Free memory read under MemoryCache::pruneLiveResourcesToSize()
authorcdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 Feb 2015 21:29:19 +0000 (21:29 +0000)
committercdumez@apple.com <cdumez@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 5 Feb 2015 21:29:19 +0000 (21:29 +0000)
https://bugs.webkit.org/show_bug.cgi?id=141292
<rdar://problem/19725522>

Reviewed by Antti Koivisto.

In MemoryCache::pruneLiveResourcesToSize(), we were iterating over the
m_liveDecodedResources ListHashSet and possibly calling
CachedResource::destroyDecodedData() on the current value. Doing so
would cause a call to ListHashSet::remove() to remove the value pointed
by the current iterator, thus invalidating our iterator.

In this patch, we increment the ListHashSet iterator *before* calling
CachedResource::destroyDecodedData(), while the current iterator is
still valid. Note that this is safe because unlike iteration of most
WTF Hash data structures, iteration is guaranteed safe against mutation
of the ListHashSet, except for removal of the item currently pointed to
by a given iterator.

Test: http/tests/cache/memory-cache-pruning.html

* loader/cache/MemoryCache.cpp:
(WebCore::MemoryCache::pruneLiveResourcesToSize):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@179702 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/http/tests/cache/memory-cache-pruning-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/cache/memory-cache-pruning.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/WebCore.exp.in
Source/WebCore/loader/cache/MemoryCache.cpp
Source/WebCore/loader/cache/MemoryCache.h
Source/WebCore/testing/Internals.cpp
Source/WebCore/testing/Internals.h
Source/WebCore/testing/Internals.idl

diff --git a/LayoutTests/http/tests/cache/memory-cache-pruning-expected.txt b/LayoutTests/http/tests/cache/memory-cache-pruning-expected.txt
new file mode 100644 (file)
index 0000000..b869ae7
--- /dev/null
@@ -0,0 +1,11 @@
+This test exercices the code path executed when the memory cache reaches its maximum size
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS previousSize > 0 is true
+PASS internals.memoryCacheSize() < previousSize is true
+PASS successfullyParsed is true
+
+TEST COMPLETE
+   
diff --git a/LayoutTests/http/tests/cache/memory-cache-pruning.html b/LayoutTests/http/tests/cache/memory-cache-pruning.html
new file mode 100644 (file)
index 0000000..1324809
--- /dev/null
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<head>
+<link rel=stylesheet href=../css/resources/shared.css>
+<script src="../../js-test-resources/js-test-pre.js"></script>
+<script>
+function runTest() {
+    previousSize = internals.memoryCacheSize();
+    shouldBeTrue("previousSize > 0");
+    internals.pruneMemoryCacheToSize(0);
+    shouldBeTrue("internals.memoryCacheSize() < previousSize");
+    finishJSTest();    
+}
+</script>
+</head>
+<body onload="runTest()">
+<img src="../resources/square100.png"/>
+<img src="../resources/square128.png"/>
+<audio src="../resources/test.mp4"></audio>
+<video src="../resources/test.mp4"></video>
+<script>
+description("This test exercices the code path executed when the memory cache reaches its maximum size");
+jsTestIsAsync = true;
+</script>
+<script src="../../js-test-resources/js-test-post.js"></script>
+</body>
+</html>
index f3b84c8..516988c 100644 (file)
@@ -1,3 +1,29 @@
+2015-02-05  Chris Dumez  <cdumez@apple.com>
+
+        Free memory read under MemoryCache::pruneLiveResourcesToSize()
+        https://bugs.webkit.org/show_bug.cgi?id=141292
+        <rdar://problem/19725522>
+
+        Reviewed by Antti Koivisto.
+
+        In MemoryCache::pruneLiveResourcesToSize(), we were iterating over the
+        m_liveDecodedResources ListHashSet and possibly calling
+        CachedResource::destroyDecodedData() on the current value. Doing so
+        would cause a call to ListHashSet::remove() to remove the value pointed
+        by the current iterator, thus invalidating our iterator.
+
+        In this patch, we increment the ListHashSet iterator *before* calling
+        CachedResource::destroyDecodedData(), while the current iterator is
+        still valid. Note that this is safe because unlike iteration of most
+        WTF Hash data structures, iteration is guaranteed safe against mutation
+        of the ListHashSet, except for removal of the item currently pointed to
+        by a given iterator.
+
+        Test: http/tests/cache/memory-cache-pruning.html
+
+        * loader/cache/MemoryCache.cpp:
+        (WebCore::MemoryCache::pruneLiveResourcesToSize):
+
 2015-02-05  Jer Noble  <jer.noble@apple.com>
 
