cherry-pick-138b748dd0a4.patch
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alexander Cooper <alcooper@chromium.org>
Date: Tue, 4 Aug 2020 00:31:54 +0000
Subject: Update FocusChanged notifiers to operate on a copy

These focus changed calls ultimately trigger javascript events. These
events could potentially run code that would modify the list of items
that the FocusChanged notifiers are notifying, and thus invalidate their
in-use iterators.

Fix this by having these methods iterate over a copy instead of the
member list.

(cherry picked from commit d8f526f4e25c24ed29e60b46b3416bfabd5e8f11)

Fixed: 1107815
Change-Id: I03fa08eeadc60736f3a3fae079253dbd3ee26476
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2314158
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Klaus Weidner <klausw@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Auto-Submit: Alexander Cooper <alcooper@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#791261}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2335893
Reviewed-by: Alexander Cooper <alcooper@chromium.org>
Commit-Queue: Alexander Cooper <alcooper@chromium.org>
Cr-Commit-Position: refs/branch-heads/4147@{#1015}
Cr-Branched-From: 16307825352720ae04d898f37efa5449ad68b606-refs/heads/master@{#768962}
diff --git a/third_party/blink/renderer/core/page/focus_controller.cc b/third_party/blink/renderer/core/page/focus_controller.cc
index 03eef54ac1e7b8f4cc635b5315f6ecb0d27e0019..19615ab1bcbf1d0a6e87f5dd549d014ba6826356 100644
--- a/third_party/blink/renderer/core/page/focus_controller.cc
+++ b/third_party/blink/renderer/core/page/focus_controller.cc
@@ -1326,7 +1326,12 @@ void FocusController::RegisterFocusChangedObserver(
}
void FocusController::NotifyFocusChangedObservers() const {
- for (const auto& it : focus_changed_observers_)
+ // Since this eventually dispatches an event to the page, the page could add
+ // new observer, which would invalidate our iterators; so iterate over a copy
+ // of the observer list.
+ HeapHashSet<WeakMember<FocusChangedObserver>> observers =
+ focus_changed_observers_;
+ for (const auto& it : observers)
it->FocusedFrameChanged();
}
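Review bot: In NotifyFocusChangedObservers(), the loop over the local `observers` copy calls FocusedFrameChanged() on every entry that was present when the snapshot was taken, so an observer that an earlier handler causes to be dropped from focus_changed_observers_ is still notified, and one added during dispatch is not. If either behaviour is unintended, re-check membership in focus_changed_observers_ before each call; otherwise state the snapshot semantics in the comment. Two smaller points on the same lines: the comment should read "add a new observer", and the loop variable `it` names an element rather than an iterator, so `observer` would read better.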
diff --git a/third_party/blink/renderer/modules/xr/xr.cc b/third_party/blink/renderer/modules/xr/xr.cc
index 0f0a0c792c2a7479228f377488a413c7b32e3854..968a1a4dca1a680e00870e42258f4824963f6b16 100644
--- a/third_party/blink/renderer/modules/xr/xr.cc
+++ b/third_party/blink/renderer/modules/xr/xr.cc
@@ -524,7 +524,11 @@ XR::XR(LocalFrame& frame, int64_t ukm_source_id)
void XR::FocusedFrameChanged() {
// Tell all sessions that focus changed.
- for (const auto& session : sessions_) {
+ // Since this eventually dispatches an event to the page, the page could
+ // create a new session which would invalidate our iterators; so iterate over
+ // a copy of the session map.
+ HeapHashSet<WeakMember<XRSession>> processing_sessions = sessions_;
+ for (const auto& session : processing_sessions) {
session->OnFocusChanged();
}
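Review bot: The new comment in XR::FocusedFrameChanged() says "a copy of the session map", but `processing_sessions` is declared as a HeapHashSet<WeakMember<XRSession>>, so the comment should say "session set". The patch touches only focus_controller.cc and xr.cc and adds no test; a regression test in which a focus event handler creates a session while OnFocusChanged() is being dispatched would keep the loop from being changed back to iterating sessions_ directly.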