Title: [200735] branches/safari-601-branch/Source

Diff

Modified: branches/safari-601-branch/Source/WebCore/ChangeLog (200734 => 200735)


--- branches/safari-601-branch/Source/WebCore/ChangeLog	2016-05-12 01:32:03 UTC (rev 200734)
+++ branches/safari-601-branch/Source/WebCore/ChangeLog	2016-05-12 01:32:07 UTC (rev 200735)
@@ -1,5 +1,29 @@
 2016-05-11  Matthew Hanson  <matthew_han...@apple.com>
 
+        Merge r198143. rdar://problem/26228593
+
+    2016-03-14  Chris Vienneau  <chris....@outlook.com>
+
+            PingHandle delete's itself but pointer is still used by handleDataURL
+            https://bugs.webkit.org/show_bug.cgi?id=154752
+            <rdar://problem/24872347>
+
+            Reviewed by Alex Christensen.
+
+            When a PingHandle is destroyed, we should tell its client so that the client can clear the pointer it
+            holds to the element to avoid accidentally attempting to use deallocated memory.
+
+            The ResourceHandle's client member may be null after "didReceiveResponse" is called. We should confirm
+            the client is still valid after these calls.
+
+            * platform/network/DataURL.cpp:
+            (WebCore::handleDataURL): Check the client pointer before using it.
+            * platform/network/PingHandle.h:
+            (WebCore::PingHandle::~PingHandle): Notify the client we are being destroyed.
+            * platform/platform/network/ResourceHandle.h:
+
+2016-05-11  Matthew Hanson  <matthew_han...@apple.com>
+
         Merge r199243. rdar://problem/26228520
 
     2016-04-08  Said Abou-Hallawa  <sabouhallawa@apple,com>

Modified: branches/safari-601-branch/Source/WebCore/platform/network/DataURL.cpp (200734 => 200735)


--- branches/safari-601-branch/Source/WebCore/platform/network/DataURL.cpp	2016-05-12 01:32:03 UTC (rev 200734)
+++ branches/safari-601-branch/Source/WebCore/platform/network/DataURL.cpp	2016-05-12 01:32:07 UTC (rev 200735)
@@ -44,6 +44,9 @@
     ASSERT(handle->firstRequest().url().protocolIsData());
     String url = ""
 
+    ASSERT(handle);
+    ASSERT(handle->client());
+
     int index = url.find(',');
     if (index == -1) {
         handle->client()->cannotShowURL(handle);
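Review bot: `ASSERT(handle)` is added after `handle->firstRequest()` at the top of the hunk has already dereferenced the pointer, so the assertion can never catch the null case it documents; both new assertions belong above the `firstRequest()` call (the function's signature is outside the hunk). `ASSERT(handle->client())` is also debug-only, so in release builds a null client still reaches `handle->client()->cannotShowURL(handle)` unchecked, while every later call site in this commit is guarded with `if (handle->client())`. If the client can legitimately be null at entry, the early-exit path should get the same guard; if it cannot, a short comment saying why (the caller just installed it) would make the asymmetry intentional rather than accidental.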
@@ -75,23 +78,30 @@
         data = ""
         handle->client()->didReceiveResponse(handle, response);
 
-        Vector<char> out;
-        if (base64Decode(data, out, Base64IgnoreWhitespace) && out.size() > 0) {
-            response.setExpectedContentLength(out.size());
-            handle->client()->didReceiveData(handle, out.data(), out.size(), 0);
+        // didReceiveResponse might cause the client to be deleted.
+        if (handle->client()) {
+            Vector<char> out;
+            if (base64Decode(data, out, Base64IgnoreWhitespace) && out.size() > 0) {
+                response.setExpectedContentLength(out.size());
+                handle->client()->didReceiveData(handle, out.data(), out.size(), 0);
+            }
         }
     } else {
         TextEncoding encoding(charset);
         data = "" encoding);
         handle->client()->didReceiveResponse(handle, response);
 
-        CString encodedData = encoding.encode(data, URLEncodedEntitiesForUnencodables);
-        response.setExpectedContentLength(encodedData.length());
-        if (encodedData.length())
-            handle->client()->didReceiveData(handle, encodedData.data(), encodedData.length(), 0);
+        // didReceiveResponse might cause the client to be deleted.
+        if (handle->client()) {
+            CString encodedData = encoding.encode(data, URLEncodedEntitiesForUnencodables);
+            response.setExpectedContentLength(encodedData.length());
+            if (encodedData.length())
+                handle->client()->didReceiveData(handle, encodedData.data(), encodedData.length(), 0);
+        }
     }
 
-    handle->client()->didFinishLoading(handle, 0);
+    if (handle->client())
+        handle->client()->didFinishLoading(handle, 0);
 }
 
 } // namespace WebCore
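Review bot: The new `if (handle->client())` re-checks after `didReceiveResponse` assume `handle` itself is still alive, but the `PingHandle` destructor changed in this same commit releases its `RefPtr<ResourceHandle> m_handle`; if the caller of handleDataURL holds no reference of its own, the client deleting itself could also free the handle, and `handle->client()` would then read freed memory rather than a null client. A protecting reference taken before the first callback, e.g. `Ref<ResourceHandle> protectedHandle(*handle);` at the top of the function, would make the added null checks sound; the function's opening is outside the hunk, so I cannot confirm whether the caller already does this. The same consideration applies to `didReceiveData`, which may also tear down the client before the `didFinishLoading` guard at the end of the hunk runs.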

Modified: branches/safari-601-branch/Source/WebCore/platform/network/PingHandle.h (200734 => 200735)


--- branches/safari-601-branch/Source/WebCore/platform/network/PingHandle.h	2016-05-12 01:32:03 UTC (rev 200734)
+++ branches/safari-601-branch/Source/WebCore/platform/network/PingHandle.h	2016-05-12 01:32:07 UTC (rev 200735)
@@ -67,8 +67,11 @@
 
     virtual ~PingHandle()
     {
-        if (m_handle)
+        if (m_handle) {
+            ASSERT(m_handle->client() == this);
+            m_handle->setClient(nullptr);
             m_handle->cancel();
+        }
     }
 
     RefPtr<ResourceHandle> m_handle;
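Review bot: The order of `setClient(nullptr)` before `cancel()` is load-bearing and deserves a comment, since `cancel()` can run synchronously on some ports and must not call back into an object whose destructor is already executing; something like `// Detach first so cancel() and any callback still in flight (see handleDataURL) cannot reach this dying object.` above `m_handle->setClient(nullptr)`. The `ASSERT(m_handle->client() == this)` is debug-only, so a release build silently clears a client installed by someone else; if that can happen, the clear should be conditional on the equality instead of asserting it.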

Modified: branches/safari-601-branch/Source/WebCore/platform/network/ResourceHandle.h (200734 => 200735)


--- branches/safari-601-branch/Source/WebCore/platform/network/ResourceHandle.h	2016-05-12 01:32:03 UTC (rev 200734)
+++ branches/safari-601-branch/Source/WebCore/platform/network/ResourceHandle.h	2016-05-12 01:32:07 UTC (rev 200735)
@@ -199,7 +199,7 @@
     WEBCORE_EXPORT virtual void cancel();
 
     // The client may be 0, in which case no callbacks will be made.
-    ResourceHandleClient* client() const;
+    WEBCORE_EXPORT ResourceHandleClient* client() const;
     WEBCORE_EXPORT void setClient(ResourceHandleClient*);
 
     // Called in response to ResourceHandleClient::willSendRequestAsync().

Modified: branches/safari-601-branch/Source/WebKit2/ChangeLog (200734 => 200735)


--- branches/safari-601-branch/Source/WebKit2/ChangeLog	2016-05-12 01:32:03 UTC (rev 200734)
+++ branches/safari-601-branch/Source/WebKit2/ChangeLog	2016-05-12 01:32:07 UTC (rev 200735)
@@ -1,3 +1,21 @@
+2016-05-11  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r198143. rdar://problem/26228593
+
+    2016-03-14  Brent Fulgham  <bfulg...@apple.com>
+
+            PingHandle delete's itself but pointer is still used by handleDataURL
+            https://bugs.webkit.org/show_bug.cgi?id=154752
+            <rdar://problem/24872347>
+
+            Reviewed by Alex Christensen.
+
+            When a PingLoad is destroyed, we should tell its client so that the client can clear the pointer it
+            holds to the element to avoid accidentally attempting to use deallocated memory.
+
+            * NetworkProcess/PingLoad.h:
+            (WebKit::PingLoad::~PingLoad): Notify the client we are being destroyed.
+
 2016-02-26  Babak Shafiei  <bshaf...@apple.com>
 
         Merge patch for rdar://problem/24826901.