Changeset 241121 in webkit

Timestamp:

Feb 7, 2019 8:07:03 AM (5 years ago)

Author:

Antti Koivisto

Message:

Infinite recursion via CachedResource::~CachedResource
​https://bugs.webkit.org/show_bug.cgi?id=194378
<rdar://problem/42023295>

Reviewed by Daniel Bates.

I don't know the exact steps to trigger this but the mechanism seems clear.

1) An existing resource is removed from or replaced in CachedResourceLoader::m_documentResources map.
2) This decrements the handle count of resource and causes it be deleted.
3) CachedResource::~CachedResource calls m_owningCachedResourceLoader->removeCachedResource(*this). This only happens with

resources that are "owned" by CachedResourceLoader which is a rare special case (used by image document and if memory cache is disabled).

4) CachedResourceLoader::removeCachedResource looks up the resource from the map which causes a temporary CachedResourceHandle to be created.

This increments the handle count of the resource from 0 back to 1.

5) When the temporary dies, CachedResource::~CachedResource is called again and we cycle back to 3).

The fix here is simply to remove CachedResourceLoader::removeCachedResource call from ~CachedResource.
It is a leftover from when the map contained raw pointers instead of owning CachedResourceHandles.

Since m_documentResources map has a handle to the resource, the only way we are in the destructor is that the resource
has been removed from the map already (or is in process of being removed like in this crash). Any call that does anything
other than bail out is going to crash.

CachedResource::n_owningCachedResourceLoader member and CachedResourceLoader::removeCachedResource function only exist to
support this erranous call so they are removed as well.

• loader/ImageLoader.cpp:

(WebCore::ImageLoader::updateFromElement):

• loader/cache/CachedResource.cpp:

(WebCore::CachedResource::~CachedResource):

This is the substantive change. The rest just removes now-dead code.

• loader/cache/CachedResource.h:

(WebCore::CachedResource::setOwningCachedResourceLoader): Deleted.

• loader/cache/CachedResourceLoader.cpp:

(WebCore::CachedResourceLoader::~CachedResourceLoader):
(WebCore::CachedResourceLoader::requestUserCSSStyleSheet):
(WebCore::CachedResourceLoader::requestResource):
(WebCore::CachedResourceLoader::loadResource):
(WebCore::CachedResourceLoader::garbageCollectDocumentResources):
(WebCore::CachedResourceLoader::removeCachedResource): Deleted.

• loader/cache/CachedResourceLoader.h:

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• loader/ImageLoader.cpp (modified) (1 diff)
• loader/cache/CachedResource.cpp (modified) (1 diff)
• loader/cache/CachedResource.h (modified) (2 diffs)
• loader/cache/CachedResourceLoader.cpp (modified) (6 diffs)
• loader/cache/CachedResourceLoader.h (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-02-07  Antti Koivisto  <antti@apple.com>
+
+        Infinite recursion via CachedResource::~CachedResource
+        https://bugs.webkit.org/show_bug.cgi?id=194378
+        <rdar://problem/42023295>
+
+        Reviewed by Daniel Bates.
+
+        I don't know the exact steps to trigger this but the mechanism seems clear.
+
+        1) An existing resource is removed from or replaced in CachedResourceLoader::m_documentResources map.
+        2) This decrements the handle count of resource and causes it be deleted.
+        3) CachedResource::~CachedResource calls m_owningCachedResourceLoader->removeCachedResource(*this). This only happens with
+           resources that are "owned" by CachedResourceLoader which is a rare special case (used by image document and if memory cache is disabled).
+        4) CachedResourceLoader::removeCachedResource looks up the resource from the map which causes a temporary CachedResourceHandle to be created.
+           This increments the handle count of the resource from 0 back to 1.
+        5) When the temporary dies, CachedResource::~CachedResource is called again and we cycle back to 3).
+
+        The fix here is simply to remove CachedResourceLoader::removeCachedResource call from ~CachedResource.
+        It is a leftover from when the map contained raw pointers instead of owning CachedResourceHandles.
+
+        Since m_documentResources map has a handle to the resource, the only way we are in the destructor is that the resource
+        has been removed from the map already (or is in process of being removed like in this crash). Any call that does anything
+        other than bail out is going to crash.
+
+        CachedResource::n_owningCachedResourceLoader member and CachedResourceLoader::removeCachedResource function only exist to
+        support this erranous call so they are removed as well.
+
+        * loader/ImageLoader.cpp:
+        (WebCore::ImageLoader::updateFromElement):
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::~CachedResource):
+
+        This is the substantive change. The rest just removes now-dead code.
+
+        * loader/cache/CachedResource.h:
+        (WebCore::CachedResource::setOwningCachedResourceLoader): Deleted.
+        * loader/cache/CachedResourceLoader.cpp:
+        (WebCore::CachedResourceLoader::~CachedResourceLoader):
+        (WebCore::CachedResourceLoader::requestUserCSSStyleSheet):
+        (WebCore::CachedResourceLoader::requestResource):
+        (WebCore::CachedResourceLoader::loadResource):
+        (WebCore::CachedResourceLoader::garbageCollectDocumentResources):
+        (WebCore::CachedResourceLoader::removeCachedResource): Deleted.
+        * loader/cache/CachedResourceLoader.h:
+
 2019-02-07  Miguel Gomez  <magomez@igalia.com>
 

