Bug 62304

Summary: PingLoader dtor has NULL dereference
Product: WebKit Reporter: David Tapuska <dave+webkit>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, dbates, fishd, staikos, webkit.review.bot
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Other   
OS: Other   
Attachments:
Description Flags
Check for valid ref before calling cancel
none
Check for valid ref before calling cancel none

David Tapuska
Reported 2011-06-08 12:10:12 PDT
PingLoader::~PingLoader has a potential null dereference if the ResourceHandle failed during creation.
Attachments
Check for valid ref before calling cancel (1.75 KB, patch)
2011-06-08 12:15 PDT, David Tapuska 		no flags
DetailsFormatted DiffDiff
Check for valid ref before calling cancel (1.45 KB, patch)
2011-06-08 12:20 PDT, David Tapuska 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
David Tapuska
Comment 1 2011-06-08 12:15:50 PDT
Created attachment 96455 [details] Check for valid ref before calling cancel
David Tapuska
Comment 2 2011-06-08 12:20:43 PDT
Created attachment 96459 [details] Check for valid ref before calling cancel Sorry PrepareChangeLog munged the ChangeLog with the git commit incorrectly.
Alexey Proskuryakov
Comment 3 2011-06-08 15:50:20 PDT
Can a regression test e made for this?
David Tapuska
Comment 4 2011-06-09 06:24:17 PDT
(In reply to comment #3) > Can a regression test e made for this? I don't have a reproduction step. The fix for this crash was mined from coredumps on our platform. For a regression test we'd need to somehow fudge that the ResourceHandle failed to create a resource; and the ResourceHandle::create is platform specific.
Alexey Proskuryakov
Comment 5 2011-06-09 08:46:55 PDT
In that case, how did you decide that this is a bug in PingLoader destructor, and not in ResourceHandle::start() on your platform?
David Tapuska
Comment 6 2011-06-09 08:52:16 PDT
(In reply to comment #5) > In that case, how did you decide that this is a bug in PingLoader destructor, and not in ResourceHandle::start() on your platform? Checkout the ResourceLoader.cpp and MainResourceLoader.cpp and you'll find that anyone that uses ResourceHandle::create will check that the value returned is a valid ref before accessing it. ResourceHandle::create has a NULL return path depending on the return code from newHandle->start(...) the start implementation is the platform specific code I referred to.
Alexey Proskuryakov
Comment 7 2011-06-09 09:05:56 PDT
ResourceHandle::start() is expected to return false when invoked on a detached page. This shouldn't happen with PingLoader - it's created in very specific and controlled circumstances. So, it's different from any other caller of ResourceHandle::create(). Does PingLoader actually work on your platform?
David Tapuska
Comment 8 2011-06-09 09:32:21 PDT
(In reply to comment #7) > ResourceHandle::start() is expected to return false when invoked on a detached page. This shouldn't happen with PingLoader - it's created in very specific and controlled circumstances. So, it's different from any other caller of ResourceHandle::create(). > > Does PingLoader actually work on your platform? ResoruceHandle::start() can return false for other reasons as well. Not just on a detached page. For example in the ResourceHandleWin.cpp if InternetConnectW fails; start will return false and then the ResourceHandle::create will return 0.
Alexey Proskuryakov
Comment 9 2011-06-09 09:47:15 PDT
ok
Daniel Bates
Comment 10 2011-06-09 10:12:33 PDT
Comment on attachment 96459 [details] Check for valid ref before calling cancel r=me
WebKit Review Bot
Comment 11 2011-06-09 10:49:46 PDT
Comment on attachment 96459 [details] Check for valid ref before calling cancel Clearing flags on attachment: 96459 Committed r88458: <http://trac.webkit.org/changeset/88458>
WebKit Review Bot
Comment 12 2011-06-09 10:49:51 PDT
All reviewed patches have been landed. Closing bug.
Darin Adler
Comment 13 2011-06-09 10:51:43 PDT
<rdar://problem/9581084>
Note You need to log in before you can comment on or make changes to this bug.