[MediaCapabilities] Protect MediaCapabilities JS wrapper from GC#1678
Open
asurdej-comcast wants to merge 1 commit into
Open
[MediaCapabilities] Protect MediaCapabilities JS wrapper from GC#1678asurdej-comcast wants to merge 1 commit into
asurdej-comcast wants to merge 1 commit into
Conversation
Add GenerateIsReachable=ReachableFromNavigator to prevent wrapper GC. The MediaCapabilities interface is annotated [SameObject] in the spec, meaning navigator.mediaCapabilities must return the same object on every access. Without GC protection, the JS wrapper can be collected when no JS reference holds it, causing a new wrapper to be created on next access. This breaks object identity and loses any user-set properties.
|
This seems to be a good candidate for upstreaming first. I am working on it. |
|
PR in upstream: WebKit/WebKit#65807 |
webkit-commit-queue
pushed a commit
to pgorszkowski-igalia/WebKit
that referenced
this pull request
Jun 12, 2026
…before its navigator object https://bugs.webkit.org/show_bug.cgi?id=315684 Reviewed by Ryosuke Niwa. navigator.mediaCapabilities wrapper should not become GC-collectable before its navigator object. The MediaCapabilities interface is annotated [SameObject] in the spec: https://www.w3.org/TR/media-capabilities/#idl-index It means that navigator.mediaCapabilities must return the same object on every access. See: WebPlatformForEmbedded/WPEWebKit#1678 Original author: Andrzej Surdej (https://github.com/asurdej-comcast) Updated existing LayoutTest with mediaCapabilities case. * LayoutTests/fast/dom/navigator-property-gc-after-frame-detach-expected.txt: * LayoutTests/fast/dom/navigator-property-gc-after-frame-detach.html: * Source/WebCore/Modules/mediacapabilities/MediaCapabilities.cpp: (WebCore::MediaCapabilities::MediaCapabilities): (WebCore::MediaCapabilities::navigator): * Source/WebCore/Modules/mediacapabilities/MediaCapabilities.h: (WebCore::MediaCapabilities::create): * Source/WebCore/Modules/mediacapabilities/MediaCapabilities.idl: * Source/WebCore/Modules/mediacapabilities/NavigatorMediaCapabilities.cpp: (WebCore::NavigatorMediaCapabilities::NavigatorMediaCapabilities): (WebCore::NavigatorMediaCapabilities::from): * Source/WebCore/Modules/mediacapabilities/NavigatorMediaCapabilities.h: * Source/WebCore/Modules/mediacapabilities/WorkerNavigatorMediaCapabilities.cpp: (WebCore::WorkerNavigatorMediaCapabilities::WorkerNavigatorMediaCapabilities): (WebCore::WorkerNavigatorMediaCapabilities::from): * Source/WebCore/Modules/mediacapabilities/WorkerNavigatorMediaCapabilities.h: Canonical link: https://commits.webkit.org/315088@main
|
The backport of this change from upstream is here: #1687. I close this. |
pgorszkowski-igalia
added a commit
that referenced
this pull request
Jun 12, 2026
…before its navigator object https://bugs.webkit.org/show_bug.cgi?id=315684 Reviewed by Ryosuke Niwa. navigator.mediaCapabilities wrapper should not become GC-collectable before its navigator object. The MediaCapabilities interface is annotated [SameObject] in the spec: https://www.w3.org/TR/media-capabilities/#idl-index It means that navigator.mediaCapabilities must return the same object on every access. See: #1678 Original author: Andrzej Surdej (https://github.com/asurdej-comcast) Updated existing LayoutTest with mediaCapabilities case. * LayoutTests/fast/dom/navigator-property-gc-after-frame-detach-expected.txt: * LayoutTests/fast/dom/navigator-property-gc-after-frame-detach.html: * Source/WebCore/Modules/mediacapabilities/MediaCapabilities.cpp: (WebCore::MediaCapabilities::MediaCapabilities): (WebCore::MediaCapabilities::navigator): * Source/WebCore/Modules/mediacapabilities/MediaCapabilities.h: (WebCore::MediaCapabilities::create): * Source/WebCore/Modules/mediacapabilities/MediaCapabilities.idl: * Source/WebCore/Modules/mediacapabilities/NavigatorMediaCapabilities.cpp: (WebCore::NavigatorMediaCapabilities::NavigatorMediaCapabilities): (WebCore::NavigatorMediaCapabilities::from): * Source/WebCore/Modules/mediacapabilities/NavigatorMediaCapabilities.h: * Source/WebCore/Modules/mediacapabilities/WorkerNavigatorMediaCapabilities.cpp: (WebCore::WorkerNavigatorMediaCapabilities::WorkerNavigatorMediaCapabilities): (WebCore::WorkerNavigatorMediaCapabilities::from): * Source/WebCore/Modules/mediacapabilities/WorkerNavigatorMediaCapabilities.h: Canonical link: https://commits.webkit.org/315088@main
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add GenerateIsReachable=ReachableFromNavigator to prevent wrapper GC. The MediaCapabilities interface is annotated [SameObject] in the spec, meaning navigator.mediaCapabilities must return the same object on every access. Without GC protection, the JS wrapper can be collected when no JS reference holds it, causing a new wrapper to be created on next access. This breaks object identity and loses any user-set properties.
This fixes an issue with ShakaPlayer that sets its own, custom navigator.mediaCapabilities.decodingInfo wrapper JS function that provides DRM data in addition to native decodingInfo impl.
See https://github.com/shaka-project/shaka-player/blob/ce7ee4b76f1fd6104519fe6f20fe7dda9d759eaf/lib/polyfill/mcap_encryption_scheme.js#L131
53edfff