Summary: | REGRESSION (r188486): use-after-free in SubresourceLoader::didReceiveResponse() when TemporaryChange goes out of scope | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Andy Estes <aestes> | ||||||||
Component: | Page Loading | Assignee: | Andy Estes <aestes> | ||||||||
Status: | RESOLVED FIXED | ||||||||||
Severity: | Normal | CC: | ap, beidson, commit-queue, japhet | ||||||||
Priority: | P2 | ||||||||||
Version: | WebKit Nightly Build | ||||||||||
Hardware: | All | ||||||||||
OS: | All | ||||||||||
Attachments: |
|
Description
Andy Estes
2015-08-17 11:15:50 PDT
Created attachment 259164 [details]
ASan crash for http/tests/appcache/deferred-events-delete-while-raising.html
Created attachment 259167 [details]
Patch
Comment on attachment 259167 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=259167&action=review > Source/WebCore/loader/SubresourceLoader.cpp:210 > + // This must be destroyed before |protect| to ensure the object is still alive when accessing m_callingDidReceiveResponse. Not sure if this comment is useful. Committed r188531: <http://trac.webkit.org/changeset/188531> |