Bug 181747

Summary: WebCoreResourceHandleAsOperationQueueDelegate/ResourceHandleCFURLConnectionDelegateWithOperationQueue may be deleted in main thread callback
Product: WebKit
Reporter: Daniel Bates <dbates>
Component: Platform
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Local Build
Hardware: Mac
OS: macOS 10.13
Attachments:
  Patch (flags: achristensen: review+)

Daniel Bates
Reported 2018-01-17 10:26:31 PST
While investigating the assertion failure in bug #181746 I noticed that WebCoreResourceHandleAsOperationQueueDelegate does not retain itself before waiting on a main thread operation. The main thread operation can do anything, including detaching from WebCoreResourceHandleAsOperationQueueDelegate and deleting it. A PingHandle is one example of a resource handle that will delete itself as soon as possible => detach and delete its resource handle delegate (WebCoreResourceHandleAsOperationQueueDelegate). Specifically, a PingHandle will delete itself when the delegate queries (on the main thread) whether it can respond to an authentication request (a ping never responds to authentication requests) => WebCoreResourceHandleAsOperationQueueDelegate is deleted while it is waiting for the main thread to respond.
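The lifetime hazard described in the report, reduced to a small C++ model. This is an added illustration, not WebKit code: `MainThread::runAndWait` stands in for the blocking call onto the main thread, `PingHandle` for a handle that refuses authentication and deletes its delegate as soon as it is asked, and `std::shared_ptr` for the owning reference that `retainPtr(self)` protects in the real patch. The `holdProtector` flag selects between the unfixed behaviour (the delegate is destroyed while it is still waiting) and the fixed one (a self-reference keeps it alive across the wait).

```cpp
#include <functional>
#include <memory>

// Stand-in for WebKit's blocking hop onto the main thread. The delegate runs on
// a background operation queue and waits for the main-thread operation to
// finish; running it synchronously here keeps the example deterministic while
// preserving the ordering that matters.
struct MainThread {
    void runAndWait(const std::function<void()>& operation) { operation(); }
};

struct ResourceHandleDelegate;

// Stand-in for PingHandle: it owns its delegate, never answers authentication
// challenges, and tears down the delegate as soon as it is asked about one.
struct PingHandle {
    std::shared_ptr<ResourceHandleDelegate> delegate;

    bool canAuthenticateAgainstProtectionSpace() const { return false; }

    // Drops the owning reference. If nobody else holds one, the delegate is
    // destroyed right here, in the middle of the main-thread operation.
    void detachAndDeleteDelegate() { delegate.reset(); }
};

struct ResourceHandleDelegate : std::enable_shared_from_this<ResourceHandleDelegate> {
    PingHandle* handle = nullptr;

    // Returns true when the delegate object still exists after the main-thread
    // operation returns, i.e. when it is still safe to use `this`.
    bool didReceiveAuthenticationChallenge(MainThread& mainThread, bool holdProtector)
    {
        // The fix from the bug: retain self before blocking on the main thread.
        std::shared_ptr<ResourceHandleDelegate> protectedSelf;
        if (holdProtector)
            protectedSelf = shared_from_this();

        // Non-owning observer used only to report whether the object survived,
        // so nothing below has to dereference `this` after the wait.
        std::weak_ptr<ResourceHandleDelegate> observer = shared_from_this();

        bool canAuthenticate = false;
        PingHandle* owningHandle = handle;
        mainThread.runAndWait([owningHandle, &canAuthenticate] {
            canAuthenticate = owningHandle->canAuthenticateAgainstProtectionSpace();
            if (!canAuthenticate)
                owningHandle->detachAndDeleteDelegate(); // may destroy the delegate
        });

        // Only locals are touched from here on. Without the protector the
        // object may already be gone, which is exactly the hazard reported.
        return !observer.expired();
    }
};

// Builds a PingHandle owning a delegate and delivers one challenge to it.
bool delegateSurvivesChallenge(bool holdProtector)
{
    MainThread mainThread;
    PingHandle handle;
    handle.delegate = std::make_shared<ResourceHandleDelegate>();
    handle.delegate->handle = &handle;
    return handle.delegate->didReceiveAuthenticationChallenge(mainThread, holdProtector);
}
```

`delegateSurvivesChallenge(false)` returns false: the only owning reference is released by the main-thread operation, so the delegate is destroyed while its own method is still waiting. `delegateSurvivesChallenge(true)` returns true because the protector holds the object until the method returns; in the real code any member access after the wait in the unprotected case is a use-after-free that tools such as ASan would flag.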
Attachments
Patch (4.89 KB, patch)
2018-01-17 10:35 PST, Daniel Bates
achristensen: review+
Radar WebKit Bug Importer
Comment 1 2018-01-17 10:33:57 PST
Daniel Bates
Comment 2 2018-01-17 10:35:02 PST
Alex Christensen
Comment 3 2018-01-17 10:38:38 PST
Comment on attachment 331510 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=331510&action=review

> Source/WebCore/platform/network/mac/WebCoreResourceHandleAsOperationQueueDelegate.mm:172
> +    auto protectedSelf = retainPtr(self);

I'm not sure if this one's necessary because it doesn't do anything with self after calling the function which, until it is sent to the main thread, has a protector inside its lambda capture.
Alex Christensen
Comment 4 2018-01-17 10:38:57 PST
We should consider doing the same for the CFURLConnection code on Windows.
Daniel Bates
Comment 5 2018-01-17 10:40:19 PST
Comment on attachment 331510 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=331510&action=review

>> Source/WebCore/platform/network/mac/WebCoreResourceHandleAsOperationQueueDelegate.mm:172
>> +    auto protectedSelf = retainPtr(self);
>
> I'm not sure if this one's necessary because it doesn't do anything with self after calling the function which, until it is sent to the main thread, has a protector inside its lambda capture.

Oops! Will remove.
Daniel Bates
Comment 6 2018-01-17 10:48:42 PST
(In reply to Alex Christensen from comment #4)
> We should consider doing the same for the CFURLConnection code on Windows.

Will do before landing.
Daniel Bates
Comment 7 2018-01-17 10:57:21 PST