Title: [195965] trunk/Source/WebCore
- Revision
- 195965
- Author
- [email protected]
- Date
- 2016-02-01 10:15:25 -0800 (Mon, 01 Feb 2016)
Log Message
REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy
https://bugs.webkit.org/show_bug.cgi?id=153727
<rdar://problem/24429886>
Reviewed by Chris Dumez.
The `this` object may be freed after calling deleteIfPossible(). Make the early-return-if-
deleted more explicit, and only check allowsCaching() after the deleteIfPossible() return
value check.
* loader/cache/CachedResource.cpp:
(WebCore::CachedResource::removeClient):
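The ordering hazard the log message describes, as an added example that is not WebKit's code: a minimal stand-in for CachedResource whose deleteIfPossible() frees `this` once no client or cache owns it. The `removeClientBefore()` method keeps the r195770 ordering, where `allowsCaching()` is evaluated before `!deleted`, and `removeClientAfter()` keeps the r195965 ordering. The live-object registry and the `Resource`, `LoaderOptions` and `runScenario` names are constructed for this example so the after-free access is counted instead of executed as a read of freed memory.

```cpp
#include <cstdio>
#include <set>

// Instrumentation constructed for this example: which Resource objects are
// alive, and how many member reads happened after deletion.
static std::set<const void*> g_liveResources;
static int g_useAfterFreeCount = 0;

// Stand-in for ResourceLoaderOptions; only the caching policy matters here.
struct LoaderOptions {
    bool allowCaching = true;
};

// Minimal stand-in for WebCore::CachedResource (not the real class).
class Resource {
public:
    Resource(bool allowCaching, bool inCache)
        : m_inCache(inCache)
    {
        m_options.allowCaching = allowCaching;
        g_liveResources.insert(this);
    }
    ~Resource() { g_liveResources.erase(this); }

    void addClient() { ++m_clientCount; }
    bool hasClients() const { return m_clientCount > 0; }
    bool inCache() const { return m_inCache; }
    int postRemovalWorkCount() const { return m_postRemovalWork; }

    // Reads m_options, the member the original crash was in. If `this` has
    // already been deleted, record the violation instead of dereferencing.
    bool allowsCaching() const
    {
        if (!g_liveResources.count(this)) {
            ++g_useAfterFreeCount;
            return false;
        }
        return m_options.allowCaching;
    }

    // Like CachedResource::deleteIfPossible(): once neither a client nor the
    // cache owns the object it deletes itself and reports that it did.
    bool deleteIfPossible()
    {
        if (hasClients() || m_inCache)
            return false;
        delete this;
        return true;
    }

    // r195770 ordering: `allowsCaching()` runs before `!deleted` is tested,
    // so it runs on `this` even when deleteIfPossible() just freed it.
    void removeClientBefore()
    {
        --m_clientCount;
        bool deleted = deleteIfPossible();
        if (allowsCaching() && !deleted && !hasClients())
            ++m_postRemovalWork;
    }

    // r195965 ordering: return as soon as `this` is reported dead, and only
    // then touch members.
    void removeClientAfter()
    {
        --m_clientCount;
        if (deleteIfPossible())
            return; // `this` object is dead here.
        if (!allowsCaching() || hasClients())
            return;
        ++m_postRemovalWork;
    }

private:
    LoaderOptions m_options;
    bool m_inCache;
    int m_clientCount = 0;
    int m_postRemovalWork = 0;
};

// Runs one scenario and returns how many after-free accesses it caused.
int runScenario(bool useFixedOrdering, bool inCache)
{
    g_useAfterFreeCount = 0;
    Resource* r = new Resource(/*allowCaching=*/true, inCache);
    r->addClient();
    if (useFixedOrdering)
        r->removeClientAfter();
    else
        r->removeClientBefore();
    // A still-cached resource survives removeClient; release it here. The
    // dangling pointer is only compared, never dereferenced.
    if (g_liveResources.count(r))
        delete r;
    return g_useAfterFreeCount;
}

// The fix must not skip the bookkeeping for a resource that survives.
bool cachedResourceStillGetsCleanup()
{
    Resource* r = new Resource(/*allowCaching=*/true, /*inCache=*/true);
    r->addClient();
    r->removeClientAfter();
    bool ok = g_liveResources.count(r) && r->postRemovalWorkCount() == 1;
    delete r;
    return ok;
}

int main()
{
    std::printf("old ordering, uncached: %d after-free access(es)\n", runScenario(false, false));
    std::printf("new ordering, uncached: %d after-free access(es)\n", runScenario(true, false));
    std::printf("new ordering keeps cleanup: %s\n", cachedResourceStillGetsCleanup() ? "yes" : "no");
    return 0;
}
```

The only case that trips the instrumentation is the old ordering with an uncached resource, which is exactly the path where deleteIfPossible() frees the object; the early return makes the function's contract explicit rather than relying on a trailing "may be dead here" comment.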
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (195964 => 195965)
--- trunk/Source/WebCore/ChangeLog 2016-02-01 17:56:58 UTC (rev 195964)
+++ trunk/Source/WebCore/ChangeLog 2016-02-01 18:15:25 UTC (rev 195965)
@@ -1,3 +1,18 @@
+2016-02-01 Jer Noble <[email protected]>
+
+ REGRESSION(r195770): Use-after-free in ResourceLoaderOptions::cachingPolicy
+ https://bugs.webkit.org/show_bug.cgi?id=153727
+ <rdar://problem/24429886>
+
+ Reviewed by Chris Dumez.
+
+ The `this` object may be freed after calling deleteIfPossible(). Make the early-return-if-
+ deleted more explicit, and only check allowsCaching() after the deleteIfPossible() return
+ value check.
+
+ * loader/cache/CachedResource.cpp:
+ (WebCore::CachedResource::removeClient):
+
2016-02-01 Dan Bernstein <[email protected]>
Tried to fix a build after r195899.
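Review bot: The new ChangeLog entry lists the changed function but carries no test line, neither a regression test nor a "No new tests" line with a reason, which WebKit entries normally include; for a use-after-free regression from r195770 a short statement of how the fix is exercised (an existing test that reaches CachedResource::removeClient with an uncached resource, or why none is practical) would make the entry complete.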
Modified: trunk/Source/WebCore/loader/cache/CachedResource.cpp (195964 => 195965)
--- trunk/Source/WebCore/loader/cache/CachedResource.cpp 2016-02-01 17:56:58 UTC (rev 195964)
+++ trunk/Source/WebCore/loader/cache/CachedResource.cpp 2016-02-01 18:15:25 UTC (rev 195965)
@@ -482,26 +482,30 @@
didRemoveClient(client);
}
- bool deleted = deleteIfPossible();
- if (allowsCaching() && !deleted && !hasClients()) {
- auto& memoryCache = MemoryCache::singleton();
- if (inCache()) {
- memoryCache.removeFromLiveResourcesSize(*this);
- memoryCache.removeFromLiveDecodedResourcesList(*this);
- }
- if (!m_switchingClientsToRevalidatedResource)
- allClientsRemoved();
- destroyDecodedDataIfNeeded();
- if (response().cacheControlContainsNoStore() && url().protocolIs("https")) {
- // RFC2616 14.9.2:
- // "no-store: ... MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible"
- // "... History buffers MAY store such responses as part of their normal operation."
- // We allow non-secure content to be reused in history, but we do not allow secure content to be reused.
- memoryCache.remove(*this);
- }
- memoryCache.pruneSoon();
+ if (deleteIfPossible()) {
+ // `this` object is dead here.
+ return;
}
- // This object may be dead here.
+
+ if (!allowsCaching() || hasClients())
+ return;
+
+ auto& memoryCache = MemoryCache::singleton();
+ if (inCache()) {
+ memoryCache.removeFromLiveResourcesSize(*this);
+ memoryCache.removeFromLiveDecodedResourcesList(*this);
+ }
+ if (!m_switchingClientsToRevalidatedResource)
+ allClientsRemoved();
+ destroyDecodedDataIfNeeded();
+ if (response().cacheControlContainsNoStore() && url().protocolIs("https")) {
+ // RFC2616 14.9.2:
+ // "no-store: ... MUST make a best-effort attempt to remove the information from volatile storage as promptly as possible"
+ // "... History buffers MAY store such responses as part of their normal operation."
+ // We allow non-secure content to be reused in history, but we do not allow secure content to be reused.
+ memoryCache.remove(*this);
+ }
+ memoryCache.pruneSoon();
}
void CachedResource::destroyDecodedDataIfNeeded()
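Review bot: The reordering is the right fix for the read in the removed line `if (allowsCaching() && !deleted && !hasClients())`, where `allowsCaching()` was evaluated before `!deleted` and so ran on a possibly freed `this`; `if (deleteIfPossible()) { return; }` closes that window. What the hunk does not address is the rest of the function: after the early return it still calls `allClientsRemoved()` and `memoryCache.remove(*this)` before `memoryCache.pruneSoon()`, and nothing in the hunk states that those cannot also destroy the resource, so a comment on the new early-return contract (or an assertion that `this` outlives `memoryCache.remove(*this)`) would make the intent as explicit as the comment `// this object is dead here.` now makes the deleteIfPossible() case.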
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes