WebKit Bugzilla
Bug 148082 (RESOLVED FIXED): REGRESSION (r188486): use-after-free in SubresourceLoader::didReceiveResponse() when TemporaryChange goes out of scope
https://bugs.webkit.org/show_bug.cgi?id=148082

Andy Estes, Reported 2015-08-17 11:15:50 PDT
Created attachment 259163: ASan crash log for http/tests/appcache/deferred-events-delete-while-raising.html

See attached crash log. The issue is that the TemporaryChange added in r188486 is declared before |protect|, which means its destructor will be called after the last ref to the SubresourceLoader is possibly removed.
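
The declaration-order problem described in the report, modelled as an added example that is not part of the original bug or of WebKit's source. `Loader`, `Protector`, `TemporaryFlag` and `runHandler` are hypothetical stand-ins, and "freed" is modelled with a `destroyed` flag so the demonstration has no real undefined behaviour.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-ins for illustration; none of this is WebKit source.
struct Loader {
    int refCount = 1;        // reference held by a hypothetical owner
    bool destroyed = false;  // models "freed" without real undefined behaviour
    bool callingDidReceiveResponse = false;
    std::vector<std::string>* log;
    explicit Loader(std::vector<std::string>* l) : log(l) {}
    void ref() { ++refCount; }
    void deref() { if (--refCount == 0) { destroyed = true; log->push_back("loader destroyed"); } }
};
// Plays the role of |protect|: holds a reference until scope exit.
struct Protector {
    Loader& loader;
    explicit Protector(Loader& l) : loader(l) { loader.ref(); }
    ~Protector() { loader.deref(); }
};
// Plays the role of TemporaryChange: sets a flag, restores it on destruction.
struct TemporaryFlag {
    Loader& loader;
    explicit TemporaryFlag(Loader& l) : loader(l) { loader.callingDidReceiveResponse = true; }
    ~TemporaryFlag() {
        loader.log->push_back(loader.destroyed ? "restore after destroy" : "restore while alive");
        if (!loader.destroyed) loader.callingDidReceiveResponse = false;
    }
};
// C++ destroys locals in reverse order of declaration.
std::vector<std::string> runHandler(bool guardDeclaredBeforeProtect) {
    std::vector<std::string> log;
    Loader loader(&log);
    if (guardDeclaredBeforeProtect) {
        TemporaryFlag change(loader);  // declared first, destroyed last
        Protector protect(loader);     // destroyed first, may drop the last ref
        loader.deref();                // a callback releases the owner's reference
    } else {
        Protector protect(loader);     // declared first, destroyed last
        TemporaryFlag change(loader);  // restores the flag while protect still holds a ref
        loader.deref();
    }
    return log;
}
int main() {
    for (bool buggy : {true, false})
        for (const auto& e : runHandler(buggy))
            std::cout << (buggy ? "guard first: " : "protect first: ") << e << "\n";
}
```

In the real code the "restore after destroy" step is a write into freed memory, which is the kind of access ASan reports.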

Attachments
ASan crash log for http/tests/appcache/deferred-events-delete-while-raising.html (98.69 KB, text/plain), 2015-08-17 11:15 PDT, Andy Estes, no flags
ASan crash for http/tests/appcache/deferred-events-delete-while-raising.html (93.39 KB, text/plain), 2015-08-17 11:23 PDT, Andy Estes, no flags
Patch (2.00 KB, patch), 2015-08-17 11:30 PDT, Andy Estes, ap: review+

Andy Estes, Comment 1, 2015-08-17 11:23:37 PDT
Created attachment 259164: ASan crash for http/tests/appcache/deferred-events-delete-while-raising.html

Andy Estes, Comment 2, 2015-08-17 11:30:27 PDT
Created attachment 259167: Patch

Alexey Proskuryakov, Comment 3, 2015-08-17 11:45:21 PDT
Comment on attachment 259167: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=259167&action=review
> Source/WebCore/loader/SubresourceLoader.cpp:210 > + // This must be destroyed before |protect| to ensure the object is still alive when accessing m_callingDidReceiveResponse.
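Review bot: the added code comment at SubresourceLoader.cpp:210 states the requirement as destruction order ("must be destroyed before |protect|"), but what a later editor can actually change is declaration order. Wording it as "must be declared after |protect|, since locals are destroyed in reverse declaration order" would make it harder to reorder the two locals by accident.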
Not sure if this comment is useful.

Andy Estes, Comment 4, 2015-08-17 11:52:44 PDT
Committed r188531: <http://trac.webkit.org/changeset/188531>