REGRESSION (r188486): Crash in SubresourceLoader::didReceiveResponse() when Temporary...
authoraestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 17 Aug 2015 18:52:38 +0000 (18:52 +0000)
committeraestes@apple.com <aestes@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 17 Aug 2015 18:52:38 +0000 (18:52 +0000)
https://bugs.webkit.org/show_bug.cgi?id=148082

Reviewed by Alexey Proskuryakov.

Covered by existing tests run under ASan or Guard Malloc.

* loader/SubresourceLoader.cpp:
(WebCore::SubresourceLoader::didReceiveResponse): Ensure that callingDidReceiveResponse is destroyed while the
SubresourceLoader is still alive by declaring it after protect.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@188531 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/loader/SubresourceLoader.cpp

index 624eb7a..9597d1f 100644 (file)
@@ -1,3 +1,16 @@
+2015-08-17  Andy Estes  <aestes@apple.com>
+
+        REGRESSION (r188486): Crash in SubresourceLoader::didReceiveResponse() when TemporaryChange goes out of scope
+        https://bugs.webkit.org/show_bug.cgi?id=148082
+
+        Reviewed by Alexey Proskuryakov.
+
+        Covered by existing tests run under ASan or Guard Malloc.
+
+        * loader/SubresourceLoader.cpp:
+        (WebCore::SubresourceLoader::didReceiveResponse): Ensure that callingDidReceiveResponse is destroyed while the
+        SubresourceLoader is still alive by declaring it after protect.
+
 2015-08-17  Simon Fraser  <simon.fraser@apple.com>
 
         will-change should sometimes trigger compositing
index 5985eb6..077ad1d 100644 (file)
@@ -203,12 +203,12 @@ void SubresourceLoader::didReceiveResponse(const ResourceResponse& response)
     ASSERT(!response.isNull());
     ASSERT(m_state == Initialized);
 
-    TemporaryChange<bool> callingDidReceiveResponse(m_callingDidReceiveResponse, true);
-
     // Reference the object in this method since the additional processing can do
     // anything including removing the last reference to this object; one example of this is 3266216.
     Ref<SubresourceLoader> protect(*this);
 
+    TemporaryChange<bool> callingDidReceiveResponse(m_callingDidReceiveResponse, true);
+
     if (shouldIncludeCertificateInfo())
         response.includeCertificateInfo();