[Webkit-unassigned] [Bug 198320] [curl] Heap corruption in ~CurlResponse

bugzilla-daemon at webkit.org
Thu Jul 25 23:43:51 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=198320

Fujii Hironori <Hironori.Fujii at sony.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #374940|review?                     |review-
              Flags|                            |

--- Comment #11 from Fujii Hironori <Hironori.Fujii at sony.com> ---
Comment on attachment 374940
  --> https://bugs.webkit.org/attachment.cgi?id=374940
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=374940&action=review

> Source/WebCore/platform/network/curl/CurlRequest.cpp:464
> +        auto resourceError = ResourceError::httpError(result, m_request.url().isolatedCopy(), type);
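
Review bot: `m_request.url().isolatedCopy()` is evaluated inside `CurlRequest::didCompleteTransfer`, which runs on the worker thread, so the read of `m_request.url()` needed to make the copy can race with a concurrent modification of that URL on the main thread. Suggest taking the isolated copy on the main thread when the request is set up and keeping it in the `CurlRequest`, so that the worker thread only ever reads its own copy, e.g. `ResourceError::httpError(result, m_urlForWorkerThread, type)` with `m_urlForWorkerThread` populated via `isolatedCopy()` before the transfer starts.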

CurlRequest::didCompleteTransfer is called in the worker thread.
You are going to create an isolated copy of m_request.url() by doing m_request.url().isolatedCopy().
Strictly speaking this is not allowed.
Because the URL object can be modified in the main thread at the same time.
Please file another bug at the moment.

> Source/WebCore/platform/network/curl/CurlRequest.cpp:601
> +        invokeDidReceiveResponse(response, Action::StartTransfer);
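
Review bot: `response` is passed as an lvalue here and is destructed on the worker thread when this scope ends, so any copy of its ref-counted members made inside `invokeDidReceiveResponse` would have its reference count touched from both the worker and the main thread. Suggest `invokeDidReceiveResponse(WTFMove(response), Action::StartTransfer);` so ownership of the response moves with the call instead of being shared.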

This code doesn't look good.
The 'response' object is destructed in the worker thread.
If objects in the 'response' object were copied in invokeDidReceiveResponse, the ref-counters of those objects would be accessed in both threads.
To avoid such problem, you should pass the 'response' by using WTFMove.
> invokeDidReceiveResponse(WTFMove(response), Action::StartTransfer);

As far as I read the code, there is no such copying in invokeDidReceiveResponse.
So, please file another bug at the moment.

> Source/WebCore/platform/network/curl/CurlRequest.h:144
> +    bool invokeDidReceiveResponseForFileIfNeeded();
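
Review bot: this added declaration returns a `bool`, but nothing in the surrounding context documents what a true or false result means or which callers act on it. Either add a comment next to the declaration stating the contract (for example, whether the return value indicates that a response was delivered) or keep the previous signature if the result is not used.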

Why did you change this? The previous code looks good to me.
