Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5d7cc5b2e05d81543a860b89b8dd839baf8bfe32
https://github.com/WebKit/WebKit/commit/5d7cc5b2e05d81543a860b89b8dd839baf8bfe32
Author: Chris Dumez <[email protected]>
Date: 2025-11-09 (Sun, 09 Nov 2025)
Changed paths:
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp
M Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h
M Source/WebCore/SaferCPPExpectations/UncheckedCallArgsCheckerExpectations
M Source/WebCore/fileapi/Blob.cpp
M Source/WebCore/fileapi/BlobLoader.h
M Source/WebCore/fileapi/FileReader.cpp
M Source/WebCore/fileapi/FileReader.h
M Source/WebCore/fileapi/FileReaderLoader.cpp
M Source/WebCore/fileapi/FileReaderLoader.h
M Source/WebCore/fileapi/FileReaderSync.cpp
M Source/WebCore/html/ImageBitmap.cpp
M Source/WebKitLegacy/WebCoreSupport/WebSocketChannel.cpp
M Source/WebKitLegacy/WebCoreSupport/WebSocketChannel.h
Log Message:
-----------
RELEASE_ASSERT under
ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::didResolveToBlob()
https://bugs.webkit.org/show_bug.cgi?id=302196
rdar://164271413
Reviewed by Anne van Kesteren.
Make FileReaderLoader refcounted instead of relying on CheckedPtr/CheckedRef
for lifetime guarantees. From the crash trace, we can tell that in
ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::didResolveToBlob()
at least, it is possible for the FileReaderLoader to get destroyed while
we're calling `start()` on it, synchronously. The CheckedPtr we had on the
stack caused a RELEASE_ASSERT to guarantee there could be no use-after-free.
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.cpp:
(WebCore::ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::~ClipboardItemTypeLoader):
(WebCore::ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::didFinishLoading):
(WebCore::ClipboardItemBindingsDataSource::ClipboardItemTypeLoader::didResolveToBlob):
* Source/WebCore/Modules/async-clipboard/ClipboardItemBindingsDataSource.h:
* Source/WebCore/SaferCPPExpectations/UncheckedCallArgsCheckerExpectations:
* Source/WebCore/fileapi/Blob.cpp:
(WebCore::Blob::stream):
* Source/WebCore/fileapi/BlobLoader.h:
(WebCore::BlobLoader::start):
* Source/WebCore/fileapi/FileReader.cpp:
(WebCore::FileReader::~FileReader):
(WebCore::FileReader::stop):
(WebCore::FileReader::readInternal):
(WebCore::FileReader::result const):
* Source/WebCore/fileapi/FileReader.h:
* Source/WebCore/fileapi/FileReaderLoader.cpp:
(WebCore::FileReaderLoader::create):
* Source/WebCore/fileapi/FileReaderLoader.h:
* Source/WebCore/fileapi/FileReaderSync.cpp:
(WebCore::FileReaderSync::readAsArrayBuffer):
(WebCore::FileReaderSync::readAsBinaryString):
(WebCore::FileReaderSync::readAsText):
(WebCore::FileReaderSync::readAsDataURL):
* Source/WebCore/html/ImageBitmap.cpp:
* Source/WebKitLegacy/WebCoreSupport/WebSocketChannel.cpp:
(WebCore::WebSocketChannel::processOutgoingFrameQueue):
* Source/WebKitLegacy/WebCoreSupport/WebSocketChannel.h:
Canonical link: https://commits.webkit.org/302772@main
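The lifetime hazard the commit describes, reduced to a stand-alone program (an added example, not WebKit code): a loader whose start() can synchronously call back into its client, and a client that drops its owning pointer from that callback. The CanMakeCheckedPtr/CheckedPtr and RefCounted/Ref/RefPtr classes below are toy stand-ins that only mimic the relevant behaviour of WTF's types; the Loader and LoaderClient names, and the liveness registry used so the demo never touches freed memory, are assumptions for illustration.

```cpp
#include <cstddef>
#include <memory>
#include <set>

// Simulation artifact (assumption, not in WTF): lets the toy CheckedPtr check whether its
// target is still alive without dereferencing freed memory. The real CheckedPtr has no
// such registry; the RELEASE_ASSERT in the destructor exists so that it never needs one.
static std::set<const void*>& liveObjects() { static std::set<const void*> s; return s; }
static bool g_releaseAssertWouldFire = false;

// Mimics WTF::CanMakeCheckedPtr: counts outstanding CheckedPtrs and must not die while any exist.
class CanMakeCheckedPtr {
public:
    CanMakeCheckedPtr() { liveObjects().insert(this); }
    void incrementCheckedPtrCount() const { ++m_checkedPtrCount; }
    void decrementCheckedPtrCount() const { --m_checkedPtrCount; }
protected:
    ~CanMakeCheckedPtr() {
        if (m_checkedPtrCount)               // WTF: RELEASE_ASSERT(!m_checkedPtrCount)
            g_releaseAssertWouldFire = true; // recorded instead of aborting so the demo runs on
        liveObjects().erase(this);
    }
private:
    mutable size_t m_checkedPtrCount { 0 };
};

template<typename T> class CheckedPtr {
public:
    explicit CheckedPtr(T* p) : m_ptr(p) { m_ptr->incrementCheckedPtrCount(); }
    CheckedPtr(const CheckedPtr&) = delete;
    ~CheckedPtr() {
        const CanMakeCheckedPtr* base = m_ptr;
        if (liveObjects().count(base)) base->decrementCheckedPtrCount(); // real code: unconditional
    }
    T* operator->() const { return m_ptr; }
private:
    T* m_ptr;
};

// Mimics WTF::RefCounted / Ref / RefPtr: whoever holds a Ref keeps the object alive.
class RefCounted {
public:
    void ref() const { ++m_refCount; }
    void deref() const { if (!--m_refCount) delete this; }
protected:
    virtual ~RefCounted() = default;
private:
    mutable size_t m_refCount { 0 };
};

template<typename T> class Ref {
public:
    explicit Ref(T& o) : m_ptr(&o) { m_ptr->ref(); }
    Ref(const Ref&) = delete;
    ~Ref() { m_ptr->deref(); }
    T* operator->() const { return m_ptr; }
    T& get() const { return *m_ptr; }
private:
    T* m_ptr;
};

template<typename T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(const RefPtr&) = delete;
    ~RefPtr() { reset(); }
    void reset(T* p = nullptr) { if (p) p->ref(); T* old = m_ptr; m_ptr = p; if (old) old->deref(); }
    T* get() const { return m_ptr; }
private:
    T* m_ptr { nullptr };
};

class LoaderClient {
public:
    virtual void didFinishLoading() = 0;
protected:
    ~LoaderClient() = default;
};

// Stand-in for FileReaderLoader: start() may complete synchronously and call back into the
// client before returning; the client may drop its owning pointer inside that callback.
class Loader final : public CanMakeCheckedPtr, public RefCounted {
public:
    static Loader* create(LoaderClient& client) { return new Loader(client); }
    void start() { m_client.didFinishLoading(); } // deliberately touches nothing of |this| afterwards
private:
    explicit Loader(LoaderClient& client) : m_client(client) {}
    LoaderClient& m_client;
};

// Before the fix: a CheckedPtr on the stack across start(). didFinishLoading() destroys the
// loader while that CheckedPtr is outstanding, which is the RELEASE_ASSERT in the crash trace.
class CheckedPtrOwner final : public LoaderClient {
public:
    bool startAndReportAssert() {
        g_releaseAssertWouldFire = false;
        m_loader.reset(Loader::create(*this));
        CheckedPtr<Loader> loader(m_loader.get());
        loader->start();                                    // re-enters didFinishLoading() synchronously
        return g_releaseAssertWouldFire;
    }
    void didFinishLoading() override { m_loader.reset(); } // destroys the loader mid-start()
private:
    std::unique_ptr<Loader> m_loader;
};

// After the fix: the loader is refcounted and the caller holds a Ref for the duration of
// start(), so dropping the owner's RefPtr in the callback only decrements the count.
class RefOwner final : public LoaderClient {
public:
    bool startAndReportSafe() {
        g_releaseAssertWouldFire = false;
        m_loader.reset(Loader::create(*this));
        Ref<Loader> protectedLoader(*m_loader.get());
        protectedLoader->start();
        const CanMakeCheckedPtr* base = &protectedLoader.get();
        bool stillAlive = liveObjects().count(base) == 1;  // freed only when protectedLoader leaves scope
        return stillAlive && !m_loader.get() && !g_releaseAssertWouldFire;
    }
    void didFinishLoading() override { m_loader.reset(); } // same owner behaviour as before
private:
    RefPtr<Loader> m_loader;
};

bool checkedPtrScenarioTripsAssert() { CheckedPtrOwner owner; return owner.startAndReportAssert(); }
bool refScenarioIsSafe() { RefOwner owner; return owner.startAndReportSafe(); }
```

The point of the two owners is that the client code is identical; only the lifetime mechanism differs. CheckedPtr can only detect that the object died under it, and does so by crashing, whereas a Ref held by the caller makes the synchronous re-entrant teardown a non-event.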