[Webkit-unassigned] [Bug 198320] [curl] Heap corruption in ~CurlResponse

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 26 00:59:23 PDT 2019


--- Comment #12 from Takashi Komori <Takashi.Komori at sony.com> ---
(In reply to Fujii Hironori from comment #11)
> Comment on attachment 374940 [details]
> Patch
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=374940&action=review
> > Source/WebCore/platform/network/curl/CurlRequest.cpp:464
> > +        auto resourceError = ResourceError::httpError(result, m_request.url().isolatedCopy(), type);
> CurlRequest::didCompleteTransfer is called in the worker thread.
> You are going to create an isolated copy of m_request.url() by doing
> m_request.url().isolatedCopy().
> Strictly speaking this is not allowed.
> Because the URL object can be modified in the main thread at the same time.
> Please file a another bug at the moment.
> > Source/WebCore/platform/network/curl/CurlRequest.cpp:601
> > +        invokeDidReceiveResponse(response, Action::StartTransfer);
> This code doesn't look good.
> 'response' object is destructed in the worker thread.
> If objects in 'response' object would be copied in invokeDidReceiveResponse,
> ref-counter of those objects are accessed in both threads.
> To avoid such problem, you should pass the 'response' by using WTFMove.
> > invokeDidReceiveResponse(WTFMove(response), Action::StartTransfer);
> As far as I read the code, there is no such copying in
> invokeDidReceiveResponse.
> So, please file another bug at the moment.

Made ticket to fix ref-conted objects issue.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190726/5ac10c49/attachment-0001.html>

More information about the webkit-unassigned mailing list