Cherry-pick 259548.833@safari-7615-branch (c60c405). https://bugs.web…

…kit.org/show_bug.cgi?id=258058 Crash under WebCore::JSRequestAnimationFrameCallback::~JSRequestAnimationFrameCallback() https://bugs.webkit.org/show_bug.cgi?id=258058 rdar://110530772 Reviewed by Ryosuke Niwa. JSRequestAnimationFrameCallback were outliving the VM and thus using the VM after-free in their destructor. JS Wrapper should never outlive the VM. JSRequestAnimationFrameCallback are subclasses of RequestAnimationFrameCallback, which were being kept alive by the WorkerAnimationController via its m_animationCallbacks vector. To address the issue, WorkerAnimationController now clears m_animationCallbacks in stop(), which gets called when the global scope (and thus the VM) are about to go away. * LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt: Added. * LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html: Added. * LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html: Added. * Source/WebCore/workers/WorkerAnimationController.cpp: (WebCore::WorkerAnimationController::stop): Canonical link: https://commits.webkit.org/259548.833@safari-7615-branch
WebKit · Jul 28, 2023 · a474823 · a474823
1 parent b384b6f
commit a474823
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 0 deletions.
diff --git a/LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt b/LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction-expected.txt
@@ -0,0 +1 @@
+This test passes if it doesn't crash.
diff --git a/LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html b/LayoutTests/fast/workers/pending-requestAnimationFrame-upon-destruction.html
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<body>
+This test passes if it doesn't crash.
+<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+function popupReloaded()
+{
+    setTimeout(() => {
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 0);
+}
+
+open("resources/pending-requestAnimationFrame-upon-destruction-popup.html");
+</script>
+</body>
+</html>
diff --git a/LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html b/LayoutTests/fast/workers/resources/pending-requestAnimationFrame-upon-destruction-popup.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<canvas id="canvas"></canvas>
+<img>
+
+<script>
+if (location.search == "") {
+  const trigger = noWorkers => {
+  let canvas, ctx;
+  const window = {
+    CP: {
+      aa(a) {
+      },
+      ab(e) {} } };
+      requestAnimationFrame(function foo(){});
+};
+
+const createWorker = fn => {
+  const URL = window.URL || window.webkitURL;
+  return new Worker(URL.createObjectURL(new Blob(["(" + fn + ")()"])));
+};
+
+const texture = document.createElement("canvas");
+worker = createWorker(trigger);
+window.location.href += "?foo=bar";
+} else
+    opener.popupReloaded();
+</script>
+</html>
diff --git a/Source/WebCore/workers/WorkerAnimationController.cpp b/Source/WebCore/workers/WorkerAnimationController.cpp
@@ -69,6 +69,7 @@ bool WorkerAnimationController::virtualHasPendingActivity() const
 void WorkerAnimationController::stop()
 {
     m_animationTimer.stop();
+    m_animationCallbacks.clear();
 }
 
 void WorkerAnimationController::suspend(ReasonForSuspension)