trunk/Source/WebCore/loader/ImageLoader.cpp

@@ -195 +195 @@
             newImage->setStatus(CachedResource::Pending);
             newImage->setLoading(true);
-            newImage->setOwningCachedResourceLoader(&document.cachedResourceLoader());
             document.cachedResourceLoader().m_documentResources.set(newImage->url(), newImage.get());
             document.cachedResourceLoader().setAutoLoadImages(autoLoadOtherImages);

trunk/Source/WebCore/loader/cache/CachedResource.cpp

@@ -175 +175 @@
     cachedResourceLeakCounter.decrement();
 #endif
-
-    if (m_owningCachedResourceLoader)
-        m_owningCachedResourceLoader->removeCachedResource(*this);
 }
 

trunk/Source/WebCore/loader/cache/CachedResource.h

@@ -235 +235 @@
     virtual void destroyDecodedData() { }
 
-    void setOwningCachedResourceLoader(CachedResourceLoader* cachedResourceLoader) { m_owningCachedResourceLoader = cachedResourceLoader; }
-
     bool isPreloaded() const { return m_preloadCount; }
     void increasePreloadCount() { ++m_preloadCount; }
@@ -334 +332 @@
     Vector<std::pair<String, String>> m_varyingHeaderValues;
 
-    CachedResourceLoader* m_owningCachedResourceLoader { nullptr }; // only non-null for resources that are not in the cache
-
     // If this field is non-null we are using the resource as a proxy for checking whether an existing resource is still up to date
     // using HTTP If-Modified-Since/If-None-Match headers. If the response is 304 all clients of this resource are moved

trunk/Source/WebCore/loader/cache/CachedResourceLoader.cpp

@@ -162 +162 @@
 
     clearPreloads(ClearPreloadsMode::ClearAllPreloads);
-    for (auto& resource : m_documentResources.values())
-        resource->setOwningCachedResourceLoader(nullptr);
 
     // Make sure no requests still point to this CachedResourceLoader
@@ -259 +257 @@
     if (userSheet->allowsCaching())
         memoryCache.add(*userSheet);
-    // FIXME: loadResource calls setOwningCachedResourceLoader() if the resource couldn't be added to cache. Does this function need to call it, too?
 
     userSheet->load(*this);
@@ -862 +859 @@
 
     auto& memoryCache = MemoryCache::singleton();
-    if (request.allowsCaching() && memoryCache.disabled()) {
-        if (auto handle = m_documentResources.take(url.string()))
-            handle->setOwningCachedResourceLoader(nullptr);
-    }
+    if (request.allowsCaching() && memoryCache.disabled())
+        m_documentResources.remove(url.string());
 
     // See if we can use an existing resource from the cache.
@@ -1014 +1009 @@
     CachedResourceHandle<CachedResource> resource = createResource(type, WTFMove(request), sessionID(), cookieJar);
 
-    if (resource->allowsCaching() && !memoryCache.add(*resource))
-        resource->setOwningCachedResourceLoader(this);
+    if (resource->allowsCaching())
+        memoryCache.add(*resource);
 
     if (RuntimeEnabledFeatures::sharedFeatures().resourceTimingEnabled())
@@ -1303 +1298 @@
 }
 
-void CachedResourceLoader::removeCachedResource(CachedResource& resource)
-{
-    if (m_documentResources.contains(resource.url()) && m_documentResources.get(resource.url()).get() != &resource)
-        return;
-    m_documentResources.remove(resource.url());
-}
-
 void CachedResourceLoader::loadDone(LoadCompletionType type, bool shouldPerformPostLoadActions)
 {
@@ -1343 +1331 @@
         LOG(ResourceLoading, "  cached resource %p - hasOneHandle %d", resource.value.get(), resource.value->hasOneHandle());
 
-        if (resource.value->hasOneHandle()) {
+        if (resource.value->hasOneHandle())
             resourcesToDelete.append(resource.key);
-            resource.value->setOwningCachedResourceLoader(nullptr);
-        }
     }
 

trunk/Source/WebCore/loader/cache/CachedResourceLoader.h

@@ -130 +130 @@
     void clearDocumentLoader() { m_documentLoader = nullptr; }
     PAL::SessionID sessionID() const;
-
-    void removeCachedResource(CachedResource&);
 
     void loadDone(LoadCompletionType, bool shouldPerformPostLoadActions = true);