[webkit-changes] [281495] trunk/Source/WebCore

[commit-queue]

Title: [281495] trunk/Source/WebCore

Revision

281495

Author

commit-qu...@webkit.org

Date

2021-08-24 09:29:27 -0700 (Tue, 24 Aug 2021)

Log Message

ThreadSanitizer: data race in WTF::StringImpl::deref() for WebCore::FormDataElement::EncodedFileData::filename
https://bugs.webkit.org/show_bug.cgi?id=229432

Patch by Alex Christensen <achristen...@webkit.org> on 2021-08-24
Reviewed by Darin Adler.

Call the FormDataElement destructor on the main thread in advanceCurrentStream.

* platform/network/cf/FormDataStreamCFNet.cpp:
(WebCore::advanceCurrentStream):
(WebCore::createHTTPBodyCFReadStream):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (281494 => 281495)

--- trunk/Source/WebCore/ChangeLog	2021-08-24 15:05:47 UTC (rev 281494)
+++ trunk/Source/WebCore/ChangeLog	2021-08-24 16:29:27 UTC (rev 281495)
@@ -1,3 +1,16 @@
+2021-08-24  Alex Christensen  <achristen...@webkit.org>
+
+        ThreadSanitizer: data race in WTF::StringImpl::deref() for WebCore::FormDataElement::EncodedFileData::filename
+        https://bugs.webkit.org/show_bug.cgi?id=229432
+
+        Reviewed by Darin Adler.
+
+        Call the FormDataElement destructor on the main thread in advanceCurrentStream.
+
+        * platform/network/cf/FormDataStreamCFNet.cpp:
+        (WebCore::advanceCurrentStream):
+        (WebCore::createHTTPBodyCFReadStream):
+
 2021-08-24  Adrian Perez de Castro  <ape...@igalia.com>
 
         Non-unified build fixes, late August 2021

Modified: trunk/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp (281494 => 281495)

--- trunk/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp	2021-08-24 15:05:47 UTC (rev 281494)
+++ trunk/Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp	2021-08-24 16:29:27 UTC (rev 281495)
@@ -170,7 +170,9 @@
     if (!success)
         return false;
 
-    form->remainingElements.removeLast();
+    callOnMainThread([lastElement = form->remainingElements.takeLast()] {
+        // Ensure FormDataElement destructor happens on main thread.
+    });
 
     // Set up the callback.
     CFStreamClientContext context = { 0, form, 0, 0, 0 };
@@ -178,9 +180,8 @@
         formEventCallback, &context);
 
     // Schedule with the current set of run loops.
-    SchedulePairHashSet::iterator end = form->scheduledRunLoopPairs.end();
-    for (SchedulePairHashSet::iterator it = form->scheduledRunLoopPairs.begin(); it != end; ++it)
-        CFReadStreamScheduleWithRunLoop(form->currentStream.get(), (*it)->runLoop(), (*it)->mode());
+    for (auto& pair : form->scheduledRunLoopPairs)
+        CFReadStreamScheduleWithRunLoop(form->currentStream.get(), pair->runLoop(), pair->mode());
 
     return true;
 }
@@ -382,6 +383,7 @@
             return blobRegistry().blobRegistryImpl()->blobSize(url);
         });
     }
+    ASSERT(isMainThread());
     FormCreationContext* formContext = new FormCreationContext { WTFMove(dataForUpload), length };
     CFReadStreamCallBacksV1 callBacks = { 1, formCreate, formFinalize, nullptr, formOpen, nullptr, formRead, nullptr, formCanRead, formClose, formCopyProperty, nullptr, nullptr, formSchedule, formUnschedule };
     return adoptCF(CFReadStreamCreate(nullptr, static_cast<const void*>(&callBacks), formContext));

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes