Bug 148082 - REGRESSION (r188486): use-after-free in SubresourceLoader::didReceiveResponse() when TemporaryChange goes out of scope
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Andy Estes
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-17 11:15 PDT by Andy Estes
Modified: 2015-08-17 11:52 PDT
CC List: 4 users

See Also:


Attachments
ASan crash log for http/tests/appcache/deferred-events-delete-while-raising.html (98.69 KB, text/plain), 2015-08-17 11:15 PDT, Andy Estes, no flags
ASan crash for http/tests/appcache/deferred-events-delete-while-raising.html (93.39 KB, text/plain), 2015-08-17 11:23 PDT, Andy Estes, no flags
Patch (2.00 KB, patch), 2015-08-17 11:30 PDT, Andy Estes, ap: review+

Description Andy Estes 2015-08-17 11:15:50 PDT
Created attachment 259163 [details]
ASan crash log for http/tests/appcache/deferred-events-delete-while-raising.html

See attached crash log.

The issue is that the TemporaryChange added in r188486 is declared before |protect|, which means its destructor will be called after the last ref to the SubresourceLoader is possibly removed.
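The destructor-order hazard described in this report, as an added example that is not WebKit's code: ScopedFlag stands in for TemporaryChange, and a shared_ptr copy stands in for the Ref<SubresourceLoader> |protect| local. Instead of writing through a dangling reference, the stand-in checks a weak_ptr on destruction, so the bad ordering shows up in an event log rather than as real undefined behaviour; all names here are assumptions.

```cpp
#include <memory>
#include <string>
#include <vector>

using Log = std::vector<std::string>;

// Stand-in for SubresourceLoader: refcounted via shared_ptr, logs its own destruction.
struct Loader {
    explicit Loader(Log& log) : m_log(log) { }
    ~Loader() { m_log.push_back("Loader destroyed"); }
    bool callingDidReceiveResponse = false;
private:
    Log& m_log;
};

// Stand-in for TemporaryChange: sets the member for the scope, restores it on exit.
// The real helper stores a raw reference; here a weak_ptr lets us detect a dead owner.
class ScopedFlag {
public:
    ScopedFlag(const std::shared_ptr<Loader>& loader, bool value, Log& log)
        : m_weak(loader), m_old(loader->callingDidReceiveResponse), m_log(log) {
        loader->callingDidReceiveResponse = value;
    }
    ~ScopedFlag() {
        if (auto loader = m_weak.lock()) {
            loader->callingDidReceiveResponse = m_old;
            m_log.push_back("flag restored");
        } else
            m_log.push_back("UAF: flag restore after loader freed");
    }
private:
    std::weak_ptr<Loader> m_weak;
    bool m_old;
    Log& m_log;
};

// didReceiveResponse() analogue. owner.reset() models client code dropping the
// last outside reference during the callback; locals die in reverse order.
Log runDidReceiveResponse(bool protectFirst) {
    Log log;
    auto owner = std::make_shared<Loader>(log);
    if (protectFirst) {                        // fixed ordering (r188531)
        std::shared_ptr<Loader> protect = owner;
        ScopedFlag change(owner, true, log);   // destroyed while protect still holds
        owner.reset();
    } else {                                   // buggy ordering (r188486)
        ScopedFlag change(owner, true, log);   // destroyed after protect releases
        std::shared_ptr<Loader> protect = owner;
        owner.reset();
    }
    return log;
}
```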
Comment 1 Andy Estes 2015-08-17 11:23:37 PDT
Created attachment 259164 [details]
ASan crash for http/tests/appcache/deferred-events-delete-while-raising.html
Comment 2 Andy Estes 2015-08-17 11:30:27 PDT
Created attachment 259167 [details]
Patch
Comment 3 Alexey Proskuryakov 2015-08-17 11:45:21 PDT
Comment on attachment 259167 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259167&action=review

> Source/WebCore/loader/SubresourceLoader.cpp:210
> +    // This must be destroyed before |protect| to ensure the object is still alive when accessing m_callingDidReceiveResponse.

Not sure if this comment is useful.
Comment 4 Andy Estes 2015-08-17 11:52:44 PDT
Committed r188531: <http://trac.webkit.org/changeset/188531>