Title: [237504] releases/WebKitGTK/webkit-2.22/Source/WebCore
- Revision: 237504
- Author: [email protected]
- Date: 2018-10-28 06:42:11 -0700 (Sun, 28 Oct 2018)
Log Message
Merged r236789 - Ref<FetchResponse> use-after-move in DOMCache::put()
https://bugs.webkit.org/show_bug.cgi?id=190239
Reviewed by Youenn Fablet.
Retrieve reference from the Ref<FetchResponse> object before it's
move-captured in the lambda that's passed to the
FetchResponse::consumeBodyReceivedByChunk() method that is invoked on
that very same object. This is a classic use-after-move bug that pops
up on compilers with different C++ calling convention.
* Modules/cache/DOMCache.cpp:
(WebCore::DOMCache::put):
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog (237503 => 237504)
--- releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog 2018-10-28 13:42:05 UTC (rev 237503)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/ChangeLog 2018-10-28 13:42:11 UTC (rev 237504)
@@ -1,3 +1,19 @@
+2018-10-03 Zan Dobersek <[email protected]>
+
+ Ref<FetchResponse> use-after-move in DOMCache::put()
+ https://bugs.webkit.org/show_bug.cgi?id=190239
+
+ Reviewed by Youenn Fablet.
+
+ Retrieve reference from the Ref<FetchResponse> object before it's
+ move-captured in the lambda that's passed to the
+ FetchResponse::consumeBodyReceivedByChunk() method that is invoked on
+ that very same object. This is a classic use-after-move bug that pops
+ up on compilers with different C++ calling convention.
+
+ * Modules/cache/DOMCache.cpp:
+ (WebCore::DOMCache::put):
+
2018-09-20 Zalan Bujtas <[email protected]>
Release assert under RenderView::pageOrViewLogicalHeight
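Review bot: the entry's closing sentence ("pops up on compilers with different C++ calling convention") does not say which toolchain or port hit the bug, or how it showed up, so whoever picks up this merge on the 2.22 branch can't tell whether their build is affected. Name the compiler or platform where it was seen and the symptom. What matters here is whether the compiler evaluates `response->` or the lambda argument first, so wording it as an evaluation-order dependency would be more precise than "calling convention". The entry lists only Modules/cache/DOMCache.cpp and no test change; state whether an existing test exercises the `isBodyReceivedByChunk()` path of `DOMCache::put()`.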
Modified: releases/WebKitGTK/webkit-2.22/Source/WebCore/Modules/cache/DOMCache.cpp (237503 => 237504)
--- releases/WebKitGTK/webkit-2.22/Source/WebCore/Modules/cache/DOMCache.cpp 2018-10-28 13:42:05 UTC (rev 237503)
+++ releases/WebKitGTK/webkit-2.22/Source/WebCore/Modules/cache/DOMCache.cpp 2018-10-28 13:42:11 UTC (rev 237504)
@@ -350,7 +350,8 @@
response->readableStream(*scriptExecutionContext()->execState());
if (response->isBodyReceivedByChunk()) {
- response->consumeBodyReceivedByChunk([promise = WTFMove(promise), request = WTFMove(request), response = WTFMove(response), data = "" pendingActivity = makePendingActivity(*this), this](auto&& result) mutable {
+ auto& responseRef = response.get();
+ responseRef.consumeBodyReceivedByChunk([promise = WTFMove(promise), request = WTFMove(request), response = WTFMove(response), data = "" pendingActivity = makePendingActivity(*this), this](auto&& result) mutable {
if (result.hasException()) {
this->putWithResponseData(WTFMove(promise), WTFMove(request), WTFMove(response), result.releaseException().isolatedCopy());
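Review bot: the added `auto& responseRef = response.get();` line has no comment explaining why the reference must be taken before the call, so a later cleanup could fold it back into `response->consumeBodyReceivedByChunk(...)` and reintroduce the use-after-move. Add a one-line comment above it saying that `response` is move-captured by the lambda passed as the argument, and that the argument may be evaluated before `response->` is. `responseRef` is a plain reference to an object whose owning `Ref` now lives in the lambda capture, so it stays valid only while that callback is kept alive. `response` itself is moved-from once the lambda is built, so confirm that nothing later in this branch, past the lines shown here, touches either one.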