Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: e37953123ad26f8d04ee26239b50297fbc87554e
      
https://github.com/WebKit/WebKit/commit/e37953123ad26f8d04ee26239b50297fbc87554e
  Author: Chris Dumez <[email protected]>
  Date:   2026-07-01 (Wed, 01 Jul 2026)

  Changed paths:
    M Source/WebCore/bindings/js/JSTextTrackCueCustom.cpp
    M Source/WebCore/html/HTMLMediaElement.cpp
    M Source/WebCore/html/track/InbandDataTextTrack.h
    M Source/WebCore/html/track/InbandGenericTextTrack.h
    M Source/WebCore/html/track/InbandTextTrack.h
    M Source/WebCore/html/track/InbandWebVTTTextTrack.h
    M Source/WebCore/html/track/LoadableTextTrack.h
    M Source/WebCore/html/track/TextTrack.h
    M Source/WebCore/html/track/TextTrackCue.cpp
    M Source/WebCore/html/track/TextTrackCue.h

  Log Message:
  -----------
Data race in JSTextTrackCue::visitAdditionalChildrenInGCThread leading to use-after-free (variant of bug 311800)
https://bugs.webkit.org/show_bug.cgi?id=314952
rdar://177248996

Reviewed by Geoffrey Garen.

JSTextTrackCue::visitAdditionalChildrenInGCThread() was accessing
`TextTrackCue::m_track` from the GC thread, even though it is a WeakPtr
which can get nulled out on the main thread.

To address the issue:
- Turn `TextTrackCue::m_track` into a CheckedPtr. This is OK because the
  ~Track() destructor takes care of nulling out its cues' m_track pointer
  explicitly.
- Add a Lock to synchronize setting m_track on the main thread in
  `TextTrackCue::setTrack()` and accessing it on the GC thread.

* Source/WebCore/bindings/js/JSTextTrackCueCustom.cpp:
(WebCore::JSTextTrackCue::visitAdditionalChildren):
* Source/WebCore/html/track/InbandDataTextTrack.h:
* Source/WebCore/html/track/InbandGenericTextTrack.h:
* Source/WebCore/html/track/InbandTextTrack.h:
* Source/WebCore/html/track/InbandWebVTTTextTrack.h:
* Source/WebCore/html/track/LoadableTextTrack.h:
* Source/WebCore/html/track/TextTrack.h:
* Source/WebCore/html/track/TextTrackCue.cpp:
(WebCore::TextTrackCue::willChange):
(WebCore::TextTrackCue::didChange):
(WebCore::TextTrackCue::track const):
(WebCore::TextTrackCue::protectedTrack const):
(WebCore::TextTrackCue::setTrack):
(WebCore::TextTrackCue::cueIndex const):
(WebCore::TextTrackCue::hasEquivalentStartTime const):
(WebCore::TextTrackCue::visitAdditionalChildren):
* Source/WebCore/html/track/TextTrackCue.h:

Originally-landed-as: 305413.937@safari-7624-branch (133b57500c3a).
rdar://180437357
Canonical link: https://commits.webkit.org/316337@main
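The pattern the commit message describes, as an added, self-contained model (not WebKit code): a cue keeps a non-owning back-pointer to its track, the track's destructor explicitly clears that pointer in every cue it owns, and a lock is taken both where the main thread sets the pointer and where a "GC thread" reads it. `std::mutex` stands in for WTF::Lock and a raw `Track*` stands in for CheckedPtr; the names `Track`, `Cue`, `m_trackLock`, `visitTrackFromGC`, `destructorDetachesCues` and `simulateGcVersusDestroy` are assumptions made for the example. One thing the model does not reproduce is CheckedPtr's own safety net, which makes destroying a pointee that still has outstanding checked references a crash rather than a silent dangling pointer; the destructor contract shown here is what makes that net never trigger.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

class Track;

// A cue keeps a non-owning back-pointer to the track that contains it.
class Cue {
public:
    // Main thread only: install or clear the back-pointer under the lock, so
    // a concurrent GC-thread read never sees a half-updated or dangling value.
    void setTrack(Track* track)
    {
        std::lock_guard<std::mutex> guard(m_trackLock);
        m_track = track;
    }

    // Main-thread accessor. In this model the pointer only changes on the
    // main thread, so reading it here without the lock is fine.
    Track* track() const { return m_track; }

    // "GC thread" read: takes the same lock and dereferences only while
    // holding it. Returns the track id, or 0 when the cue is detached.
    uint64_t visitTrackFromGC() const;

private:
    mutable std::mutex m_trackLock;
    Track* m_track { nullptr }; // assumption: stands in for CheckedPtr<TextTrack>
};

class Track {
public:
    explicit Track(uint64_t id) : m_id(id) { }

    // The destructor detaches every cue explicitly. That contract is what
    // makes a non-owning pointer acceptable: no cue keeps the pointer set
    // past the lifetime of its track.
    ~Track()
    {
        for (auto& cue : m_cues)
            cue->setTrack(nullptr);
    }

    void addCue(std::shared_ptr<Cue> cue)
    {
        cue->setTrack(this);
        m_cues.push_back(std::move(cue));
    }

    uint64_t id() const { return m_id; }

private:
    uint64_t m_id;
    std::vector<std::shared_ptr<Cue>> m_cues;
};

uint64_t Cue::visitTrackFromGC() const
{
    std::lock_guard<std::mutex> guard(m_trackLock);
    return m_track ? m_track->id() : 0;
}

// Deterministic check of the destructor contract: once the Track is gone,
// both the main-thread and the GC-thread view of the cue are detached.
bool destructorDetachesCues()
{
    auto cue = std::make_shared<Cue>();
    uint64_t seenWhileAlive = 0;
    {
        Track track(7);
        track.addCue(cue);
        seenWhileAlive = cue->visitTrackFromGC();
    }
    return seenWhileAlive == 7 && cue->track() == nullptr && cue->visitTrackFromGC() == 0;
}

// Concurrent check: a "GC thread" hammers visitTrackFromGC() while the main
// thread destroys the Track. With the lock in place every observation is
// either the live id or 0 (use a non-zero trackId); nothing is ever read
// through a freed Track, because ~Track() clears the pointer under the lock
// before the object's storage goes away.
bool simulateGcVersusDestroy(uint64_t trackId, int gcIterations)
{
    auto cue = std::make_shared<Cue>();
    auto track = std::make_unique<Track>(trackId);
    track->addCue(cue);

    bool onlyValidValues = true;
    std::thread gcThread([&] {
        for (int i = 0; i < gcIterations; ++i) {
            uint64_t seen = cue->visitTrackFromGC();
            if (seen != trackId && seen != 0)
                onlyValidValues = false;
        }
    });

    track.reset(); // runs ~Track(), which clears cue->m_track under the lock
    gcThread.join();
    return onlyValidValues && cue->track() == nullptr;
}

int main()
{
    std::printf("destructor detaches cues: %d\n", destructorDetachesCues());
    std::printf("GC vs destroy race-free:  %d\n", simulateGcVersusDestroy(42, 200000));
}
```

Removing the two `lock_guard` lines turns `simulateGcVersusDestroy` back into the shape of the original bug: the GC thread can load `m_track`, lose the CPU while the main thread runs `~Track()`, and then dereference freed memory. Building with `-fsanitize=thread` is the quickest way to see that version reported.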
