Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4c8d209dd76f8c8770505341180c5a78680f88cb
https://github.com/WebKit/WebKit/commit/4c8d209dd76f8c8770505341180c5a78680f88cb
Author: David Kilzer <[email protected]>
Date: 2026-02-02 (Mon, 02 Feb 2026)
Changed paths:
M Source/WebCore/loader/ContentFilter.cpp
M Source/WebCore/loader/ContentFilter.h
M Source/WebCore/loader/DocumentLoader.cpp
M Source/WebCore/loader/DocumentLoader.h
M Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp
M Source/WebKit/NetworkProcess/NetworkResourceLoader.h
Log Message:
-----------
CheckedPtr crash in NetworkResourceLoader::contentFilterDidBlock() when
ContentFilter is deleted during delayed async callback
<https://bugs.webkit.org/show_bug.cgi?id=306402>
<rdar://165364915>

Reviewed by Per Arne Vollan and Chris Dumez.

Fix the crash by converting WebCore::ContentFilter from
CheckedPtr/WeakPtr to RefPtr so that the lifetime of the object can be
kept through callbacks.

Change WeakRef<ContentFilterClient> to WeakPtr<ContentFilterClient> as
well.

An attempt to construct a test was made, but it required changes to
shipping code to make it reproduce a similar crash.
* Source/WebCore/loader/ContentFilter.cpp:
(WebCore::ContentFilter::create):
(WebCore::ContentFilter::ContentFilterCallbackAggregator::~ContentFilterCallbackAggregator):
(WebCore::ContentFilter::ContentFilterCallbackAggregator::didReceivePlatformContentFilterDecision):
(WebCore::ContentFilter::continueAfterSubstituteDataRequest):
* Source/WebCore/loader/ContentFilter.h:
* Source/WebCore/loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::notifyFinished):
(WebCore::DocumentLoader::willSendRequest):
(WebCore::DocumentLoader::responseReceived):
(WebCore::DocumentLoader::dataReceived):
(WebCore::DocumentLoader::detachFromFrame):
(WebCore::DocumentLoader::clearMainResource):
(WebCore::DocumentLoader::becomeMainResourceClient):
(WebCore::DocumentLoader::contentFilterWillHandleProvisionalLoadFailure):
(WebCore::DocumentLoader::contentFilterHandleProvisionalLoadFailure):
* Source/WebCore/loader/DocumentLoader.h:
* Source/WebKit/NetworkProcess/NetworkResourceLoader.cpp:
(WebKit::NetworkResourceLoader::startContentFiltering):
(WebKit::NetworkResourceLoader::didReceiveResponse):
(WebKit::NetworkResourceLoader::didFinishLoading):
(WebKit::NetworkResourceLoader::willSendRedirectedRequestInternal):
(WebKit::NetworkResourceLoader::bufferingTimerFired):
(WebKit::NetworkResourceLoader::sendBuffer):
(WebKit::NetworkResourceLoader::didRetrieveCacheEntry):
(WebKit::NetworkResourceLoader::sendResultForCacheEntry):
(WebKit::NetworkResourceLoader::continueAfterServiceWorkerReceivedData):
(WebKit::NetworkResourceLoader::continueAfterServiceWorkerReceivedResponse):
(WebKit::NetworkResourceLoader::serviceWorkerDidFinish):
(WebKit::NetworkResourceLoader::contentFilterDidBlock):
(WebKit::NetworkResourceLoader::checkedContentFilter): Delete.
* Source/WebKit/NetworkProcess/NetworkResourceLoader.h:
Canonical link: https://commits.webkit.org/306652@main
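
The lifetime pattern the log message describes, as an added example that is not WebKit code and is not taken from this commit: a queued callback holds a strong reference to the filter, and the filter holds only a weak reference to its client. std::shared_ptr and std::weak_ptr stand in for RefPtr and WeakPtr, and Client, Filter, the task queue and run() are hypothetical names.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Assumptions: std::shared_ptr/std::weak_ptr stand in for RefPtr/WeakPtr;
// Client, Filter and the task queue are hypothetical, not WebKit classes.
int g_live = 0, g_liveInCallback = 0, g_notified = 0;
struct Filter;

struct Client {
    std::shared_ptr<Filter> filter;                   // the client owns its filter
    void didBlock() { ++g_notified; filter.reset(); } // drops the filter mid-callback
};

struct Filter : std::enable_shared_from_this<Filter> {
    std::weak_ptr<Client> client;                     // weak: the client may die first
    bool finished = false;
    explicit Filter(std::weak_ptr<Client> c) : client(std::move(c)) { ++g_live; }
    ~Filter() { --g_live; }

    // Queue a delayed decision. The lambda captures a strong reference, so the
    // filter stays alive for the whole callback whatever the client does.
    void decideLater(std::vector<std::function<void()>>& queue) {
        queue.push_back([self = shared_from_this()] { self->handleDecision(); });
    }
    void handleDecision() {
        if (auto c = client.lock())
            c->didBlock();                            // client releases its reference
        finished = true;                              // safe: the task still holds one
        g_liveInCallback = g_live;
    }
};

struct Result { int notified; int liveInCallback; int liveAfter; };

// dropClient models the owner (and its filter reference) going away
// while the asynchronous decision is still pending.
Result run(bool dropClient) {
    g_live = g_liveInCallback = g_notified = 0;
    std::vector<std::function<void()>> queue;
    auto client = std::make_shared<Client>();
    client->filter = std::make_shared<Filter>(client);
    client->filter->decideLater(queue);
    if (dropClient)
        client.reset();                               // only the queued task keeps the filter
    for (auto& task : queue) task();
    queue.clear();                                    // last reference dies with the task
    return { g_notified, g_liveInCallback, g_live };
}
int main() { return run(false).liveAfter + run(true).liveAfter; }
```

In both runs the filter is still alive after the client callback returns and is destroyed only when the queued task is released; when the client is gone, the weak reference fails to lock and the notification is skipped.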