WebKit Bugzilla: Attachment 373265 Details for Bug 199380: FetchResponse::BodyLoader should not be movable
Patch: bug-199380-20190701232228.patch (text/plain), 3.40 KB, created by Zan Dobersek on 2019-07-01 14:22:30 PDT
Flags: patch, obsolete
>Subversion Revision: 247015 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index afb211bfeecb8c6431309d3c52834ecd8a9f69f5..1204d0a6af8a720d693ffc769cb6006ad04b8cde 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,28 @@ >+2019-07-01 Zan Dobersek <zdobersek@igalia.com> >+ >+ FetchResponse::BodyLoader should not be movable >+ https://bugs.webkit.org/show_bug.cgi?id=199380 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ The FetchResponse::BodyLoader class has a FetchLoader member that is >+ initialized upon construction with the reference of the owning >+ FetchResponse::BodyLoader object. This reference doesn't change when >+ the FetchResponse::BodyLoader object is moved into a different object >+ and the FetchLoader unique_ptr along with it, leading to use-after-frees >+ when that FetchLoader tries to invoke the FetchLoaderClient methods on >+ the FetchResponse::BodyLoader object that's been moved from and is >+ possibly already destroyed. >+ >+ To avoid this, the FetchResponse::BodyLoader class is marked as >+ non-movable, and the current cases of moves on objects of this class >+ are changed to reflect the new property. >+ >+ * Modules/fetch/FetchResponse.cpp: >+ (WebCore::FetchResponse::addAbortSteps): >+ (WebCore::FetchResponse::stop): >+ * Modules/fetch/FetchResponse.h: >+ > 2019-07-01 Zalan Bujtas <zalan@apple.com> > > [iPadOS] Tapping on the bottom part of youtube video behaves as if controls were visible >diff --git a/Source/WebCore/Modules/fetch/FetchResponse.cpp b/Source/WebCore/Modules/fetch/FetchResponse.cpp >index 4fe7616a49b6d12f6a841a33bfa31c8d9b0bb26b..3a1d6e2382c1e0c0596998e1f1b5ad1dea5a3726 100644 >--- a/Source/WebCore/Modules/fetch/FetchResponse.cpp >+++ b/Source/WebCore/Modules/fetch/FetchResponse.cpp 
>@@ -214,8 +214,9 @@ void FetchResponse::addAbortSteps(Ref<AbortSignal>&& signal) > if (m_body) > m_body->loadingFailed(*loadingException()); > >- if (auto bodyLoader = WTFMove(m_bodyLoader)) >- bodyLoader->stop(); >+ if (m_bodyLoader) >+ m_bodyLoader->stop(); >+ m_bodyLoader = WTF::nullopt; > }); > } > >@@ -521,8 +522,9 @@ void FetchResponse::stop() > { > RefPtr<FetchResponse> protectedThis(this); > FetchBodyOwner::stop(); >- if (auto bodyLoader = WTFMove(m_bodyLoader)) >- bodyLoader->stop(); >+ if (m_bodyLoader) >+ m_bodyLoader->stop(); >+ m_bodyLoader = WTF::nullopt; > } > > const char* FetchResponse::activeDOMObjectName() const >diff --git a/Source/WebCore/Modules/fetch/FetchResponse.h b/Source/WebCore/Modules/fetch/FetchResponse.h >index 74c1454f9aaf31241816c51e46e0f04e70ae1322..67762009eb07d25593966529feda573924d8ac93 100644 >--- a/Source/WebCore/Modules/fetch/FetchResponse.h >+++ b/Source/WebCore/Modules/fetch/FetchResponse.h >@@ -34,6 +34,7 @@ > #include "ResourceResponse.h" > #include <JavaScriptCore/TypedArrays.h> > #include <wtf/WeakPtr.h> >+#include <wtf/Nonmovable.h> > > namespace JSC { > class ExecState; >@@ -128,9 +129,9 @@ private: > void addAbortSteps(Ref<AbortSignal>&&); > > class BodyLoader final : public FetchLoaderClient { >+ WTF_MAKE_NONMOVABLE(BodyLoader); > public: > BodyLoader(FetchResponse&, NotificationCallback&&); >- BodyLoader(BodyLoader&&) = default; > ~BodyLoader(); > > bool start(ScriptExecutionContext&, const FetchRequest&);
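Review bot: In the addAbortSteps hunk, stop() is now invoked on the member m_bodyLoader in place instead of on a local moved out of it, so if BodyLoader::stop() synchronously re-enters FetchResponse and resets m_bodyLoader, the loader would be destroyed while still executing its own stop(). The old move-out pattern sidestepped that ordering; please confirm that stop() cannot reach any path that assigns m_bodyLoader, or note the invariant in a comment next to the `m_bodyLoader = WTF::nullopt;` line.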
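Review bot: The FetchResponse::stop() hunk repeats the same three-line sequence (`if (m_bodyLoader)` / `m_bodyLoader->stop();` / `m_bodyLoader = WTF::nullopt;`) that the addAbortSteps hunk introduces; a small private helper such as a stopBodyLoader() method would keep the two sites from drifting apart if the teardown order changes again. The existing `RefPtr<FetchResponse> protectedThis(this);` already covers lifetime of the owning object for this path.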
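Review bot: In the FetchResponse.h include hunk, `#include <wtf/Nonmovable.h>` is appended after `#include <wtf/WeakPtr.h>`, which breaks the alphabetical ordering of the wtf includes; move it above the WeakPtr.h line so the style checker does not flag it.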
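Review bot: In the BodyLoader class hunk, dropping `BodyLoader(BodyLoader&&) = default;` together with WTF_MAKE_NONMOVABLE means m_bodyLoader (an Optional, judging by the WTF::nullopt assignments) can only be populated by constructing in place; the site that creates the loader is not part of this diff, so please verify it already emplaces rather than assigning a temporary, otherwise the build will fail there. Making the type non-movable is the right fix for the use-after-free the ChangeLog describes, since FetchLoader keeps a reference to the BodyLoader it was constructed with and a move would silently leave that reference dangling.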
Attachments on bug 199380: 373265 | 373305