Changeset 241594 in webkit


Timestamp:
Feb 15, 2019 10:51:09 AM (5 years ago)
Author:
achristensen@apple.com
Message:

REGRESSION: ( r240978-r240985 ) [ iOS Release ] Layout Test imported/w3c/web-platform-tests/xhr/send-redirect-post-upload.htm is crashing
https://bugs.webkit.org/show_bug.cgi?id=194523

Reviewed by Geoffrey Garen.

The scope of the FormCreationContext was limited to the scope of createHTTPBodyCFReadStream,
so when it was used in formCreate it was lucky to get the same context if the stack hadn't been overwritten
and if the FormData hadn't been freed. Instead, keep it alive with new/delete like we do the FormStreamFields.
A younger me should've noticed this when reviewing r218517.

  • platform/network/cf/FormDataStreamCFNet.cpp:

(WebCore::formCreate):
(WebCore::createHTTPBodyCFReadStream):

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r241593 r241594  
     12019-02-15  Alex Christensen  <achristensen@webkit.org>
     2
     3        REGRESSION: ( r240978-r240985 ) [ iOS Release ] Layout Test imported/w3c/web-platform-tests/xhr/send-redirect-post-upload.htm is crashing
     4        https://bugs.webkit.org/show_bug.cgi?id=194523
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        The scope of the FormCreationContext was limited to the scope of createHTTPBodyCFReadStream,
     9        so when it was used in formCreate it was lucky to get the same context if the stack hadn't been overwritten
     10        and if the FormData hadn't been freed.  Instead, keep it alive with new/delete like we do the FormStreamFields.
     11        A younger me should've noticed this when reviewing r218517.
     12
     13        * platform/network/cf/FormDataStreamCFNet.cpp:
     14        (WebCore::formCreate):
     15        (WebCore::createHTTPBodyCFReadStream):
     16
    1172019-02-15  Commit Queue  <commit-queue@webkit.org>
    218
  • trunk/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp

    r241008 r241594  
    217217    newInfo->streamLength = formContext->streamLength;
    218218    newInfo->bytesSent = 0;
     219   
     220    callOnMainThread([formContext] {
     221        delete formContext;
     222    });
    219223
    220224    // Append in reverse order since we remove elements from the end.
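Review bot: The deferred delete at new lines 220-222 of formCreate is queued before the function has finished, so if formCreate runs off the main thread, any read of formContext below this point could hit freed memory. The lines shown only read formContext above the lambda (formContext->streamLength), which is fine, but nothing stops a later edit from using it further down. Suggest moving the callOnMainThread block to the end of formCreate, or adding a comment that formContext must not be touched after it is queued for deletion. A short comment on why the delete has to hop to the main thread instead of being a plain "delete formContext" here would also help the next reader.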
     
    381385        length += element.lengthInBytes();
    382386
    383     FormCreationContext formContext = { WTFMove(resolvedFormData), length };
     387    FormCreationContext* formContext = new FormCreationContext { WTFMove(resolvedFormData), length };
    384388    CFReadStreamCallBacksV1 callBacks = { 1, formCreate, formFinalize, nullptr, formOpen, nullptr, formRead, nullptr, formCanRead, formClose, formCopyProperty, nullptr, nullptr, formSchedule, formUnschedule };
    385     return adoptCF(CFReadStreamCreate(nullptr, static_cast<const void*>(&callBacks), &formContext));
     389    return adoptCF(CFReadStreamCreate(nullptr, static_cast<const void*>(&callBacks), formContext));
    386390}
    387391
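Review bot: Ownership of the raw pointer created at new line 387 passes to CFReadStreamCreate with nothing at the call site saying who frees it. The only delete is in formCreate, so the context leaks if the create callback is never invoked (for example if CFReadStreamCreate fails), and it is deleted twice if the callback is ever invoked more than once for the same info pointer. Suggest a comment at this line stating that formCreate takes ownership and deletes the context on the main thread, and consider holding it in a std::unique_ptr up to the call and passing release(), so the hand-off is explicit in the code.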