Fix use-after-free of m_currentSpeechUtterance.

Source/modules/speech/SpeechSynthesis.cpp

 /*
  * Copyright (C) 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 24 matching lines @@
 namespace WebCore {
 
 PassRefPtrWillBeRawPtr<SpeechSynthesis> SpeechSynthesis::create(ExecutionContext* context)
 {
     return adoptRefWillBeRefCountedGarbageCollected(new SpeechSynthesis(context));
 }
 
 SpeechSynthesis::SpeechSynthesis(ExecutionContext* context)
     : ContextLifecycleObserver(context)
     , m_platformSpeechSynthesizer(PlatformSpeechSynthesizer::create(this))
-    , m_currentSpeechUtterance(nullptr)
     , m_isPaused(false)
 {
     ScriptWrappable::init(this);
 }
 
 void SpeechSynthesis::setPlatformSynthesizer(PassOwnPtr<PlatformSpeechSynthesizer> synthesizer)
 {
     m_platformSpeechSynthesizer = synthesizer;
 }
 
@@ skipping 20 matching lines @@
     for (size_t k = 0; k < voiceCount; k++)
         m_voiceList.append(SpeechSynthesisVoice::create(platformVoices[k]));
 
     return m_voiceList;
 }
 
 bool SpeechSynthesis::speaking() const
 {
     // If we have a current speech utterance, then that means we're assumed to be in a speaking state.
     // This state is independent of whether the utterance happens to be paused.
-    return m_currentSpeechUtterance;
+    return currentSpeechUtterance();
 }
 
 bool SpeechSynthesis::pending() const
 {
     // This is true if there are any utterances that have not started.
     // That means there will be more than one in the queue.
     return m_utteranceQueue.size() > 1;
 }
 
 bool SpeechSynthesis::paused() const
 {
     return m_isPaused;
 }
 
-void SpeechSynthesis::startSpeakingImmediately(SpeechSynthesisUtterance* utterance)
+void SpeechSynthesis::startSpeakingImmediately()
 {
-    ASSERT(!m_currentSpeechUtterance);
+    SpeechSynthesisUtterance* utterance = currentSpeechUtterance();
+    ASSERT(utterance);
+
     utterance->setStartTime(monotonicallyIncreasingTime());
-    m_currentSpeechUtterance = utterance;
     m_isPaused = false;
     m_platformSpeechSynthesizer->speak(utterance->platformUtterance());
 }
 
 void SpeechSynthesis::speak(SpeechSynthesisUtterance* utterance, ExceptionState& exceptionState)
 {
     if (!utterance) {
         exceptionState.throwTypeError("Invalid utterance argument");
         return;
     }
 
     m_utteranceQueue.append(utterance);
 
-    // If the queue was empty, speak this immediately and add it to the queue.
+    // If the queue was empty, speak this immediately.
     if (m_utteranceQueue.size() == 1)
-        startSpeakingImmediately(utterance);
+        startSpeakingImmediately();
 }
 
 void SpeechSynthesis::cancel()
 {
-    // Remove all the items from the utterance queue.
-    // Hold on to the current utterance so the platform synthesizer can have a chance to clean up.
-    RefPtrWillBeMember<SpeechSynthesisUtterance> current = m_currentSpeechUtterance;
+    // Remove all the items from the utterance queue. The platform
+    // may still have references to some of these utterances and may
+    // fire events on them asynchronously.
     m_utteranceQueue.clear();
     m_platformSpeechSynthesizer->cancel();
-    current = nullptr;
-
-    // The platform should have called back immediately and cleared the current utterance.
-    ASSERT(!m_currentSpeechUtterance);
 }
 
 void SpeechSynthesis::pause()
 {
     if (!m_isPaused)
         m_platformSpeechSynthesizer->pause();
 }
 
 void SpeechSynthesis::resume()
 {
-    if (!m_currentSpeechUtterance)
+    if (!currentSpeechUtterance())
         return;
     m_platformSpeechSynthesizer->resume();
 }
 
 void SpeechSynthesis::fireEvent(const AtomicString& type, SpeechSynthesisUtterance* utterance, unsigned long charIndex, const String& name)
 {
     if (!executionContext()->activeDOMObjectsAreStopped())
         utterance->dispatchEvent(SpeechSynthesisEvent::create(type, charIndex, (currentTime() - utterance->startTime()), name));
 }
 
 void SpeechSynthesis::handleSpeakingCompleted(SpeechSynthesisUtterance* utterance, bool errorOccurred)
 {
     ASSERT(utterance);
-    ASSERT(m_currentSpeechUtterance);
-    m_currentSpeechUtterance = nullptr;
 
+    bool didJustFinishCurrentUtterance = false;
+    // If the utterance that completed was the one we're currently speaking,
+    // remove it from the queue and start speaking the next one.
+    if (utterance == currentSpeechUtterance()) {
+        m_utteranceQueue.removeFirst();
+        didJustFinishCurrentUtterance = true;
+    }
+
+    // Always fire the event, because the platform may have asynchronously
+    // sent an event on an utterance before it got the message that we
+    // canceled it, and we should always report to the user what actually
+    // happened.
     fireEvent(errorOccurred ? EventTypeNames::error : EventTypeNames::end, utterance, 0, String());
 
-    if (m_utteranceQueue.size()) {
-        RefPtrWillBeMember<SpeechSynthesisUtterance> firstUtterance = m_utteranceQueue.first();
-        ASSERT(firstUtterance == utterance);
-        if (firstUtterance == utterance)
-            m_utteranceQueue.removeFirst();
-
-        // Start the next job if there is one pending.
-        if (!m_utteranceQueue.isEmpty())
-            startSpeakingImmediately(m_utteranceQueue.first().get());
-    }
+    // Start the next utterance if we just finished one and one was pending.
+    if (didJustFinishCurrentUtterance && !m_utteranceQueue.isEmpty())
+        startSpeakingImmediately();
 }
 
 void SpeechSynthesis::boundaryEventOccurred(PassRefPtr<PlatformSpeechSynthesisUtterance> utterance, SpeechBoundary boundary, unsigned charIndex)
 {
     DEFINE_STATIC_LOCAL(const String, wordBoundaryString, ("word"));
     DEFINE_STATIC_LOCAL(const String, sentenceBoundaryString, ("sentence"));
 
     switch (boundary) {
     case SpeechWordBoundary:
         fireEvent(EventTypeNames::boundary, static_cast<SpeechSynthesisUtterance*>(utterance->client()), charIndex, wordBoundaryString);
@@ skipping 31 matching lines @@
     if (utterance->client())
         handleSpeakingCompleted(static_cast<SpeechSynthesisUtterance*>(utterance->client()), false);
 }
 
 void SpeechSynthesis::speakingErrorOccurred(PassRefPtr<PlatformSpeechSynthesisUtterance> utterance)
 {
     if (utterance->client())
         handleSpeakingCompleted(static_cast<SpeechSynthesisUtterance*>(utterance->client()), true);
 }
 
+SpeechSynthesisUtterance* SpeechSynthesis::currentSpeechUtterance() const
+{
+    if (!m_utteranceQueue.isEmpty())
+        return m_utteranceQueue.first().get();
+    return 0;
+}
+
 const AtomicString& SpeechSynthesis::interfaceName() const
 {
     return EventTargetNames::SpeechSynthesisUtterance;
 }
 
 void SpeechSynthesis::trace(Visitor* visitor)
 {
     visitor->trace(m_voiceList);
-    visitor->trace(m_currentSpeechUtterance);
     visitor->trace(m_utteranceQueue);
 }
 
 } // namespace WebCore