REGRESSION: ( r240978-r240985 ) [ iOS Release ] Layout Test imported/w3c/web-platform...
author: achristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Feb 2019 18:51:09 +0000 (18:51 +0000)
committer: achristensen@apple.com <achristensen@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Feb 2019 18:51:09 +0000 (18:51 +0000)
https://bugs.webkit.org/show_bug.cgi?id=194523

Reviewed by Geoffrey Garen.

The scope of the FormCreationContext was limited to the scope of createHTTPBodyCFReadStream,
so when it was used in formCreate it was lucky to get the same context if the stack hadn't been overwritten
and if the FormData hadn't been freed.  Instead, keep it alive with new/delete like we do the FormStreamFields.
A younger me should've noticed this when reviewing r218517.

* platform/network/cf/FormDataStreamCFNet.cpp:
(WebCore::formCreate):
(WebCore::createHTTPBodyCFReadStream):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241594 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/WebCore/ChangeLog
Source/WebCore/platform/network/cf/FormDataStreamCFNet.cpp

index 4147d29..a242ad6 100644 (file)
@@ -1,3 +1,19 @@
+2019-02-15  Alex Christensen  <achristensen@webkit.org>
+
+        REGRESSION: ( r240978-r240985 ) [ iOS Release ] Layout Test imported/w3c/web-platform-tests/xhr/send-redirect-post-upload.htm is crashing
+        https://bugs.webkit.org/show_bug.cgi?id=194523
+
+        Reviewed by Geoffrey Garen.
+
+        The scope of the FormCreationContext was limited to the scope of createHTTPBodyCFReadStream,
+        so when it was used in formCreate it was lucky to get the same context if the stack hadn't been overwritten
+        and if the FormData hadn't been freed.  Instead, keep it alive with new/delete like we do the FormStreamFields.
+        A younger me should've noticed this when reviewing r218517.
+
+        * platform/network/cf/FormDataStreamCFNet.cpp:
+        (WebCore::formCreate):
+        (WebCore::createHTTPBodyCFReadStream):
+
 2019-02-15  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r241559 and r241566.
index 67e2f27..dfdde71 100644 (file)
@@ -216,6 +216,10 @@ static void* formCreate(CFReadStreamRef stream, void* context)
     newInfo->formStream = stream; // Don't retain. That would create a reference cycle.
     newInfo->streamLength = formContext->streamLength;
     newInfo->bytesSent = 0;
+    
+    callOnMainThread([formContext] {
+        delete formContext;
+    });
 
     // Append in reverse order since we remove elements from the end.
     size_t size = newInfo->formData->elements().size();
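Review bot: the lifetime fix in this hunk depends on formCreate running exactly once for every context handed to CFReadStreamCreate, and nothing in the code says so. The deferred `delete formContext;` is now the only release path, so if stream creation fails, or the stream is released before its create callback is ever invoked, the FormCreationContext allocated in createHTTPBodyCFReadStream leaks silently. A short comment above `callOnMainThread([formContext] {` stating that formCreate takes ownership of `context` and frees it would make the contract explicit, and the same comment should give the reason the delete is bounced to the main thread instead of being done inline, since that reason is not visible here and a later reader will otherwise assume a plain `delete formContext;` is equivalent and "simplify" it.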
@@ -380,9 +384,9 @@ RetainPtr<CFReadStreamRef> createHTTPBodyCFReadStream(FormData& formData)
     for (auto& element : resolvedFormData->elements())
         length += element.lengthInBytes();
 
-    FormCreationContext formContext = { WTFMove(resolvedFormData), length };
+    FormCreationContext* formContext = new FormCreationContext { WTFMove(resolvedFormData), length };
     CFReadStreamCallBacksV1 callBacks = { 1, formCreate, formFinalize, nullptr, formOpen, nullptr, formRead, nullptr, formCanRead, formClose, formCopyProperty, nullptr, nullptr, formSchedule, formUnschedule };
-    return adoptCF(CFReadStreamCreate(nullptr, static_cast<const void*>(&callBacks), &formContext));
+    return adoptCF(CFReadStreamCreate(nullptr, static_cast<const void*>(&callBacks), formContext));
 }
 
 void setHTTPBody(CFMutableURLRequestRef request, FormData* formData)
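Review bot: the ownership transfer at `FormCreationContext* formContext = new FormCreationContext { WTFMove(resolvedFormData), length };` is implicit: the raw pointer disappears into CFReadStreamCreate as an opaque `void*`, and the matching `delete` lives in formCreate, far from this site. Add a comment on this line saying the stream's create callback owns and frees the context (mirroring the FormStreamFields new/delete pairing the ChangeLog cites), and consider `std::make_unique<FormCreationContext>(...)` with `.release()` at the CFReadStreamCreate call so the intent survives a future refactor rather than relying on the reader finding the delete by grep.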