Changeset 229179 in webkit


Timestamp:
Mar 2, 2018 9:52:17 AM (6 years ago)
Author:
Chris Dumez
Message:

fast/events/before-unload-remove-itself.html crashes with async policy delegates
https://bugs.webkit.org/show_bug.cgi?id=183290
<rdar://problem/38069045>

Reviewed by Alex Christensen.

Source/WebCore:

When the navigation policy happens asynchronously, it is now possible for the
Frame / FrameLoader to get destroyed between the point that policyChecker().checkNavigationPolicy()
is called and when continueLoadAfterNavigationPolicy() is called.

To address the issue, we now protect the Frame and capture it in the lambda passed
to policyChecker().checkNavigationPolicy().

Test: fast/events/before-unload-remove-itself-async-delegate.html

  • loader/FrameLoader.cpp:

(WebCore::FrameLoader::loadURL):
(WebCore::FrameLoader::loadWithDocumentLoader):

LayoutTests:

Add layout test coverage.

  • fast/events/before-unload-remove-itself-async-delegate-expected.txt: Added.
  • fast/events/before-unload-remove-itself-async-delegate.html: Added.
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r229177 r229179  
     12018-03-02  Chris Dumez  <cdumez@apple.com>
     2
     3        fast/events/before-unload-remove-itself.html crashes with async policy delegates
     4        https://bugs.webkit.org/show_bug.cgi?id=183290
     5        <rdar://problem/38069045>
     6
     7        Reviewed by Alex Christensen.
     8
     9        Add layout test coverage.
     10
     11        * fast/events/before-unload-remove-itself-async-delegate-expected.txt: Added.
     12        * fast/events/before-unload-remove-itself-async-delegate.html: Added.
     13
    1142018-03-02  Chris Dumez  <cdumez@apple.com>
    215
  • trunk/Source/WebCore/ChangeLog

    r229177 r229179  
     12018-03-02  Chris Dumez  <cdumez@apple.com>
     2
     3        fast/events/before-unload-remove-itself.html crashes with async policy delegates
     4        https://bugs.webkit.org/show_bug.cgi?id=183290
     5        <rdar://problem/38069045>
     6
     7        Reviewed by Alex Christensen.
     8
     9        When the navigation policy happens asynchronously, it is now possible for the
     10        Frame / FrameLoader to get destroyed between the point that policyChecker().checkNavigationPolicy()
     11        is called and when continueLoadAfterNavigationPolicy() is called.
     12
     13        To address the issue, we now protect the Frame and capture it in the lambda passed
     14        to policyChecker().checkNavigationPolicy().
     15
     16        Test: fast/events/before-unload-remove-itself-async-delegate.html
     17
     18        * loader/FrameLoader.cpp:
     19        (WebCore::FrameLoader::loadURL):
     20        (WebCore::FrameLoader::loadWithDocumentLoader):
     21
    1222018-03-02  Chris Dumez  <cdumez@apple.com>
    223
  • trunk/Source/WebCore/loader/FrameLoader.cpp

    r229108 r229179  
    13271327        policyChecker().setLoadType(newLoadType);
    13281328        auto completionHandlerCalled = adoptRef(*new SharedBool);
    1329         policyChecker().checkNavigationPolicy(ResourceRequest(request), false /* didReceiveRedirectResponse */, oldDocumentLoader.get(), formState, [this, completionHandlerCalled = completionHandlerCalled.copyRef()] (const ResourceRequest& request, FormState*, bool shouldContinue) {
     1329        policyChecker().checkNavigationPolicy(ResourceRequest(request), false /* didReceiveRedirectResponse */, oldDocumentLoader.get(), formState, [this, protectedFrame = makeRef(m_frame), completionHandlerCalled = completionHandlerCalled.copyRef()] (const ResourceRequest& request, FormState*, bool shouldContinue) {
    13301330            if (!completionHandlerCalled->value) {
    13311331                completionHandlerCalled->value = true;
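Review bot: `protectedFrame` on line 1329 is captured only for its lifetime effect and is never referenced in the lambda body, while `this` is still captured as a raw pointer, so the fix rests on the FrameLoader staying valid exactly as long as the Frame that owns it. A short comment on the capture (e.g. `// Keep the Frame, and with it this FrameLoader, alive until the async policy check completes.`) would make that invariant explicit and keep a later cleanup pass from removing an apparently unused capture.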
     
    14971497        policyChecker().stopCheck();
    14981498        auto completionHandlerCalled = adoptRef(*new SharedBool);
    1499         policyChecker().checkNavigationPolicy(ResourceRequest(loader->request()), false /* didReceiveRedirectResponse */, oldDocumentLoader.get(), formState, [this, completionHandlerCalled = completionHandlerCalled.copyRef()] (const ResourceRequest& request, FormState*, bool shouldContinue) {
     1499        policyChecker().checkNavigationPolicy(ResourceRequest(loader->request()), false /* didReceiveRedirectResponse */, oldDocumentLoader.get(), formState, [this, protectedFrame = makeRef(m_frame), completionHandlerCalled = completionHandlerCalled.copyRef()] (const ResourceRequest& request, FormState*, bool shouldContinue) {
    15001500            if (!completionHandlerCalled->value) {
    15011501                completionHandlerCalled->value = true;
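Review bot: line 1499 repeats the `[this, protectedFrame = makeRef(m_frame), completionHandlerCalled = completionHandlerCalled.copyRef()]` capture list from line 1329, and a third call site below adds the same `protectedFrame` capture. Every checkNavigationPolicy() callback that can run after an asynchronous delegate returns now needs this protection, so consider a small helper that builds the protected callback, or at least a comment at each site, so that a future call site does not silently regress to the crash described in the ChangeLog.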
     
    15331533    m_frame.navigationScheduler().cancel(true);
    15341534
    1535     policyChecker().checkNavigationPolicy(ResourceRequest(loader->request()), false /* didReceiveRedirectResponse */, loader, formState, [this, allowNavigationToInvalidURL] (const ResourceRequest& request, FormState* formState, bool shouldContinue) {
     1535    policyChecker().checkNavigationPolicy(ResourceRequest(loader->request()), false /* didReceiveRedirectResponse */, loader, formState, [this, protectedFrame = makeRef(m_frame), allowNavigationToInvalidURL] (const ResourceRequest& request, FormState* formState, bool shouldContinue) {
    15361536        continueLoadAfterNavigationPolicy(request, formState, shouldContinue, allowNavigationToInvalidURL);
    15371537    });
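Review bot: holding a Ref to `m_frame` on line 1535 prevents the use-after-free, but a Frame removed from its document during the asynchronous check (the before-unload-remove-itself scenario in the test name) is now kept alive and the callback proceeds straight into continueLoadAfterNavigationPolicy() on it; it is worth confirming, and stating in a comment, that the callee tolerates a detached frame rather than only a live one. Separately, unlike the two callbacks above, this lambda has no completionHandlerCalled guard, so if a single completion is guaranteed on this path, a one-line comment saying so would prevent a reader from assuming the guard was dropped by mistake.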