Title: [240410] branches/safari-607-branch/Source/WebCore
- Revision
- 240410
- Author
- [email protected]
- Date
- 2019-01-23 22:41:48 -0800 (Wed, 23 Jan 2019)
Log Message
Cherry-pick r239927. rdar://problem/47295363
DOMCacheStorage: use-after-move in doSequentialMatch()
https://bugs.webkit.org/show_bug.cgi?id=193396
Reviewed by Youenn Fablet.
Depending on the platform- and compiler-specific calling conventions,
the doSequentialMatch() code can move out the Vector<Ref<DOMCache>>
object into the callback lambda before the DOMCache object at the
specified index is retrieved for the DOMCache::doMatch() invocation.
This problem is now avoided by retrieving reference to the target
DOMCache object in an earlier _expression_.
* Modules/cache/DOMCacheStorage.cpp:
(WebCore::doSequentialMatch):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239927 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-607-branch/Source/WebCore/ChangeLog (240409 => 240410)
--- branches/safari-607-branch/Source/WebCore/ChangeLog 2019-01-24 06:41:46 UTC (rev 240409)
+++ branches/safari-607-branch/Source/WebCore/ChangeLog 2019-01-24 06:41:48 UTC (rev 240410)
@@ -1,5 +1,46 @@
2019-01-23 Alan Coon <[email protected]>
+ Cherry-pick r239927. rdar://problem/47295363
+
+ DOMCacheStorage: use-after-move in doSequentialMatch()
+ https://bugs.webkit.org/show_bug.cgi?id=193396
+
+ Reviewed by Youenn Fablet.
+
+ Depending on the platform- and compiler-specific calling conventions,
+ the doSequentialMatch() code can move out the Vector<Ref<DOMCache>>
+ object into the callback lambda before the DOMCache object at the
+ specified index is retrieved for the DOMCache::doMatch() invocation.
+
+ This problem is now avoided by retrieving reference to the target
+ DOMCache object in an earlier _expression_.
+
+ * Modules/cache/DOMCacheStorage.cpp:
+ (WebCore::doSequentialMatch):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239927 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-01-14 Zan Dobersek <[email protected]>
+
+ DOMCacheStorage: use-after-move in doSequentialMatch()
+ https://bugs.webkit.org/show_bug.cgi?id=193396
+
+ Reviewed by Youenn Fablet.
+
+ Depending on the platform- and compiler-specific calling conventions,
+ the doSequentialMatch() code can move out the Vector<Ref<DOMCache>>
+ object into the callback lambda before the DOMCache object at the
+ specified index is retrieved for the DOMCache::doMatch() invocation.
+
+ This problem is now avoided by retrieving reference to the target
+ DOMCache object in an earlier _expression_.
+
+ * Modules/cache/DOMCacheStorage.cpp:
+ (WebCore::doSequentialMatch):
+
+2019-01-23 Alan Coon <[email protected]>
+
Cherry-pick r239905. rdar://problem/47494732
Release assert with <img usemap> in shadow tree
Modified: branches/safari-607-branch/Source/WebCore/Modules/cache/DOMCacheStorage.cpp (240409 => 240410)
--- branches/safari-607-branch/Source/WebCore/Modules/cache/DOMCacheStorage.cpp 2019-01-24 06:41:46 UTC (rev 240409)
+++ branches/safari-607-branch/Source/WebCore/Modules/cache/DOMCacheStorage.cpp 2019-01-24 06:41:48 UTC (rev 240410)
@@ -59,7 +59,8 @@
return;
}
- caches[index]->doMatch(WTFMove(info), WTFMove(options), [caches = WTFMove(caches), info, options, completionHandler = WTFMove(completionHandler), index](ExceptionOr<FetchResponse*>&& result) mutable {
+ auto& cache = caches[index].get();
+ cache.doMatch(WTFMove(info), WTFMove(options), [caches = WTFMove(caches), info, options, completionHandler = WTFMove(completionHandler), index](ExceptionOr<FetchResponse*>&& result) mutable {
if (result.hasException()) {
completionHandler(result.releaseException());
return;
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
