Title: [198335] trunk/Source/WebCore
Revision
198335
Author
[email protected]
Date
2016-03-17 10:02:14 -0700 (Thu, 17 Mar 2016)

Log Message

DataURLDecoder::DecodingResultDispatcher may get deleted outside main thread
https://bugs.webkit.org/show_bug.cgi?id=155584
rdar://problem/24492104

Reviewed by Chris Dumez.

This is unsafe as it owns strings and other types that are only safe to delete in the main thread.

* platform/network/DataURLDecoder.cpp:
(WebCore::DataURLDecoder::DecodingResultDispatcher::dispatch):

    The problem is that this was a refcounted type. This created a race. If the timer fired before dispatch()
    was exited, the implicit deref here would trigger the deletion in the dispatching thread.

    Fix by getting rid of the unnecessary refcounting. Timer firing will now delete the instance explicitly.

(WebCore::DataURLDecoder::DecodingResultDispatcher::startTimer):
(WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (198334 => 198335)


--- trunk/Source/WebCore/ChangeLog	2016-03-17 16:43:41 UTC (rev 198334)
+++ trunk/Source/WebCore/ChangeLog	2016-03-17 17:02:14 UTC (rev 198335)
@@ -1,3 +1,24 @@
+2016-03-17  Antti Koivisto  <[email protected]>
+
+        DataURLDecoder::DecodingResultDispatcher may get deleted outside main thread
+        https://bugs.webkit.org/show_bug.cgi?id=155584
+        rdar://problem/24492104
+
+        Reviewed by Chris Dumez.
+
+        This is unsafe as it owns strings and other types that are only safe to delete in the main thread.
+
+        * platform/network/DataURLDecoder.cpp:
+        (WebCore::DataURLDecoder::DecodingResultDispatcher::dispatch):
+
+            The problem is that this was a refcounted type. This created a race. If the timer fired before dispatch()
+            was exited the implicit deref here would trigger the deletion in the dispatching thread.
+
+            Fix by getting rid of the unnecessary refcounting. Timer firing will now delete the instance explicitly.
+
+        (WebCore::DataURLDecoder::DecodingResultDispatcher::startTimer):
+        (WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):
+
 2016-03-17  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r198201.

Modified: trunk/Source/WebCore/platform/network/DataURLDecoder.cpp (198334 => 198335)


--- trunk/Source/WebCore/platform/network/DataURLDecoder.cpp	2016-03-17 16:43:41 UTC (rev 198334)
+++ trunk/Source/WebCore/platform/network/DataURLDecoder.cpp	2016-03-17 17:02:14 UTC (rev 198335)
@@ -56,11 +56,12 @@
 
 #if HAVE(RUNLOOP_TIMER)
 
-class DecodingResultDispatcher : public ThreadSafeRefCounted<DecodingResultDispatcher> {
+class DecodingResultDispatcher {
+    WTF_MAKE_FAST_ALLOCATED;
 public:
     static void dispatch(std::unique_ptr<DecodeTask> decodeTask)
     {
-        Ref<DecodingResultDispatcher> dispatcher = adoptRef(*new DecodingResultDispatcher(WTFMove(decodeTask)));
+        auto* dispatcher = new DecodingResultDispatcher(WTFMove(decodeTask));
         dispatcher->startTimer();
     }
 
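Review bot: the ownership convention at the new allocation site in dispatch() is not documented; `auto* dispatcher = new DecodingResultDispatcher(WTFMove(decodeTask));` hands a raw pointer to the timer machinery with nothing at this call site saying who frees it. A one-line comment such as `// Deleted in timerFired() on the main thread.` would make the self-deleting lifetime visible where the object is created, which is the property this change relies on to keep the owned strings off the decoding thread. Note also that a path where startTimer() is entered but the timer never fires now leaks the instance rather than releasing it, so the assumption that the one-shot timer always runs is worth stating.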
@@ -73,8 +74,6 @@
 
     void startTimer()
     {
-        // Keep alive until the timer has fired.
-        ref();
         m_timer.startOneShot(0);
         m_timer.schedule(m_decodeTask->scheduleContext.scheduledPairs);
     }
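Review bot: the removed `// Keep alive until the timer has fired.` comment and `ref();` should be replaced by a comment explaining the new lifetime rule, because startTimer() still dereferences `m_decodeTask->scheduleContext.scheduledPairs` on the line after `m_timer.startOneShot(0);`, and timerFired() now deletes the object. That ordering is only safe if the timer cannot fire before `m_timer.schedule(...)` attaches it to the run loop; documenting that invariant here (or moving the scheduleContext read into a local before startOneShot) would keep a future reordering from reintroducing a use-after-free in the dispatching thread.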
@@ -86,7 +85,7 @@
         else
             m_decodeTask->completionHandler({ });
 
-        deref();
+        delete this;
     }
 
     RunLoopTimer<DecodingResultDispatcher> m_timer;
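Review bot: `delete this;` in timerFired() destroys `m_timer`, the `RunLoopTimer<DecodingResultDispatcher>` member, from inside that timer's own callback, so the safety of this hunk depends on RunLoopTimer tolerating destruction while it is firing; that guarantee is not visible in the diff and should be confirmed and noted in a comment. It should also be the last statement reached on every branch (it is, in the visible lines, since both the completionHandler calls precede it), and since timerFired runs on the main thread this is what moves the destruction of the DecodeTask's strings to the correct thread, which is the point of the fix; a short comment stating both facts would help reviewers of later changes.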