Changeset 229596 in webkit


Timestamp: Mar 13, 2018 6:02:21 PM
Author: Chris Dumez
Message:

fast/loader/javascript-url-iframe-remove-on-navigate.html is a flaky crash on iOS with async delegates
https://bugs.webkit.org/show_bug.cgi?id=183610

Reviewed by Youenn Fablet.

The issue was that in DocumentLoader::loadMainResource(), the call to requestMainResource() returns null
due to the load getting cancelled synchronously. If this load is the parent frame's last
pending load, then the 'load' event gets fired in the parent frame. In the test, the parent frame's
load event handler does a document.write() call which blows away the iframe. As a result, when
we return from the requestMainResource(), m_frame is null and we crash later on dereferencing it.

No new tests, covered by fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html
which was crashing flakily.

  • loader/DocumentLoader.cpp:

(WebCore::DocumentLoader::loadMainResource):

Location: trunk/Source/WebCore
Files: 2 edited

  • trunk/Source/WebCore/ChangeLog

    r229589 r229596  
     12018-03-13  Chris Dumez  <cdumez@apple.com>
     2
     3        fast/loader/javascript-url-iframe-remove-on-navigate.html is a flaky crash on iOS with async delegates
     4        https://bugs.webkit.org/show_bug.cgi?id=183610
     5
     6        Reviewed by Youenn Fablet.
     7
     8        The issue was that in DocumentLoader::loadMainResource(), the call to requestMainResource() which
     9        return null due to the load getting cancelled synchronously. If this load is the parent frame's last
     10        pending load, then the 'load' event gets fired in the parent frame. In the test, the parent frame's
     11        load event handler does a document.write() call which blows away the iframe. As a result, when
     12        we return from the requestMainResource(), m_frame is null and we crash later on dereferencing it.
     13
     14        No new tests, covered by fast/loader/javascript-url-iframe-remove-on-navigate-async-delegate.html
     15        which was crashing flakily.
     16
     17        * loader/DocumentLoader.cpp:
     18        (WebCore::DocumentLoader::loadMainResource):
     19
    1202018-03-13  Jer Noble  <jer.noble@apple.com>
    221
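Review bot: the sentence at ChangeLog line 8-9, "the call to requestMainResource() which return null due to the load getting cancelled synchronously", has no main verb and a number disagreement; suggest "the call to requestMainResource() can return null due to the load getting cancelled synchronously" so the entry reads as a complete description of the failure.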
  • trunk/Source/WebCore/loader/DocumentLoader.cpp

    r229349 r229596  
    17191719    m_mainResource = m_cachedResourceLoader->requestMainResource(WTFMove(mainResourceRequest)).value_or(nullptr);
    17201720
    1721 #if ENABLE(CONTENT_EXTENSIONS)
    1722     if (m_mainResource && m_mainResource->errorOccurred() && m_frame->page() && m_mainResource->resourceError().domain() == ContentExtensions::WebKitContentBlockerDomain) {
    1723         RELEASE_LOG_IF_ALLOWED("startLoadingMainResource: Blocked by content blocker error (frame = %p, main = %d)", m_frame, m_frame->isMainFrame());
    1724         cancelMainResourceLoad(frameLoader()->blockedByContentBlockerError(m_request));
    1725         return;
    1726     }
    1727 #endif
    1728 
    17291721    if (!m_mainResource) {
     1722        // The frame may have gone away if this load was cancelled synchronously and this was the last pending load.
     1723        // This is because we may have fired the load event in a parent frame.
     1724        if (!m_frame)
     1725            return;
     1726
    17301727        if (!m_request.url().isValid()) {
    17311728            RELEASE_LOG_IF_ALLOWED("startLoadingMainResource: Unable to load main resource, URL is invalid (frame = %p, main = %d)", m_frame, m_frame->isMainFrame());
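Review bot: the new `if (!m_frame) return;` at 1724 is placed correctly ahead of the `m_frame->isMainFrame()` dereference in the log call at 1728, but the comment at 1722-1723 only explains why the frame may be gone, not why returning silently is the right outcome. Consider extending it with one clause stating that the load was already cancelled synchronously (so no further error reporting or state reset is owed here), which makes the invariant explicit for anyone later adding error handling below this point.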
     
    17441741        return;
    17451742    }
     1743
     1744    ASSERT(m_frame);
     1745
     1746#if ENABLE(CONTENT_EXTENSIONS)
     1747    if (m_mainResource->errorOccurred() && m_frame->page() && m_mainResource->resourceError().domain() == ContentExtensions::WebKitContentBlockerDomain) {
     1748        RELEASE_LOG_IF_ALLOWED("startLoadingMainResource: Blocked by content blocker error (frame = %p, main = %d)", m_frame, m_frame->isMainFrame());
     1749        cancelMainResourceLoad(frameLoader()->blockedByContentBlockerError(m_request));
     1750        return;
     1751    }
     1752#endif
    17461753
    17471754    if (!mainResourceLoader()) {
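Review bot: `ASSERT(m_frame)` at 1744 is a debug-only check, while `m_frame->page()` at 1747 and `m_frame->isMainFrame()` at 1748 dereference it unconditionally in release builds. This relies on the invariant argued in the ChangeLog that the frame can only be detached when the load was cancelled synchronously, which leaves `m_mainResource` null and is handled by the early return at 1724; if that invariant does not hold for every path that yields a non-null `m_mainResource`, a release-build null check is needed here as well. Dropping the former `m_mainResource &&` guard from the moved content-blocker condition at 1747 is sound, since the `if (!m_mainResource)` block above ends in an unconditional `return;` at 1741.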