<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[198143] trunk/Source</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/198143">198143</a></dd>
<dt>Author</dt> <dd>bfulgham@apple.com</dd>
<dt>Date</dt> <dd>2016-03-14 11:29:05 -0700 (Mon, 14 Mar 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>PingHandle deletes itself but pointer is still used by handleDataURL
https://bugs.webkit.org/show_bug.cgi?id=154752
&lt;rdar://problem/24872347&gt;

Source/WebCore:

Patch by Chris Vienneau &lt;chris.vno@outlook.com&gt; on 2016-03-14
Reviewed by Alex Christensen.

When a PingHandle is destroyed, we should tell its client so that the client can clear the pointer it
holds to the element to avoid accidentally attempting to use deallocated memory.

The ResourceHandle's client member may be null after &quot;didReceiveResponse&quot; is called. We should confirm
the client is still valid after these calls.

* platform/network/DataURL.cpp:
(WebCore::handleDataURL): Check the client pointer before using it.
* platform/network/PingHandle.h:
(WebCore::PingHandle::~PingHandle): Notify the client we are being destroyed.
* platform/platform/network/ResourceHandle.h:

Source/WebKit2:

Reviewed by Alex Christensen.

When a PingLoad is destroyed, we should tell its client so that the client can clear the pointer it
holds to the element to avoid accidentally attempting to use deallocated memory.

* NetworkProcess/PingLoad.h:
(WebKit::PingLoad::~PingLoad): Notify the client we are being destroyed.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkDataURLcpp">trunk/Source/WebCore/platform/network/DataURL.cpp</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkPingHandleh">trunk/Source/WebCore/platform/network/PingHandle.h</a></li>
<li><a href="#trunkSourceWebCoreplatformnetworkResourceHandleh">trunk/Source/WebCore/platform/network/ResourceHandle.h</a></li>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2NetworkProcessNetworkDataTaskh">trunk/Source/WebKit2/NetworkProcess/NetworkDataTask.h</a></li>
<li><a href="#trunkSourceWebKit2NetworkProcessPingLoadh">trunk/Source/WebKit2/NetworkProcess/PingLoad.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (198142 => 198143)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog        2016-03-14 18:13:02 UTC (rev 198142)
+++ trunk/Source/WebCore/ChangeLog        2016-03-14 18:29:05 UTC (rev 198143)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2016-03-14  Chris Vienneau  &lt;chris.vno@outlook.com&gt;
+
+        PingHandle delete's itself but pointer is still used by handleDataURL
+        https://bugs.webkit.org/show_bug.cgi?id=154752
+        &lt;rdar://problem/24872347&gt;
+
+        Reviewed by Alex Christensen.
+
+        When a PingHandle is destroyed, we should tell its client so that the client can clear the pointer it
+        holds to the element to avoid accidentally attempting to use deallocated memory.
+
+        The ResourceHandle's client member may be null after &quot;didReceiveResponse&quot; is called. We should confirm
+        the client is still valid after these calls.
+
+        * platform/network/DataURL.cpp:
+        (WebCore::handleDataURL): Check the client pointer before using it.
+        * platform/network/PingHandle.h:
+        (WebCore::PingHandle::~PingHandle): Notify the client we are being destroyed.
+        * platform/platform/network/ResourceHandle.h:
+
</ins><span class="cx"> 2016-03-14  Zalan Bujtas  &lt;zalan@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Negative outline offset could break curved outline-style: auto
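Review bot: the entry for ResourceHandle.h has a mistyped path (platform/platform/network/ResourceHandle.h, while the diff touches platform/network/ResourceHandle.h) and no description of the change; add a line saying that client() gained WEBCORE_EXPORT and why. The title line also reads "delete's" where "deletes" is meant.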
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkDataURLcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/DataURL.cpp (198142 => 198143)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/DataURL.cpp        2016-03-14 18:13:02 UTC (rev 198142)
+++ trunk/Source/WebCore/platform/network/DataURL.cpp        2016-03-14 18:29:05 UTC (rev 198143)
</span><span class="lines">@@ -44,6 +44,9 @@
</span><span class="cx">     ASSERT(handle-&gt;firstRequest().url().protocolIsData());
</span><span class="cx">     String url = handle-&gt;firstRequest().url().string();
</span><span class="cx"> 
</span><ins>+    ASSERT(handle);
+    ASSERT(handle-&gt;client());
+
</ins><span class="cx">     int index = url.find(',');
</span><span class="cx">     if (index == -1) {
</span><span class="cx">         handle-&gt;client()-&gt;cannotShowURL(handle);
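Review bot: the new ASSERT(handle) is placed after handle has already been dereferenced twice (the handle-&gt;firstRequest() calls in the ASSERT and the String url line just above it), so it can never catch a null handle; move both new asserts to the top of handleDataURL, before the first use. Also note that ASSERT is compiled out in release builds, so ASSERT(handle-&gt;client()) does not protect the unguarded handle-&gt;client()-&gt;cannotShowURL(handle) call that follows it.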
</span><span class="lines">@@ -75,23 +78,30 @@
</span><span class="cx">         data = decodeURLEscapeSequences(data);
</span><span class="cx">         handle-&gt;client()-&gt;didReceiveResponse(handle, response);
</span><span class="cx"> 
</span><del>-        Vector&lt;char&gt; out;
-        if (base64Decode(data, out, Base64IgnoreSpacesAndNewLines) &amp;&amp; out.size() &gt; 0) {
-            response.setExpectedContentLength(out.size());
-            handle-&gt;client()-&gt;didReceiveData(handle, out.data(), out.size(), 0);
</del><ins>+        // didReceiveResponse might cause the client to be deleted.
+        if (handle-&gt;client()) {
+            Vector&lt;char&gt; out;
+            if (base64Decode(data, out, Base64IgnoreSpacesAndNewLines) &amp;&amp; out.size() &gt; 0) {
+                response.setExpectedContentLength(out.size());
+                handle-&gt;client()-&gt;didReceiveData(handle, out.data(), out.size(), 0);
+            }
</ins><span class="cx">         }
</span><span class="cx">     } else {
</span><span class="cx">         TextEncoding encoding(charset);
</span><span class="cx">         data = decodeURLEscapeSequences(data, encoding);
</span><span class="cx">         handle-&gt;client()-&gt;didReceiveResponse(handle, response);
</span><span class="cx"> 
</span><del>-        CString encodedData = encoding.encode(data, URLEncodedEntitiesForUnencodables);
-        response.setExpectedContentLength(encodedData.length());
-        if (encodedData.length())
-            handle-&gt;client()-&gt;didReceiveData(handle, encodedData.data(), encodedData.length(), 0);
</del><ins>+        // didReceiveResponse might cause the client to be deleted.
+        if (handle-&gt;client()) {
+            CString encodedData = encoding.encode(data, URLEncodedEntitiesForUnencodables);
+            response.setExpectedContentLength(encodedData.length());
+            if (encodedData.length())
+                handle-&gt;client()-&gt;didReceiveData(handle, encodedData.data(), encodedData.length(), 0);
+        }
</ins><span class="cx">     }
</span><span class="cx"> 
</span><del>-    handle-&gt;client()-&gt;didFinishLoading(handle, 0);
</del><ins>+    if (handle-&gt;client())
+        handle-&gt;client()-&gt;didFinishLoading(handle, 0);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> } // namespace WebCore
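Review bot: re-reading handle-&gt;client() after each didReceiveResponse is the right pattern, but the didReceiveResponse calls themselves (and cannotShowURL in the earlier hunk) remain unconditional handle-&gt;client()-&gt; dereferences. ResourceHandle.h documents that the client may be 0, and the ASSERT at function entry is a no-op in release builds, so a handle whose client was cleared before handleDataURL runs still crashes on the first callback; either guard those calls too or return early when handle-&gt;client() is null. The comment "didReceiveResponse might cause the client to be deleted" also understates what the check relies on: it is only sound because ~PingHandle() now calls clearClient() on the handle before the object is gone, and that dependency is worth stating in the comment so nobody removes the clearClient() later.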
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkPingHandleh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/PingHandle.h (198142 => 198143)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/PingHandle.h        2016-03-14 18:13:02 UTC (rev 198142)
+++ trunk/Source/WebCore/platform/network/PingHandle.h        2016-03-14 18:29:05 UTC (rev 198143)
</span><span class="lines">@@ -67,8 +67,11 @@
</span><span class="cx"> 
</span><span class="cx">     virtual ~PingHandle()
</span><span class="cx">     {
</span><del>-        if (m_handle)
</del><ins>+        if (m_handle) {
+            ASSERT(m_handle-&gt;client() == this);
+            m_handle-&gt;clearClient();
</ins><span class="cx">             m_handle-&gt;cancel();
</span><ins>+        }
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     RefPtr&lt;ResourceHandle&gt; m_handle;
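Review bot: the ordering here is correct: clearClient() before cancel() means the handle cannot call back into this object while it is being torn down, and it is what makes the client() re-checks in handleDataURL sound. Two caveats: ASSERT(m_handle-&gt;client() == this) will fire if any other path has already cleared the client, so ASSERT(!m_handle-&gt;client() || m_handle-&gt;client() == this) is safer if that can happen; and since only the data: URL path is changed to re-read client() after a callback, any other ResourceHandle backend that caches the client pointer in a local across a callback that can destroy the PingHandle keeps the same use-after-free.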
</span></span></pre></div>
<a id="trunkSourceWebCoreplatformnetworkResourceHandleh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/platform/network/ResourceHandle.h (198142 => 198143)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/platform/network/ResourceHandle.h        2016-03-14 18:13:02 UTC (rev 198142)
+++ trunk/Source/WebCore/platform/network/ResourceHandle.h        2016-03-14 18:29:05 UTC (rev 198143)
</span><span class="lines">@@ -198,7 +198,7 @@
</span><span class="cx">     WEBCORE_EXPORT virtual void cancel();
</span><span class="cx"> 
</span><span class="cx">     // The client may be 0, in which case no callbacks will be made.
</span><del>-    ResourceHandleClient* client() const;
</del><ins>+    WEBCORE_EXPORT ResourceHandleClient* client() const;
</ins><span class="cx">     WEBCORE_EXPORT void clearClient();
</span><span class="cx"> 
</span><span class="cx">     // Called in response to ResourceHandleClient::willSendRequestAsync().
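Review bot: adding WEBCORE_EXPORT to client() is not explained anywhere in the patch; the only new caller is the inline ASSERT in ~PingHandle(), so presumably the export is needed when PingHandle is destroyed from code outside WebCore (and only in debug builds). Say so in the ChangeLog entry for this file, which is currently empty, so the export is not removed as unused later.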
</span></span></pre></div>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (198142 => 198143)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog        2016-03-14 18:13:02 UTC (rev 198142)
+++ trunk/Source/WebKit2/ChangeLog        2016-03-14 18:29:05 UTC (rev 198143)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2016-03-14  Brent Fulgham  &lt;bfulgham@apple.com&gt;
+
+        PingHandle delete's itself but pointer is still used by handleDataURL
+        https://bugs.webkit.org/show_bug.cgi?id=154752
+        &lt;rdar://problem/24872347&gt;
+
+        Reviewed by Alex Christensen.
+
+        When a PingLoad is destroyed, we should tell its client so that the client can clear the pointer it
+        holds to the element to avoid accidentally attempting to use deallocated memory.
+
+        * NetworkProcess/PingLoad.h:
+        (WebKit::PingLoad::~PingLoad): Notify the client we are being destroyed.
+
</ins><span class="cx"> 2016-03-14  Carlos Garcia Campos  &lt;cgarcia@igalia.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed. Fix the GTK+ build after r198124.
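Review bot: NetworkProcess/NetworkDataTask.h is modified in this revision (a new client() accessor) but is not listed in this entry; add it with a one-line description.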
</span></span></pre></div>
<a id="trunkSourceWebKit2NetworkProcessNetworkDataTaskh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/NetworkProcess/NetworkDataTask.h (198142 => 198143)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/NetworkProcess/NetworkDataTask.h        2016-03-14 18:13:02 UTC (rev 198142)
+++ trunk/Source/WebKit2/NetworkProcess/NetworkDataTask.h        2016-03-14 18:29:05 UTC (rev 198143)
</span><span class="lines">@@ -104,6 +104,7 @@
</span><span class="cx">     void didReceiveData(RefPtr&lt;WebCore::SharedBuffer&gt;&amp;&amp;);
</span><span class="cx">     void didBecomeDownload();
</span><span class="cx">     
</span><ins>+    NetworkDataTaskClient* client() const { return m_client; }
</ins><span class="cx">     void clearClient() { m_client = nullptr; }
</span><span class="cx">     
</span><span class="cx">     DownloadID pendingDownloadID() { return m_pendingDownloadID; }
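Review bot: the new client() accessor is used only by the ASSERT in ~PingLoad(), so it is dead code in release builds; that is fine, but it should be mentioned in the WebKit2 ChangeLog. More importantly, unlike DataURL.cpp on the WebCore side, no NetworkDataTask callback site is changed to re-read client() after a callback that may destroy the PingLoad, so WebKit2 gets only the clearClient() half of the fix; any place that calls a client callback and then dereferences m_client again without re-checking should be audited.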
</span></span></pre></div>
<a id="trunkSourceWebKit2NetworkProcessPingLoadh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/NetworkProcess/PingLoad.h (198142 => 198143)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/NetworkProcess/PingLoad.h        2016-03-14 18:13:02 UTC (rev 198142)
+++ trunk/Source/WebKit2/NetworkProcess/PingLoad.h        2016-03-14 18:29:05 UTC (rev 198143)
</span><span class="lines">@@ -74,8 +74,11 @@
</span><span class="cx">     
</span><span class="cx">     virtual ~PingLoad()
</span><span class="cx">     {
</span><del>-        if (m_task)
</del><ins>+        if (m_task) {
+            ASSERT(m_task-&gt;client() == this);
+            m_task-&gt;clearClient();
</ins><span class="cx">             m_task-&gt;cancel();
</span><ins>+        }
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     RefPtr&lt;NetworkDataTask&gt; m_task;
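Review bot: this mirrors ~PingHandle() with the same correct ordering (clearClient() before cancel()), and the same caveat applies: ASSERT(m_task-&gt;client() == this) fires if the client was cleared elsewhere first. Since cancel() now runs with m_client already null, confirm that NetworkDataTask::cancel() and its completion path null-check m_client rather than assuming a client exists; that code is not visible in this patch.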
</span></span></pre>
</div>
</div>

</body>
</html>