Protect WebSocketChannel before calling client methods

https://bugs.webkit.org/show_bug.cgi?id=216791 Patch by Carlos Garcia Campos <cgarcia@igalia.com> on 2020-11-19 Reviewed by Youenn Fablet. Ensure we keep a reference to the WebSocketChannel before calling client methods that might close the channel. * WebProcess/Network/WebSocketChannel.cpp: (WebKit::WebSocketChannel::close): (WebKit::WebSocketChannel::fail): (WebKit::WebSocketChannel::didClose): (WebKit::WebSocketChannel::resume): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@270021 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Igalia · Nov 19, 2020 · 5ccce66 · 5ccce66
1 parent 87558ee
commit 5ccce66
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/Source/WebKit/ChangeLog b/Source/WebKit/ChangeLog
@@ -1,3 +1,18 @@
+2020-11-19  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        Protect WebSocketChannel before calling client methods
+        https://bugs.webkit.org/show_bug.cgi?id=216791
+
+        Reviewed by Youenn Fablet.
+
+        Ensure we keep a reference to the WebSocketChannel before calling client methods that might close the channel.
+
+        * WebProcess/Network/WebSocketChannel.cpp:
+        (WebKit::WebSocketChannel::close):
+        (WebKit::WebSocketChannel::fail):
+        (WebKit::WebSocketChannel::didClose):
+        (WebKit::WebSocketChannel::resume):
+
 2020-11-18  Megan Gardner  <megan_gardner@apple.com>
 
         Menu Bar support for app highlights in book.

diff --git a/Source/WebKit/WebProcess/Network/WebSocketChannel.cpp b/Source/WebKit/WebProcess/Network/WebSocketChannel.cpp
@@ -197,6 +197,9 @@ unsigned WebSocketChannel::bufferedAmount() const
 
 void WebSocketChannel::close(int code, const String& reason)
 {
+    // An attempt to send closing handshake may fail, which will get the channel closed and dereferenced.
+    auto protectedThis = makeRef(*this);
+
     m_isClosing = true;
     if (m_client)
         m_client->didStartClosingHandshake();
@@ -211,6 +214,9 @@ void WebSocketChannel::close(int code, const String& reason)
 
 void WebSocketChannel::fail(const String& reason)
 {
+    // The client can close the channel, potentially removing the last reference.
+    auto protectedThis = makeRef(*this);
+
     logErrorMessage(reason);
     if (m_client)
         m_client->didReceiveMessageError();
@@ -327,6 +333,9 @@ void WebSocketChannel::didClose(unsigned short code, String&& reason)
     m_inspector.didReceiveWebSocketFrame(m_document.get(), closingFrame);
     m_inspector.didCloseWebSocket(m_document.get());
 
+    // An attempt to send closing handshake may fail, which will get the channel closed and dereferenced.
+    auto protectedThis = makeRef(*this);
+
     bool receivedClosingHandshake = code != WebCore::WebSocketChannel::CloseEventCodeAbnormalClosure;
     if (receivedClosingHandshake)
         m_client->didStartClosingHandshake();
@@ -375,6 +384,7 @@ void WebSocketChannel::suspend()
 
 void WebSocketChannel::resume()
 {
+    auto protectedThis = makeRef(*this);
     m_isSuspended = false;
     while (!m_isSuspended && !m_pendingTasks.isEmpty())
         m_pendingTasks.takeFirst()();