[Qt] Fix a crash under ~PingLoader when the QNAM on the page has been destroyed.

https://bugs.webkit.org/show_bug.cgi?id=116035 Reviewed by Allan Sandfeld Jensen. Source/WebCore: The previous fix only moved the crash location from WebKit down to QNetworkReplyHttpImpl which expects its QNetworkAccessManager to still be alive. Fix it by watching the QNetworkReply's destroyed() signal and avoid the dangling pointer instead. The QNetworkReply doesn't need to be aborted in this case anyway. * platform/network/qt/QNetworkReplyHandler.cpp: (WebCore::QNetworkReplyWrapper::QNetworkReplyWrapper): (WebCore::QNetworkReplyWrapper::release): (WebCore::QNetworkReplyWrapper::stopForwarding): Rename resetConnections to stopForwarding since not all connections are related to data forwarding to the client anymore. (WebCore::QNetworkReplyWrapper::receiveMetaData): (WebCore::QNetworkReplyWrapper::replyDestroyed): (WebCore::QNetworkReplyWrapper::didReceiveFinished): * platform/network/qt/QNetworkReplyHandler.h: (QNetworkReplyWrapper): Source/WebKit/qt: * tests/qwebpage/tst_qwebpage.cpp: (tst_QWebPage::networkReplyParentDidntChange): Change test to match the new expectation. (tst_QWebPage::destroyQNAMBeforeAbortDoesntCrash): Change-Id: I5e82b8ccc8fccf496669af8de76888e367480f67 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@150120 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
author: Jocelyn Turcotte <jocelyn.turcotte@digia.com> 2013-05-15 16:31:13 +0000
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-06-06 13:03:03 +0200
commit: b3b8ed036fb802f638cac9c637065363fba8b4fa (patch)
tree: 4c5edacbb9c30320c70a0ca06fd906f6d08565d5 /Source/WebCore/platform
parent: b3923742ae3271ec1e273a5ffbc5555f3ee089ae (diff)
2 files changed, 14 insertions, 10 deletions
diff --git a/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp b/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp
index b763cc28f..d4bc9bcb8 100644
--- a/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp
+++ b/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp
@@ -268,13 +268,11 @@ QNetworkReplyWrapper::QNetworkReplyWrapper(QNetworkReplyHandlerCallQueue* queue,
 {
     Q_ASSERT(m_reply);
 
-    // Allow the QNetworkReply to outlive its parent QNetworkAccessManager in case the later gets destroyed before our ResourceHandle is done with it.
-    m_reply->setParent(0);
-
     // setFinished() must be the first that we connect, so isFinished() is updated when running other slots.
     connect(m_reply, SIGNAL(finished()), this, SLOT(setFinished()));
     connect(m_reply, SIGNAL(finished()), this, SLOT(receiveMetaData()));
     connect(m_reply, SIGNAL(readyRead()), this, SLOT(receiveMetaData()));
+    connect(m_reply, SIGNAL(destroyed()), this, SLOT(replyDestroyed()));
 }
 
 QNetworkReplyWrapper::~QNetworkReplyWrapper()
@@ -289,7 +287,7 @@ QNetworkReply* QNetworkReplyWrapper::release()
     if (!m_reply)
         return 0;
 
-    resetConnections();
+    m_reply->disconnect(this);
     QNetworkReply* reply = m_reply;
     m_reply = 0;
     m_sniffer = nullptr;
@@ -303,10 +301,10 @@ void QNetworkReplyWrapper::synchronousLoad()
     receiveMetaData();
 }
 
-void QNetworkReplyWrapper::resetConnections()
+void QNetworkReplyWrapper::stopForwarding()
 {
     if (m_reply) {
-        // Disconnect all connections except the one to setFinished() slot.
+        // Disconnect all connections that might affect the ResourceHandleClient.
         m_reply->disconnect(this, SLOT(receiveMetaData()));
         m_reply->disconnect(this, SLOT(didReceiveFinished()));
         m_reply->disconnect(this, SLOT(didReceiveReadyRead()));
@@ -317,8 +315,7 @@ void QNetworkReplyWrapper::resetConnections()
 void QNetworkReplyWrapper::receiveMetaData()
 {
     // This slot is only used to receive the first signal from the QNetworkReply object.
-    resetConnections();
-
+    stopForwarding();
 
     WTF::String contentType = m_reply->header(QNetworkRequest::ContentTypeHeader).toString();
     m_encoding = extractCharsetFromMediaType(contentType);
@@ -371,6 +368,12 @@ void QNetworkReplyWrapper::setFinished()
     m_reply->setProperty("_q_isFinished", true);
 }
 
+void QNetworkReplyWrapper::replyDestroyed()
+{
+    m_reply = 0;
+    m_sniffer = nullptr;
+}
+
 void QNetworkReplyWrapper::emitMetaDataChanged()
 {
     QueueLocker lock(m_queue);
@@ -401,7 +404,7 @@ void QNetworkReplyWrapper::didReceiveReadyRead()
 void QNetworkReplyWrapper::didReceiveFinished()
 {
     // Disconnecting will make sure that nothing will happen after emitting the finished signal.
-    resetConnections();
+    stopForwarding();
     m_queue->push(&QNetworkReplyHandler::finish);
 }
 
diff --git a/Source/WebCore/platform/network/qt/QNetworkReplyHandler.h b/Source/WebCore/platform/network/qt/QNetworkReplyHandler.h
index a68904147..6bc35cc12 100644
--- a/Source/WebCore/platform/network/qt/QNetworkReplyHandler.h
+++ b/Source/WebCore/platform/network/qt/QNetworkReplyHandler.h
@@ -94,9 +94,10 @@ private Q_SLOTS:
     void didReceiveReadyRead();
     void receiveSniffedMIMEType();
     void setFinished();
+    void replyDestroyed();
 
 private:
-    void resetConnections();
+    void stopForwarding();
     void emitMetaDataChanged();
 
     QNetworkReply* m_reply;
author	Jocelyn Turcotte <jocelyn.turcotte@digia.com>	2013-05-15 16:31:13 +0000
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-06-06 13:03:03 +0200
commit	b3b8ed036fb802f638cac9c637065363fba8b4fa (patch)
tree	4c5edacbb9c30320c70a0ca06fd906f6d08565d5 /Source/WebCore/platform
parent	b3923742ae3271ec1e273a5ffbc5555f3ee089ae (diff)