Skip to site navigation (Press enter)

[webkit-changes] [259522] trunk/Source/WebCore

commit-queue Fri, 03 Apr 2020 17:17:07 -0700

Title: [259522] trunk/Source/WebCore

Revision: 259522
Author: [email protected]
Date: 2020-04-03 17:16:04 -0700 (Fri, 03 Apr 2020)

Log Message

Use-after-move of `formState` in WebCore::PolicyChecker::checkNavigationPolicy()
https://bugs.webkit.org/show_bug.cgi?id=209987


Patch by Alex Christensen <[email protected]> on 2020-04-03
Reviewed by Chris Dumez.

Use std::exchange because formState is used later.
No change in behavior, but this will allow use-after-move hunts to continue.

* loader/PolicyChecker.cpp:
(WebCore::PolicyChecker::checkNavigationPolicy):

Modified Paths

trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/loader/PolicyChecker.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (259521 => 259522)


--- trunk/Source/WebCore/ChangeLog	2020-04-03 23:45:58 UTC (rev 259521)
+++ trunk/Source/WebCore/ChangeLog	2020-04-04 00:16:04 UTC (rev 259522)
@@ -1,3 +1,16 @@
+2020-04-03  Alex Christensen  <[email protected]>
+
+        Use-after-move of `formState` in WebCore::PolicyChecker::checkNavigationPolicy()
+        https://bugs.webkit.org/show_bug.cgi?id=209987
+
+        Reviewed by Chris Dumez.
+
+        Use std::exchange because formState is used later.
+        No change in behavior, but this will allow use-after-move hunts to continue.
+
+        * loader/PolicyChecker.cpp:
+        (WebCore::PolicyChecker::checkNavigationPolicy):
+
 2020-04-03  Sihui Liu  <[email protected]>
 
         ASSERTION FAILED: objectStoreInfo in SQLiteIDBBackingStore::getRecord

Modified: trunk/Source/WebCore/loader/PolicyChecker.cpp (259521 => 259522)


--- trunk/Source/WebCore/loader/PolicyChecker.cpp	2020-04-03 23:45:58 UTC (rev 259521)
+++ trunk/Source/WebCore/loader/PolicyChecker.cpp	2020-04-04 00:16:04 UTC (rev 259522)
@@ -203,7 +203,7 @@
     auto requestIdentifier = PolicyCheckIdentifier::create();
     m_delegateIsDecidingNavigationPolicy = true;
     String suggestedFilename = action.downloadAttribute().isEmpty() ? nullAtom() : action.downloadAttribute();
-    FramePolicyFunction decisionHandler = [this, function = WTFMove(function), request = ResourceRequest(request), formState = WTFMove(formState), suggestedFilename = WTFMove(suggestedFilename),
+    FramePolicyFunction decisionHandler = [this, function = WTFMove(function), request = ResourceRequest(request), formState = std::exchange(formState, nullptr), suggestedFilename = WTFMove(suggestedFilename),
          blobURLLifetimeExtension = WTFMove(blobURLLifetimeExtension), requestIdentifier, isInitialEmptyDocumentLoad] (PolicyAction policyAction, PolicyCheckIdentifier responseIdentifier) mutable {
         if (!responseIdentifier.isValidFor(requestIdentifier)) {
             RELEASE_LOG_IF_ALLOWED("checkNavigationPolicy: ignoring because response is not valid for request");

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes