Title: [214786] trunk/Source/WebKit2
Revision
214786
Author
an...@apple.com
Date
2017-04-03 06:08:46 -0700 (Mon, 03 Apr 2017)

Log Message

Mutex may be freed too late in NetworkCache::Storage::traverse
https://bugs.webkit.org/show_bug.cgi?id=170400
<rdar://problem/30515865>

Reviewed by Carlos Garcia Campos and Andreas Kling.

Fix a race.

* NetworkProcess/cache/NetworkCacheStorage.cpp:
(WebKit::NetworkCache::Storage::traverse):

    Ensure the mutex is not accessed after we dispatch to the main thread.
    The main thread call deletes the owning TraverseOperation.

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (214785 => 214786)


--- trunk/Source/WebKit2/ChangeLog	2017-04-03 13:07:59 UTC (rev 214785)
+++ trunk/Source/WebKit2/ChangeLog	2017-04-03 13:08:46 UTC (rev 214786)
@@ -1,3 +1,19 @@
+2017-04-03  Antti Koivisto  <an...@apple.com>
+
+        Mutex may be freed too late in NetworkCache::Storage::traverse
+        https://bugs.webkit.org/show_bug.cgi?id=170400
+        <rdar://problem/30515865>
+
+        Reviewed by Carlos Garcia Campos and Andreas Kling.
+
+        Fix a race.
+
+        * NetworkProcess/cache/NetworkCacheStorage.cpp:
+        (WebKit::NetworkCache::Storage::traverse):
+
+            Ensure the mutex is not accessed after we dispatch to the main thread.
+            The main thread call deletes the owning TraverseOperation.
+
 2017-04-01  Dan Bernstein  <m...@apple.com>
 
         [iOS] <input type=file> label should be specified using plural rules
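Review bot: The entry's summary "Fix a race." leaves the actual defect implicit; the ChangeLog would be more useful to future readers if it stated that the std::unique_lock in traverse() stayed alive across the RunLoop::main().dispatch() call, so its destructor unlocked activeMutex inside a TraverseOperation the main thread may already have removed and destroyed. The two indented lines under (WebKit::NetworkCache::Storage::traverse) say this only indirectly.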

Modified: trunk/Source/WebKit2/NetworkProcess/cache/NetworkCacheStorage.cpp (214785 => 214786)


--- trunk/Source/WebKit2/NetworkProcess/cache/NetworkCacheStorage.cpp	2017-04-03 13:07:59 UTC (rev 214785)
+++ trunk/Source/WebKit2/NetworkProcess/cache/NetworkCacheStorage.cpp	2017-04-03 13:08:46 UTC (rev 214786)
@@ -859,11 +859,13 @@
                 return traverseOperation.activeCount <= maximumParallelReadCount;
             });
         });
-        // Wait for all reads to finish.
-        std::unique_lock<Lock> lock(traverseOperation.activeMutex);
-        traverseOperation.activeCondition.wait(lock, [&traverseOperation] {
-            return !traverseOperation.activeCount;
-        });
+        {
+            // Wait for all reads to finish.
+            std::unique_lock<Lock> lock(traverseOperation.activeMutex);
+            traverseOperation.activeCondition.wait(lock, [&traverseOperation] {
+                return !traverseOperation.activeCount;
+            });
+        }
         RunLoop::main().dispatch([this, &traverseOperation] {
             traverseOperation.handler(nullptr, { });
             m_activeTraverseOperations.remove(&traverseOperation);
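Review bot: The added block scope correctly ends the lifetime of `lock` before the dispatch, but nothing in the hunk documents that `traverseOperation` must not be touched after `RunLoop::main().dispatch(...)`, since the lambda captures it by reference and `m_activeTraverseOperations.remove(&traverseOperation)` destroys it on the main thread. A one-line comment on the dispatch such as "// traverseOperation is deleted by the main thread; do not use it past this point." would make the ownership hand-off explicit and stop a later edit from reintroducing the same use-after-free. The `activeCondition.wait` predicate `!traverseOperation.activeCount` is unchanged and still guarantees the background reads are done before the hand-off.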
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes