RESOLVED INVALID 14935
ResourceLoader should call ResourceHandle::setClient(0) after checking it's still the ResourceHandle's client 
https://bugs.webkit.org/show_bug.cgi?id=14935
Summary ResourceLoader should call ResourceHandle::setClient(0) after checking it's s...
Anyang Ren
Reported 2007-08-10 16:33:52 PDT
Revision 24624 added ResourceHandle::setClient(). The only call to this new method is in ResourceLoader::releaseResources, and it passes 0 as the 'client' argument. So it's not clear whether ResourceHandle::setClient() is intended to be called with a non-NULL 'client' argument. That would allow someone else to change the client of the ResourceHandle created by ResourceLoader. When that happens, the m_handle->setClient(0) call in ResourceLoader::releaseResources() would be messing with this other client, preventing the ResourceHandle from calling back to this other client. I think ResourceHandle::setClient() needs to be changed to only accept a null 'client' argument (or renamed ResourceHandle::clearClient with no argument), or ResourceLoader::releaseResources() needs to validate its assumption that it is still the ResourceHandle's client before calling m_handle->setClient(0). I will attach a patch that does the latter.
Attachments
Verify we're still the ResourceHandle's client before clearing it out (616 bytes, patch)
2007-08-10 16:39 PDT, Anyang Ren 		darin: review-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Anyang Ren
Comment 1 2007-08-10 16:39:00 PDT
Created attachment 15914 [details] Verify we're still the ResourceHandle's client before clearing it out
David Kilzer (:ddkilzer)
Comment 2 2007-08-11 08:33:50 PDT
Comment on attachment 15914 [details] Verify we're still the ResourceHandle's client before clearing it out In the future, please set the review? flag on patches. Thanks! At minimum, this patch will also need a ChangeLog entry. (I'm leaving it as review? so that the patch will be reviewed.) See this page for details: http://webkit.org/coding/contributing.html
Darin Adler
Comment 3 2007-08-11 15:26:19 PDT
Comment on attachment 15914 [details] Verify we're still the ResourceHandle's client before clearing it out I don't think there's any reason to make this code change. It's only needed if ResourceLoader shares a ResourceHandle with another client. That's never done, so we don't need the code. Unless there's something I'm missing and this actually happens.
Anyang Ren
Comment 4 2007-08-13 17:43:58 PDT
This can happen if a WebKit embedder calls ResourceLoader::handle(), a public method, and then call ResourceHandle::setClient on the returned ResourceHandle to set its client to something else. I'd like to know if this usage of ResourceHandle::setClient is allowed. If not, perhaps ResourceHandle::setClient should be constrained to prevent a WebKit embedder from making this mistake. I just wanted to bring this issue to your attention. Please feel free to mark this bug invalid or wontfix after you have considered this issue. Thank you for your quick response.
Adam Roben (:aroben)
Comment 5 2007-08-13 17:47:02 PDT
(In reply to comment #4) > This can happen if a WebKit embedder calls ResourceLoader::handle(), > a public method, and then call ResourceHandle::setClient on the > returned ResourceHandle to set its client to something else. I'd > like to know if this usage of ResourceHandle::setClient is allowed. > If not, perhaps ResourceHandle::setClient should be constrained > to prevent a WebKit embedder from making this mistake. I don't think there's a way to make this happen through the WebKit API, so I don't think it's possible for a "WebKit embedder" to get into this situation. Perhaps you're talking about someone who is making changes to WebCore/WebKit itself? If so, seeing the patches that are running into this situation would make this whole discussion much clearer.
Anyang Ren
Comment 6 2007-08-29 11:01:32 PDT
Adam, sorry about the late reply. Yes, I was experimenting with calling handle->setClient() in WebFrameLoaderClient::download to set the ResourceHandle's client to some other object that handles the download. But I don't need to do that any more. So I'm closing this bug.
Note You need to log in before you can comment on or make changes to this bug.