[webkit-changes] [WebKit/WebKit] 962309: CRASH: GPUP at -[WebCoreNSURLSessionDataTask _cancel]

Jer Noble noreply at github.com
Tue Feb 28 07:35:45 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 96230945f879c8a4188fd341a56841c79e986378
      https://github.com/WebKit/WebKit/commit/96230945f879c8a4188fd341a56841c79e986378
  Author: Jer Noble <jer.noble at apple.com>
  Date:   2023-02-28 (Tue, 28 Feb 2023)

  Changed paths:
    M Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm

  Log Message:
  -----------
  CRASH: GPUP at -[WebCoreNSURLSessionDataTask _cancel]
https://bugs.webkit.org/show_bug.cgi?id=253044
rdar://94878533

Reviewed by Eric Carlson.

-[WebCoreNSURLSessionDataTask session] currently converts a WeakObjC pointer (safely) into
a RetainPtr, then returns a raw pointer from that RetainPtr. The RetainPtr is destroyed after
returning, which reduces the retain count. It is then stored into a RetainPtr again by the
caller inside -_cancel.

Meanwhile, on another thread, the WebCoreNSURLSession can be released by the system, leaving
an opportunity to release the WebCoreNSURLSession and reduce its retain count to zero in
between the two RetainPtr calls on the main thread, leading to the client retaining a dealloc'd
object.

Instead, -session should return an autorelease()'d pointer, thereby ensuring the session is
retained long enough for the client to retain it. This will increase retain-count churn, but
will also guarantee the object cannot be destroyed on a background thread while it's still
being used on the main thread.

* Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm:
(-[WebCoreNSURLSessionDataTask session]):

Canonical link: https://commits.webkit.org/260941@main
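The race the commit message describes, reduced to a single-threaded C++ model (an added example, not WebKit code): the other thread's release is replayed sequentially at the point where the window opens, `Session`, `RetainPtr`, `Task` and `lockWeak()` are minimal stand-ins for the ObjC object, WTF::RetainPtr and WeakObjCPtr, and returning a `RetainPtr` by value stands in for the autorelease()'d return the fix adopts.

```cpp
// Stand-in for an ObjC object with a manual retain count. Memory is never freed at
// count zero; the object is only flagged, so a use-after-free shows as a bool, not UB.
struct Session {
    int retainCount = 1;      // the "system" owner's retain
    bool deallocated = false;
};
inline void retain(Session* s) { if (s) ++s->retainCount; }
inline void release(Session* s) { if (s && --s->retainCount == 0) s->deallocated = true; }

// Minimal RetainPtr: holds exactly one retain and releases it in the destructor.
class RetainPtr {
public:
    explicit RetainPtr(Session* s) : m_ptr(s) { retain(s); }
    RetainPtr(const RetainPtr& other) : RetainPtr(other.m_ptr) {}
    RetainPtr& operator=(const RetainPtr&) = delete;
    ~RetainPtr() { release(m_ptr); }
    Session* get() const { return m_ptr; }
private:
    Session* m_ptr = nullptr;
};

// A task holds only a weak reference to its session. Like WeakObjCPtr, lockWeak()
// yields nothing once the object has been deallocated (constructed stand-in).
struct Task {
    Session* weakSession = nullptr;
    Session* lockWeak() const { return weakSession && !weakSession->deallocated ? weakSession : nullptr; }
    // Buggy -session: the strong reference lives in a local RetainPtr that dies at return.
    Session* sessionRaw() const { RetainPtr strong(lockWeak()); return strong.get(); }
    // Fixed -session: hand the caller a strong reference (the C++ analogue of autorelease).
    RetainPtr sessionStrong() const { return RetainPtr(lockWeak()); }
};

// Models -_cancel with the other thread's release landing between -session returning and
// the caller's own retain. Returns true when the caller ends up retaining a dead object.
bool cancelRetainsDeadObject(bool useFix) {
    Session* session = new Session;
    Task task{ session };
    bool retainedDead = false;
    if (useFix) {
        RetainPtr held = task.sessionStrong(); // caller's retain exists before the window
        release(session);                      // system drops its retain: count 1, alive
        retainedDead = held.get()->deallocated;
    } else {
        Session* raw = task.sessionRaw();      // local RetainPtr already released: count 1
        release(session);                      // system drops its retain: count 0, dealloc
        RetainPtr held(raw);                   // client retains a deallocated object
        retainedDead = held.get()->deallocated;
    }
    delete session;
    return retainedDead;
}
```

In the real code the window is a few instructions wide and only hit under contention, which is why a sequential model like this is a useful way to reason about the fix.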