Bug 167658 - Variable used after it's been WTFMove'd
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Keith Rollin
Reported: 2017-01-31 12:18 PST by Keith Rollin
Modified: 2017-01-31 14:42 PST

Attachments
Patch (2.75 KB, patch)
2017-01-31 12:51 PST, Keith Rollin

Description Keith Rollin 2017-01-31 12:18:29 PST
SubresourceLoader::didReceiveDataOrBuffer WTFMoves "buffer":

    ResourceLoader::didReceiveDataOrBuffer(data, length, WTFMove(buffer), encodedDataLength, dataPayloadType);

It later uses (the now empty) "buffer":

    m_resource->addData(buffer ? buffer->data() : data, buffer ? buffer->size() : length);

With both "buffer" and "data" now being empty, m_resource->addData may not work as intended. m_resource is a CachedResource*, but I think I saw that it was pointing to a CachedRawResource in my debugging. This means that CachedRawResource::addData may be called with null values. This calls CachedRawResource::notifyClientsDataWasReceived, which will exit early when no data is passed in, skipping any actual notification.
Comment 1 Chris Dumez 2017-01-31 12:25:44 PST
Good find.
Comment 2 Keith Rollin 2017-01-31 12:51:33 PST
Created attachment 300249 [details]
Patch
Comment 3 Chris Dumez 2017-01-31 12:56:49 PST
Comment on attachment 300249 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=300249&action=review

r=me

> Source/WebCore/loader/SubresourceLoader.cpp:391
> +    ResourceLoader::didReceiveDataOrBuffer(data, length, buffer.copyRef(), encodedDataLength, dataPayloadType);
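Review bot: copyRef() on this line is the right fix rather than WTFMove(buffer), because `buffer` is still read by the m_resource->addData call that follows in SubresourceLoader::didReceiveDataOrBuffer (the use-after-move this bug reports); since the base-class parameter is an rvalue reference, passing the lvalue `buffer` directly would not bind, so an explicit copy is required. A short comment on the line saying the extra ref is intentional would keep a later cleanup from turning it back into a move.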

RefPtr has a copy constructor. I don't think it is actually needed here.
Comment 4 Chris Dumez 2017-01-31 12:57:10 PST
Comment on attachment 300249 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=300249&action=review

>> Source/WebCore/loader/SubresourceLoader.cpp:391
>> +    ResourceLoader::didReceiveDataOrBuffer(data, length, buffer.copyRef(), encodedDataLength, dataPayloadType);
> 
> RefPtr has a copy constructor. I don't think it is actually needed here.

I meant I don't think copyRef() is actually needed.
Comment 5 Keith Rollin 2017-01-31 13:18:47 PST
It's needed because buffer is passed in as an rvalue reference and passed to the superclass as an rvalue reference. Without a WTFMove or a copyRef, we get:

/Volumes/Data/dev/WebKit/branches/missing_logging/OpenSource/Source/WebCore/loader/SubresourceLoader.cpp:391:58: error: rvalue reference to type 'RefPtr<...>' cannot bind to lvalue of type 'RefPtr<...>'
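The following is an added example, not WebKit code and not the patch from this bug: it reproduces the use-after-move described in the report (the moved-from `buffer` is null when addData reads it, so the early-exit path is taken) and the copy-based fix, and it also shows why, as comment 5 says, a plain lvalue cannot be handed to the rvalue-reference parameter. std::shared_ptr stands in for WTF::RefPtr, and `Base`, `Resource` and `Loader` are hypothetical stand-ins for ResourceLoader, CachedRawResource and SubresourceLoader.

```cpp
// Added example (not WebKit code): use-after-move of a RefPtr-like buffer and the copy fix.
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

using Buffer = std::vector<char>;
using BufferPtr = std::shared_ptr<Buffer>;   // stand-in for RefPtr<SharedBuffer>

// Stand-in for ResourceLoader::didReceiveDataOrBuffer: takes the buffer by
// rvalue reference and takes ownership of it, leaving the caller's pointer null.
struct Base {
    BufferPtr taken;
    void didReceiveDataOrBuffer(const char* data, std::size_t length, BufferPtr&& buffer) {
        (void)data; (void)length;
        taken = std::move(buffer);
    }
};

// Stand-in for CachedRawResource::addData: exits early when handed no data,
// which is the "skipping any actual notification" path from the report.
struct Resource {
    std::size_t bytesAdded = 0;
    bool sawNullInput = false;
    void addData(const char* data, std::size_t length) {
        if (!data || !length) { sawNullInput = true; return; }
        bytesAdded += length;
    }
};

// Stand-in for SubresourceLoader with both the buggy and the fixed override.
struct Loader : Base {
    Resource resource;

    // Buggy: moves buffer into the base class, then reads the now-null buffer.
    void didReceiveDataOrBufferBuggy(const char* data, std::size_t length, BufferPtr&& buffer) {
        Base::didReceiveDataOrBuffer(data, length, std::move(buffer));
        resource.addData(buffer ? buffer->data() : data, buffer ? buffer->size() : length);
    }

    // Fixed (equivalent of buffer.copyRef() in the landed patch): the base class gets
    // its own reference, and buffer stays valid for addData. Note that writing
    // Base::didReceiveDataOrBuffer(data, length, buffer) would not compile: a named
    // rvalue reference is an lvalue and cannot bind to BufferPtr&&, which is the
    // error quoted in comment 5.
    void didReceiveDataOrBufferFixed(const char* data, std::size_t length, BufferPtr&& buffer) {
        Base::didReceiveDataOrBuffer(data, length, BufferPtr(buffer));
        resource.addData(buffer ? buffer->data() : data, buffer ? buffer->size() : length);
    }
};

// Constructed input: a 5-byte buffer and no separate data pointer, the shape the report describes.
static BufferPtr makeSampleBuffer() { return std::make_shared<Buffer>(Buffer(5, 'x')); }

// Returns true when the buggy path ends up calling addData with null/zero input.
bool buggyPathLosesData() {
    Loader loader;
    loader.didReceiveDataOrBufferBuggy(nullptr, 0, makeSampleBuffer());
    return loader.resource.sawNullInput;
}

// Returns the number of bytes addData actually received on the fixed path.
std::size_t fixedPathBytesAdded() {
    Loader loader;
    loader.didReceiveDataOrBufferFixed(nullptr, 0, makeSampleBuffer());
    return loader.resource.bytesAdded;
}

int main() {
    return (buggyPathLosesData() && fixedPathBytesAdded() == 5) ? 0 : 1;
}
```

The buggy path drops the 5 bytes on the floor without any error, which is why this class of bug is easy to miss at runtime; a static checker that flags reads of a moved-from variable (clang-tidy's bugprone-use-after-move, for instance) catches the pattern at the `buffer ?` expression.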
Comment 6 WebKit Commit Bot 2017-01-31 14:42:14 PST
Comment on attachment 300249 [details]
Patch

Clearing flags on attachment: 300249

Committed r211449: <http://trac.webkit.org/changeset/211449>
Comment 7 WebKit Commit Bot 2017-01-31 14:42:20 PST
All reviewed patches have been landed. Closing bug.