Changeset 198387 in webkit

Timestamp:

Mar 18, 2016, 12:23:10 AM (9 years ago)

Author:

Antti Koivisto

Message:

Data URL DecodeTask may get deleted outside main thread
​https://bugs.webkit.org/show_bug.cgi?id=155584
rdar://problem/24492104

Reviewed by Darin Adler.

This is unsafe as it owns strings and other types that are only safe to delete in the main thread.

There is a race between deref in dispatch() and deref in timerFired(). If the timer fires before dispatch()
exits the implicit deref will trigger deletion of DecodingResultDispatcher in the dispatching thread.

(WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):

Fix by clearing m_decodeTask when the timer fires.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• platform/network/DataURLDecoder.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2016-03-17  Antti Koivisto  <antti@apple.com>
+
+        Data URL DecodeTask may get deleted outside main thread
+        https://bugs.webkit.org/show_bug.cgi?id=155584
+        rdar://problem/24492104
+
+        Reviewed by Darin Adler.
+
+        This is unsafe as it owns strings and other types that are only safe to delete in the main thread.
+
+        There is a race between deref in dispatch() and deref in timerFired(). If the timer fires before dispatch()
+        exits the implicit deref will trigger deletion of DecodingResultDispatcher in the dispatching thread.
+
+        (WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):
+
+            Fix by clearing m_decodeTask when the timer fires.
+
 2016-03-17  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebCore/platform/network/DataURLDecoder.cpp

@@ -86 +86 @@
         else
             m_decodeTask->completionHandler({ });
+
+        // Ensure DecodeTask gets deleted in the main thread.
+        m_decodeTask = nullptr;
 
         deref();