Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e37953123ad26f8d04ee26239b50297fbc87554e
https://github.com/WebKit/WebKit/commit/e37953123ad26f8d04ee26239b50297fbc87554e
Author: Chris Dumez <[email protected]>
Date: 2026-07-01 (Wed, 01 Jul 2026)
Changed paths:
M Source/WebCore/bindings/js/JSTextTrackCueCustom.cpp
M Source/WebCore/html/HTMLMediaElement.cpp
M Source/WebCore/html/track/InbandDataTextTrack.h
M Source/WebCore/html/track/InbandGenericTextTrack.h
M Source/WebCore/html/track/InbandTextTrack.h
M Source/WebCore/html/track/InbandWebVTTTextTrack.h
M Source/WebCore/html/track/LoadableTextTrack.h
M Source/WebCore/html/track/TextTrack.h
M Source/WebCore/html/track/TextTrackCue.cpp
M Source/WebCore/html/track/TextTrackCue.h
Log Message:
-----------
Data race in JSTextTrackCue::visitAdditionalChildrenInGCThread leading to use-after-free (variant of bug 311800)
https://bugs.webkit.org/show_bug.cgi?id=314952
rdar://177248996

Reviewed by Geoffrey Garen.

JSTextTrackCue::visitAdditionalChildrenInGCThread() was accessing `TextTrackCue::m_track` from the GC thread, even though it is a WeakPtr which can get nulled out on the main thread.

To address the issue:
- Turn `TextTrackCue::m_track` into a CheckedPtr. This is OK because the ~Track() destructor takes care of nulling out its cues' m_track pointer explicitly.
- Add a Lock to synchronize setting m_track on the main thread in `TextTrackCue::setTrack()` and accessing it on the GC thread.

* Source/WebCore/bindings/js/JSTextTrackCueCustom.cpp:
(WebCore::JSTextTrackCue::visitAdditionalChildren):
* Source/WebCore/html/track/InbandDataTextTrack.h:
* Source/WebCore/html/track/InbandGenericTextTrack.h:
* Source/WebCore/html/track/InbandTextTrack.h:
* Source/WebCore/html/track/InbandWebVTTTextTrack.h:
* Source/WebCore/html/track/LoadableTextTrack.h:
* Source/WebCore/html/track/TextTrack.h:
* Source/WebCore/html/track/TextTrackCue.cpp:
(WebCore::TextTrackCue::willChange):
(WebCore::TextTrackCue::didChange):
(WebCore::TextTrackCue::track const):
(WebCore::TextTrackCue::protectedTrack const):
(WebCore::TextTrackCue::setTrack):
(WebCore::TextTrackCue::cueIndex const):
(WebCore::TextTrackCue::hasEquivalentStartTime const):
(WebCore::TextTrackCue::visitAdditionalChildren):
* Source/WebCore/html/track/TextTrackCue.h:
Originally-landed-as: 305413.937@safari-7624-branch (133b57500c3a).
rdar://180437357
Canonical link: https://commits.webkit.org/316337@main
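The following is an added illustration of the bug class the commit message describes, not WebKit code: a cue holds a back-pointer to its track, a GC-thread visitor reads that pointer, and the main thread tears the track down concurrently. The names (`Track`, `Cue`, `RaceStats`, `runRaceSimulation`, `teardown`) are hypothetical stand-ins for TextTrack / TextTrackCue and the real visitor; the pointer is a plain atomic rather than WTF's WeakPtr or CheckedPtr, and `teardown()` stands in for the destructor that nulls the cues' pointers. The `synchronized` flag switches between the unlocked pattern (the bug) and the locked pattern (the fix).

```cpp
#include <atomic>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Counters filled in by the simulated GC thread (hypothetical, not WebCore's GC API).
struct RaceStats {
    std::size_t visitedLive = 0;     // non-null pointer, track still alive: fine
    std::size_t visitedNull = 0;     // null pointer: nothing to visit, fine
    std::size_t visitedDangling = 0; // non-null pointer to a torn-down track: the bug
};

class Track;

class Cue {
public:
    explicit Cue(bool synchronized) : m_synchronized(synchronized) {}

    // Main thread only. Mirrors TextTrackCue::setTrack(): with the fix, the store
    // happens under the same lock the GC-thread reader takes.
    void setTrack(Track* track) {
        std::unique_lock<std::mutex> guard(m_trackLock, std::defer_lock);
        if (m_synchronized)
            guard.lock();
        m_track.store(track, std::memory_order_relaxed);
    }

    // GC thread. Mirrors visitAdditionalChildren(): load m_track, then use it.
    void visitAdditionalChildren(RaceStats& stats) const;

private:
    bool m_synchronized;
    mutable std::mutex m_trackLock;
    // Atomic only so the unlocked variant stays defined behaviour in this simulation;
    // the bug is the gap between loading the pointer and dereferencing it.
    std::atomic<Track*> m_track { nullptr };
};

class Track {
public:
    void attach(Cue& cue) { m_cues.push_back(&cue); cue.setTrack(this); }
    // Stands in for the destructor: null out every cue's back-pointer, then mark the
    // object dead. m_alive is a poison flag so a use-after-teardown can be detected
    // without reading freed memory.
    void teardown() {
        for (Cue* cue : m_cues)
            cue->setTrack(nullptr);
        m_cues.clear();
        m_alive.store(false, std::memory_order_release);
    }
    bool isAlive() const { return m_alive.load(std::memory_order_acquire); }

private:
    std::vector<Cue*> m_cues;
    std::atomic<bool> m_alive { true };
};

void Cue::visitAdditionalChildren(RaceStats& stats) const {
    std::unique_lock<std::mutex> guard(m_trackLock, std::defer_lock);
    if (m_synchronized)
        guard.lock();
    Track* track = m_track.load(std::memory_order_relaxed);
    if (!track) { ++stats.visitedNull; return; }
    std::this_thread::yield(); // widen the window between check and use
    if (track->isAlive())
        ++stats.visitedLive;
    else
        ++stats.visitedDangling; // in real code this is the use-after-free
}

// The main thread attaches and tears down tracks in a loop while a second thread
// plays the GC visitor. Tracks stay allocated until the end so the poison flag can
// be read safely even in the racy variant.
RaceStats runRaceSimulation(bool synchronized, std::size_t rounds) {
    Cue cue(synchronized);
    RaceStats stats;
    std::atomic<bool> done { false };
    std::thread gcThread([&] {
        while (!done.load(std::memory_order_acquire))
            cue.visitAdditionalChildren(stats);
    });
    std::vector<std::unique_ptr<Track>> tracks;
    for (std::size_t i = 0; i < rounds; ++i) {
        tracks.push_back(std::make_unique<Track>());
        tracks.back()->attach(cue);
        std::this_thread::yield();
        tracks.back()->teardown();
    }
    done.store(true, std::memory_order_release);
    gcThread.join();
    return stats;
}

int main() {
    for (bool synchronized : { false, true }) {
        RaceStats s = runRaceSimulation(synchronized, 20000);
        std::printf("%s: live=%zu null=%zu dangling=%zu\n", synchronized ? "locked" : "unlocked",
            s.visitedLive, s.visitedNull, s.visitedDangling);
    }
    return 0;
}
```

With `synchronized == true` the dangling count is always zero: the teardown cannot null the pointer until the visitor releases the lock, and it only marks the track dead after that, so a visitor that observed a non-null pointer is guaranteed the object is still valid for as long as it holds the lock. With `synchronized == false` the dangling count is timing-dependent and usually non-zero, which is exactly the "WeakPtr nulled out on the main thread while the GC thread is still using it" window from the commit message. The raw pointer plus explicit nulling in `teardown()` models the CheckedPtr change; WTF's CheckedPtr additionally keeps a count on the pointee and asserts in the pointee's destructor that no CheckedPtr still refers to it.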