Changeset 225292 in webkit


Timestamp:
Nov 29, 2017 1:41:59 PM (6 years ago)
Author:
achristensen@apple.com
Message:

Make WebFrameLoaderClient more robust against null pointer dereferencing
https://bugs.webkit.org/show_bug.cgi?id=180157
<rdar://problem/34895616>

Reviewed by Tim Horton.

There have always been rare null pointer crashes in this code, but they have become more common
now that we are waiting for completion handlers for redirects, which makes it more likely that
we are hitting this code after we have detached from the core frame.

  • WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:

(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse):
(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNewWindowAction):
(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction):

  • WebProcess/WebPage/WebFrame.cpp:

(WebKit::WebFrame::page const):

Location:
trunk/Source/WebKit
Files:
3 edited

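--- a/trunk/Source/WebKit/ChangeLog
+++ b/trunk/Source/WebKit/ChangeLog
@@ -1,2 +1,21 @@
+2017-11-29  Alex Christensen  <achristensen@webkit.org>
+
+        Make WebFrameLoaderClient more robust against null pointer dereferencing
+        https://bugs.webkit.org/show_bug.cgi?id=180157
+        <rdar://problem/34895616>
+
+        Reviewed by Tim Horton.
+
+        There has always been rare null pointer crashes in this code, but they have become more common
+        now that we are waiting for completion handlers for redirects, which makes it more likely that
+        we are hitting this code after we have detached from the core frame.
+
+        * WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:
+        (WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse):
+        (WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNewWindowAction):
+        (WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction):
+        * WebProcess/WebPage/WebFrame.cpp:
+        (WebKit::WebFrame::page const):
+
 2017-11-29  Alex Christensen  <achristensen@webkit.org>
 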
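--- a/trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
+++ b/trunk/Source/WebKit/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp
@@ -693,5 +693,5 @@
 void WebFrameLoaderClient::dispatchDecidePolicyForResponse(const ResourceResponse& response, const ResourceRequest& request, FramePolicyFunction&& function)
 {
-    WebPage* webPage = m_frame->page();
+    WebPage* webPage = m_frame ? m_frame->page() : nullptr;
     if (!webPage) {
         function(PolicyAction::Ignore);
@@ -722,4 +722,6 @@
     Ref<WebFrame> protect(*m_frame);
     WebCore::Frame* coreFrame = m_frame->coreFrame();
+    if (!coreFrame)
+        return function(PolicyAction::Ignore);
     auto navigationID = static_cast<WebDocumentLoader&>(*coreFrame->loader().provisionalDocumentLoader()).navigationID();
     if (!webPage->sendSync(Messages::WebPageProxy::DecidePolicyForResponseSync(m_frame->frameID(), SecurityOriginData::fromFrame(coreFrame), navigationID, response, request, canShowMIMEType, listenerID, UserData(WebProcess::singleton().transformObjectsToHandles(userData.get()).get())), Messages::WebPageProxy::DecidePolicyForResponseSync::Reply(receivedPolicyAction, policyAction, downloadID), Seconds::infinity(), IPC::SendSyncOption::InformPlatformProcessWillSuspend)) {
@@ -735,5 +737,5 @@
 void WebFrameLoaderClient::dispatchDecidePolicyForNewWindowAction(const NavigationAction& navigationAction, const ResourceRequest& request, FormState* formState, const String& frameName, FramePolicyFunction&& function)
 {
-    WebPage* webPage = m_frame->page();
+    WebPage* webPage = m_frame ? m_frame->page() : nullptr;
     if (!webPage) {
         function(PolicyAction::Ignore);
@@ -822,5 +824,5 @@
 void WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const NavigationAction& navigationAction, const ResourceRequest& request, bool didReceiveRedirectResponse, FormState* formState, FramePolicyFunction&& function)
 {
-    WebPage* webPage = m_frame->page();
+    WebPage* webPage = m_frame ? m_frame->page() : nullptr;
     if (!webPage) {
         function(PolicyAction::Ignore);
@@ -836,8 +838,8 @@
     RefPtr<API::Object> userData;
 
-    RefPtr<InjectedBundleNavigationAction> action = InjectedBundleNavigationAction::create(m_frame, navigationAction, formState);
-
-    // Notify the bundle client.
-    WKBundlePagePolicyAction policy = webPage->injectedBundlePolicyClient().decidePolicyForNavigationAction(webPage, m_frame, action.get(), request, userData);
+    Ref<InjectedBundleNavigationAction> action = InjectedBundleNavigationAction::create(m_frame, navigationAction, formState);
+
+    // Notify the bundle client.
+    WKBundlePagePolicyAction policy = webPage->injectedBundlePolicyClient().decidePolicyForNavigationAction(webPage, m_frame, action.ptr(), request, userData);
     if (policy == WKBundlePagePolicyActionUse) {
         function(PolicyAction::Use);
@@ -875,4 +877,6 @@
 
     WebCore::Frame* coreFrame = m_frame->coreFrame();
+    if (!coreFrame)
+        return function(PolicyAction::Ignore);
     WebDocumentLoader* documentLoader = static_cast<WebDocumentLoader*>(coreFrame->loader().policyDocumentLoader());
     if (!documentLoader) {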
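Review bot: The new `coreFrame` guard in dispatchDecidePolicyForResponse still leaves the following line dereferencing `coreFrame->loader().provisionalDocumentLoader()` unconditionally, so a detached frame whose provisional loader has already been cleared would crash with exactly the kind of null dereference this commit is meant to remove. The navigation-action path at the end of this section already null-checks its `policyDocumentLoader()` before casting, and the response path should match it; extending the added check is enough: `if (!coreFrame || !coreFrame->loader().provisionalDocumentLoader())` / `return function(PolicyAction::Ignore);`. Whether the provisional loader can actually be null at this point is not visible from the diff, so treat this as a defensive check rather than a confirmed crash; failing closed with PolicyAction::Ignore, as the added lines do, is the right default for a policy decision that can no longer be delivered to the UI process. Both dispatch functions continue outside the hunks shown here.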
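--- a/trunk/Source/WebKit/WebProcess/WebPage/WebFrame.cpp
+++ b/trunk/Source/WebKit/WebProcess/WebPage/WebFrame.cpp
@@ -172,12 +172,12 @@
 
 WebPage* WebFrame::page() const
-{ 
-    if (!m_coreFrame)
-        return 0;
+{
+    if (!m_coreFrame)
+        return nullptr;
    
     if (Page* page = m_coreFrame->page())
         return WebPage::fromCorePage(page);
 
-    return 0;
+    return nullptr;
 }
 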