From 12ce1638c1f6d2430362933d13d730ab296c8137 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Thu, 17 Oct 2024 16:52:26 +0200
Subject: [PATCH] Fix crash in ProcessLauncher socket monitor callback
Bug: https://bugs.webkit.org/show_bug.cgi?id=281495
===================================================================
Gbp-Pq: Name socket-monitor-crash.patch
---
 Source/WTF/wtf/glib/GSocketMonitor.cpp | 21 +++++++++++++++++++--
 Source/WTF/wtf/glib/GSocketMonitor.h | 2 ++
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/Source/WTF/wtf/glib/GSocketMonitor.cpp b/Source/WTF/wtf/glib/GSocketMonitor.cpp
index c88ea9f91c..f3e31efb50 100644
--- a/Source/WTF/wtf/glib/GSocketMonitor.cpp
+++ b/Source/WTF/wtf/glib/GSocketMonitor.cpp
@@ -33,6 +33,7 @@ namespace WTF {
 GSocketMonitor::~GSocketMonitor()
 {
+ RELEASE_ASSERT(!m_isExecutingCallback);
 stop();
 }
@@ -40,7 +41,17 @@ gboolean GSocketMonitor::socketSourceCallback(GSocket*, GIOCondition condition,
 {
 if (g_cancellable_is_cancelled(monitor->m_cancellable.get()))
 return G_SOURCE_REMOVE;
- return monitor->m_callback(condition);
+
+ monitor->m_isExecutingCallback = true;
+ gboolean result = monitor->m_callback(condition);
+ monitor->m_isExecutingCallback = false;
+
+ if (monitor->m_shouldDestroyCallback) {
+ monitor->m_callback = nullptr;
+ monitor->m_shouldDestroyCallback = false;
+ }
+
+ return result;
 }
 void GSocketMonitor::start(GSocket* socket, GIOCondition condition, RunLoop& runLoop, Function&& callback)
@@ -65,7 +76,13 @@ void GSocketMonitor::stop()
 m_cancellable = nullptr;
 g_source_destroy(m_source.get());
 m_source = nullptr;
- m_callback = nullptr;
+
+ // It's normal to stop the socket monitor from inside its callback.
+ // Don't destroy the callback while it's still executing.
+ if (m_isExecutingCallback)
+ m_shouldDestroyCallback = true;
+ else
+ m_callback = nullptr;
 }
 } // namespace WTF
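Review bot: The `RELEASE_ASSERT` added to `~GSocketMonitor()` carries no comment saying what it protects against. As far as this patch shows, `socketSourceCallback()` writes `monitor->m_isExecutingCallback` and reads `monitor->m_shouldDestroyCallback` after `m_callback` returns, so destroying the monitor from inside its own callback would be a use-after-free; the assert turns that into a deterministic crash. I would add above it: `// The monitor must outlive a running callback: socketSourceCallback() touches members after m_callback returns.` Owners that hold the monitor in an object the callback can release should be checked against this rule.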
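Review bot: The deferred-destroy block after `monitor->m_callback(condition)` clears whatever `m_callback` holds at that moment, which is only correct if nothing replaced it during the call. `start()` is not changed by this diff and its body is not visible here; if it calls `stop()` and then assigns `m_callback`, a callback that restarts the monitor would destroy the running `Function` on assignment (the crash this patch fixes) and then have its replacement nulled by this block, leaving a live source with an empty callback. If restarting from inside the callback is not meant to be supported, `RELEASE_ASSERT(!m_isExecutingCallback);` at the top of `start()` would make that explicit. Otherwise `start()` needs to defer the swap the same way `stop()` now does in the third hunk.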
diff --git a/Source/WTF/wtf/glib/GSocketMonitor.h b/Source/WTF/wtf/glib/GSocketMonitor.h
index 7ec383a6e3..9393c546b5 100644
--- a/Source/WTF/wtf/glib/GSocketMonitor.h
+++ b/Source/WTF/wtf/glib/GSocketMonitor.h
@@ -51,6 +51,8 @@ private:
 GRefPtr m_source;
 GRefPtr m_cancellable;
 Function m_callback;
+ bool m_isExecutingCallback { false };
+ bool m_shouldDestroyCallback { false };
 };
 } // namespace WTF
--
2.30.2
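Review bot: The two new flags are plain `bool`s with no comment on which thread may touch them. The logic in `stop()` and `socketSourceCallback()` is only sound if both run on the run loop thread that dispatches the source; a `stop()` from another thread could read `m_isExecutingCallback` as false and destroy the callback while it is still running. Nothing in the diff shows which threads call `stop()`, so if the single-thread rule holds I would record it next to the members: `// Only accessed on the run loop thread that dispatches m_source.`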