[Webkit-unassigned] [Bug 182271] [WPE][GTK] Heap use after free in RunLoop::TimerBase constructor lambda

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jan 30 15:30:12 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=182271

Michael Catanzaro <mcatanzaro at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcatanzaro at igalia.com

--- Comment #2 from Michael Catanzaro <mcatanzaro at igalia.com> ---
(In reply to Carlos Garcia Campos from comment #1)
> I think the problem is that the pending frame load is deleted inside the
> hysteresis callback. 
> 
> - markLoadAsCompleted() is called by hysteresis
> - markLoadAsCompleted() ends up calling m_loadCompletionHandler()
> - the completion handler removes the pending frame load from the map which
> deletes it.
> 
> The completion handler is the last thing done by markLoadAsCompleted(), so
> I'm not sure that's a problem. Could you try protecting this before calling
> m_loadCompletionHandler just in case?

Seems like a nice explanation; now I think I finally understand it. I spent too much time squinting at the RunLoop code, and not enough looking at SpeculativeLoadManager. The problem probably doesn't occur for Cocoa ports because their Timer does not do extra work immediately after firing its callback, but ours needs to reset the ready time.

Adding a protector does not help, probably because even with the protector, the Timer is still dead when control returns to its source callback.

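Added illustration of the sequence Carlos describes and of why the timer ends up dead when control returns to it; this is a constructed C++ model, not WebKit code. The Timer and PendingLoad classes are hypothetical, and the weak-handle check in fireSafe() is one mitigation shape, not the fix discussed in this bug.

```cpp
#include <functional>
#include <memory>
// Constructed model of the hazard in this thread (not WebKit code): a timer
// whose fire path touches its own members after running the callback.
class Timer {
public:
    explicit Timer(std::function<void()> cb) : m_callback(std::move(cb)) {}
    ~Timer() { *m_alive = false; }
    int readyTime() const { return m_readyTime; }

    // Unsafe shape: resets the ready time after the callback returns, even if
    // the callback destroyed the object that owns this timer.
    void fireUnsafe() {
        m_callback();
        m_readyTime = -1;   // use-after-free if 'this' died inside the callback
    }

    // Hypothetical mitigation: take a weak handle before the callback and only
    // touch members afterwards if the timer still exists.
    bool fireSafe() {
        std::weak_ptr<bool> weak = m_alive;
        m_callback();
        auto alive = weak.lock();
        if (!alive || !*alive)
            return false;   // owner (and this timer) was deleted by the callback
        m_readyTime = -1;
        return true;
    }

private:
    std::function<void()> m_callback;
    int m_readyTime = 0;
    std::shared_ptr<bool> m_alive = std::make_shared<bool>(true);
};

// Stand-in for the pending frame load: its completion callback removes it
// from its holder, which destroys it together with its timer.
struct PendingLoad {
    explicit PendingLoad(std::unique_ptr<PendingLoad>& slot)
        : timer([&slot] { slot.reset(); }) {}
    Timer timer;
};

// True when fireSafe() noticed that the completion callback destroyed the owner.
bool completionDestroysOwner() {
    std::unique_ptr<PendingLoad> slot;
    slot = std::make_unique<PendingLoad>(slot);
    bool survived = slot->timer.fireSafe();
    return !slot && !survived;
}
```

Running fireUnsafe() instead of fireSafe() on the same PendingLoad is the pattern AddressSanitizer reports as a heap use-after-free.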