[WebIDL] Hoist protectedThis reference in JSEventListener::handleEvent()

https://bugs.webkit.org/show_bug.cgi?id=248328 Reviewed by Yusuke Suzuki. While this change is non-observable since the only caller of handleEvent(), innerInvokeEventListeners(), keeps it as RefPtr, theoretically both getCallData() and jsFunction->get() may remove currently running event listener and cause its destruction. * Source/WebCore/bindings/js/JSEventListener.cpp: (WebCore::JSEventListener::handleEvent): Canonical link: https://commits.webkit.org/257027@main
WebKit · Nov 25, 2022 · a8c7d4f · a8c7d4f
1 parent a3765e7
commit a8c7d4f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Source/WebCore/bindings/js/JSEventListener.cpp b/Source/WebCore/bindings/js/JSEventListener.cpp
@@ -180,6 +180,8 @@ void JSEventListener::handleEvent(ScriptExecutionContext& scriptExecutionContext
 
     JSValue handleEventFunction = jsFunction;
 
+    Ref protectedThis { *this };
+
     auto callData = JSC::getCallData(handleEventFunction);
 
     // If jsFunction is not actually a function and this is an EventListener, see if it implements callback interface.
@@ -203,8 +205,6 @@ void JSEventListener::handleEvent(ScriptExecutionContext& scriptExecutionContext
         }
     }
 
-    Ref<JSEventListener> protectedThis(*this);
-
     MarkedArgumentBuffer args;
     args.append(toJS(lexicalGlobalObject, globalObject, &event));
     ASSERT(!args.hasOverflowed());