Cherry-pick a47510d. rdar://problem/103268511

Fix potential crash under IntersectionObserver::disconnect() https://bugs.webkit.org/show_bug.cgi?id=248111 rdar://100355921 Reviewed by Jonathan Bedard and Ryosuke Niwa. Make sure we protect the intersection observers and resize observers before calling disconnect() on them in Document::commonTeardown(). This is a speculative fix to address the crash in the radar, which I was unable to reproduce. * LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt: Added. * LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html: Added. Include test from the radar, even though it didn't reproduce the issue for me. * Source/WebCore/dom/Document.cpp: (WebCore::Document::commonTeardown): Canonical link: https://commits.webkit.org/252432.841@safari-7614-branch Canonical link: https://commits.webkit.org/245886.855@safari-7613.4.1.0-branch
WebKit · Dec 16, 2022 · e73e6e8 · e73e6e8
1 parent 439f45e
commit e73e6e8
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 4 deletions.
diff --git a/LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt b/LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash-expected.txt
@@ -0,0 +1,9 @@
+This test passes if it doesn't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html b/LayoutTests/fast/dom/lazy-loading-iframe-destruction-crash.html
@@ -0,0 +1,24 @@
+<script src="../../resources/js-test.js"></script>
+<script>
+jsTestIsAsync = true;
+
+function runTest() {
+    description("This test passes if it doesn't crash.");
+
+    inputElement.selectionDirection = "forward";
+    inputElement.setRangeText("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+    setTimeout(finishJSTest, 100);
+}
+
+function inputSelectHandler() {
+    outputElement.innerHTML = rpElement.innerHTML;;
+    gc();
+}
+</script>
+<body onload="runTest()">
+<rp id="rpElement" onfocusin="f3()" onfocusout="f2()">
+<iframe inputmode="numeric" loading="lazy" 1px" scrolling="yes">
+</iframe>
+</rp>
+<input id="inputElement" contextmenu="x26" onselect="inputSelectHandler()" height="1024">
+<output id="outputElement" dir="auto">
diff --git a/Source/WebCore/dom/Document.cpp b/Source/WebCore/dom/Document.cpp
@@ -813,14 +813,14 @@ void Document::commonTeardown()
     m_documentFragmentForInnerOuterHTML = nullptr;
 
     auto intersectionObservers = m_intersectionObservers;
-    for (auto& intersectionObserver : intersectionObservers) {
-        if (intersectionObserver)
+    for (auto& weakIntersectionObserver : intersectionObservers) {
+        if (RefPtr intersectionObserver = weakIntersectionObserver.get())
             intersectionObserver->disconnect();
     }
 
     auto resizeObservers = m_resizeObservers;
-    for (auto& resizeObserver : resizeObservers) {
-        if (resizeObserver)
+    for (auto& weakResizeObserver : resizeObservers) {
+        if (RefPtr resizeObserver = weakResizeObserver.get())
             resizeObserver->disconnect();
     }