WebVideoFullscreenInterfaceAVKit::exitFullscreen): Ditto.
(WebVideoFullscreenInterfaceAVKit::cleanupFullscreen): Ditto.
(WebVideoFullscreenInterfaceAVKit::setupFullscreenInternal): Added utility
    function. Lets us use the implied this pointer rather than an explicit
    strongThis.
(WebVideoFullscreenInterfaceAVKit::enterFullscreenOptimized): Ditto.
(WebVideoFullscreenInterfaceAVKit::enterFullscreenStandard): Ditto.
(WebVideoFullscreenInterfaceAVKit::exitFullscreenInternal): Ditto.
(WebVideoFullscreenInterfaceAVKit::cleanupFullscreenInternal): Ditto.
(WebVideoFullscreenInterfaceAVKit::requestHideAndExitFullscreen): Use a strongThis model.


Canonical link: https://commits.webkit.org/157581@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@177375 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog

@@ -1,3 +1,39 @@
+2014-12-16  Jer Noble  <jer.noble@apple.com>
+
+        [iOS] Crash in WebKit::WebPageProxy::dispatchViewStateChange() tapping a link from another app while playing a video
+        https://bugs.webkit.org/show_bug.cgi?id=139550
+
+        Reviewed by Anders Carlsson.
+
+        The existing "dispatch to WebThread, then release" model is insufficient and still
+        can result in RefPtr race conditions between the main thread and the web thread.
+        Make WebVideoFullscreenInterfaceAVKit a thread-safe ref-counted class, which
+        eliminates the necessity of disptaching back to the web thread before releasing.
+
+        * platform/ios/WebVideoFullscreenInterfaceAVKit.h:
+        * platform/ios/WebVideoFullscreenInterfaceAVKit.mm:
+        (WebVideoFullscreenInterfaceAVKit::setDuration): Use a strongThis model.
+        (WebVideoFullscreenInterfaceAVKit::setCurrentTime): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::setRate): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::setVideoDimensions): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::setSeekableRanges): Ditto.
+        (mediaSelectionOptions): Return a RetainPtr object.
+        (WebVideoFullscreenInterfaceAVKit::setAudioMediaSelectionOptions): Use a strongThis model.
+        (WebVideoFullscreenInterfaceAVKit::setLegibleMediaSelectionOptions): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::setExternalPlayback): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::setupFullscreen): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::enterFullscreen): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::exitFullscreen): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::cleanupFullscreen): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::setupFullscreenInternal): Added utility
+            function. Lets us use the implied this pointer rather than an explicit
+            strongThis.
+        (WebVideoFullscreenInterfaceAVKit::enterFullscreenOptimized): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::enterFullscreenStandard): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::exitFullscreenInternal): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::cleanupFullscreenInternal): Ditto.
+        (WebVideoFullscreenInterfaceAVKit::requestHideAndExitFullscreen): Use a strongThis model.
+
 2014-12-16  Ryosuke Niwa  <rniwa@webkit.org>
 
         Nested template contents are not cloned by document.importNode

Source/WebCore/platform/ios/WebVideoFullscreenInterfaceAVKit.h

@@ -35,6 +35,7 @@
 #include <WebCore/WebVideoFullscreenInterface.h>
 #include <wtf/RefPtr.h>
 #include <wtf/RetainPtr.h>
+#include <wtf/ThreadSafeRefCounted.h>
 
 OBJC_CLASS WebAVPlayerController;
 OBJC_CLASS AVPlayerViewController;
@@ -64,7 +65,7 @@ class WebVideoFullscreenChangeObserver {
 
 class WebVideoFullscreenInterfaceAVKit
     : public WebVideoFullscreenInterface
-    , public RefCounted<WebVideoFullscreenInterfaceAVKit> {
+    , public ThreadSafeRefCounted<WebVideoFullscreenInterfaceAVKit> {
 
 public:
     WEBCORE_EXPORT WebVideoFullscreenInterfaceAVKit();
@@ -94,7 +95,12 @@ class WebVideoFullscreenInterfaceAVKit
     bool mayAutomaticallyShowVideoOptimized();
 
 protected:
-
+    void setupFullscreenInternal(PlatformLayer&, IntRect initialRect, UIView *, HTMLMediaElement::VideoFullscreenMode, bool allowOptimizedFullscreen);
+    void enterFullscreenOptimized();
+    void enterFullscreenStandard();
+    void exitFullscreenInternal(IntRect finalRect);
+    void cleanupFullscreenInternal();
+
     RetainPtr<WebAVPlayerController> m_playerController;
     RetainPtr<AVPlayerViewController> m_playerViewController;
     RetainPtr<CALayer> m_videoLayer;