Title: [268906] trunk/Source/WebKit
- Revision: 268906
- Author: [email protected]
- Date: 2020-10-23 00:33:47 -0700 (Fri, 23 Oct 2020)
Log Message
[SOUP] Fix crash in WebSocketTask
https://bugs.webkit.org/show_bug.cgi?id=217892
Patch by Michael Catanzaro <[email protected]> on 2020-10-23
Reviewed by Carlos Garcia Campos.
The WebSocketTask connects to the "starting" signal of its SoupMessage and never disconnects
this signal, which is only safe if it is guaranteed to outlive its SoupMessage. However, it
is not. We crash when the signal is emitted after the WebSocketTask is destroyed. To solve
this, we just need to disconnect the signal when required. Normally that would be done in
the destructor, but the WebSocketTask drops its ownership of the SoupMessage prior to that
point, so we need to disconnect on each possible path.
* NetworkProcess/soup/WebSocketTaskSoup.cpp:
(WebKit::WebSocketTask::~WebSocketTask):
(WebKit::WebSocketTask::didConnect):
(WebKit::WebSocketTask::didFail):
Diff
Modified: trunk/Source/WebKit/ChangeLog (268905 => 268906)
--- trunk/Source/WebKit/ChangeLog 2020-10-23 05:30:52 UTC (rev 268905)
+++ trunk/Source/WebKit/ChangeLog 2020-10-23 07:33:47 UTC (rev 268906)
@@ -1,3 +1,22 @@
+2020-10-23 Michael Catanzaro <[email protected]>
+
+ [SOUP] Fix crash in WebSocketTask
+ https://bugs.webkit.org/show_bug.cgi?id=217892
+
+ Reviewed by Carlos Garcia Campos.
+
+ The WebSocketTask connects to the "starting" signal of its SoupMessage and never disconnects
+ this signal, which is only safe if it is guaranteed to outlive its SoupMessage. However, it
+ is not. We crash when the signal is emitted after the WebSocketTask is destroyed. To solve
+ this, we just need to disconnect the signal when required. Normally that would be done in
+ the destructor, but the WebSocketTask drops its ownership of the SoupMessage prior to that
+ point, so we need to disconnect on each possible paths.
+
+ * NetworkProcess/soup/WebSocketTaskSoup.cpp:
+ (WebKit::WebSocketTask::~WebSocketTask):
+ (WebKit::WebSocketTask::didConnect):
+ (WebKit::WebSocketTask::didFail):
+
2020-10-22 Aditya Keerthi <[email protected]>
[Contact Picker API] Add skeleton implementation of ContactsManager.select()
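Review bot: The entry names no test, and this revision modifies only ChangeLog and WebSocketTaskSoup.cpp, so the crash fix lands without regression coverage; the entry should say whether a test is feasible and, if not, why. The three function lines (~WebSocketTask, didConnect, didFail) carry no per-function description, and the last sentence of the description should read "on each possible path".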
Modified: trunk/Source/WebKit/NetworkProcess/soup/WebSocketTaskSoup.cpp (268905 => 268906)
--- trunk/Source/WebKit/NetworkProcess/soup/WebSocketTaskSoup.cpp 2020-10-23 05:30:52 UTC (rev 268905)
+++ trunk/Source/WebKit/NetworkProcess/soup/WebSocketTaskSoup.cpp 2020-10-23 07:33:47 UTC (rev 268906)
@@ -89,6 +89,9 @@
WebSocketTask::~WebSocketTask()
{
+ if (m_handshakeMessage)
+ g_signal_handlers_disconnect_by_data(m_handshakeMessage.get(), this);
+
cancel();
}
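Review bot: In ~WebSocketTask, g_signal_handlers_disconnect_by_data(m_handshakeMessage.get(), this) removes every handler on the message whose user data is this, not only the "starting" handler the log message describes. That is fine if "starting" is the only connection made with this as data, but a one-line comment saying so would make the intent explicit; the alternative is to keep the handler id returned at connect time and call g_signal_handler_disconnect on it. The body of cancel() is not visible here, so a comment on why the disconnect must come before it would also help the next reader.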
@@ -133,6 +136,7 @@
WebCore::ResourceResponse response;
response.updateFromSoupMessage(m_handshakeMessage.get());
m_channel.didReceiveHandshakeResponse(WTFMove(response));
+ g_signal_handlers_disconnect_by_data(m_handshakeMessage.get(), this);
m_handshakeMessage = nullptr;
}
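Review bot: The added g_signal_handlers_disconnect_by_data call in didConnect uses m_handshakeMessage.get() with no null check in the visible context, while the destructor hunk guards the same call with if (m_handshakeMessage). Passing a null instance makes GLib log a critical and return without doing anything, so either confirm that didConnect can never run after m_handshakeMessage has been cleared, or guard the call the same way as in the destructor.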
@@ -172,6 +176,7 @@
WebCore::ResourceResponse response;
response.updateFromSoupMessage(m_handshakeMessage.get());
m_channel.didReceiveHandshakeResponse(WTFMove(response));
+ g_signal_handlers_disconnect_by_data(m_handshakeMessage.get(), this);
m_handshakeMessage = nullptr;
}
m_channel.didReceiveMessageError(errorMessage);
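Review bot: The disconnect followed by m_handshakeMessage = nullptr in didFail is the same pair of lines added in didConnect, and the destructor carries a third copy of the disconnect. Since the fix depends on every path that drops the message also disconnecting the signal, a small private helper that disconnects and then clears m_handshakeMessage, called from all three sites, would keep a future path from missing it.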