Title: [277184] branches/safari-611-branch
Revision
277184
Author
repst...@apple.com
Date
2021-05-07 11:47:59 -0700 (Fri, 07 May 2021)

Log Message

Cherry-pick r271669. rdar://problem/77580999

    Fix nullptr dereference introduced in r268228
    https://bugs.webkit.org/show_bug.cgi?id=220776

    Patch by Alex Christensen <achristen...@webkit.org> on 2021-01-20
    Reviewed by Chris Dumez.

    Source/WebCore:

    Instead of taking data from the FileReaderLoader, which it assumes it still has later,
    only give the bytes to _javascript_ that have been received since last time we called didReceiveData.
    This makes blob.stream correct and keeps it from crashing.

    Test: fast/files/blob-stream-crash-2.html

    * fileapi/Blob.cpp:
    (WebCore::Blob::stream):
    * fileapi/FileReaderLoader.cpp:
    (WebCore::FileReaderLoader::takeRawData): Deleted.
    * fileapi/FileReaderLoader.h:
    (WebCore::FileReaderLoader::totalBytes const):

    LayoutTests:

    * fast/files/blob-stream-crash-2-expected.txt: Added.
    * fast/files/blob-stream-crash-2.html: Added.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271669 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-611-branch/LayoutTests/ChangeLog (277183 => 277184)


--- branches/safari-611-branch/LayoutTests/ChangeLog	2021-05-07 18:47:55 UTC (rev 277183)
+++ branches/safari-611-branch/LayoutTests/ChangeLog	2021-05-07 18:47:59 UTC (rev 277184)
@@ -1,3 +1,45 @@
+2021-05-06  Russell Epstein  <repst...@apple.com>
+
+        Cherry-pick r271669. rdar://problem/77580999
+
+    Fix nullptr dereference introduced in r268228
+    https://bugs.webkit.org/show_bug.cgi?id=220776
+    
+    Patch by Alex Christensen <achristen...@webkit.org> on 2021-01-20
+    Reviewed by Chris Dumez.
+    
+    Source/WebCore:
+    
+    Instead of taking data from the FileReaderLoader, which it assumes it still has later,
+    only give the bytes to _javascript_ that have been received since last time we called didReceiveData.
+    This makes blob.stream correct and not crash.
+    
+    Test: fast/files/blob-stream-crash-2.html
+    
+    * fileapi/Blob.cpp:
+    (WebCore::Blob::stream):
+    * fileapi/FileReaderLoader.cpp:
+    (WebCore::FileReaderLoader::takeRawData): Deleted.
+    * fileapi/FileReaderLoader.h:
+    (WebCore::FileReaderLoader::totalBytes const):
+    
+    LayoutTests:
+    
+    * fast/files/blob-stream-crash-2-expected.txt: Added.
+    * fast/files/blob-stream-crash-2.html: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271669 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-01-20  Alex Christensen  <achristen...@webkit.org>
+
+            Fix nullptr dereference introduced in r268228
+            https://bugs.webkit.org/show_bug.cgi?id=220776
+
+            Reviewed by Chris Dumez.
+
+            * fast/files/blob-stream-crash-2-expected.txt: Added.
+            * fast/files/blob-stream-crash-2.html: Added.
+
 2021-04-29  Russell Epstein  <repst...@apple.com>
 
         Cherry-pick r276688. rdar://problem/77326513

Added: branches/safari-611-branch/LayoutTests/fast/files/blob-stream-crash-2-expected.txt (0 => 277184)


--- branches/safari-611-branch/LayoutTests/fast/files/blob-stream-crash-2-expected.txt	                        (rev 0)
+++ branches/safari-611-branch/LayoutTests/fast/files/blob-stream-crash-2-expected.txt	2021-05-07 18:47:59 UTC (rev 277184)
@@ -0,0 +1,5 @@
+ALERT: RECEIVED BYTE 'a'
+ALERT: RECEIVED BYTE 'b'
+ALERT: RECEIVED BYTE 'c'
+ALERT: RECEIVED BYTE 'd'
+

Added: branches/safari-611-branch/LayoutTests/fast/files/blob-stream-crash-2.html (0 => 277184)


--- branches/safari-611-branch/LayoutTests/fast/files/blob-stream-crash-2.html	                        (rev 0)
+++ branches/safari-611-branch/LayoutTests/fast/files/blob-stream-crash-2.html	2021-05-07 18:47:59 UTC (rev 277184)
@@ -0,0 +1,42 @@
+<script>
+
+    var bytesRead = 0;
+
+    function recursiveRead(reader) {
+        reader.read().then(function({ done, value }) {
+            for (var i = 0; i < value.length; i++) {
+                alert("RECEIVED BYTE '" + String.fromCharCode(value[i]) + "'");
+                bytesRead = bytesRead + 1;
+            }
+            if (bytesRead == 4) {
+                if (window.testRunner) {
+                    testRunner.notifyDone();
+                }
+            } else {
+                recursiveRead(reader);
+            }
+        });
+    }
+    
+    function runTest() {
+        let fileBits = [
+            'a',
+            new File([], 'x'),
+            'b',
+            new File([], 'x'),
+            'c',
+            new File([], 'x'),
+            'd'
+        ];
+        let file = new File(fileBits, 'y');
+        recursiveRead(file.stream().getReader());
+    }
+
+    if (window.testRunner) {
+        testRunner.dumpAsText();
+        testRunner.waitUntilDone();
+    }
+
+</script>
+<body _onload_="runTest()">
+</body>
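Review bot: recursiveRead destructures `done` from the read result but never checks it, so if the stream closes before four bytes have arrived (or delivers an empty final chunk) `value` is undefined, `value.length` throws inside the promise callback, and the test hangs until the harness timeout instead of failing with a readable diff. A guard before the loop, `if (done) { if (window.testRunner) testRunner.notifyDone(); return; }`, turns early termination into visibly missing bytes in the expected output. For the same reason the promise chain deserves a `.catch` that alerts the error and calls notifyDone.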

Modified: branches/safari-611-branch/Source/WebCore/ChangeLog (277183 => 277184)


--- branches/safari-611-branch/Source/WebCore/ChangeLog	2021-05-07 18:47:55 UTC (rev 277183)
+++ branches/safari-611-branch/Source/WebCore/ChangeLog	2021-05-07 18:47:59 UTC (rev 277184)
@@ -1,3 +1,55 @@
+2021-05-06  Russell Epstein  <repst...@apple.com>
+
+        Cherry-pick r271669. rdar://problem/77580999
+
+    Fix nullptr dereference introduced in r268228
+    https://bugs.webkit.org/show_bug.cgi?id=220776
+    
+    Patch by Alex Christensen <achristen...@webkit.org> on 2021-01-20
+    Reviewed by Chris Dumez.
+    
+    Source/WebCore:
+    
+    Instead of taking data from the FileReaderLoader, which it assumes it still has later,
+    only give the bytes to _javascript_ that have been received since last time we called didReceiveData.
+    This makes blob.stream correct and not crash.
+    
+    Test: fast/files/blob-stream-crash-2.html
+    
+    * fileapi/Blob.cpp:
+    (WebCore::Blob::stream):
+    * fileapi/FileReaderLoader.cpp:
+    (WebCore::FileReaderLoader::takeRawData): Deleted.
+    * fileapi/FileReaderLoader.h:
+    (WebCore::FileReaderLoader::totalBytes const):
+    
+    LayoutTests:
+    
+    * fast/files/blob-stream-crash-2-expected.txt: Added.
+    * fast/files/blob-stream-crash-2.html: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271669 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-01-20  Alex Christensen  <achristen...@webkit.org>
+
+            Fix nullptr dereference introduced in r268228
+            https://bugs.webkit.org/show_bug.cgi?id=220776
+
+            Reviewed by Chris Dumez.
+
+            Instead of taking data from the FileReaderLoader, which it assumes it still has later,
+            only give the bytes to _javascript_ that have been received since last time we called didReceiveData.
+            This makes blob.stream correct and not crash.
+
+            Test: fast/files/blob-stream-crash-2.html
+
+            * fileapi/Blob.cpp:
+            (WebCore::Blob::stream):
+            * fileapi/FileReaderLoader.cpp:
+            (WebCore::FileReaderLoader::takeRawData): Deleted.
+            * fileapi/FileReaderLoader.h:
+            (WebCore::FileReaderLoader::totalBytes const):
+
 2021-04-29  Russell Epstein  <repst...@apple.com>
 
         Cherry-pick r276742. rdar://problem/77326513

Modified: branches/safari-611-branch/Source/WebCore/fileapi/Blob.cpp (277183 => 277184)


--- branches/safari-611-branch/Source/WebCore/fileapi/Blob.cpp	2021-05-07 18:47:55 UTC (rev 277183)
+++ branches/safari-611-branch/Source/WebCore/fileapi/Blob.cpp	2021-05-07 18:47:59 UTC (rev 277184)
@@ -266,7 +266,17 @@
         void didStartLoading() final { }
         void didReceiveData() final
         {
-            controller().enqueue(m_loader->takeRawData());
+            auto result = m_loader->arrayBufferResult();
+            if (!result)
+                return;
+
+            if (m_loader->isCompleted() && !m_bytesRead)
+                controller().enqueue(WTFMove(result));
+            else {
+                auto bytesLoaded = m_loader->bytesLoaded();
+                controller().enqueue(result->slice(m_bytesRead, bytesLoaded));
+                m_bytesRead = bytesLoaded;
+            }
         }
         void didFinishLoading() final
         {
@@ -278,6 +288,7 @@
         }
 
         UniqueRef<FileReaderLoader> m_loader;
+        size_t m_bytesRead { 0 };
     };
 
     auto* globalObject = scriptExecutionContext.globalObject();
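Review bot: In didReceiveData's fast path (`if (m_loader->isCompleted() && !m_bytesRead)`) the whole buffer is enqueued but `m_bytesRead` stays 0, so a second didReceiveData call after completion would enqueue the same bytes again and duplicate stream output; adding `m_bytesRead = m_loader->bytesLoaded();` to that branch keeps it consistent with the else branch, where a repeat call enqueues only an empty slice. Separately, `arrayBufferResult()` appears to build a fresh ArrayBuffer copy of the raw data on every call (the FileReaderLoader.cpp context in this commit returns `ArrayBuffer::create(*m_rawData)`), so each progress callback copies everything received so far before slicing; if the callback fires once per chunk on a large blob that is quadratic work, and worth either a comment stating the trade-off or a slice-aware accessor on the loader. The enclosing client class starts before this hunk and ends at the `};` in the second hunk, where `m_bytesRead` is declared.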

Modified: branches/safari-611-branch/Source/WebCore/fileapi/FileReaderLoader.cpp (277183 => 277184)


--- branches/safari-611-branch/Source/WebCore/fileapi/FileReaderLoader.cpp	2021-05-07 18:47:55 UTC (rev 277183)
+++ branches/safari-611-branch/Source/WebCore/fileapi/FileReaderLoader.cpp	2021-05-07 18:47:59 UTC (rev 277184)
@@ -279,11 +279,6 @@
     return ArrayBuffer::create(*m_rawData);
 }
 
-RefPtr<JSC::ArrayBuffer> FileReaderLoader::takeRawData()
-{
-    return std::exchange(m_rawData, nullptr);
-}
-
 String FileReaderLoader::stringResult()
 {
     ASSERT(m_readType != ReadAsArrayBuffer && m_readType != ReadAsBlob);

Modified: branches/safari-611-branch/Source/WebCore/fileapi/FileReaderLoader.h (277183 => 277184)


--- branches/safari-611-branch/Source/WebCore/fileapi/FileReaderLoader.h	2021-05-07 18:47:55 UTC (rev 277183)
+++ branches/safari-611-branch/Source/WebCore/fileapi/FileReaderLoader.h	2021-05-07 18:47:59 UTC (rev 277184)
@@ -79,7 +79,6 @@
     WEBCORE_EXPORT RefPtr<JSC::ArrayBuffer> arrayBufferResult() const;
     unsigned bytesLoaded() const { return m_bytesLoaded; }
     unsigned totalBytes() const { return m_totalBytes; }
-    RefPtr<JSC::ArrayBuffer> takeRawData();
     Optional<ExceptionCode> errorCode() const { return m_errorCode; }
 
     void setEncoding(const String&);
@@ -87,6 +86,8 @@
 
     const URL& url() { return m_urlForReading; }
 
+    bool isCompleted() const;
+
 private:
     void terminate();
     void cleanup();
@@ -94,8 +95,6 @@
     void convertToText();
     void convertToDataURL();
 
-    bool isCompleted() const;
-
     static ExceptionCode httpStatusCodeToErrorCode(int);
     static ExceptionCode toErrorCode(BlobResourceHandle::Error);
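Review bot: `isCompleted()` moves from the private section to the public interface with no comment, and this hunk does not show its definition, so a caller outside the class (the new use in Blob.cpp's didReceiveData relies on it to decide between enqueueing the whole buffer and a slice) cannot tell from the header what "completed" means relative to `bytesLoaded()` and `totalBytes()`. A one-line comment above the declaration stating the condition under which it returns true — presumably once the loader has finished delivering all bytes, to be confirmed against the definition — would document the contract the new caller depends on.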
 