Bug 148082

Summary: REGRESSION (r188486): use-after-free in SubresourceLoader::didReceiveResponse() when TemporaryChange goes out of scope
Product: WebKit
Reporter: Andy Estes <aestes>
Component: Page Loading
Assignee: Andy Estes <aestes>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, beidson, commit-queue, japhet
Priority: P2
Version: WebKit Nightly Build
Hardware: All
OS: All
Attachments:
ASan crash log for http/tests/appcache/deferred-events-delete-while-raising.html (flags: none)
ASan crash for http/tests/appcache/deferred-events-delete-while-raising.html (flags: none)
Patch (flags: ap: review+)

Description Andy Estes 2015-08-17 11:15:50 PDT
Created attachment 259163 [details]
ASan crash log for http/tests/appcache/deferred-events-delete-while-raising.html

See attached crash log.

The issue is that the TemporaryChange added in r188486 is declared before |protect|, which means its destructor will be called after the last ref to the SubresourceLoader is possibly removed.
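Added example, not WebKit code: a small C++ model of the destructor-order defect the description reports. TemporaryChange, the Protector and Loader types are stand-ins (assumed names) for WTF::TemporaryChange, the |protect| Ref and SubresourceLoader, and reaching refcount zero marks the object dead instead of freeing memory, so the write after the object's lifetime ended is logged rather than being undefined behaviour; the two member functions show the r188486 ordering beside the fixed one.

```cpp
#include <string>
#include <vector>
// Constructed event log used to observe destructor ordering.
static std::vector<std::string> g_events;
// Stand-in for the plain bool member: a write after the owner's lifetime has ended is
// recorded instead of corrupting freed memory, so the defect is observable safely.
struct TrackedBool {
    bool value = false, alive = true;
    TrackedBool& operator=(bool v) {
        if (alive) value = v; else g_events.push_back("write after destroy");
        return *this;
    }
};
// Minimal TemporaryChange: set a value for the enclosing scope, restore it in the destructor.
template <typename T, typename V> struct TemporaryChange {
    T& m_variable; V m_original;
    TemporaryChange(T& var, V newValue) : m_variable(var), m_original(var.value) { m_variable = newValue; }
    ~TemporaryChange() { g_events.push_back("TemporaryChange destroyed"); m_variable = m_original; }
};
// Model of the RefCounted loader. Refcount zero ends the object's lifetime in the model
// (logged and marked) rather than deleting memory, so the stack object stays valid.
struct Loader {
    int m_refCount = 1; // the caller's reference
    TrackedBool m_callingDidReceiveResponse;
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) { m_callingDidReceiveResponse.alive = false; g_events.push_back("loader destroyed"); } }
    struct Protector { Loader& l; Protector(Loader& x) : l(x) { l.ref(); } ~Protector() { l.deref(); } };
    // Client callback that drops the caller's reference mid-call, as the deferred appcache events can.
    void notifyClient() { deref(); }
    // Ordering from r188486: the guard is declared before |protect|, so it is destroyed after it.
    void didReceiveResponseBuggy() {
        TemporaryChange<TrackedBool, bool> callingDidReceiveResponse(m_callingDidReceiveResponse, true);
        Protector protect(*this);
        notifyClient();
    }
    // Fixed ordering: |protect| first, so the guard's destructor runs while the object is alive.
    void didReceiveResponseFixed() {
        Protector protect(*this);
        TemporaryChange<TrackedBool, bool> callingDidReceiveResponse(m_callingDidReceiveResponse, true);
        notifyClient();
    }
};
// Runs one ordering on a fresh loader and returns the observed events joined by " > ".
std::string runScenario(bool fixed) {
    g_events.clear(); Loader loader;
    if (fixed) loader.didReceiveResponseFixed(); else loader.didReceiveResponseBuggy();
    std::string out;
    for (const auto& e : g_events) out += (out.empty() ? "" : " > ") + e;
    return out;
}
```

In the buggy ordering the loader is destroyed before the guard restores the flag, which is exactly the access ASan flagged; with the fix the guard runs first.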
Comment 1 Andy Estes 2015-08-17 11:23:37 PDT
Created attachment 259164 [details]
ASan crash for http/tests/appcache/deferred-events-delete-while-raising.html
Comment 2 Andy Estes 2015-08-17 11:30:27 PDT
Created attachment 259167 [details]
Patch
Comment 3 Alexey Proskuryakov 2015-08-17 11:45:21 PDT
Comment on attachment 259167 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259167&action=review

> Source/WebCore/loader/SubresourceLoader.cpp:210
> +    // This must be destroyed before |protect| to ensure the object is still alive when accessing m_callingDidReceiveResponse.

Not sure if this comment is useful.
Comment 4 Andy Estes 2015-08-17 11:52:44 PDT
Committed r188531: <http://trac.webkit.org/changeset/188531>