    Heap-use-after-free in WebCore::HTMLMediaElement::~HTMLMediaElement · 21cefa1a
    acolwell@chromium.org authored
    https://bugs.webkit.org/show_bug.cgi?id=110623
    
    Reviewed by Kentaro Hara.
    
    Source/WebCore:
    
    Test: http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html
    
    * bindings/v8/V8GCController.cpp: Fix MinorGCWrapperVisitor so it doesn't collect ActiveDOMObjects
                                      that have pending activity.
    * html/HTMLAudioElement.h:
    (HTMLAudioElement): Removed hasPendingActivity() now that this is handled by the base class.
    * html/HTMLAudioElement.idl: Removed ActiveDOMObject annotation since HTMLMediaElement now has it.
    * html/HTMLMediaElement.cpp:
    (WebCore::HTMLMediaElement::hasPendingActivity): Update implementation to return true if the media
                                                     has audio and is playing. This brings the code into
                                                     compliance with the detached element behavior outlined
                                                     in the HTML5 spec.
    * html/HTMLMediaElement.idl: Added ActiveDOMObject annotation so that all derived classes are
                                 considered ActiveDOMObjects.
    
    LayoutTests:
    
    * http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal-expected.txt: Added.
    * http/tests/misc/delete-frame-during-readystatechange-with-gc-after-video-removal.html: Added.
    * http/tests/misc/resources/delete-frame-during-readystatechange-frame-with-gc-after-video-removal.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@145162 268f45cc-cd09-0410-ab3c-d52691b4dbfc
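The ChangeLog above describes the defect class without showing code: a minor-GC wrapper visitor treated a detached, still-playing media element as collectable because the element did not report pending activity, leaving native playback code with a dangling element. The following is an added, self-contained C++ model of that logic, not WebCore code; `ActiveDOMObject`, `MediaElement`, `Wrapper` and `collectable` are hypothetical stand-ins for the WebCore types the commit touches, and the scenario data is constructed for illustration.

```cpp
// Simplified model (not WebCore code) of the fix described in the commit:
// a minor-GC wrapper visitor must not hand an ActiveDOMObject to the
// collector while that object reports pending activity.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for WebCore's ActiveDOMObject interface.
struct ActiveDOMObject {
    virtual ~ActiveDOMObject() = default;
    virtual bool hasPendingActivity() const = 0;
    virtual const std::string& name() const = 0;
};

// Hypothetical stand-in for HTMLMediaElement. Per the commit, a media element
// reports pending activity when it has audio and is playing, even after it has
// been removed from the document (the HTML5 detached-element behaviour).
class MediaElement : public ActiveDOMObject {
public:
    MediaElement(std::string name, bool hasAudio, bool playing)
        : m_name(std::move(name)), m_hasAudio(hasAudio), m_playing(playing) {}
    bool hasPendingActivity() const override { return m_hasAudio && m_playing; }
    const std::string& name() const override { return m_name; }
private:
    std::string m_name;
    bool m_hasAudio;
    bool m_playing;
};

// A wrapper pairs a native object with whether its JS wrapper is still
// reachable from script. In the bug, a detached <video> had no script
// reference left, yet the native side was still in use by playback.
struct Wrapper {
    std::shared_ptr<ActiveDOMObject> native;
    bool reachableFromScript;
};

// Model of the minor-GC wrapper visitor. Returns the names of objects the
// visitor would hand to the collector. honourPendingActivity selects the
// fixed behaviour (true) or the pre-fix behaviour (false).
std::vector<std::string> collectable(const std::vector<Wrapper>& wrappers,
                                     bool honourPendingActivity) {
    std::vector<std::string> out;
    for (const Wrapper& w : wrappers) {
        if (w.reachableFromScript)
            continue;                        // still referenced by JS: keep
        if (honourPendingActivity && w.native->hasPendingActivity())
            continue;                        // fix: active object must survive
        out.push_back(w.native->name());     // otherwise eligible for collection
    }
    return out;
}

// Constructed scenario mirroring the commit: a playing <video> with audio
// removed from the DOM, next to a paused one, a playing one without audio,
// and one that script still references.
std::vector<std::string> detachedPlayingVideoScenario(bool honourPendingActivity) {
    std::vector<Wrapper> wrappers = {
        { std::make_shared<MediaElement>("playing-with-audio", true, true), false },
        { std::make_shared<MediaElement>("paused", true, false), false },
        { std::make_shared<MediaElement>("playing-no-audio", false, true), false },
        { std::make_shared<MediaElement>("referenced-by-script", true, true), true },
    };
    return collectable(wrappers, honourPendingActivity);
}

int main() {
    for (bool fixed : { false, true }) {
        std::cout << (fixed ? "with fix:    " : "without fix: ");
        for (const std::string& n : detachedPlayingVideoScenario(fixed))
            std::cout << n << ' ';
        std::cout << '\n';
    }
    return 0;
}
```

Without the fix the detached, playing element with audio is listed as collectable while playback still uses it, which is the use-after-free window the test in the commit exercises; with the fix only the paused and audio-less elements remain eligible.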