         [Mac] HLS <video> will not fire 'progress' events, only 'stalled'.
index 2d6e7bd..fc7da8e 100644 (file)
@@ -197,6 +197,8 @@ __ZN7WebCore11MemoryCache15addImageToCacheEP7CGImageRKNS_3URLERKN3WTF6StringE
 __ZN7WebCore11MemoryCache18resourceForRequestERKNS_15ResourceRequestENS_9SessionIDE
 __ZN7WebCore11MemoryCache19getOriginsWithCacheERN3WTF7HashSetINS1_6RefPtrINS_14SecurityOriginEEENS_18SecurityOriginHashENS1_10HashTraitsIS5_EEEE
 __ZN7WebCore11MemoryCache20removeImageFromCacheERKNS_3URLERKN3WTF6StringE
+__ZN7WebCore11MemoryCache24pruneDeadResourcesToSizeEj
+__ZN7WebCore11MemoryCache24pruneLiveResourcesToSizeEjb
 __ZN7WebCore11MemoryCache25removeResourcesWithOriginERNS_14SecurityOriginE
 __ZN7WebCore11MemoryCache9singletonEv
 __ZN7WebCore11PageOverlay15setNeedsDisplayERKNS_7IntRectE
index c494db1..142b4d5 100644 (file)
@@ -300,7 +300,18 @@ void MemoryCache::pruneLiveResourcesToSize(unsigned targetSize, bool shouldDestr
     // elapsedTime will evaluate to false as the currentTime will be a lot
     // greater than the current->m_lastDecodedAccessTime.
     // For more details see: https://bugs.webkit.org/show_bug.cgi?id=30209
-    for (auto* current : m_liveDecodedResources) {
+    auto it = m_liveDecodedResources.begin();
+    while (it != m_liveDecodedResources.end()) {
+        auto* current = *it;
+
+        // Increment the iterator now because the call to destroyDecodedData() below
+        // may cause a call to ListHashSet::remove() and invalidate the current
+        // iterator. Note that this is safe because unlike iteration of most
+        // WTF Hash data structures, iteration is guaranteed safe against mutation
+        // of the ListHashSet, except for removal of the item currently pointed to
+        // by a given iterator.
+        ++it;
+
         ASSERT(current->hasClients());
         if (current->isLoaded() && current->decodedSize()) {
             // Check to see if the remaining resources are too new to prune.
@@ -311,9 +322,8 @@ void MemoryCache::pruneLiveResourcesToSize(unsigned targetSize, bool shouldDestr
             if (current->decodedDataIsPurgeable())
                 continue;
 
-            // Destroy our decoded data. This will remove us from 
-            // m_liveDecodedResources, and possibly move us to a different LRU 
-            // list in m_allResources.
+            // Destroy our decoded data. This will remove us from m_liveDecodedResources, and possibly move us
+            // to a different LRU list in m_allResources.
             current->destroyDecodedData();
 
             if (targetSize && m_liveSize <= targetSize)
index 7a08c46..ff94f48 100644 (file)
@@ -62,7 +62,7 @@ class SecurityOrigin;
 class MemoryCache {
     WTF_MAKE_NONCOPYABLE(MemoryCache); WTF_MAKE_FAST_ALLOCATED;
     friend NeverDestroyed<MemoryCache>;
-
+    friend class Internals;
 public:
     struct TypeStatistic {
         int count;
@@ -117,6 +117,7 @@ public:
     WEBCORE_EXPORT void evictResources();
     
     void prune();
+    unsigned size() const { return m_liveSize + m_deadSize; }
 
     void setDeadDecodedDataDeletionInterval(std::chrono::milliseconds interval) { m_deadDecodedDataDeletionInterval = interval; }
     std::chrono::milliseconds deadDecodedDataDeletionInterval() const { return m_deadDecodedDataDeletionInterval; }
index 3e3235b..40d1def 100644 (file)
@@ -409,6 +409,17 @@ void Internals::clearMemoryCache()
     MemoryCache::singleton().evictResources();
 }
 
+void Internals::pruneMemoryCacheToSize(unsigned size)
+{
+    MemoryCache::singleton().pruneDeadResourcesToSize(size);
+    MemoryCache::singleton().pruneLiveResourcesToSize(size, true);
+}
+
+unsigned Internals::memoryCacheSize() const
+{
+    return MemoryCache::singleton().size();
+}
+
 Node* Internals::treeScopeRootNode(Node* node, ExceptionCode& ec)
 {
     if (!node) {
index 9fb7146..761d5e4 100644 (file)
@@ -84,7 +84,10 @@ public:
     bool isPreloaded(const String& url);
     bool isLoadingFromMemoryCache(const String& url);
     String xhrResponseSource(XMLHttpRequest*);
+
     void clearMemoryCache();
+    void pruneMemoryCacheToSize(unsigned size);
+    unsigned memoryCacheSize() const;
 
     PassRefPtr<CSSComputedStyleDeclaration> computedStyleIncludingVisitedInfo(Node*, ExceptionCode&) const;
 
index 6f9e41b..c3ad203 100644 (file)
@@ -44,6 +44,8 @@ enum PageOverlayType {
     boolean isLoadingFromMemoryCache(DOMString url);
     DOMString xhrResponseSource(XMLHttpRequest xhr);
     void clearMemoryCache();
+    void pruneMemoryCacheToSize(long size);
+    long memoryCacheSize();
 
     [RaisesException] CSSStyleDeclaration computedStyleIncludingVisitedInfo(Node node);