[Webkit-unassigned] [Bug 168337] New: Crash in DocumentThreadableLoader::redirectReceived
bugzilla-daemon at webkit.org
Tue Feb 14 14:58:47 PST 2017
https://bugs.webkit.org/show_bug.cgi?id=168337
Bug ID: 168337
Summary: Crash in DocumentThreadableLoader::redirectReceived
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore Misc.
Assignee: webkit-unassigned at lists.webkit.org
Reporter: beidson at apple.com
Crash in DocumentThreadableLoader::redirectReceived
We know nothing about how to reproduce it.
Top of the (optimized) backtrace is:
7 WebCore: WebCore::DocumentThreadableLoader::redirectReceived(WebCore::CachedResource&, WebCore::ResourceRequest&, WebCore::ResourceResponse const&) <==
7 WebCore: WebCore::DocumentThreadableLoader::redirectReceived(WebCore::CachedResource&, WebCore::ResourceRequest&, WebCore::ResourceResponse const&)
7 WebCore: WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&)
7 WebCore: WebCore::ThreadTimers::sharedTimerFiredInternal()
7 WebCore: WebCore::timerFired(__CFRunLoopTimer*, void*)
7 CoreFoundation: __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__
Reading around all of the related code, it appears that this is a use-after-free on the DocumentThreadableLoader.
Either being much more careful about always detaching the DocumentThreadableLoader from its CachedRawResource or adding a self-ref should fix this. Unfortunately I've been unable to reason further about which is the more direct fix, but I think applying both is fine.
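As an added illustration that is not code from the bug report or from WebKit, the following minimal model shows the client/resource relationship the report describes and the two fixes it suggests: a client that always detaches from its resource in its destructor, and a self-reference held across a callback in which the client may drop its own last external owner. The names RawResource, Loader, LoaderStats and the scenario functions are assumptions for this example, and std::shared_ptr stands in for WebKit's reference counting.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

// Counters collected by the scenarios below (constructed for this example).
struct LoaderStats {
    int redirects = 0;        // redirectReceived callbacks that ran to completion
    int loadersDestroyed = 0; // Loader destructors that ran
    int clientsLeft = -1;     // clients still registered on the resource at the end
};

struct ResourceClient {
    virtual ~ResourceClient() = default;
    virtual void redirectReceived() = 0;
};

// Stand-in for a cached resource: holds non-owning pointers to its clients and
// notifies them of redirects. Nothing here keeps a client alive.
struct RawResource {
    std::vector<ResourceClient*> clients;
    void addClient(ResourceClient* c) { clients.push_back(c); }
    void removeClient(ResourceClient* c) {
        clients.erase(std::remove(clients.begin(), clients.end(), c), clients.end());
    }
    void notifyRedirect() {
        // Iterate a snapshot and re-check membership: a callback may detach
        // a client, and a detached client must not be called afterwards.
        auto snapshot = clients;
        for (auto* c : snapshot) {
            if (std::find(clients.begin(), clients.end(), c) != clients.end())
                c->redirectReceived();
        }
    }
};

class Loader : public ResourceClient, public std::enable_shared_from_this<Loader> {
public:
    Loader(RawResource& r, std::shared_ptr<Loader>* owner, LoaderStats& s)
        : m_resource(&r), m_owner(owner), m_stats(s) {}

    // Fix 1: always detach from the resource on destruction, so the resource
    // never keeps a pointer to a freed loader.
    ~Loader() override {
        if (m_resource) m_resource->removeClient(this);
        ++m_stats.loadersDestroyed;
    }

    void start() { m_resource->addClient(this); }
    void cancelOnRedirect() { m_cancelOnRedirect = true; }

    // Fix 2: hold a self-reference across code that may drop the last
    // external owner (cancel() clears the owner's shared_ptr below).
    void redirectReceived() override {
        auto protectedThis = shared_from_this();
        if (m_cancelOnRedirect) cancel();
        ++m_stats.redirects; // still safe: protectedThis keeps *this alive
    }

    void cancel() {
        if (m_resource) { m_resource->removeClient(this); m_resource = nullptr; }
        if (m_owner) m_owner->reset(); // drops the owner's reference
    }

private:
    RawResource* m_resource;
    std::shared_ptr<Loader>* m_owner;
    LoaderStats& m_stats;
    bool m_cancelOnRedirect = false;
};

// Scenario 1: the owner drops the loader while it is still a client. Without
// the detaching destructor, the later redirect would reach a freed object.
LoaderStats ownerDropScenario() {
    LoaderStats stats;
    RawResource resource;
    std::shared_ptr<Loader> owner;
    owner = std::make_shared<Loader>(resource, &owner, stats);
    owner->start();
    owner.reset();             // Loader destroyed here; its destructor detaches it
    resource.notifyRedirect(); // no clients left, nothing dangling is called
    stats.clientsLeft = static_cast<int>(resource.clients.size());
    return stats;
}

// Scenario 2: the loader cancels itself inside redirectReceived, dropping its
// only external owner mid-callback; the self-reference keeps it alive until
// the callback returns, after which it is destroyed and detached.
LoaderStats selfRefScenario() {
    LoaderStats stats;
    RawResource resource;
    std::shared_ptr<Loader> owner;
    owner = std::make_shared<Loader>(resource, &owner, stats);
    owner->start();
    owner->cancelOnRedirect();
    resource.notifyRedirect();
    stats.clientsLeft = static_cast<int>(resource.clients.size());
    return stats;
}

int main() {
    LoaderStats a = ownerDropScenario();
    LoaderStats b = selfRefScenario();
    std::printf("owner drop: redirects=%d destroyed=%d clientsLeft=%d\n",
                a.redirects, a.loadersDestroyed, a.clientsLeft);
    std::printf("self ref:   redirects=%d destroyed=%d clientsLeft=%d\n",
                b.redirects, b.loadersDestroyed, b.clientsLeft);
    return 0;
}
```

Both fixes are independent: the destructor covers the case where the owner drops the loader outside any callback, while the self-reference covers the case where the loader's own callback is what drops the last owner. Applying only one leaves the other path open, which is why the report's suggestion to apply both is the safe choice.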