[webkit-changes] [WebKit/WebKit] abafb8: Cherry-pick 252432.1018 at safari-7614-branch (792c09...

Tue Mar 28 10:42:12 PDT 2023

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: abafb86e06cff4ef87143bef6ce7f56e4f6f6415
      https://github.com/WebKit/WebKit/commit/abafb86e06cff4ef87143bef6ce7f56e4f6f6415
  Author: Youenn Fablet <youennf at gmail.com>
  Date:   2023-03-28 (Tue, 28 Mar 2023)

  Changed paths:
    A LayoutTests/streams/blob-and-then-expected.txt
    A LayoutTests/streams/blob-and-then.html
    M Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp
    M Source/WebCore/Modules/streams/ReadableStreamSink.cpp

  Log Message:
  -----------
  Cherry-pick 252432.1018 at safari-7614-branch (792c09f18dc7). rdar://107315556

    Use-after-free in FetchBodyConsumer::resolve
    https://bugs.webkit.org/show_bug.cgi?id=249996
    rdar://103649054

    Reviewed by Jonathan Bedard and Alex Christensen.

    Make sure in FetchBodyConsumer that refed promise/source remain protected.

    We also revert part of an unnecessary and wrong change from https://trac.webkit.org/changeset/227760.
    This makes sure ReadableStreamToSharedBufferSink callback remains valid until completely executed in close case, as was the case in error case.
    We use std::exchange instead of move as it is more semantically correct.

    Covered by added test.

    * LayoutTests/streams/blob-and-then-expected.txt: Added.
    * LayoutTests/streams/blob-and-then.html: Added.
    * Source/WebCore/Modules/fetch/FetchBodyConsumer.cpp:
    (WebCore::FetchBodyConsumer::resolveWithFormData):
    (WebCore::FetchBodyConsumer::consumeFormDataAsStream):
    (WebCore::FetchBodyConsumer::resolve):
    * Source/WebCore/Modules/streams/ReadableStreamSink.cpp:
    (WebCore::ReadableStreamToSharedBufferSink::close):
    (WebCore::ReadableStreamToSharedBufferSink::error):

    Canonical link: https://commits.webkit.org/252432.1018@safari-7614-branch

Canonical link: https://commits.webkit.org/262229@main