Changeset 198335 in webkit


Timestamp:
Mar 17, 2016 10:02:14 AM
Author:
Antti Koivisto
Message:

DataURLDecoder::DecodingResultDispatcher may get deleted outside main thread
https://bugs.webkit.org/show_bug.cgi?id=155584
rdar://problem/24492104

Reviewed by Chris Dumez.

This is unsafe as it owns strings and other types that are only safe to delete in the main thread.

  • platform/network/DataURLDecoder.cpp:

(WebCore::DataURLDecoder::DecodingResultDispatcher::dispatch):

The problem is that this was a refcounted type. This created a race. If the timer fired before dispatch()
was exited, the implicit deref here would trigger the deletion in the dispatching thread.

Fix by getting rid of the unnecessary refcounting. Timer firing will now delete the instance explicitly.

(WebCore::DataURLDecoder::DecodingResultDispatcher::startTimer):
(WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r198334 r198335  
     12016-03-17  Antti Koivisto  <antti@apple.com>
     2
     3        DataURLDecoder::DecodingResultDispatcher may get deleted outside main thread
     4        https://bugs.webkit.org/show_bug.cgi?id=155584
     5        rdar://problem/24492104
     6
     7        Reviewed by Chris Dumez.
     8
     9        This is unsafe as it owns strings and other types that are only safe to delete in the main thread.
     10
     11        * platform/network/DataURLDecoder.cpp:
     12        (WebCore::DataURLDecoder::DecodingResultDispatcher::dispatch):
     13
     14            The problem is that this was a refcounted type. This created a race. If the timer fired before dispatch()
     15            was exited the implicit deref here would trigger the deletion in the dispatching thread.
     16
     17            Fix by getting rid of the unnecessary refcounting. Timer firing will now delete the instance explicitly.
     18
     19        (WebCore::DataURLDecoder::DecodingResultDispatcher::startTimer):
     20        (WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):
     21
    1222016-03-17  Commit Queue  <commit-queue@webkit.org>
    223
  • trunk/Source/WebCore/platform/network/DataURLDecoder.cpp

    r195694 r198335  
    5757#if HAVE(RUNLOOP_TIMER)
    5858
    59 class DecodingResultDispatcher : public ThreadSafeRefCounted<DecodingResultDispatcher> {
     59class DecodingResultDispatcher {
     60    WTF_MAKE_FAST_ALLOCATED;
    6061public:
    6162    static void dispatch(std::unique_ptr<DecodeTask> decodeTask)
    6263    {
    63         Ref<DecodingResultDispatcher> dispatcher = adoptRef(*new DecodingResultDispatcher(WTFMove(decodeTask)));
     64        auto* dispatcher = new DecodingResultDispatcher(WTFMove(decodeTask));
    6465        dispatcher->startTimer();
    6566    }
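Review bot: `auto* dispatcher = new DecodingResultDispatcher(WTFMove(decodeTask));` in dispatch() transfers ownership to the pending timer without saying so; if the timer never fires, nothing deletes the dispatcher or the DecodeTask it holds, whereas the old `Ref<>` at least made the keep-alive visible at the call site. Suggest a one-line comment above the `new` stating that the object deletes itself in timerFired(), and consider giving the class a private destructor so a later caller cannot create one on the stack or hold it in a smart pointer and double-delete it.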
     
    7475    void startTimer()
    7576    {
    76         // Keep alive until the timer has fired.
    77         ref();
    7877        m_timer.startOneShot(0);
    7978        m_timer.schedule(m_decodeTask->scheduleContext.scheduledPairs);
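Review bot: dropping the `// Keep alive until the timer has fired.` comment together with `ref()` leaves startTimer() with no statement of who owns the object; replace it with a comment saying the pending timer owns it and timerFired() deletes it. Also, `m_timer.schedule(m_decodeTask->scheduleContext.scheduledPairs);` reads a member after `m_timer.startOneShot(0);`, and with `delete this` now in timerFired() that read is only safe if the timer cannot fire before schedule() has attached it to the run loop; since this change exists to fix a lifetime race, that assumption deserves to be written down next to the call.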
     
    8786            m_decodeTask->completionHandler({ });
    8887
    89         deref();
     88        delete this;
    9089    }
    9190
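Review bot: `delete this;` is correctly the last statement of timerFired(), after `m_decodeTask->completionHandler({ });`, so the owned strings are destroyed on the main thread as the ChangeLog intends; add a comment on that line that no member may be touched after it. Note that m_timer is a member, so `delete this` destroys the timer from inside its own firing callback, which is fine only if the timer implementation tolerates being destroyed during fire; a sentence confirming that in the ChangeLog would save the next reader from re-checking it.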