[Webkit-unassigned] [Bug 198320] [curl] Heap corruption in ~CurlResponse

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 26 00:59:23 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=198320

--- Comment #12 from Takashi Komori <Takashi.Komori at sony.com> ---
(In reply to Fujii Hironori from comment #11)
> Comment on attachment 374940 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=374940&action=review
> 
> > Source/WebCore/platform/network/curl/CurlRequest.cpp:464
> > +        auto resourceError = ResourceError::httpError(result, m_request.url().isolatedCopy(), type);
> 
> CurlRequest::didCompleteTransfer is called in the worker thread.
> You are going to create an isolated copy of m_request.url() by doing
> m_request.url().isolatedCopy().
> Strictly speaking this is not allowed.
> Because the URL object can be modified in the main thread at the same time.
> Please file another bug at the moment.
> 
> > Source/WebCore/platform/network/curl/CurlRequest.cpp:601
> > +        invokeDidReceiveResponse(response, Action::StartTransfer);
> 
> This code doesn't look good.
> The 'response' object is destructed in the worker thread.
> If objects in the 'response' object were copied in invokeDidReceiveResponse,
> the ref-counters of those objects would be accessed in both threads.
> To avoid such a problem, you should pass the 'response' by using WTFMove.
> > invokeDidReceiveResponse(WTFMove(response), Action::StartTransfer);
> 
> As far as I read the code, there is no such copying in
> invokeDidReceiveResponse.
> So, please file another bug at the moment.
> 

Made a ticket to fix the ref-counted objects issue.
https://bugs.webkit.org/show_bug.cgi?id=200156

-- 
You are receiving this mail because:
You are the assignee for the bug.
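As an added illustration of the copy-versus-WTFMove point raised in the review (constructed example code, not WebKit's; Payload, Handle and threadsTouchingCounter are hypothetical stand-ins), this shows that copying the handle into the main-thread task makes both threads touch a non-atomic ref-counter, while moving it leaves only the main thread touching it:

```cpp
#include <memory>
#include <mutex>
#include <set>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical model (not WebKit code) of a non-thread-safe ref-counted member such as
// the strings a CurlResponse holds; each ref()/deref() records the calling thread.
static std::mutex g_logMutex;
static std::vector<std::thread::id> g_counterTouches;

struct Payload {
    int refCount = 1;                       // plain int, like WTF::RefCounted
    void ref()   { touch(); ++refCount; }
    void deref() { touch(); if (--refCount == 0) delete this; }
    static void touch() {
        std::lock_guard<std::mutex> lock(g_logMutex);
        g_counterTouches.push_back(std::this_thread::get_id());
    }
};

// Minimal RefPtr-like handle: a copy refs, a move only transfers ownership.
struct Handle {
    Payload* p = nullptr;
    explicit Handle(Payload* q) : p(q) {}
    Handle(const Handle& o) : p(o.p) { if (p) p->ref(); }
    Handle(Handle&& o) noexcept : p(o.p) { o.p = nullptr; }
    ~Handle() { if (p) p->deref(); }
};

enum class Handoff { Copy, Move };

// A worker thread builds a response and hands it to the "main thread" (simulated by the
// caller after join). Returns how many distinct threads touched the ref-counter.
size_t threadsTouchingCounter(Handoff how) {
    { std::lock_guard<std::mutex> lock(g_logMutex); g_counterTouches.clear(); }
    std::unique_ptr<Handle> queuedForMainThread;
    std::thread worker([&] {
        Handle response(new Payload);       // created on the worker, refCount == 1
        if (how == Handoff::Copy)
            queuedForMainThread = std::make_unique<Handle>(response);            // worker refs...
        else
            queuedForMainThread = std::make_unique<Handle>(std::move(response)); // ...or just moves
    });                                     // ...and the worker's local derefs here if it still owns
    worker.join();
    queuedForMainThread.reset();            // main thread releases its handle: deref on main
    std::lock_guard<std::mutex> lock(g_logMutex);
    return std::set<std::thread::id>(g_counterTouches.begin(), g_counterTouches.end()).size();
}
```

With Copy the counter is touched from two threads (ref and deref on the worker, deref on main); with Move only the main thread ever touches it after creation.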