
Revision 168171

Author: dmazzoni@google.com
Date: Fri Feb 28 23:50:59 2014 UTC (9 years, 2 months ago)
Changed paths: 6
Log Message:
Fix use-after-free of m_currentSpeechUtterance.

SpeechSynthesis.cpp incorrectly assumed that calling
m_platformSpeechSynthesizer->cancel() would immediately call
didFinishSpeaking or speakingErrorOccurred, which would null out
m_currentSpeechUtterance. This assumption was true in WebKit/Mac, but
Chromium's platform implementation is asynchronous, so that call may
come later.

Fix the issue and simplify the logic by getting rid of the raw pointer
to the current utterance altogether. Now the RefPtr at the front of the
utterance queue is the current utterance, and the platform implementation
is allowed to fire events on utterances that are no longer in the queue.

BUG=344881
R=abarth@chromium.org

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=168092

Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=168169

Review URL: https://codereview.chromium.org/180553004
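The lifetime problem the log message describes, as an added example that is not the code from this revision: a constructed model in which the platform layer (a stand-in written here, not Blink's PlatformSpeechSynthesizerMock) completes asynchronously, and the synthesizer treats the shared_ptr at the front of its queue as the current utterance, so a late didFinishSpeaking for an utterance that was already cancelled is harmless. All class and function names, and the cancel-twice sequence, are assumptions modelled on the commit message and the layout test it adds.

```cpp
#include <deque>
#include <functional>
#include <memory>
struct Utterance { bool finished = false; };

// Constructed stand-in for Chromium's asynchronous platform layer (not Blink's
// PlatformSpeechSynthesizerMock): cancel() only records the request; didFinishSpeaking is
// delivered later, by pumpEvents(), and the platform's own shared_ptr keeps u alive until then.
class AsyncPlatformSynthesizer {
public:
    using Callback = std::function<void(std::shared_ptr<Utterance>)>;
    void speak(std::shared_ptr<Utterance> u, Callback onFinish) { current_ = u; onFinish_ = onFinish; }
    void cancel() { finishPending_ = (current_ != nullptr); }
    void pumpEvents() { if (finishPending_) { finishPending_ = false; onFinish_(std::move(current_)); } }
private:
    std::shared_ptr<Utterance> current_; Callback onFinish_;
    bool finishPending_ = false;
};

// Fixed design from the log message: the shared_ptr at the queue front is the current
// utterance, and an event for an utterance that already left the queue is tolerated.
class SpeechSynthesis {
public:
    explicit SpeechSynthesis(AsyncPlatformSynthesizer& p) : platform_(p) {}
    void speak(std::shared_ptr<Utterance> u) { queue_.push_back(u); if (queue_.size() == 1) startSpeaking(); }
    void cancel() { queue_.clear(); platform_.cancel(); }  // no raw pointer to null out
    void didFinishSpeaking(std::shared_ptr<Utterance> u) {
        u->finished = true;  // u is a live reference, not a pointer into freed memory
        if (queue_.empty() || queue_.front() != u) return;  // late event for a cancelled utterance
        queue_.pop_front();
        if (!queue_.empty()) startSpeaking();
    }
    bool idle() const { return queue_.empty(); }
private:
    void startSpeaking() {
        platform_.speak(queue_.front(), [this](std::shared_ptr<Utterance> u) { didFinishSpeaking(u); });
    }
    AsyncPlatformSynthesizer& platform_;
    std::deque<std::shared_ptr<Utterance>> queue_;
};

// Sequence of the cancel-twice layout test: two utterances, cancel twice, then the deferred
// platform event. True when the queue is empty and only the in-flight utterance finished.
bool cancelTwiceScenario() {
    AsyncPlatformSynthesizer platform;
    SpeechSynthesis synth(platform);
    auto a = std::make_shared<Utterance>(), b = std::make_shared<Utterance>();
    synth.speak(a); synth.speak(b);
    synth.cancel(); synth.cancel();
    platform.pumpEvents();
    return synth.idle() && a->finished && !b->finished;
}
```

With the old raw-pointer design the same sequence would have dereferenced m_currentSpeechUtterance after the utterance was released; here the late event only finds an empty queue and is dropped.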

Changed paths

Path                                                                                Details
trunk/LayoutTests/fast/speechsynthesis/speech-synthesis-cancel-twice-expected.txt   added
trunk/LayoutTests/fast/speechsynthesis/speech-synthesis-cancel-twice.html           added
trunk/Source/modules/speech/SpeechSynthesis.cpp                                     modified, text changed
trunk/Source/modules/speech/SpeechSynthesis.h                                       modified, text changed
trunk/Source/modules/speech/testing/PlatformSpeechSynthesizerMock.cpp               modified, text changed
trunk/Source/modules/speech/testing/PlatformSpeechSynthesizerMock.h                 modified, text changed
