Chromium Code Reviews
Created: 4 years, 8 months ago by hiroshige
Modified: 4 years, 7 months ago
CC: blink-reviews, chromium-reviews, gavinp+loader_chromium.org, Nate Chapin, loading-reviews_chromium.org, tyoshino+watch_chromium.org
Base URL: https://chromium.googlesource.com/chromium/src.git@master
Target Ref: refs/pending/heads/master
Project: chromium
Visibility: Public.
Description
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
In loadRequest(), setResource() can call clear() synchronously:
DocumentThreadableLoader::clear()
DocumentThreadableLoader::handleError()
Resource::didAddClient()
RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes (Issue 595964).
This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().
BUG=595964
Committed: https://crrev.com/2571533bbb5b554ff47205c8ef1513ccc0817c3e
Cr-Commit-Position: refs/heads/master@{#391001}
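The hazard the description names (a synchronous notifyFinished() during setResource() that runs clear(), and a client that may even destroy the loader from its error callback) is easy to see in a small model. The following is an added example, not Blink code and not this CL's diff: Loader, Resource, LoaderClient, Outcome and Probe are hypothetical stand-ins for DocumentThreadableLoader, RawResource, ThreadableLoaderClient and the loadRequest() return path, and std::weak_ptr stands in for whatever "is |*this| destructed" check the real code uses. It also encodes the point from tyoshino's review comment: when m_client is already null after setResource(), clear() has run once and loadRequest() must simply return rather than touch m_client or clear again.

```cpp
// Added example, not Blink code: a small model of the re-entrancy this CL guards
// against. Loader, Resource and LoaderClient are hypothetical stand-ins for
// DocumentThreadableLoader, RawResource and ThreadableLoaderClient.
#include <cassert>
#include <memory>
#include <utility>

class ResourceClient {
public:
    virtual ~ResourceClient() = default;
    virtual void notifyFinished(bool failed) = 0;
};

// Like RawResource::didAddClient() in the description: a resource that already
// failed notifies a newly added client synchronously, before addClient() returns.
// Client bookkeeping is omitted from the model; only the callback matters here.
class Resource {
public:
    explicit Resource(bool alreadyFailed) : m_failed(alreadyFailed) {}
    void addClient(ResourceClient* c) {
        if (m_failed)
            c->notifyFinished(true);  // re-enters the loader from inside setResource()
    }
private:
    bool m_failed;
};

// The loader's own client; didFail() counts calls so a check can see it ran once.
class LoaderClient {
public:
    virtual ~LoaderClient() = default;
    virtual void didFail() { ++fails; }
    int fails = 0;
};

enum class Outcome { Started, FetchFailed, ClearedDuringSetResource, DestroyedDuringSetResource };

class Loader : public ResourceClient, public std::enable_shared_from_this<Loader> {
public:
    explicit Loader(LoaderClient* client) : m_client(client) {}

    // Models loadRequest() after the fix. setResource() may synchronously run
    // notifyFinished() -> handleError() -> clear(), and the client's didFail() may
    // even destroy this loader, so both must be checked before |this| or
    // |m_client| is used again.
    Outcome loadRequest(std::shared_ptr<Resource> fetched) {
        std::weak_ptr<Loader> self = shared_from_this();  // stands in for the "*this destructed" check
        setResource(std::move(fetched));
        if (self.expired())
            return Outcome::DestroyedDuringSetResource;  // no member may be touched from here on
        if (!m_client)
            return Outcome::ClearedDuringSetResource;    // clear() already ran; do not run it again
        if (!m_resource) {
            handleError();  // the fetch itself failed: report once, then clear
            return Outcome::FetchFailed;
        }
        return Outcome::Started;
    }

    // As in the description, clear() drops the client but leaves resource() set.
    void clear() { m_client = nullptr; }
    bool clientCleared() const { return m_client == nullptr; }
    bool hasResource() const { return m_resource != nullptr; }

private:
    void setResource(std::shared_ptr<Resource> r) {
        m_resource = std::move(r);
        if (m_resource)
            m_resource->addClient(this);
    }
    void notifyFinished(bool failed) override { if (failed) handleError(); }
    void handleError() {
        LoaderClient* c = m_client;
        clear();            // clear before didFail(): the client may delete this loader
        if (c) c->didFail();
    }
    LoaderClient* m_client;
    std::shared_ptr<Resource> m_resource;
};

// A client that owns its loader and drops it from didFail(), as real owners may.
class OwningClient : public LoaderClient {
public:
    std::shared_ptr<Loader> loader;
    void didFail() override { ++fails; loader.reset(); }  // last reference: ~Loader runs inside setResource()
};

struct Probe { Outcome outcome; bool loaderAlive; bool clientCleared; bool resourceSet; int didFailCalls; };

// Client survives; pass a failed resource, a healthy one, or nullptr for a failed fetch.
Probe survivingClient(std::shared_ptr<Resource> fetched) {
    LoaderClient client;
    auto loader = std::make_shared<Loader>(&client);
    Outcome o = loader->loadRequest(fetched);
    return {o, true, loader->clientCleared(), loader->hasResource(), client.fails};
}

// Client destroys the loader from inside setResource(); the weak self-check is what
// keeps loadRequest() from touching a dead object.
Probe clientDestroysLoader() {
    OwningClient client;
    auto res = std::make_shared<Resource>(true);  // constructed sample input: an already-failed resource
    client.loader = std::make_shared<Loader>(&client);
    std::weak_ptr<Loader> watch = client.loader;
    Loader* raw = client.loader.get();
    Outcome o = raw->loadRequest(res);
    return {o, !watch.expired(), false, false, client.fails};
}

int main() {
    assert(survivingClient(std::make_shared<Resource>(true)).outcome == Outcome::ClearedDuringSetResource);
    assert(clientDestroysLoader().outcome == Outcome::DestroyedDuringSetResource);
    return 0;
}
```

The unguarded shape of loadRequest() would proceed past setResource() straight to m_client, which in the already-failed case is the null-while-resource()-is-set state the description names; the two checks after setResource() are the whole fix, and the order matters: the liveness check has to come first, because reading m_client on a destroyed object is itself the bug.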
Patch Set 1
Total comments: 4
Patch Set 2: Comment
Messages
Total messages: 29 (12 generated)
The CQ bit was checked by hiroshige@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1902683002/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1902683002/1
Description was changed from

==========
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
setResource()
BUG=595964
==========

to

==========
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
setResource() can call clear() synchronously:
DocumentThreadableLoader::clear()
DocumentThreadableLoader::handleError()
Resource::didAddClient()
RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes (Issue 595964).
This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().
BUG=595964
==========
hiroshige@chromium.org changed reviewers: + tyoshino@chromium.org
PTAL. (this should be merged to at least M-51 beta)
lgtm

https://codereview.chromium.org/1902683002/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp (right):

https://codereview.chromium.org/1902683002/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:863: return;
add comment to note that we need to call clear() for the case fetch.*() method failed but in case clear() is called inside setResource() synchronously, m_client is already cleared and therefore we need to return here.
https://codereview.chromium.org/1902683002/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp (right):

https://codereview.chromium.org/1902683002/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:863: return;
On 2016/04/19 06:27:44, tyoshino wrote:
> add comment to note that we need to call clear() for the case fetch.*() method
> failed but in case clear() is called inside setResource() synchronously,
> m_client is already cleared and therefore we need to return here.

oh, basically the same as what you've put in the description.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
Description was changed from

==========
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
setResource() can call clear() synchronously:
DocumentThreadableLoader::clear()
DocumentThreadableLoader::handleError()
Resource::didAddClient()
RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes (Issue 595964).
This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().
BUG=595964
==========

to

==========
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
In loadRequest(), setResource() can call clear() synchronously:
DocumentThreadableLoader::clear()
DocumentThreadableLoader::handleError()
Resource::didAddClient()
RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes (Issue 595964).
This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().
BUG=595964
==========
hiroshige@chromium.org changed reviewers: + japhet@chromium.org
+japhet@, could you take a look as a core/loader OWNER?

https://codereview.chromium.org/1902683002/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp (right):

https://codereview.chromium.org/1902683002/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:863: return;
On 2016/04/19 06:29:00, tyoshino wrote:
> On 2016/04/19 06:27:44, tyoshino wrote:
> > add comment to note that we need to call clear() for the case fetch.*() method
> > failed but in case clear() is called inside setResource() synchronously,
> > m_client is already cleared and therefore we need to return here.
>
> oh, basically the same as what you've put in the description.

Done.
https://codereview.chromium.org/1902683002/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp (right):

https://codereview.chromium.org/1902683002/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp:863: return;
On 2016/04/19 06:40:48, hiroshige wrote:
> On 2016/04/19 06:29:00, tyoshino wrote:
> > On 2016/04/19 06:27:44, tyoshino wrote:
> > > add comment to note that we need to call clear() for the case fetch.*() method
> > > failed but in case clear() is called inside setResource() synchronously,
> > > m_client is already cleared and therefore we need to return here.
> >
> > oh, basically the same as what you've put in the description.
>
> Done.

Thanks. LGTM
japhet@, could you take a look?
friendly ping.
hiroshige@chromium.org changed reviewers: + mkwst@chromium.org
+mkwst@ as another core/loader owner. PTAL.
LGTM. Is there a test you can add that would verify the behavior?
On 2016/05/02 09:32:01, Mike West wrote:
> LGTM. Is there a test you can add that would verify the behavior?

Clusterfuzz has a reproducible case, but I don't want to expose it until the fix is fully merged. So far I couldn't create a unit test that exposes this bug.
The CQ bit was checked by hiroshige@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1902683002/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1902683002/20001
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by hiroshige@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1902683002/20001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1902683002/20001
Message was sent while issue was closed.
Description was changed from

==========
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
In loadRequest(), setResource() can call clear() synchronously:
DocumentThreadableLoader::clear()
DocumentThreadableLoader::handleError()
Resource::didAddClient()
RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes (Issue 595964).
This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().
BUG=595964
==========

to

==========
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
In loadRequest(), setResource() can call clear() synchronously:
DocumentThreadableLoader::clear()
DocumentThreadableLoader::handleError()
Resource::didAddClient()
RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes (Issue 595964).
This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().
BUG=595964
==========
Message was sent while issue was closed.
Committed patchset #2 (id:20001)
Message was sent while issue was closed.
Description was changed from

==========
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
In loadRequest(), setResource() can call clear() synchronously:
DocumentThreadableLoader::clear()
DocumentThreadableLoader::handleError()
Resource::didAddClient()
RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes (Issue 595964).
This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().
BUG=595964
==========

to

==========
DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()
In loadRequest(), setResource() can call clear() synchronously:
DocumentThreadableLoader::clear()
DocumentThreadableLoader::handleError()
Resource::didAddClient()
RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes (Issue 595964).
This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().
BUG=595964
Committed: https://crrev.com/2571533bbb5b554ff47205c8ef1513ccc0817c3e
Cr-Commit-Position: refs/heads/master@{#391001}
==========
Message was sent while issue was closed.
Patchset 2 (id:??) landed as https://crrev.com/2571533bbb5b554ff47205c8ef1513ccc0817c3e
Cr-Commit-Position: refs/heads/master@{#391001}
