Title: [225253] trunk/Source/WebKit
- Revision
- 225253
- Author
- [email protected]
- Date
- 2017-11-28 18:23:38 -0800 (Tue, 28 Nov 2017)
Log Message
NetworkCache::Storage should protect itself when removing operations from its maps
https://bugs.webkit.org/show_bug.cgi?id=180118
Patch by Youenn Fablet <[email protected]> on 2017-11-28
Reviewed by Antti Koivisto.
The operations can hold a ref to the Storage object, so removing them from the map may destroy the Storage object.
* NetworkProcess/cache/NetworkCacheStorage.cpp:
(WebKit::NetworkCache::Storage::remove):
(WebKit::NetworkCache::Storage::finishReadOperation):
(WebKit::NetworkCache::Storage::finishWriteOperation):
(WebKit::NetworkCache::Storage::traverse):
Modified Paths
Diff
Modified: trunk/Source/WebKit/ChangeLog (225252 => 225253)
--- trunk/Source/WebKit/ChangeLog 2017-11-29 02:06:22 UTC (rev 225252)
+++ trunk/Source/WebKit/ChangeLog 2017-11-29 02:23:38 UTC (rev 225253)
@@ -1,5 +1,20 @@
2017-11-28 Youenn Fablet <[email protected]>
+ NetworkCache::Storage should protect itself when removing operations from its maps
+ https://bugs.webkit.org/show_bug.cgi?id=180118
+
+ Reviewed by Antti Koivisto.
+
+ The operations can contain ref to the Storage object and removing them from the map may destroy the Storage object
+
+ * NetworkProcess/cache/NetworkCacheStorage.cpp:
+ (WebKit::NetworkCache::Storage::remove):
+ (WebKit::NetworkCache::Storage::finishReadOperation):
+ (WebKit::NetworkCache::Storage::finishWriteOperation):
+ (WebKit::NetworkCache::Storage::traverse):
+
+2017-11-28 Youenn Fablet <[email protected]>
+
Register Documents as ServiceWorker clients to the StorageProcess
https://bugs.webkit.org/show_bug.cgi?id=180047
Modified: trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheStorage.cpp (225252 => 225253)
--- trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheStorage.cpp 2017-11-29 02:06:22 UTC (rev 225252)
+++ trunk/Source/WebKit/NetworkProcess/cache/NetworkCacheStorage.cpp 2017-11-29 02:23:38 UTC (rev 225253)
@@ -561,6 +561,8 @@
if (!mayContain(key))
return;
+ auto protectedThis = makeRef(*this);
+
// We can't remove the key from the Bloom filter (but some false positives are expected anyway).
// For simplicity we also don't reduce m_approximateSize on removals.
// The next synchronization will update everything.
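Review bot: The new `auto protectedThis = makeRef(*this);` in remove() carries no comment explaining why an otherwise unused local is needed, and the same bare line is added in the finishReadOperation, finishWriteOperation and traverse hunks. The reason is only recorded in the ChangeLog, so a later cleanup could delete the local as dead code and reintroduce the use-after-free. I would put a short comment on each, for example `// Operations removed below may hold the last ref to this Storage; keep it alive until we return.` The body of remove() starts and ends outside this hunk, so whether anything before the guard can already drop a ref cannot be checked from here.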
@@ -567,7 +569,7 @@
removeFromPendingWriteOperations(key);
- serialBackgroundIOQueue().dispatch([this, protectedThis = makeRef(*this), key] () mutable {
+ serialBackgroundIOQueue().dispatch([this, protectedThis = WTFMove(protectedThis), key] () mutable {
deleteFiles(key);
RunLoop::main().dispatch([protectedThis = WTFMove(protectedThis)] { });
});
@@ -666,6 +668,8 @@
else if (!readOperation.isCanceled)
remove(readOperation.key);
+ auto protectedThis = makeRef(*this);
+
ASSERT(m_activeReadOperations.contains(&readOperation));
m_activeReadOperations.remove(&readOperation);
@@ -794,6 +798,8 @@
if (--writeOperation.activeCount)
return;
+ auto protectedThis = makeRef(*this);
+
m_activeWriteOperations.remove(&writeOperation);
dispatchPendingWriteOperations();
@@ -915,6 +921,9 @@
}
RunLoop::main().dispatch([this, &traverseOperation] {
traverseOperation.handler(nullptr, { });
+
+ auto protectedThis = makeRef(*this);
+
m_activeTraverseOperations.remove(&traverseOperation);
});
});
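Review bot: In the traverse hunk the protector is taken only after `traverseOperation.handler(nullptr, { })` has returned, and the main-run-loop lambda still captures `this` and `&traverseOperation` raw. If the handler can release references, or if nothing else keeps the Storage alive until this lambda runs, `makeRef(*this)` would already be operating on a destroyed object; the visible lines do not show what guarantees otherwise. I would make `auto protectedThis = makeRef(*this);` the first statement of the lambda, and add a comment naming what keeps the Storage and the operation alive across the dispatch (presumably the entry in `m_activeTraverseOperations`). The enclosing function and the outer dispatch begin outside this hunk.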