Free memory read under MemoryCache::pruneLiveResourcesToSize()
author cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 Feb 2015 21:29:19 +0000 (21:29 +0000)
committer cdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 Feb 2015 21:29:19 +0000 (21:29 +0000)
commit aad40de1b1793cdcb9dc67c74d3087e44ef43f90
tree b6ff6a7a8b42a0516e437c6d24a0b896fada078e
parent 061b6313e1aad8f5230787d452c8688e5996a81d
Free memory read under MemoryCache::pruneLiveResourcesToSize()
https://bugs.webkit.org/show_bug.cgi?id=141292
<rdar://problem/19725522>

Reviewed by Antti Koivisto.

In MemoryCache::pruneLiveResourcesToSize(), we were iterating over the
m_liveDecodedResources ListHashSet and possibly calling
CachedResource::destroyDecodedData() on the current value. Doing so
would cause a call to ListHashSet::remove() to remove the value pointed
to by the current iterator, thus invalidating our iterator.

In this patch, we increment the ListHashSet iterator *before* calling
CachedResource::destroyDecodedData(), while the current iterator is
still valid. Note that this is safe because unlike iteration of most
WTF Hash data structures, iteration is guaranteed safe against mutation
of the ListHashSet, except for removal of the item currently pointed to
by a given iterator.

Test: http/tests/cache/memory-cache-pruning.html

* loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::pruneLiveResourcesToSize):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@179702 268f45cc-cd09-0410-ab3c-d52691b4dbfc
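The iterator-ordering fix described in the commit message, as an added illustration that is not WebKit's code: a constructed ToyMemoryCache stands in for MemoryCache, a plain std::list stands in for WTF::ListHashSet (it gives the same guarantee the message relies on, that erasing an element invalidates only iterators to that element), and destroyDecodedData() removes the resource from the list being iterated, exactly the side effect that made the pre-fix loop read freed memory. The names Resource, ToyMemoryCache, insertInLiveDecodedResourcesList and pruneExample, and the sample URLs and sizes, are all assumptions made for this example.

```cpp
#include <cstddef>
#include <list>
#include <string>
#include <vector>

// Constructed stand-in for CachedResource: decoded data is modelled as a byte count.
struct Resource {
    std::string url;
    std::size_t decodedSize;
};

// Constructed stand-in for MemoryCache (hypothetical, not WebKit's class).
// std::list replaces WTF::ListHashSet: erasing one node invalidates only
// iterators to that node, which is the property the fix depends on.
class ToyMemoryCache {
public:
    void insertInLiveDecodedResourcesList(Resource& r)
    {
        m_liveDecodedResources.push_back(&r);
        m_liveDecodedSize += r.decodedSize;
    }

    // Models CachedResource::destroyDecodedData(): frees the decoded data and,
    // as a side effect, removes the resource from the list being iterated.
    void destroyDecodedData(Resource& r)
    {
        m_liveDecodedSize -= r.decodedSize;
        r.decodedSize = 0;
        m_liveDecodedResources.remove(&r); // the ListHashSet::remove() equivalent
    }

    // The post-fix ordering: advance the iterator *before* the call that may
    // erase the node it points to. The pre-fix ordering (destroy first, then
    // ++current) would increment an iterator into a freed node.
    void pruneLiveResourcesToSize(std::size_t targetSize)
    {
        auto current = m_liveDecodedResources.begin();
        while (current != m_liveDecodedResources.end() && m_liveDecodedSize > targetSize) {
            Resource* resource = *current;
            ++current;                     // still valid: nothing has been removed yet
            destroyDecodedData(*resource); // may erase the node current *was* pointing at
        }
    }

    std::size_t liveDecodedSize() const { return m_liveDecodedSize; }

    std::vector<std::string> liveDecodedUrls() const
    {
        std::vector<std::string> urls;
        for (const Resource* r : m_liveDecodedResources)
            urls.push_back(r->url);
        return urls;
    }

private:
    std::list<Resource*> m_liveDecodedResources;
    std::size_t m_liveDecodedSize = 0;
};

// Constructed scenario: three live decoded resources totalling 600 bytes are
// pruned down to 350. Returns the URLs whose decoded data survives.
std::vector<std::string> pruneExample()
{
    Resource a { "http://example.test/a.png", 100 };
    Resource b { "http://example.test/b.png", 200 };
    Resource c { "http://example.test/c.png", 300 };
    ToyMemoryCache cache;
    cache.insertInLiveDecodedResourcesList(a);
    cache.insertInLiveDecodedResourcesList(b);
    cache.insertInLiveDecodedResourcesList(c);
    cache.pruneLiveResourcesToSize(350); // drops a (600 -> 500), then b (500 -> 300), keeps c
    return cache.liveDecodedUrls();
}

// Same scenario, returning the live decoded size left after pruning.
std::size_t pruneExampleRemainingSize()
{
    Resource a { "http://example.test/a.png", 100 };
    Resource b { "http://example.test/b.png", 200 };
    Resource c { "http://example.test/c.png", 300 };
    ToyMemoryCache cache;
    cache.insertInLiveDecodedResourcesList(a);
    cache.insertInLiveDecodedResourcesList(b);
    cache.insertInLiveDecodedResourcesList(c);
    cache.pruneLiveResourcesToSize(350);
    return cache.liveDecodedSize();
}
```

Running the same loop with the two statements in the pre-fix order under AddressSanitizer is the quickest way to see the defect the commit fixes: the increment touches the node that destroyDecodedData() just unlinked and freed.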
LayoutTests/http/tests/cache/memory-cache-pruning-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/cache/memory-cache-pruning.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/WebCore.exp.in
Source/WebCore/loader/cache/MemoryCache.cpp
Source/WebCore/loader/cache/MemoryCache.h
Source/WebCore/testing/Internals.cpp
Source/WebCore/testing/Internals.h
Source/WebCore/testing/Internals.idl