Data URL DecodeTask may get deleted outside main thread
author antti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Mar 2016 07:23:10 +0000 (07:23 +0000)
committer antti@apple.com <antti@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Mar 2016 07:23:10 +0000 (07:23 +0000)
commit 8f063ab9f128b2f88810c755e96e6e99a641bfee
tree 9be6eb203ea9f3ab8ac9bfd778cfedbf6aa41790
parent 1ec8ac685e7490805eb8b86496d6e021e73a5786
Data URL DecodeTask may get deleted outside main thread
https://bugs.webkit.org/show_bug.cgi?id=155584
rdar://problem/24492104

Reviewed by Darin Adler.

This is unsafe as it owns strings and other types that are only safe to delete in the main thread.

There is a race between deref in dispatch() and deref in timerFired(). If the timer fires before dispatch()
exits the implicit deref will trigger deletion of DecodingResultDispatcher in the dispatching thread.

(WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired):

    Fix by clearing m_decodeTask when the timer fires.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198387 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/WebCore/ChangeLog
Source/WebCore/platform/network/DataURLDecoder.cpp
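
The interleaving described in the commit message, replayed deterministically as an added example (not WebKit's code and not part of the commit). `Task`, `Dispatcher`, `clearOnFire` and `taskDeletedOnMain` are hypothetical stand-ins, and `std::shared_ptr` stands in for WebKit's reference counting.

```cpp
// Added illustration with hypothetical stand-in types; not WebKit source.
#include <cstdio>
#include <future>
#include <memory>
#include <thread>

static std::thread::id g_taskDeletedOn;  // thread that ran ~Task()

struct Task {  // stands in for DecodeTask, whose members are main-thread-only
    ~Task() { g_taskDeletedOn = std::this_thread::get_id(); }
};

struct Dispatcher {  // stands in for the ref-counted DecodingResultDispatcher
    std::unique_ptr<Task> task = std::make_unique<Task>();
    bool clearOnFire;
    explicit Dispatcher(bool clear) : clearOnFire(clear) {}
    // Runs on the main thread. With the fix, the task is released here.
    void timerFired() { if (clearOnFire) task.reset(); }
};

// Replays the interleaving from the commit message deterministically: the
// timer fires on the main thread before the worker's dispatch() scope exits,
// so the worker drops the last reference. Returns true if Task was destroyed
// on the main (calling) thread.
bool taskDeletedOnMain(bool clearOnFire) {
    const std::thread::id mainId = std::this_thread::get_id();
    std::promise<std::shared_ptr<Dispatcher>> scheduled;
    std::promise<void> fired;
    auto scheduledFuture = scheduled.get_future();
    auto firedFuture = fired.get_future();
    std::thread worker([&] {                 // plays the role of dispatch()
        auto dispatcher = std::make_shared<Dispatcher>(clearOnFire);
        scheduled.set_value(dispatcher);     // timer callback takes a second ref
        firedFuture.wait();                  // timer fires before this scope exits
    });                                      // last deref happens on the worker
    {
        auto dispatcher = scheduledFuture.get();  // main thread's reference
        dispatcher->timerFired();
    }                                        // main thread derefs first
    fired.set_value();
    worker.join();
    return g_taskDeletedOn == mainId;
}

int main() {
    std::printf("without fix, task deleted on main: %d\n", taskDeletedOnMain(false));
    std::printf("with fix, task deleted on main: %d\n", taskDeletedOnMain(true));
}
```

With `clearOnFire` set, the dispatcher itself is still destroyed on the worker thread, but it no longer owns the task at that point.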