Regression(r228708): Crash under WebCore::MediaResource::responseReceived(WebCore...
author: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Feb 2018 23:56:16 +0000 (23:56 +0000)
committer: cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 21 Feb 2018 23:56:16 +0000 (23:56 +0000)
commit: 5e3e30193265b12008eb42db0b9ba7d3c14ee5d6
tree: 9d5969d8c78cd691525d2183fbaa23aee37ac1b6
parent: 06e1f983273f66832691fe30e6bfc7ce6473e4c3
Regression(r228708): Crash under WebCore::MediaResource::responseReceived(WebCore::CachedResource&, WebCore::ResourceResponse const&)
https://bugs.webkit.org/show_bug.cgi?id=183018
<rdar://problem/37754154>

Reviewed by Eric Carlson.

The fix at r228708 was trying to address the fact that avplayer sometimes
deallocates WebCoreNSURLSessionDataTask objects on a non-main thread, which
was not safe because its _resource data member needs to be deallocated on
the main thread.

The issue is that r228708 caused _resource to outlive its WebCoreNSURLSessionDataTask.
This is an issue because _resource has a client data member (of type WebCoreNSURLSessionDataTaskClient)
which has a raw pointer to the WebCoreNSURLSessionDataTask. This means that the main thread could
call methods like responseReceived() on the resource, which would call responseReceived() on the
client, which would try to call [WebCoreNSURLSessionDataTask receivedResponse:] with an invalid
m_task pointer.

To address the issue, I introduced a clearTask() method on WebCoreNSURLSessionDataTaskClient, which
gets called from a non-main thread to clear the client's m_task pointer when the task is destroyed
on a non-main thread. So that this is safe, every time the client tries to use m_task, we now
acquire a lock for thread-safety and do a null-check on m_task.

No new tests, no known reproduction case.

* platform/graphics/PlatformMediaResourceLoader.h:
(WebCore::PlatformMediaResource::client):
* platform/network/cocoa/WebCoreNSURLSession.mm:
(WebCore::WebCoreNSURLSessionDataTaskClient::clearTask):
(WebCore::WebCoreNSURLSessionDataTaskClient::dataSent):
(WebCore::WebCoreNSURLSessionDataTaskClient::responseReceived):
(WebCore::WebCoreNSURLSessionDataTaskClient::shouldCacheResponse):
(WebCore::WebCoreNSURLSessionDataTaskClient::dataReceived):
(WebCore::WebCoreNSURLSessionDataTaskClient::redirectReceived):
(WebCore::WebCoreNSURLSessionDataTaskClient::accessControlCheckFailed):
(WebCore::WebCoreNSURLSessionDataTaskClient::loadFailed):
(WebCore::WebCoreNSURLSessionDataTaskClient::loadFinished):
(-[WebCoreNSURLSessionDataTask dealloc]):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@228903 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/platform/graphics/PlatformMediaResourceLoader.h
Source/WebCore/platform/network/cocoa/WebCoreNSURLSession.mm
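The synchronisation pattern the commit message describes (a client holding a raw back-pointer to its task, a clearTask() that nulls that pointer under a lock when the task is destroyed, and a lock-protected null check before every use), as an added C++ example that is not WebKit's code. Task and TaskClient are constructed stand-ins for WebCoreNSURLSessionDataTask and WebCoreNSURLSessionDataTaskClient, and the response-counting methods are hypothetical. The example destroys the task on the calling thread for simplicity; the lock is what keeps the pattern correct when, as in the bug, destruction happens on a non-main thread while the main thread is delivering callbacks.

```cpp
#include <memory>
#include <mutex>
#include <string>

class TaskClient;

// Constructed stand-in for WebCoreNSURLSessionDataTask (hypothetical name).
// Its destructor tells the client that the back-pointer is no longer valid.
class Task {
public:
    Task();
    ~Task();
    void receivedResponse(const std::string& response) { m_lastResponse = response; ++m_responseCount; }
    int responseCount() const { return m_responseCount; }
    std::shared_ptr<TaskClient> client() const { return m_client; }
private:
    std::shared_ptr<TaskClient> m_client; // may outlive the task, as _resource did after r228708
    std::string m_lastResponse;
    int m_responseCount = 0;
};

// Constructed stand-in for WebCoreNSURLSessionDataTaskClient: a raw, non-owning
// back-pointer to the task, guarded by a lock and nulled when the task is destroyed.
class TaskClient {
public:
    explicit TaskClient(Task* task) : m_task(task) {}

    // Called from the task's destructor, on whatever thread the task dies on.
    void clearTask() {
        std::lock_guard<std::mutex> lock(m_taskLock);
        m_task = nullptr;
    }

    // Called on the main thread when the resource receives a response.
    // Returns true if forwarded to a live task, false if the task is already gone.
    bool responseReceived(const std::string& response) {
        std::lock_guard<std::mutex> lock(m_taskLock);
        if (!m_task)
            return false; // task destroyed elsewhere: drop the callback instead of dereferencing
        m_task->receivedResponse(response);
        return true;
    }

private:
    std::mutex m_taskLock;
    Task* m_task;
};

Task::Task() : m_client(std::make_shared<TaskClient>(this)) {}
Task::~Task() { m_client->clearTask(); }

// Scenario 1: the task is alive, so the response reaches it.
int deliverWhileAlive() {
    Task task;
    task.client()->responseReceived("HTTP/1.1 200 OK"); // constructed response line
    return task.responseCount(); // 1
}

// Scenario 2: the task is destroyed while the client (held by the resource) lives on,
// then the main thread tries to deliver a response. Without clearTask() this would
// dereference a dangling m_task; with it the callback is dropped safely.
bool deliverAfterDestruction() {
    std::shared_ptr<TaskClient> client;
    {
        Task task;
        client = task.client();
    } // ~Task() runs clearTask()
    return client->responseReceived("HTTP/1.1 200 OK"); // false
}
```

The lock is held across the call into the task, so a destructor running concurrently on another thread blocks in clearTask() until the callback completes, which is what makes the null check meaningful rather than a race of its own.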