WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
62304
PingLoader dtor has NULL dereference
https://bugs.webkit.org/show_bug.cgi?id=62304
Summary
PingLoader dtor has NULL dereference
David Tapuska
Reported
2011-06-08 12:10:12 PDT
PingLoader::~PingLoader has a potential null dereference if the ResourceHandle failed during creation.
Attachments
Check for valid ref before calling cancel
(1.75 KB, patch)
2011-06-08 12:15 PDT
,
David Tapuska
no flags
Details
Formatted Diff
Diff
Check for valid ref before calling cancel
(1.45 KB, patch)
2011-06-08 12:20 PDT
,
David Tapuska
no flags
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
David Tapuska
Comment 1
2011-06-08 12:15:50 PDT
Created
attachment 96455
[details]
Check for valid ref before calling cancel
David Tapuska
Comment 2
2011-06-08 12:20:43 PDT
Created
attachment 96459
[details]
Check for valid ref before calling cancel Sorry PrepareChangeLog munged the ChangeLog with the git commit incorrectly.
Alexey Proskuryakov
Comment 3
2011-06-08 15:50:20 PDT
Can a regression test e made for this?
David Tapuska
Comment 4
2011-06-09 06:24:17 PDT
(In reply to
comment #3
)
> Can a regression test e made for this?
I don't have a reproduction step. The fix for this crash was mined from coredumps on our platform. For a regression test we'd need to somehow fudge that the ResourceHandle failed to create a resource; and the ResourceHandle::create is platform specific.
Alexey Proskuryakov
Comment 5
2011-06-09 08:46:55 PDT
In that case, how did you decide that this is a bug in PingLoader destructor, and not in ResourceHandle::start() on your platform?
David Tapuska
Comment 6
2011-06-09 08:52:16 PDT
(In reply to
comment #5
)
> In that case, how did you decide that this is a bug in PingLoader destructor, and not in ResourceHandle::start() on your platform?
Checkout the ResourceLoader.cpp and MainResourceLoader.cpp and you'll find that anyone that uses ResourceHandle::create will check that the value returned is a valid ref before accessing it. ResourceHandle::create has a NULL return path depending on the return code from newHandle->start(...) the start implementation is the platform specific code I referred to.
Alexey Proskuryakov
Comment 7
2011-06-09 09:05:56 PDT
ResourceHandle::start() is expected to return false when invoked on a detached page. This shouldn't happen with PingLoader - it's created in very specific and controlled circumstances. So, it's different from any other caller of ResourceHandle::create(). Does PingLoader actually work on your platform?
David Tapuska
Comment 8
2011-06-09 09:32:21 PDT
(In reply to
comment #7
)
> ResourceHandle::start() is expected to return false when invoked on a detached page. This shouldn't happen with PingLoader - it's created in very specific and controlled circumstances. So, it's different from any other caller of ResourceHandle::create(). > > Does PingLoader actually work on your platform?
ResoruceHandle::start() can return false for other reasons as well. Not just on a detached page. For example in the ResourceHandleWin.cpp if InternetConnectW fails; start will return false and then the ResourceHandle::create will return 0.
Alexey Proskuryakov
Comment 9
2011-06-09 09:47:15 PDT
ok
Daniel Bates
Comment 10
2011-06-09 10:12:33 PDT
Comment on
attachment 96459
[details]
Check for valid ref before calling cancel r=me
WebKit Review Bot
Comment 11
2011-06-09 10:49:46 PDT
Comment on
attachment 96459
[details]
Check for valid ref before calling cancel Clearing flags on attachment: 96459 Committed
r88458
: <
http://trac.webkit.org/changeset/88458
>
WebKit Review Bot
Comment 12
2011-06-09 10:49:51 PDT
All reviewed patches have been landed. Closing bug.
Darin Adler
Comment 13
2011-06-09 10:51:43 PDT
<
rdar://problem/9581084
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug