2007-12-13 Alp Toker <alp@atoker.com>

        Reviewed by Oliver Hunt.

        http://bugs.webkit.org/show_bug.cgi?id=16365
        [cURL] Acid2 test segmentation fault

        This patch makes the Acid2 test pass.

        Defer the cleanup of cancelled jobs and halt further transfer as early
        as possible.

        Bug found by and initial patch provided by Luca Bruno.

        * platform/network/curl/ResourceHandleManager.cpp:
        (WebCore::writeCallback):
        (WebCore::headerCallback):
        (WebCore::ResourceHandleManager::downloadTimerCallback):
        (WebCore::ResourceHandleManager::cancel):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@28709 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index b07bc920e2650bd76ac7013b97f7401708e32d0f..d4182891fd4b942b803042fb94289fbd43383200 100644 (file)
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,23 @@
+2007-12-13  Alp Toker  <alp@atoker.com>
+
+        Reviewed by Oliver Hunt.
+
+        http://bugs.webkit.org/show_bug.cgi?id=16365
+        [cURL] Acid2 test segmentation fault
+
+        This patch makes the Acid2 test pass.
+
+        Defer the cleanup of cancelled jobs and halt further transfer as early
+        as possible.
+
+        Bug found by and initial patch provided by Luca Bruno.
+
+        * platform/network/curl/ResourceHandleManager.cpp:
+        (WebCore::writeCallback):
+        (WebCore::headerCallback):
+        (WebCore::ResourceHandleManager::downloadTimerCallback):
+        (WebCore::ResourceHandleManager::cancel):
+
 2007-12-13  Sam Weinig  <sam@webkit.org>
 
         Reviewed by Mark Rowe.

diff --git a/WebCore/platform/network/curl/ResourceHandleManager.cpp b/WebCore/platform/network/curl/ResourceHandleManager.cpp
index dbe90fb6c2daefb7e88ef0cecbb67e4728e28dd2..c402bd2d7df5ef158b271e2846a4cd7b37f97213 100644 (file)
--- a/WebCore/platform/network/curl/ResourceHandleManager.cpp
+++ b/WebCore/platform/network/curl/ResourceHandleManager.cpp
@@ -84,7 +84,9 @@ static size_t writeCallback(void* ptr, size_t size, size_t nmemb, void* data)
 {
     ResourceHandle* job = static_cast<ResourceHandle*>(data);
     ResourceHandleInternal* d = job->getInternal();
-    int totalSize = size * nmemb;
+    if (d->m_cancelled)
+        return 0;
+    size_t totalSize = size * nmemb;
 
     // this shouldn't be necessary but apparently is. CURL writes the data
     // of html page even if it is a redirect that was handled internally
@@ -127,8 +129,9 @@ static size_t headerCallback(char* ptr, size_t size, size_t nmemb, void* data)
 {
     ResourceHandle* job = static_cast<ResourceHandle*>(data);
     ResourceHandleInternal* d = job->getInternal();
-
-    unsigned int totalSize = size * nmemb;
+    if (d->m_cancelled)
+        return 0;
+    size_t totalSize = size * nmemb;
     ResourceHandleClient* client = d->client();
 
     String header(static_cast<const char*>(ptr), totalSize);
@@ -227,9 +230,6 @@ void ResourceHandleManager::downloadTimerCallback(Timer<ResourceHandleManager>*
         if (!msg)
             break;
 
-        if (CURLMSG_DONE != msg->msg)
-            continue;
-
         // find the node which has same d->m_handle as completed transfer
         CURL* handle = msg->easy_handle;
         ASSERT(handle);
@@ -241,6 +241,15 @@ void ResourceHandleManager::downloadTimerCallback(Timer<ResourceHandleManager>*
             continue;
         ResourceHandleInternal* d = job->getInternal();
         ASSERT(d->m_handle == handle);
+
+        if (d->m_cancelled) {
+            removeFromCurl(job);
+            continue;
+        }
+
+        if (CURLMSG_DONE != msg->msg)
+            continue;
+
         if (CURLE_OK == msg->data.result) {
             if (d->client())
                 d->client()->didFinishLoading(job);
@@ -502,7 +511,10 @@ void ResourceHandleManager::cancel(ResourceHandle* job)
 {
     if (removeScheduledJob(job))
         return;
-    removeFromCurl(job);
+    ResourceHandleInternal* d = job->getInternal();
+    d->m_cancelled = true;
+    if (!m_downloadTimer.isActive())
+        m_downloadTimer.startOneShot(pollTimeSeconds);
 }
 
 } // namespace WebCore