Crash in WebCore::DocumentLoader::willSendRequest() with ContentFilter and AppCache.
authorbeidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jul 2015 00:06:32 +0000 (00:06 +0000)
committerbeidson@apple.com <beidson@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 28 Jul 2015 00:06:32 +0000 (00:06 +0000)
<rdar://problem/21960398> and https://bugs.webkit.org/show_bug.cgi?id=147339

Reviewed by Alexey Proskuryakov.

No new tests (Not yet proven to be possible to test this).

* loader/DocumentLoader.cpp:
(WebCore::DocumentLoader::willSendRequest): Grab the identifier from the CachedResource directly, not from the null ResourceLoader.
(WebCore::DocumentLoader::continueAfterNavigationPolicy): Null check the ResourceLoader, as it can definitely be gone by this point.

* loader/cache/CachedResource.cpp:
(WebCore::CachedResource::clearLoader): Save off the identifier for later use.
* loader/cache/CachedResource.h:
(WebCore::CachedResource::identifierForLoadWithoutResourceLoader): Expose the identifier that the ResourceLoader had when it went away.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@187466 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/loader/DocumentLoader.cpp
Source/WebCore/loader/cache/CachedResource.cpp
Source/WebCore/loader/cache/CachedResource.h

index d0b923a..42d653b 100644 (file)
@@ -1,3 +1,21 @@
+2015-07-27  Brady Eidson  <beidson@apple.com>
+
+        Crash in WebCore::DocumentLoader::willSendRequest() with ContentFilter and AppCache.
+        <rdar://problem/21960398> and https://bugs.webkit.org/show_bug.cgi?id=147339
+
+        Reviewed by Alexey Proskuryakov.
+
+        No new tests (Not yet proven to be possible to test this).
+
+        * loader/DocumentLoader.cpp:
+        (WebCore::DocumentLoader::willSendRequest): Grab the identifier from the CachedResource directly, not from the null ResourceLoader.
+        (WebCore::DocumentLoader::continueAfterNavigationPolicy): Null check the ResourceLoader, as it can definitely be gone by this point.
+
+        * loader/cache/CachedResource.cpp:
+        (WebCore::CachedResource::clearLoader): Save off the identifier for later use.
+        * loader/cache/CachedResource.h:
+        (WebCore::CachedResource::identifierForLoadWithoutResourceLoader): Expose the identifier that the ResourceLoader had when it went away.
+
 2015-07-27  Said Abou-Hallawa  <sabouhallawa@apple.com>
 
         Crash happens when calling removeEventListener for an SVG element which has an instance inside a <defs> element of shadow tree
index dbc8fee..c026de9 100644 (file)
@@ -550,8 +550,10 @@ void DocumentLoader::willSendRequest(ResourceRequest& newRequest, const Resource
         // We checked application cache for initial URL, now we need to check it for redirected one.
         ASSERT(!m_substituteData.isValid());
         m_applicationCacheHost->maybeLoadMainResourceForRedirect(newRequest, m_substituteData);
-        if (m_substituteData.isValid())
-            m_identifierForLoadWithoutResourceLoader = mainResourceLoader()->identifier();
+        if (m_substituteData.isValid()) {
+            RELEASE_ASSERT(m_mainResource);
+            m_identifierForLoadWithoutResourceLoader = m_mainResource->identifierForLoadWithoutResourceLoader();
+        }
     }
 
     // FIXME: Ideally we'd stop the I/O until we hear back from the navigation policy delegate
@@ -581,10 +583,15 @@ void DocumentLoader::continueAfterNavigationPolicy(const ResourceRequest&, bool
         // However, from an API perspective, this isn't a cancellation. Therefore, sever our relationship with the network load,
         // but prevent the ResourceLoader from sending ResourceLoadNotifier callbacks.
         RefPtr<ResourceLoader> resourceLoader = mainResourceLoader();
-        ASSERT(resourceLoader->shouldSendResourceLoadCallbacks());
-        resourceLoader->setSendCallbackPolicy(DoNotSendCallbacks);
+        if (resourceLoader) {
+            ASSERT(resourceLoader->shouldSendResourceLoadCallbacks());
+            resourceLoader->setSendCallbackPolicy(DoNotSendCallbacks);
+        }
+
         clearMainResource();
-        resourceLoader->setSendCallbackPolicy(SendCallbacks);
+
+        if (resourceLoader)
+            resourceLoader->setSendCallbackPolicy(SendCallbacks);
         handleSubstituteDataLoadSoon();
     }
 }
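Review bot: In the first hunk, `m_mainResource->identifierForLoadWithoutResourceLoader()` returns the value that clearLoader() copies out of the ResourceLoader, and per the header hunk that member starts at 0 and is written only when the loader is detached; on a redirect where the main resource loader is still attached, the identifier recorded for the substitute-data load is therefore 0 where the replaced line read the live loader's identifier. Unless this branch can only be reached after the loader has been cleared (not visible here), prefer the live value when one exists: `m_identifierForLoadWithoutResourceLoader = mainResourceLoader() ? mainResourceLoader()->identifier() : m_mainResource->identifierForLoadWithoutResourceLoader();`. The RELEASE_ASSERT on m_mainResource is a sound guard, since the pointer is dereferenced on the very next line. willSendRequest begins before the hunk and continues after it, and continueAfterNavigationPolicy in the second hunk starts outside it.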
index 3bef21e..5a4059b 100644 (file)
@@ -405,6 +405,7 @@ void CachedResource::responseReceived(const ResourceResponse& response)
 void CachedResource::clearLoader()
 {
     ASSERT(m_loader);
+    m_identifierForLoadWithoutResourceLoader = m_loader->identifier();
     m_loader = nullptr;
     deleteIfPossible();
 }
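Review bot: The new line reads `m_loader->identifier()` under an ASSERT that WebKit compiles out in release builds, so a clearLoader() call with m_loader already null — which before this change only reset the pointer and ran deleteIfPossible() — now dereferences null. If that call is reachable only as a programming error the ASSERT is the right guard; otherwise make the copy conditional, `if (m_loader) m_identifierForLoadWithoutResourceLoader = m_loader->identifier();`, which also avoids overwriting a value saved by an earlier call. A short why-comment on the new line, `// Keep the identifier so a load that continues without a ResourceLoader can still be correlated with it.`, would tell the next reader why it is saved here rather than by the caller.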
index c28219c..d6f93f6 100644 (file)
@@ -260,6 +260,8 @@ public:
     virtual char* getOrCreateReadBuffer(size_t /* requestedSize */, size_t& /* actualSize */) { return nullptr; }
 #endif
 
+    unsigned long identifierForLoadWithoutResourceLoader() const { return m_identifierForLoadWithoutResourceLoader; }
+
 protected:
     void setEncodedSize(unsigned);
     void setDecodedSize(unsigned);
@@ -341,6 +343,8 @@ private:
     HashSet<CachedResourceHandleBase*> m_handlesToRevalidate;
 
     RedirectChainCacheStatus m_redirectChainCacheStatus;
+
+    unsigned long m_identifierForLoadWithoutResourceLoader { 0 };
 };
 
 class CachedResource::Callback {
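Review bot: The accessor added in the first hunk has a contract a caller cannot see from the declaration: the member it returns is brace-initialized to 0 in the second hunk and, per the CachedResource.cpp change in this commit, is written only when clearLoader() detaches the ResourceLoader, so it reads 0 for as long as a loader is still attached. Suggest a comment above the declaration, `// Identifier the ResourceLoader had when clearLoader() detached it; 0 while a loader is still attached, so callers should prefer the loader's own identifier in that case.` Both hunks sit inside the CachedResource class body, which starts and ends outside this section.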