Title: [198387] trunk/Source/WebCore
- Revision: 198387
- Author: [email protected]
- Date: 2016-03-18 00:23:10 -0700 (Fri, 18 Mar 2016)
Log Message
Data URL DecodeTask may get deleted outside main thread
https://bugs.webkit.org/show_bug.cgi?id=155584
rdar://problem/24492104
Reviewed by Darin Adler.
This is unsafe as it owns strings and other types that are only safe to delete in the main thread.
There is a race between deref in dispatch() and deref in timerFired(). If the timer fires before dispatch()
exits the implicit deref will trigger deletion of DecodingResultDispatcher in the dispatching thread.
(WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):
Fix by clearing m_decodeTask when the timer fires.
Diff
Modified: trunk/Source/WebCore/ChangeLog (198386 => 198387)
--- trunk/Source/WebCore/ChangeLog 2016-03-18 07:15:54 UTC (rev 198386)
+++ trunk/Source/WebCore/ChangeLog 2016-03-18 07:23:10 UTC (rev 198387)
@@ -1,3 +1,20 @@
+2016-03-17 Antti Koivisto <[email protected]>
+
+ Data URL DecodeTask may get deleted outside main thread
+ https://bugs.webkit.org/show_bug.cgi?id=155584
+ rdar://problem/24492104
+
+ Reviewed by Darin Adler.
+
+ This is unsafe as it owns strings and other types that are only safe to delete in the main thread.
+
+ There is a race between deref in dispatch() and deref in timerFired(). If the timer fires before dispatch()
+ exits the implicit deref will trigger deletion of DecodingResultDispatcher in the dispatching thread.
+
+ (WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):
+
+ Fix by clearing m_decodeTask when the timer fires.
+
2016-03-17 Carlos Garcia Campos <[email protected]>
REGRESSION(r195661): [GTK] very slow scrolling
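Review bot: the new entry lists only timerFired() and names no test, nor says why one is impractical for this race; a one-line note either way would help whoever revisits the bug. The paragraph starting "This is unsafe" also depends on the title for its antecedent, so wording such as "Deleting DecodeTask outside the main thread is unsafe as it owns strings ..." would let it read on its own.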
Modified: trunk/Source/WebCore/platform/network/DataURLDecoder.cpp (198386 => 198387)
--- trunk/Source/WebCore/platform/network/DataURLDecoder.cpp 2016-03-18 07:15:54 UTC (rev 198386)
+++ trunk/Source/WebCore/platform/network/DataURLDecoder.cpp 2016-03-18 07:23:10 UTC (rev 198387)
@@ -86,6 +86,9 @@
else
m_decodeTask->completionHandler({ });
+ // Ensure DecodeTask gets deleted in the main thread.
+ m_decodeTask = nullptr;
+
deref();
}
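Review bot: after the added `m_decodeTask = nullptr;` the DecodingResultDispatcher itself can still be destroyed on the dispatching thread whenever the deref in dispatch() turns out to be the last one, which is the ordering the log message describes. It is worth confirming that nothing else the dispatcher owns needs main-thread destruction. The new comment also relies on timerFired() only ever running on the main thread, so an ASSERT(isMainThread()) at the top of the function would make that assumption checkable. Clearing after the completionHandler call and before `deref()` looks like the right order, since nothing visible touches m_decodeTask afterwards.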