Title: [282912] branches/safari-612-branch/Source/WebCore
Revision: 282912
Author: repst...@apple.com
Date: 2021-09-22 21:29:15 -0700 (Wed, 22 Sep 2021)

Log Message

Cherry-pick r282241. rdar://problem/83430068

    Potential crash under CachedRawResource::didAddClient()
    https://bugs.webkit.org/show_bug.cgi?id=230121
    <rdar://82936913>

    Reviewed by Alex Christensen.

    In r280083, I tried to address this crash by holding a strong reference
    to the SharedBuffer before calling forEachSegment() on it. However, the
    crash is still happening after this fix.

    My suspicion is that the SharedBuffer's internal m_segments vector gets
    modified as we iterate over it. As a result, I am reverting r280083 and
    iterating over a copy of m_segments in forEachSegment() instead.

    No new tests, we haven't been able to reproduce.

    * WebCore.xcodeproj/project.pbxproj:
    * loader/cache/CachedRawResource.cpp:
    (WebCore::CachedRawResource::didAddClient):
    * platform/SharedBuffer.cpp:
    (WebCore::SharedBuffer::forEachSegment const):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282241 268f45cc-cd09-0410-ab3c-d52691b4dbfc
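
The pattern the commit message describes, as an added example that is not WebKit code: a re-entrant callback mutating the container being walked, and the snapshot-based loop r282241 switches to. `Buffer`, `Segment`, `forEachSegmentLive` and `deliver` are hypothetical stand-ins for SharedBuffer, its segments and CachedRawResource::didAddClient(); `std::shared_ptr` stands in for WebKit's ref counting, and the three-segment "request line" input is constructed for the demo. The pre-fix loop is modelled as a checked walk that returns false where the real loop would read an invalidated iterator, so the example runs without undefined behaviour.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for a SharedBuffer data segment (not WebKit's DataSegment).
struct Segment {
    std::vector<uint8_t> bytes;
};

// Hypothetical stand-in for WebCore::SharedBuffer: an owning list of ref-counted segments.
class Buffer {
public:
    using Apply = std::function<void(const uint8_t*, size_t)>;

    void append(const std::string& s) {
        m_segments.push_back(std::make_shared<Segment>(Segment{std::vector<uint8_t>(s.begin(), s.end())}));
    }
    void clear() { m_segments.clear(); }
    size_t segmentCount() const { return m_segments.size(); }

    // Shape of the loop before r282241: walk the live m_segments. If `apply` re-enters and
    // mutates the vector, the next iteration would read shifted or freed elements. This
    // version never performs that read: it detects the mutation and returns false, which
    // stands in for the crash the real loop would take.
    bool forEachSegmentLive(const Apply& apply) const {
        const auto* storage = m_segments.data();
        const size_t count = m_segments.size();
        for (size_t i = 0; i < count; ++i) {
            if (m_segments.data() != storage || m_segments.size() != count)
                return false; // iterators invalidated by the callback
            std::shared_ptr<Segment> segment = m_segments[i]; // local ref keeps this segment alive across apply()
            apply(segment->bytes.data(), segment->bytes.size());
        }
        return true;
    }

    // r282241's approach: walk a snapshot. A re-entrant mutation changes m_segments, not the
    // copy, and the copied shared_ptrs keep every snapshotted segment alive for the whole walk.
    // Nothing here keeps the Buffer itself alive; after the first apply() the loop only
    // touches the local copy, which is what makes a caller without a strong ref tolerable.
    void forEachSegment(const Apply& apply) const {
        auto segments = m_segments;
        for (const auto& segment : segments)
            apply(segment->bytes.data(), segment->bytes.size());
    }

private:
    std::vector<std::shared_ptr<Segment>> m_segments;
};

struct Delivery {
    std::vector<std::string> received; // chunks the client saw, in order
    bool completed;                    // false if the live walk hit invalidated iterators
    size_t segmentsAfter;              // buffer contents once delivery is over
};

// Drive a client whose dataReceived() re-enters the buffer, as the commit suspects:
// on the first chunk it discards the pending data and appends a replacement.
// Constructed input: three segments of a fake request line.
Delivery deliver(bool useSnapshot) {
    Buffer buffer;
    buffer.append("GET ");
    buffer.append("/index");
    buffer.append(" HTTP/1.1");

    Delivery d{{}, true, 0};
    Buffer::Apply client = [&](const uint8_t* data, size_t size) {
        d.received.emplace_back(reinterpret_cast<const char*>(data), size);
        if (d.received.size() == 1) {
            buffer.clear();               // drops the segments being iterated
            buffer.append("replacement"); // and changes m_segments underneath the loop
        }
    };

    if (useSnapshot)
        buffer.forEachSegment(client);
    else
        d.completed = buffer.forEachSegmentLive(client);
    d.segmentsAfter = buffer.segmentCount();
    return d;
}

int main() {
    auto live = deliver(false);
    auto snap = deliver(true);
    std::printf("live walk: %zu chunk(s), completed=%d\n", live.received.size(), (int)live.completed);
    std::printf("snapshot walk: %zu chunk(s), completed=%d\n", snap.received.size(), (int)snap.completed);
    return 0;
}
```

The live walk delivers one chunk and then detects that the vector changed under it; the snapshot walk delivers all three chunks that were present when iteration began and leaves the buffer holding only the replacement segment. The snapshot copy costs one allocation plus a ref-count bump per segment on every call, which is the trade the real change makes too.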

Modified Paths

Diff

Modified: branches/safari-612-branch/Source/WebCore/ChangeLog (282911 => 282912)


--- branches/safari-612-branch/Source/WebCore/ChangeLog	2021-09-23 04:29:12 UTC (rev 282911)
+++ branches/safari-612-branch/Source/WebCore/ChangeLog	2021-09-23 04:29:15 UTC (rev 282912)
@@ -1,5 +1,58 @@
 2021-09-22  Alan Coon  <alanc...@apple.com>
 
+        Cherry-pick r282241. rdar://problem/83430068
+
+    Potential crash under CachedRawResource::didAddClient()
+    https://bugs.webkit.org/show_bug.cgi?id=230121
+    <rdar://82936913>
+    
+    Reviewed by Alex Christensen.
+    
+    In r280083, I tried to address this crash by holding a strong reference
+    to the SharedBuffer before calling forEachSegment() on it. However, the
+    crash is still happening after this fix.
+    
+    My suspicion is that the SharedBuffer's internal m_segments vector gets
+    modified as we iterate over it. As a result, I am reverting r280083 and
+    iterating over a copy of m_segments in forEachSegment() instead.
+    
+    No new tests, we haven't been able to reproduce.
+    
+    * WebCore.xcodeproj/project.pbxproj:
+    * loader/cache/CachedRawResource.cpp:
+    (WebCore::CachedRawResource::didAddClient):
+    * platform/SharedBuffer.cpp:
+    (WebCore::SharedBuffer::forEachSegment const):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@282241 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-09-09  Chris Dumez  <cdu...@apple.com>
+
+            Potential crash under CachedRawResource::didAddClient()
+            https://bugs.webkit.org/show_bug.cgi?id=230121
+            <rdar://82936913>
+
+            Reviewed by Alex Christensen.
+
+            In r280083, I tried to address this crash by holding a strong reference
+            to the SharedBuffer before calling forEachSegment() on it. However, the
+            crash is still happening after this fix.
+
+            My suspicion is that the SharedBuffer's internal m_segments vector gets
+            modified as we iterate over it. As a result, I am reverting r280083 and
+            iterating over a copy of m_segments in forEachSegment() instead.
+
+            No new tests, we haven't been able to reproduce.
+
+            * WebCore.xcodeproj/project.pbxproj:
+            * loader/cache/CachedRawResource.cpp:
+            (WebCore::CachedRawResource::didAddClient):
+            * platform/SharedBuffer.cpp:
+            (WebCore::SharedBuffer::forEachSegment const):
+
+2021-09-22  Alan Coon  <alanc...@apple.com>
+
         Cherry-pick r282045. rdar://problem/83429674
 
     REGRESSION(r275515): pointer-events:none may get stuck in LFC runs
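Review bot: the cherry-picked entry carries trailing whitespace on its blank lines (the `+    ` lines between the paragraphs at the top of this hunk, e.g. after the `<rdar://82936913>` line and after `Reviewed by Alex Christensen.`); strip it before landing so the entry matches the nested 2021-09-09 entry below it, whose blank lines are empty. Separately, `No new tests, we haven't been able to reproduce.` combined with `My suspicion is that ...` leaves the branch fix resting on a hypothesis with no regression coverage; the entry should say whether a debug-only check for mutation of m_segments during forEachSegment() was considered, since that is what would confirm or refute the suspicion on the next crash report.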

Modified: branches/safari-612-branch/Source/WebCore/loader/cache/CachedRawResource.cpp (282911 => 282912)


--- branches/safari-612-branch/Source/WebCore/loader/cache/CachedRawResource.cpp	2021-09-23 04:29:12 UTC (rev 282911)
+++ branches/safari-612-branch/Source/WebCore/loader/cache/CachedRawResource.cpp	2021-09-23 04:29:15 UTC (rev 282912)
@@ -167,8 +167,8 @@
         auto responseProcessedHandler = [this, protectedThis = WTFMove(protectedThis), client] {
             if (!hasClient(*client))
                 return;
-            if (auto data = "" {
-                data->forEachSegment([&](auto& segment) {
+            if (m_data) {
+                m_data->forEachSegment([&](auto& segment) {
                     if (hasClient(*client))
                         client->dataReceived(*this, segment.data(), segment.size());
                 });
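Review bot: the removed line renders here as `if (auto data = "" {`, so the guard being reverted is not fully visible in this listing; as shown, the replacement walks `m_data` directly with no local strong reference, and the only re-check inside the lambda is `hasClient(*client)`, which says nothing about whether `m_data` was swapped or cleared by `client->dataReceived(...)`. That is safe only because `forEachSegment()` (SharedBuffer.cpp hunk in this same commit) copies `m_segments` before the loop and never touches `this` after the first callback. Suggest a one-line comment above `m_data->forEachSegment(` stating that dependency; otherwise the next reader will see an unprotected member walked across a re-entrant callback and put the RefPtr straight back.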

Modified: branches/safari-612-branch/Source/WebCore/platform/SharedBuffer.cpp (282911 => 282912)


--- branches/safari-612-branch/Source/WebCore/platform/SharedBuffer.cpp	2021-09-23 04:29:12 UTC (rev 282911)
+++ branches/safari-612-branch/Source/WebCore/platform/SharedBuffer.cpp	2021-09-23 04:29:15 UTC (rev 282912)
@@ -238,7 +238,8 @@
 
 void SharedBuffer::forEachSegment(const Function<void(const Span<const uint8_t>&)>& apply) const
 {
-    for (auto& segment : m_segments)
+    auto segments = m_segments;
+    for (auto& segment : segments)
         apply(Span { segment.segment->data(), segment.segment->size() });
 }
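Review bot: `auto segments = m_segments;` copies the whole vector on every forEachSegment() call, which is a heap allocation plus a ref-count bump per segment for every caller, not just the one in CachedRawResource::didAddClient(); that may be fine, but it deserves a comment on the copy explaining that it exists because `apply(...)` may re-enter and mutate `m_segments`, since without one the copy reads as an accident and will be "optimised" back into `for (auto& segment : m_segments)`. In addition, an ASSERT that `m_segments.size()` is unchanged after each `apply(...)` in debug builds would turn the suspected reentrancy into a reproducible failure instead of leaving it as a guess, which is the gap the ChangeLog's "No new tests" acknowledges.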
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
