Title: [241594] trunk/Source/WebCore
- Revision: 241594
- Author: [email protected]
- Date: 2019-02-15 10:51:09 -0800 (Fri, 15 Feb 2019)
Log Message
REGRESSION: ( r240978-r240985 ) [ iOS Release ] Layout Test imported/w3c/web-platform-tests/xhr/send-redirect-post-upload.htm is crashing
https://bugs.webkit.org/show_bug.cgi?id=194523
Reviewed by Geoffrey Garen.
The scope of the FormCreationContext was limited to the scope of createHTTPBodyCFReadStream,
so when it was used in formCreate it was lucky to get the same context if the stack hadn't been overwritten
and if the FormData hadn't been freed. Instead, keep it alive with new/delete like we do the FormStreamFields.
A younger me should've noticed this when reviewing r218517.
* platform/network/cf/FormDataStreamCFNet.cpp:
(WebCore::formCreate):
(WebCore::createHTTPBodyCFReadStream):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (241593 => 241594)
--- trunk/Source/WebCore/ChangeLog 2019-02-15 18:26:16 UTC (rev 241593)
+++ trunk/Source/WebCore/ChangeLog 2019-02-15 18:51:09 UTC (rev 241594)
@@ -1,3 +1,19 @@
+2019-02-15 Alex Christensen <[email protected]>
+
+ REGRESSION: ( r240978-r240985 ) [ iOS Release ] Layout Test imported/w3c/web-platform-tests/xhr/send-redirect-post-upload.htm is crashing
+ https://bugs.webkit.org/show_bug.cgi?id=194523
+
+ Reviewed by Geoffrey Garen.
+
+ The scope of the FormCreationContext was limited to the scope of createHTTPBodyCFReadStream,
+ so when it was used in formCreate it was lucky to get the same context if the stack hadn't been overwritten
+ and if the FormData hadn't been freed. Instead, keep it alive with new/delete like we do the FormStreamFields.
+ A younger me should've noticed this when reviewing r218517.
+
+ * platform/network/cf/FormDataStreamCFNet.cpp:
+ (WebCore::formCreate):
+ (WebCore::createHTTPBodyCFReadStream):
+
2019-02-15 Commit Queue <[email protected]>
Unreviewed, rolling out r241559 and r241566.
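Review bot: the new ChangeLog entry names the crashing layout test but does not say how the fix is covered. A line stating that imported/w3c/web-platform-tests/xhr/send-redirect-post-upload.htm exercises this path and no new test is needed would close that gap. The description itself is clear that the bug was a pointer to a stack object outliving createHTTPBodyCFReadStream.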
Modified: trunk/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp (241593 => 241594)
--- trunk/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp 2019-02-15 18:26:16 UTC (rev 241593)
+++ trunk/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp 2019-02-15 18:51:09 UTC (rev 241594)
@@ -216,6 +216,10 @@
newInfo->formStream = stream; // Don't retain. That would create a reference cycle.
newInfo->streamLength = formContext->streamLength;
newInfo->bytesSent = 0;
+
+ callOnMainThread([formContext] {
+ delete formContext;
+ });
// Append in reverse order since we remove elements from the end.
size_t size = newInfo->formData->elements().size();
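Review bot: the added callOnMainThread block in formCreate captures the raw formContext pointer and deletes it asynchronously, with no comment saying why the delete has to hop to the main thread instead of running inline. Add a one-line comment stating the threading requirement. Since the deletion may already have run by the time later statements execute, it is also worth confirming that nothing after this block in formCreate reads formContext; everything needed (formData, streamLength) should be copied into newInfo before the lambda is queued, as the lines above it appear to do for streamLength.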
@@ -380,9 +384,9 @@
for (auto& element : resolvedFormData->elements())
length += element.lengthInBytes();
- FormCreationContext formContext = { WTFMove(resolvedFormData), length };
+ FormCreationContext* formContext = new FormCreationContext { WTFMove(resolvedFormData), length };
CFReadStreamCallBacksV1 callBacks = { 1, formCreate, formFinalize, nullptr, formOpen, nullptr, formRead, nullptr, formCanRead, formClose, formCopyProperty, nullptr, nullptr, formSchedule, formUnschedule };
- return adoptCF(CFReadStreamCreate(nullptr, static_cast<const void*>(&callBacks), &formContext));
+ return adoptCF(CFReadStreamCreate(nullptr, static_cast<const void*>(&callBacks), formContext));
}
void setHTTPBody(CFMutableURLRequestRef request, FormData* formData)
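Review bot: in createHTTPBodyCFReadStream, the FormCreationContext allocated with new is passed to CFReadStreamCreate as a raw pointer, and the only delete this patch adds is inside formCreate, so the object leaks on any path where the create callback is not invoked. Please state the ownership transfer at the allocation, for example with a comment beside "new FormCreationContext { WTFMove(resolvedFormData), length }" saying formCreate frees it, or hold it in a std::unique_ptr and release() it at the CFReadStreamCreate call so the hand-off is explicit.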