Deploy more smart pointers in ScriptExecutionContext.cpp and Rejected…

…PromiseTracker.cpp https://bugs.webkit.org/show_bug.cgi?id=264621 Reviewed by Chris Dumez. Deploy smart pointers as warned by the clang static analyzer. * Source/WebCore/dom/RejectedPromiseTracker.cpp: (WebCore::RejectedPromiseTracker::reportUnhandledRejections): (WebCore::RejectedPromiseTracker::reportRejectionHandled): * Source/WebCore/dom/ScriptExecutionContext.cpp: (WebCore::ScriptExecutionContext::reportUnhandledPromiseRejection): (WebCore::ScriptExecutionContext::dispatchErrorEvent): (WebCore::ScriptExecutionContext::protectedVM): Added. (WebCore::ScriptExecutionContext::ensureRejectedPromiseTrackerSlow): * Source/WebCore/dom/ScriptExecutionContext.h: * Source/WebCore/dom/ShadowRoot.cpp: (WebCore::ShadowRoot::~ShadowRoot): Canonical link: https://commits.webkit.org/270615@main
WebKit · Nov 12, 2023 · f739f84 · f739f84
1 parent a1ad995
commit f739f84
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 6 deletions.
diff --git a/Source/WebCore/dom/RejectedPromiseTracker.cpp b/Source/WebCore/dom/RejectedPromiseTracker.cpp
@@ -148,7 +148,7 @@ void RejectedPromiseTracker::reportUnhandledRejections(Vector<UnhandledPromise>&
 {
     // https://html.spec.whatwg.org/multipage/webappapis.html#unhandled-promise-rejections
 
-    VM& vm = m_context->vm();
+    Ref vm = m_context->vm();
     JSC::JSLockHolder lock(vm);
 
     for (auto& unhandledPromise : unhandledPromises) {
@@ -182,7 +182,7 @@ void RejectedPromiseTracker::reportRejectionHandled(Ref<DOMPromise>&& rejectedPr
 {
     // https://html.spec.whatwg.org/multipage/webappapis.html#the-hostpromiserejectiontracker-implementation
 
-    VM& vm = m_context->vm();
+    Ref vm = m_context->vm();
     JSC::JSLockHolder lock(vm);
 
     if (rejectedPromise->isSuspended())

diff --git a/Source/WebCore/dom/ScriptExecutionContext.cpp b/Source/WebCore/dom/ScriptExecutionContext.cpp
@@ -484,7 +484,7 @@ void ScriptExecutionContext::reportUnhandledPromiseRejection(JSC::JSGlobalObject
     if (page && !page->settings().unhandledPromiseRejectionToConsoleEnabled())
         return;
 
-    JSC::VM& vm = state.vm();
+    Ref vm = state.vm();
     auto scope = DECLARE_CATCH_SCOPE(vm);
     JSC::JSValue result = promise.result(vm);
     String resultMessage = retrieveErrorMessage(state, vm, result, scope);
@@ -521,7 +521,7 @@ void ScriptExecutionContext::addConsoleMessage(MessageSource source, MessageLeve
 
 bool ScriptExecutionContext::dispatchErrorEvent(const String& errorMessage, int lineNumber, int columnNumber, const String& sourceURL, JSC::Exception* exception, CachedScript* cachedScript, bool fromModule)
 {
-    auto* target = errorEventTarget();
+    RefPtr target = errorEventTarget();
     if (!target)
         return false;
 
@@ -546,6 +546,11 @@ int ScriptExecutionContext::circularSequentialID()
     return m_circularSequentialID;
 }
 
+Ref<JSC::VM> ScriptExecutionContext::protectedVM()
+{
+    return vm();
+}
+
 PublicURLManager& ScriptExecutionContext::publicURLManager()
 {
     if (!m_publicURLManager)
@@ -595,7 +600,7 @@ RejectedPromiseTracker* ScriptExecutionContext::ensureRejectedPromiseTrackerSlow
         if (!scriptController || scriptController->isTerminatingExecution())
             return nullptr;
     }
-    m_rejectedPromiseTracker = makeUnique<RejectedPromiseTracker>(*this, vm());
+    m_rejectedPromiseTracker = makeUnique<RejectedPromiseTracker>(*this, protectedVM());
     return m_rejectedPromiseTracker.get();
 }
 
@@ -776,7 +781,7 @@ void ScriptExecutionContext::postTaskToResponsibleDocument(Function<void(Documen
     if (!is<WorkerOrWorkletGlobalScope>(this))
         return;
 
-    auto* thread = downcast<WorkerOrWorkletGlobalScope>(this)->workerOrWorkletThread();
+    RefPtr thread = downcast<WorkerOrWorkletGlobalScope>(this)->workerOrWorkletThread();
     if (thread) {
         thread->workerLoaderProxy().postTaskToLoader([callback = WTFMove(callback)](auto&& context) {
             callback(downcast<Document>(context));

diff --git a/Source/WebCore/dom/ScriptExecutionContext.h b/Source/WebCore/dom/ScriptExecutionContext.h
@@ -248,6 +248,7 @@ class ScriptExecutionContext : public SecurityContext, public CanMakeCheckedPtr,
     DOMTimer* findTimeout(int timeoutId) { return m_timeouts.get(timeoutId); }
 
     virtual JSC::VM& vm() = 0;
+    virtual Ref<JSC::VM> protectedVM();
 
     void adjustMinimumDOMTimerInterval(Seconds oldMinimumTimerInterval);
     virtual Seconds minimumDOMTimerInterval() const;

diff --git a/Source/WebCore/dom/ShadowRoot.cpp b/Source/WebCore/dom/ShadowRoot.cpp
@@ -101,6 +101,7 @@ ShadowRoot::~ShadowRoot()
     // for this ShadowRoot instance because TreeScope destructor
     // clears Node::m_treeScope thus ContainerNode is no longer able
     // to access it Document reference after that.
+    // We can't ref document() here since it may have started destruction.
     willBeDeletedFrom(document());
 
     ASSERT(!m_hasBegunDeletingDetachedChildren);