Changeset 248376 in webkit
- Timestamp: Aug 7, 2019 10:31:10 AM
- Location: trunk/Source/WebCore
- Files: 3 edited
trunk/Source/WebCore/ChangeLog
r248373 r248376 1 2019-08-07 Chris Dumez <cdumez@apple.com> 2 3 Fix thread safety issue under JSHistory::visitAdditionalChildren() 4 https://bugs.webkit.org/show_bug.cgi?id=200504 5 6 Reviewed by Darin Adler. 7 8 JSHistory::visitAdditionalChildren() is called from a GC thread and was calling 9 History::cachedState() whose implementation goes deep into WebCore 10 (FrameLoader / HistoryController). Among other things, it null checks m_window 11 which is a WeakPtr and then later dereferences it to get the Frame object, which 12 is not safe from the non-main thread. 13 14 To address the issue, introduce a simpler cachedStateForGC() getter which is 15 thread safe, and use it in JSHistory::visitAdditionalChildren(). 16 17 * bindings/js/JSHistoryCustom.cpp: 18 (WebCore::JSHistory::visitAdditionalChildren): 19 * page/History.h: 20 1 21 2019-08-07 Priyanka Agarwal <pagarwal999@apple.com> 2 22 -
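Review bot: The entry explains why cachedState() is unsafe off the main thread (null check and later dereference of the m_window WeakPtr to reach the Frame) but does not say why reading m_cachedState directly from the GC thread is acceptable; one sentence noting that cachedStateForGC() only hands back a reference to the member and never touches m_window, FrameLoader or HistoryController would complete the thread-safety argument for anyone reading the log later.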
trunk/Source/WebCore/bindings/js/JSHistoryCustom.cpp
r244225 r248376 47 47 void JSHistory::visitAdditionalChildren(SlotVisitor& visitor) 48 48 { 49 wrapped().cachedState ().visit(visitor);49 wrapped().cachedStateForGC().visit(visitor); 50 50 } 51 51 -
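Review bot: visitAdditionalChildren() now reads m_cachedState from the GC thread with nothing in the function saying so, which invites someone to switch it back to cachedState() the next time the two accessors look interchangeable. Add a comment above the call, e.g. `// Runs on the GC thread: use cachedStateForGC(), not cachedState(), which dereferences m_window/Frame.`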
trunk/Source/WebCore/page/History.h
r243887 r248376 54 54 SerializedScriptValue* state(); 55 55 JSValueInWrappedObject& cachedState(); 56 JSValueInWrappedObject& cachedStateForGC() { return m_cachedState; } 56 57 57 58 void back();
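Review bot: cachedStateForGC() is declared directly under cachedState() with nothing distinguishing them, yet only the new one may be called off the main thread. Document the contract on the inline accessor, e.g. `// Safe to call from the GC thread; must not touch m_window or the Frame.`, and if JSValueInWrappedObject::visit() does not need to mutate the value, returning `const JSValueInWrappedObject&` would make the read-only intent of the GC path explicit.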