<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link bz_status_NEW" title="NEW - PingHandle deletes itself but pointer is still used by handleDataURL" href="https://bugs.webkit.org/show_bug.cgi?id=154752">154752</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>PingHandle deletes itself but pointer is still used by handleDataURL
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Local Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>PC
</td>
</tr>
<tr>
<th>OS</th>
<td>Windows 7
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>Page Loading
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>chris.vno@outlook.com
</td>
</tr>
<tr>
<th>CC</th>
<td>beidson@apple.com
</td>
</tr></table>
<p>
<div>
<pre>Hi,
I came across this rare bug, resulting in a crash in:

WebKitd.dll!WebCore::handleDataURL(WebCore::ResourceHandle * handle) Line 81 C++
WebKitd.dll!WebCore::ResourceHandleManager::startPendingJob(WebCore::ResourceHandle * pRH) Line 398 C++
WebKitd.dll!WebCore::ResourceHandleManager::startPendingJobs() Line 386 C++
WebKitd.dll!WebCore::ResourceHandleManager::downloadTimerCallback() Line 349 C++
WebKitd.dll!WebCore::ResourceHandleManager::TickDownload() Line 1275 C++

Making the call:
handle->client()->didReceiveData(handle, out.data(), out.size(), 0);

I could reliably reproduce this in our sample application, with best success on hitting yahoo.com repeatedly. After some analysis I discovered that in "WebCore\platform\network\DataURL.cpp handleDataURL(ResourceHandle* handle)", it was possible for a handle->client() to be a PingHandle. A PingHandle will delete itself when the call to didReceiveResponse is made; however, there is no guard against using the handle->client() pointer after that point. I fixed this by modifying

WebCore\platform\network\PingHandle.h
    virtual ~PingHandle()
    {
        if (m_handle)
        {
            m_handle->cancel();
            // 02/26/2016 - Inform the handle that the client has been deleted; this nulls its ptr
            m_handle->clearClient();
        }
    }

WebCore\platform\network\DataURL.cpp
void handleDataURL(ResourceHandle* handle)
{
    ...
    if (base64) {
        data = decodeURLEscapeSequences(data);
        handle->client()->didReceiveResponse(handle, response);
        // 02/26/2016 - It's possible that didReceiveResponse deletes the client, as is the case for a PingHandle
        if (handle->client())
        {
            Vector<char> out;
            if (base64Decode(data, out, Base64IgnoreSpacesAndNewLines) && out.size() > 0) {
                response.setExpectedContentLength(out.size());
                handle->client()->didReceiveData(handle, out.data(), out.size(), 0);
            }
        }
    } else {
        TextEncoding encoding(charset);
        data = decodeURLEscapeSequences(data, encoding);
        handle->client()->didReceiveResponse(handle, response);
        // 02/26/2016 - It's possible that didReceiveResponse deletes the client, as is the case for a PingHandle
        if (handle->client())
        {
            CString encodedData = encoding.encode(data, URLEncodedEntitiesForUnencodables);
            response.setExpectedContentLength(encodedData.length());
            if (encodedData.length())
                handle->client()->didReceiveData(handle, encodedData.data(), encodedData.length(), 0);
        }
    }
    // 02/26/2016 - It's possible that didReceiveResponse deletes the client, as is the case for a PingHandle
    if (handle->client())
    {
        handle->client()->didFinishLoading(handle, 0);
    }
}
} // namespace WebCore

With these changes it will no longer crash, I hope this helps.
Chris Vienneau</pre>
</div>
</p>
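<p>The use-after-free pattern the report describes, as an added example that is not the reporter's code or WebKit's: a constructed model in which a ping-style client frees itself inside didReceiveResponse, its destructor clears the handle's back-pointer, and the data-URL loader re-checks client() after every callback that may destroy it, mirroring the proposed PingHandle.h and DataURL.cpp changes. Class and function names (ResourceHandle, PingLikeClient, handleDataURLSafely, runScenario) and the simplified callback signatures are stand-ins, not WebKit's actual API.</p>

```cpp
#include <cstddef>
#include <vector>
// Constructed model of the ownership in the report (not WebKit's real classes): the handle keeps a raw, non-owning pointer to its client.
class ResourceHandleClient;
class ResourceHandle {
public:
    ResourceHandleClient* client() const { return m_client; }
    void setClient(ResourceHandleClient* c) { m_client = c; }
    void clearClient() { m_client = nullptr; }  // what the PingHandle destructor fix calls
private:
    ResourceHandleClient* m_client = nullptr;
};
class ResourceHandleClient {
public:
    virtual ~ResourceHandleClient() = default;
    virtual void didReceiveResponse(ResourceHandle*) = 0;
    virtual void didReceiveData(ResourceHandle*, const char*, std::size_t) = 0;
    virtual void didFinishLoading(ResourceHandle*) = 0;
};
// Client that, like PingHandle, may free itself inside didReceiveResponse; its destructor nulls the handle's back-pointer.
class PingLikeClient : public ResourceHandleClient {
public:
    PingLikeClient(ResourceHandle* h, bool selfDelete, int* deletions)
        : m_handle(h), m_selfDelete(selfDelete), m_deletions(deletions) { h->setClient(this); }
    ~PingLikeClient() override { ++*m_deletions; m_handle->clearClient(); }
    void didReceiveResponse(ResourceHandle*) override { if (m_selfDelete) delete this; }
    void didReceiveData(ResourceHandle*, const char*, std::size_t) override {}
    void didFinishLoading(ResourceHandle*) override {}
private:
    ResourceHandle* m_handle; bool m_selfDelete; int* m_deletions;
};
// Hardened handleDataURL: re-fetch and null-check client() after every callback that may destroy it. Returns how many callbacks were delivered.
int handleDataURLSafely(ResourceHandle* handle, const std::vector<char>& decoded) {
    int delivered = 0;
    if (!handle->client()) return delivered;
    handle->client()->didReceiveResponse(handle); ++delivered;  // may delete the client
    if (handle->client() && !decoded.empty()) { handle->client()->didReceiveData(handle, decoded.data(), decoded.size()); ++delivered; }
    if (handle->client()) { handle->client()->didFinishLoading(handle); ++delivered; }
    return delivered;
}
// Runs one load with a self-deleting (ping) or a normal client. Returns delivered * 10 + deletions: 11 for the ping case, 31 for the normal one.
int runScenario(bool selfDelete) {
    ResourceHandle handle; int deletions = 0;
    ResourceHandleClient* c = new PingLikeClient(&handle, selfDelete, &deletions);
    int delivered = handleDataURLSafely(&handle, std::vector<char>{'o', 'k'});
    if (handle.client()) delete c;  // normal client is still alive: the caller owns and frees it
    return delivered * 10 + deletions;
}
```

Without the null checks, the ping case would call didReceiveData and didFinishLoading through a dangling pointer, which is the crash in the report's stack trace.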
</body>
</html>