[webkit-changes] [229793] trunk/Source/WebCore

[zandobersek]

Title: [229793] trunk/Source/WebCore

Revision

229793

Author

zandober...@gmail.com

Date

2018-03-21 00:15:23 -0700 (Wed, 21 Mar 2018)

Log Message

Use-after-move in SWContextManager::terminateWorker() with Linux x86_64 calling convention
https://bugs.webkit.org/show_bug.cgi?id=183783

Reviewed by Chris Dumez.

In SWContextManager::terminateWorker(), some calling conventions can
end up moving the ServiceWorkerThreadProxy RefPtr into the lambda struct
before that proxy's thread (on which the lambda is bound to execute) is
retrieved.

Avoid this by taking a reference to the thread in a separate earlier
_expression_, before the RefPtr is moved into the lambda in the following
one.

* workers/service/context/SWContextManager.cpp:
(WebCore::SWContextManager::terminateWorker):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/workers/service/context/SWContextManager.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (229792 => 229793)

--- trunk/Source/WebCore/ChangeLog	2018-03-21 07:08:25 UTC (rev 229792)
+++ trunk/Source/WebCore/ChangeLog	2018-03-21 07:15:23 UTC (rev 229793)
@@ -1,3 +1,22 @@
+2018-03-21  Zan Dobersek  <zdober...@igalia.com>
+
+        Use-after-move in SWContextManager::terminateWorker() with Linux x86_64 calling convention
+        https://bugs.webkit.org/show_bug.cgi?id=183783
+
+        Reviewed by Chris Dumez.
+
+        In SWContextManager::terminateWorker(), some calling conventions can
+        end up moving the ServiceWorkerThreadProxy RefPtr into the lambda struct
+        before that proxy's thread (on which the lambda is bound to execute) is
+        retrieved.
+
+        Avoid this by taking a reference to the thread in a separate earlier
+        _expression_, before the RefPtr is moved into the lambda in the following
+        one.
+
+        * workers/service/context/SWContextManager.cpp:
+        (WebCore::SWContextManager::terminateWorker):
+
 2018-03-21  Timothy Horton  <timothy_hor...@apple.com>
 
         Fix the build

Modified: trunk/Source/WebCore/workers/service/context/SWContextManager.cpp (229792 => 229793)

--- trunk/Source/WebCore/workers/service/context/SWContextManager.cpp	2018-03-21 07:08:25 UTC (rev 229792)
+++ trunk/Source/WebCore/workers/service/context/SWContextManager.cpp	2018-03-21 07:15:23 UTC (rev 229793)
@@ -118,7 +118,8 @@
 
     m_pendingServiceWorkerTerminationRequests.add(identifier, std::make_unique<ServiceWorkerTerminationRequest>(*this, identifier, timeout));
 
-    serviceWorker->thread().stop([this, identifier, serviceWorker = WTFMove(serviceWorker), completionHandler = WTFMove(completionHandler)]() mutable {
+    auto& thread = serviceWorker->thread();
+    thread.stop([this, identifier, serviceWorker = WTFMove(serviceWorker), completionHandler = WTFMove(completionHandler)]() mutable {
         m_pendingServiceWorkerTerminationRequests.remove(identifier);
 
         if (auto* connection = SWContextManager::singleton().connection())

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes