[Webkit-unassigned] [Bug 154752] New: PingHandle deletes itself but pointer is still used by handleDataURL
bugzilla-daemon at webkit.org
Fri Feb 26 14:12:40 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=154752
Bug ID: 154752
Summary: PingHandle deletes itself but pointer is still used by handleDataURL
Classification: Unclassified
Product: WebKit
Version: WebKit Local Build
Hardware: PC
OS: Windows 7
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
Assignee: webkit-unassigned at lists.webkit.org
Reporter: chris.vno at outlook.com
CC: beidson at apple.com
Hi,
I came across this rare bug, resulting in a crash in:
WebKitd.dll!WebCore::handleDataURL(WebCore::ResourceHandle * handle) Line 81 C++
WebKitd.dll!WebCore::ResourceHandleManager::startPendingJob(WebCore::ResourceHandle * pRH) Line 398 C++
WebKitd.dll!WebCore::ResourceHandleManager::startPendingJobs() Line 386 C++
WebKitd.dll!WebCore::ResourceHandleManager::downloadTimerCallback() Line 349 C++
WebKitd.dll!WebCore::ResourceHandleManager::TickDownload() Line 1275 C++
Making the call:
handle->client()->didReceiveData(handle, out.data(), out.size(), 0);
I could reliably reproduce this in our sample application, with best success on hitting yahoo.com repeatedly. After some analysis I discovered that in "WebCore\platform\network\DataURL.cpp handleDataURL(ResourceHandle* handle)" it was possible for handle->client() to be a PingHandle. A PingHandle will delete itself when the call to didReceiveResponse is made; however, there is no guard against using the handle->client() pointer after that point. I fixed this by modifying
WebCore\platform\network\PingHandle.h

    virtual ~PingHandle()
    {
        if (m_handle)
        {
            m_handle->cancel();
            // 02/26/2016 - Inform the handle that the client has been deleted; this nulls its client pointer
            m_handle->clearClient();
        }
    }

WebCore\platform\network\DataURL.cpp

    void handleDataURL(ResourceHandle* handle)
    {
        ...
        if (base64) {
            data = decodeURLEscapeSequences(data);
            handle->client()->didReceiveResponse(handle, response);
            // 02/26/2016 - It's possible that didReceiveResponse deletes the client, as is the case for a PingHandle
            if (handle->client())
            {
                Vector<char> out;
                if (base64Decode(data, out, Base64IgnoreSpacesAndNewLines) && out.size() > 0) {
                    response.setExpectedContentLength(out.size());
                    handle->client()->didReceiveData(handle, out.data(), out.size(), 0);
                }
            }
        } else {
            TextEncoding encoding(charset);
            data = decodeURLEscapeSequences(data, encoding);
            handle->client()->didReceiveResponse(handle, response);
            // 02/26/2016 - It's possible that didReceiveResponse deletes the client, as is the case for a PingHandle
            if (handle->client())
            {
                CString encodedData = encoding.encode(data, URLEncodedEntitiesForUnencodables);
                response.setExpectedContentLength(encodedData.length());
                if (encodedData.length())
                    handle->client()->didReceiveData(handle, encodedData.data(), encodedData.length(), 0);
            }
        }
        // 02/26/2016 - It's possible that didReceiveResponse deletes the client, as is the case for a PingHandle
        if (handle->client())
        {
            handle->client()->didFinishLoading(handle, 0);
        }
    }

    } // namespace WebCore
With these changes it no longer crashes. I hope this helps.
Chris Vienneau
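A reduced model of the pattern in the report, added here as an example; it is not WebKit code and not the reporter's patch. It models a handle that holds a raw, non-owning pointer to its client, a fire-and-forget client that deletes itself inside didReceiveResponse, and a delivery routine that re-reads handle->client() after every callback instead of assuming the client survived. The names (Handle, Client, PingClient, RecordingClient, deliverDataURL, clearOnDestroy) and the "data:" payload strings are assumptions made for the example. The clearOnDestroy flag lets the same client show both the fixed behaviour (the handle's pointer is cleared) and the original one (the handle keeps a pointer to a freed object); the example only inspects that pointer's value and never dereferences it.

```cpp
#include <cstddef>
#include <string>

// Added example, not WebKit or the reporter's code: a reduced model of the
// ResourceHandle / ResourceHandleClient / PingHandle relationship in the report.
// All names here are assumptions chosen to mirror the report.

struct Handle;

// The three callbacks that handleDataURL() delivers to its client.
struct Client {
    virtual ~Client() = default;
    virtual void didReceiveResponse(Handle*) = 0;
    virtual void didReceiveData(Handle*, const char*, std::size_t) = 0;
    virtual void didFinishLoading(Handle*) = 0;
};

// Stand-in for ResourceHandle: a raw, non-owning pointer to its client, so the
// handle only learns the client is gone if the client tells it.
struct Handle {
    Client* m_client = nullptr;
    bool cancelled = false;
    Client* client() const { return m_client; }
    void clearClient() { m_client = nullptr; }
    void cancel() { cancelled = true; }
};

// Fire-and-forget client like PingHandle: once the response arrives it has
// nothing more to do and destroys itself from inside the callback.
struct PingClient : Client {
    Handle* m_handle;
    bool m_clearOnDestroy;  // true = the fix in the report; false = original behaviour
    PingClient(Handle* h, bool clearOnDestroy)
        : m_handle(h), m_clearOnDestroy(clearOnDestroy) { h->m_client = this; }
    ~PingClient() override {
        if (m_handle) {
            m_handle->cancel();
            if (m_clearOnDestroy)
                m_handle->clearClient();  // handle->client() now reads nullptr, not a freed object
        }
    }
    void didReceiveResponse(Handle*) override { delete this; }  // self-delete, as PingHandle does
    void didReceiveData(Handle*, const char*, std::size_t) override {}
    void didFinishLoading(Handle*) override {}
};

// Ordinary client that records what it was given.
struct RecordingClient : Client {
    std::string data;
    int responses = 0, finishes = 0;
    void didReceiveResponse(Handle*) override { ++responses; }
    void didReceiveData(Handle*, const char* d, std::size_t n) override { data.append(d, n); }
    void didFinishLoading(Handle*) override { ++finishes; }
};

// Model of the guarded handleDataURL(): re-read handle->client() after every
// callback, because the callee may have deleted the client. Returns how many
// callbacks were actually delivered.
int deliverDataURL(Handle* handle, const std::string& payload) {
    int delivered = 0;
    Client* c = handle->client();
    if (!c)
        return delivered;
    c->didReceiveResponse(handle);
    ++delivered;
    if ((c = handle->client())) {  // may be nullptr now
        c->didReceiveData(handle, payload.data(), payload.size());
        ++delivered;
    }
    if ((c = handle->client())) {  // didReceiveData may have deleted it as well
        c->didFinishLoading(handle);
        ++delivered;
    }
    return delivered;
}

// With the fix: only didReceiveResponse reaches the ping client, after which
// the handle is cancelled and its client pointer is null.
int pingDelivered() {
    Handle h;
    new PingClient(&h, true);  // owns itself; freed inside didReceiveResponse
    return deliverDataURL(&h, "data:text/plain,ping");  // constructed payload
}
bool pingClearsHandle() {
    Handle h;
    new PingClient(&h, true);
    deliverDataURL(&h, "data:text/plain,ping");
    return h.client() == nullptr && h.cancelled;
}

// An ordinary client receives all three callbacks.
int normalDelivered() {
    Handle h;
    RecordingClient c;
    h.m_client = &c;
    return deliverDataURL(&h, "hello");
}

// Original behaviour: after the self-delete the handle still holds the old
// pointer. Only the pointer value is compared; dereferencing it is the
// use-after-free behind the crash in the report.
bool pingWithoutClearLeavesDangling() {
    Handle h;
    new PingClient(&h, false);
    h.client()->didReceiveResponse(&h);  // client deletes itself here
    return h.client() != nullptr;
}
```

The guard in deliverDataURL() is the same shape as the report's fix: the client pointer is re-fetched from the handle before each callback rather than cached, and the self-deleting client is responsible for nulling it in its destructor. Either half alone is insufficient; without clearClient() the re-fetch still returns a pointer to freed memory, and without the re-fetch a cleared pointer is never noticed.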