Title: [169249] trunk/Source/WebCore
- Revision
- 169249
- Author
- [email protected]
- Date
- 2014-05-22 23:36:03 -0700 (Thu, 22 May 2014)
Log Message
[Curl] Crash when exceeding maximum cache limit.
https://bugs.webkit.org/show_bug.cgi?id=133185
Patch by [email protected] <[email protected]> on 2014-05-22
Reviewed by Brent Fulgham.
When the maximum cache limit is exceeded, I get a crash.
This happens when deleting cache entries, because a reference to the url string object in the LRU list
is used as a parameter to invalidateCacheEntry(), when called from makeRoomForNewEntry().
When the string is removed from the LRU list in makeRoomForNewEntry(), the string is deleted.
Next, the string is accessed again to remove the url from the index, and we crash.
This can be fixed by removing the string from the LRU list after it is removed from the index.
Fixing the crash also revealed an infinite loop problem.
If the url for some reason only exist in the LRU list, and not in the index,
we will inifitely loop in makeRoomForNewEntry(), trying to remove this url from the cache, but never succeeding.
This can be fixed by removing the url from the LRU list, also when it's not in the index.
* platform/network/curl/CurlCacheManager.cpp:
(WebCore::CurlCacheManager::makeRoomForNewEntry): Avoid infinite loop by checking if there are more cache entries to remove.
(WebCore::CurlCacheManager::invalidateCacheEntry): Avoid crash and infinite loop by removing url from LRU list last.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (169248 => 169249)
--- trunk/Source/WebCore/ChangeLog 2014-05-23 05:18:23 UTC (rev 169248)
+++ trunk/Source/WebCore/ChangeLog 2014-05-23 06:36:03 UTC (rev 169249)
@@ -1,3 +1,27 @@
+2014-05-22 [email protected] <[email protected]>
+
+ [Curl] Crash when exceeding maximum cache limit.
+ https://bugs.webkit.org/show_bug.cgi?id=133185
+
+ Reviewed by Brent Fulgham.
+
+ When the maximum cache limit is exceeded, I get a crash.
+ This happens when deleting cache entries, because a reference to the url string object in the LRU list
+ is used as a parameter to invalidateCacheEntry(), when called from makeRoomForNewEntry().
+ When the string is removed from the LRU list in makeRoomForNewEntry(), the string is deleted.
+ Next, the string is accessed again to remove the url from the index, and we crash.
+
+ This can be fixed by removing the string from the LRU list after it is removed from the index.
+
+ Fixing the crash also revealed an infinite loop problem.
+ If the url for some reason only exist in the LRU list, and not in the index,
+ we will inifitely loop in makeRoomForNewEntry(), trying to remove this url from the cache, but never succeeding.
+ This can be fixed by removing the url from the LRU list, also when it's not in the index.
+
+ * platform/network/curl/CurlCacheManager.cpp:
+ (WebCore::CurlCacheManager::makeRoomForNewEntry): Avoid infinite loop by checking if there are more cache entries to remove.
+ (WebCore::CurlCacheManager::invalidateCacheEntry): Avoid crash and infinite loop by removing url from LRU list last.
+
2014-05-22 Simon Fraser <[email protected]>
Make viewport units work in CSS gradients
Modified: trunk/Source/WebCore/platform/network/curl/CurlCacheManager.cpp (169248 => 169249)
--- trunk/Source/WebCore/platform/network/curl/CurlCacheManager.cpp 2014-05-23 05:18:23 UTC (rev 169248)
+++ trunk/Source/WebCore/platform/network/curl/CurlCacheManager.cpp 2014-05-23 06:36:03 UTC (rev 169249)
@@ -185,7 +185,7 @@
if (m_disabled)
return;
- while (m_currentStorageSize > m_storageSizeLimit) {
+ while ((m_currentStorageSize > m_storageSizeLimit) && m_LRUEntryList.size() > 0) {
ASSERT(m_index.find(m_LRUEntryList.last()) != m_index.end());
invalidateCacheEntry(m_LRUEntryList.last());
}
@@ -303,9 +303,9 @@
m_currentStorageSize -= it->value->entrySize();
it->value->invalidate();
- m_LRUEntryList.remove(url);
m_index.remove(url);
}
+ m_LRUEntryList.remove(url);
}
void CurlCacheManager::didFail(const String& url)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
